Skip to main content

Posts

Showing posts with the label PortSwigger

Burp Suite for Beginners: The Ultimate Tool for Web Hacking (2026 Guide)

  Welcome to the 17th part of our Cybersecurity series! We have discussed many vulnerabilities like SQLi, XSS, and SSRF. But to find these bugs in the real world like a professional, you need to master one specific tool: Burp Suite . What is Burp Suite? Burp Suite is an integrated platform for performing security testing of web applications. It acts as an Interception Proxy between your browser and the target web server. This allows you to pause, inspect, and modify the data (HTTP requests) before it reaches the server. Key Components of Burp Suite To be a successful Bug Bounty hunter, you must understand these core tabs: Proxy: The heart of Burp. It lets you intercept and modify requests and responses. Repeater: Allows you to send a single HTTP request repeatedly with manual modifications to test how the server reacts. Intruder: Used for automated attacks like brute-forcing passwords or fuzzing for hidden directories. Decoder: A handy tool to quickly encode or decode data (B...

Server-Side Request Forgery (SSRF): A Comprehensive Guide for Beginners (2026)

Introduction In this part of the cybersecurity series, we explore one of the most critical web vulnerabilities: Server-Side Request Forgery (SSRF). With the rise of cloud platforms such as AWS, Azure, and Google Cloud, SSRF has become a high-impact vulnerability frequently targeted in bug bounty programs. What is SSRF? Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to force a server to make requests to unintended locations. In simple terms, the attacker uses the server as a proxy to access internal or restricted resources. How SSRF Works Many applications fetch data from external URLs. For example: fetch("https://trusted-site.com/data.json") If user input is not properly validated, an attacker can modify the request: fetch("http://127.0.0.1/admin") or: fetch("http://192.168.1.1/config") Because the request originates from the server, internal systems may trust it and return sensitive data. Types of SSRF Basic (In-band) SSRF T...

File Inclusion Vulnerabilities: Understanding LFI and RFI for Beginners (2026 Guide)

Introduction In this part of the cybersecurity series, we will explore a critical web vulnerability known as File Inclusion . File Inclusion occurs when a web application allows users to control which files are loaded or executed on the server without proper validation. This vulnerability can lead to sensitive data exposure or even full server compromise. What is File Inclusion? File Inclusion is a vulnerability where an application includes files based on user input without proper validation or restrictions. There are two main types of File Inclusion vulnerabilities: Local File Inclusion (LFI) Remote File Inclusion (RFI) 1. Local File Inclusion (LFI) LFI allows an attacker to access and sometimes execute files that are stored on the local server. How LFI Works Consider a website that loads pages using a parameter: https://example.com/view.php?page=contact.php If the application is vulnerable, an attacker can manipulate the parameter: https://example.com/view.php?page=../../../../etc/p...

Cross-Site Scripting (XSS) for Beginners: Mastering Web Security (2026 Guide)

Introduction After learning SQL Injection, the next most important vulnerability every aspiring ethical hacker must understand is Cross-Site Scripting (XSS). XSS is one of the most common web vulnerabilities and plays a major role in bug bounty programs and penetration testing. What is Cross-Site Scripting (XSS)? Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into trusted websites. These scripts are executed in the victim’s browser, allowing attackers to manipulate user interactions, steal sensitive data, or hijack sessions. How Does XSS Work? Unlike SQL Injection, which targets the database, XSS targets users interacting with a web application. If a website does not properly sanitize user input, an attacker can inject JavaScript like: <script>alert('Hacked!');</script> When another user visits the affected page, the script executes in their browser. Types of XSS 1. Stored XSS (Persistent) In this type, m...

SQL Injection (SQLi) for Beginners: A Step-by-Step Guide to Your First Hack

  What is SQL Injection (SQLi)? SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data they are not normally able to retrieve. How Does it Work? (The Logic) Imagine a login form where you enter your username. The database query looks like this: SELECT * FROM users WHERE username = 'YOUR_NAME' AND password = 'YOUR_PASSWORD' If the website is vulnerable, an attacker can enter ' OR 1=1 -- in the username field. The query becomes: SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '...' Since 1=1 is always true, the database grants access without a valid password! Types of SQL Injection In-band SQLi (Classic): The attacker uses the same communication channel to launch the attack and gather results. Error-based: Forcing the database to produce an error message. Union-based: Using the UNION SQL operat...