Active scan
Right-click on a request and select "Do active scan"; Burp Scanner will use its default configuration to audit only this request.
Scan selected insertion point
Highlight the insertion point, right-click, and select "Scan selected insertion point" to focus on the input of interest and avoid scanning unnecessary content.
Scan manual insertion point extension
Highlight a character sequence, usually a parameter value, and select Extensions > "Scan manual insertion point".
- Multi-Account Containers (extension): creates a separate browser environment for each account you are testing
- Autorize (Burp extension)
  - Automatically repeats every request with the session of the low-privileged user
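What Autorize automates, as an added example that is not the extension's own code: a small in-process demo app with a constructed session table (one endpoint enforces the role, one returns a filtered body, one forgets the check), a helper that replays a request under another session cookie, and a verdict function modelled on Autorize's status-code and response-length comparison. The cookie values, endpoint paths and verdict labels are assumptions made for this example.

```python
import http.client
import http.server
import threading

# Constructed demo app (not a real target): session cookie -> role.
SESSIONS = {"sid=admin-1": "admin", "sid=user-7": "user"}

class DemoApp(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        role = SESSIONS.get(self.headers.get("Cookie", ""), None)
        if self.path == "/admin/users":          # checks the role: enforced
            status, body = (200, b'["alice","bob"]') if role == "admin" else (403, b"forbidden")
        elif self.path == "/api/report":         # same status, filtered body
            status, body = 200, (b"full report" if role == "admin" else b"summary")
        else:                                    # /api/profile: no role check at all
            status, body = 200, b'{"id":1}'
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass

def start_demo_server():
    """Bind the demo app to a free loopback port and serve it in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch(port, path, cookie):
    """Send one request with the given session cookie; return (status, body length)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie})
    resp = conn.getresponse()
    size = len(resp.read())
    conn.close()
    return resp.status, size

def autorize_verdict(port, path, high_cookie, low_cookie):
    """Replay the high-privileged request with the low-privileged session and
    compare the two responses; the heuristic Autorize's verdicts are modelled on."""
    original = fetch(port, path, high_cookie)
    replayed = fetch(port, path, low_cookie)
    if original == replayed:
        return "Bypassed!"        # same status and length: no authorization check
    if original[0] != replayed[0]:
        return "Enforced"         # different status code: access control applied
    return "Is enforced???"       # same status, different length: review manually
```

The third verdict is the one that needs a human: a 200 with a shorter body may be correct data filtering or a partial bypass, which is why Autorize lets you configure an enforcement detector.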
PwnFox provides useful tools for your security audit:
- Single click BurpProxy
- Container profiles (it automatically adds an X-PwnFox-Color header to highlight the request in Burp)
- Other: https://github.com/yeswehack/PwnFox
Many companies filter and block outbound traffic to the default Burp Collaborator domain, so an alternative callback endpoint is useful:
- webhook.site: generates a free, unique URL and e-mail address and lets you see everything that's sent there instantly.
- Top 25 parameters per vulnerability class (Cross-Site Scripting, Server-Side Request Forgery, Local File Inclusion, SQL Injection, Remote Code Execution, Open Redirect):
  - https://owasp.org/www-project-top-25-parameters/
  - https://github.com/lutfumertceylan/top25-parameter/tree/master