Burp Suite

Introduction to Web Proxies Web proxies sit between a browser or mobile client and the back-end server to capture and inspect HTTP traffic. Unlike full network sniffers that see all local traffic, web proxies focus on web ports such as HTTP/80 and HTTPS/443. This focus makes them ideal for web assessment workflows that require precise request editing and replay. Web proxies support more than interception, and they become a central tool for application testing. They can map endpoints, review headers, and identify patterns that guide further attacks or validation checks. Common tasks include the following: ...

Introduction Command Injection is one of the most critical web vulnerabilities because it lets an attacker execute OS commands on the backend host. The impact can be full system compromise and lateral movement if the server has network access. The vulnerability appears when user input is passed into a system command without strict validation and sanitization. This issue is not limited to web apps, but web apps are the most common surface because they regularly call system utilities. If a parameter such as an IP address is used inside a command, a small injection operator can turn it into a full shell. Because the execution happens server-side, any output you can observe is valuable evidence. ...

Introduction to File Upload Attacks File upload features are extremely common in web apps, from profile pictures to document portals. The moment an app stores user-controlled files on the server, it expands the attack surface beyond standard input fields. If validation is weak or missing, attackers can upload active content and trigger code execution. The core risk is that a server may treat an uploaded file as code rather than data. That can happen when the extension is executable, the server is misconfigured, or the upload directory allows script execution. Even if direct execution is blocked, uploads can enable stored XSS, XXE, or DoS. ...

Introduction This topic brings together three very common web attack families: HTTP verb tampering, insecure direct object references, and XML external entity injection. They look different on the surface, but all three usually come from the same core weakness: the application trusts client-controlled input more than it should, and the backend does not enforce validation and authorization consistently. In practice, this means a tester can often move from a small logic flaw to data exposure, privilege escalation, or even server-side code execution. ...