Functional PoCs in less than a minute? Julen Garrido Estévez puts Burp AI to the test
ATT&CK techniques detected
T1190 Exploit Public-Facing Application: 70%
"…am testing the [parameter / path / header] to determine whether there is evidence of [vuln_type e.g. IDOR, SQL injection, SSRF, XSS, CSRF, CORS, JWT]. Focus on userid / post / api / user / cookie: session… Perform concrete tests, suggest payloads, and provide criteria th…"
T1190 Exploit Public-Facing Application: 37%
"…rp AI with a focused prompt: I am testing the 'message' parameter to determine if there is evidence of XSS or SSTI. Focus on 'message' and see how it is reflected in the response. Perform specific tests, suggested payloads, and criteria that confirm the vulnerability. If a…"
T1190 Exploit Public-Facing Application: 37%
"…s, and once it confirmed the vulnerability, it immediately stopped testing. The result was a clean, working proof-of-concept exploit for SSTI, found quickly and efficiently. For the second test, I focused on a product page that issues a serialized PHP object as a session co…"
Summary
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal).
Contents: Methodology; Key results; Examples; Key learnings; Prompt template; A pentester's POV on Burp AI
Pentester Julen Garrido Es