Don't forget to submit your talks for the SAS conference!
Bali, Indonesia, 22-25 Oct, 2024
https://thesascon.com/papers
Splitting the email atom: exploiting parsers to bypass access controls
👤 by Gareth Heyes
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an email will be routed to should be simple, but is actually ludicrously difficult - even for 'valid', RFC-compliant addresses.
In this paper, the author is going to show you how to turn email parsing discrepancies into access control bypasses and even RCE.
This paper is accompanied by a free online CTF, so you'll be able to try out your new skill set immediately.
📝 Contents:
● Introduction
● Creating email domain confusion
● Parser discrepancies
● Punycode
● Methodology/Tooling
● Defence
● Materials
● CTF
● Takeaways
● Timeline
● References
https://portswigger.net/research/splitting-the-email-atom
Hacking and securing ElectronJS apps
https://pentesting.academy/p/hacking-and-securing-electronjs-apps
Forwarded from idapro (Not official)
Kaspersky's GReAT has released a private plugin – the hrtng plugin for IDA Pro, the result of nearly 10 years of work. Packed with 37 advanced features, the plugin includes entirely new capabilities along with powerful upgrades to popular third-party plugins.
Each feature comes with detailed descriptions, demo links, and practical examples, all designed to make malware analysis faster, more effective, and more efficient.
An example of using the hrtng plugin to dissect FinSpy spyware is here
IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations - KasperskyLab/hrtng
Burp suite extension to find sensitive information by checking incoming text OR binary websocket messages
https://github.com/0xAwali/WebSocketChecker
Automating Authenticated scans in burp suite for 2FA applications
https://freedium.cfd/https://medium.com/@thelazypentester/automating-authenticated-scans-in-burp-suite-for-2fa-applications-ae93882e26c9
TruffleHog's Burp Suite Extension: A Techical Deep Dive
https://trufflesecurity.com/blog/introducing-trufflehog-s-burp-suite-extension-a-techical-deep-dive
10x to @ValyaRoller
SAS CTF is an international competition for cybersecurity experts, held as a part of the Security Analyst Summit conference. The competition consists of an online Jeopardy qualification stage and on-site Attack-Defense finals
The qualification stage will begin on May 17 at 12:00 UTC and will last for 24 hours
Top 8 teams from the qualification stage will compete for a share of the $18.000 prize pot at SAS 2025 in Khao Lak, Thailand on 25-28 October, 2025
https://ctf.thesascon.com
Burp Variables: A Burp Suite Extension
Burp Suite has long been the industry standard for web application testing, thanks in large part to its extensibility. Bishop Fox has built on that tradition with Burp Variables, a new extension that fills a major gap in Burp’s workflow: variable handling.
BishopFox Blog
FlareProx 🔥
Use Cloudflare to create HTTP pass-through proxies for unique IP rotation, similar to fireprox
Features:
-- HTTP Support: All HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD)
-- Simple URL Redirection: Provide any URL and FlareProx redirects traffic through Cloudflare
-- Global Network: Leverage Cloudflare's worldwide CDN infrastructure
-- Free Tier: 100,000 requests per day on Cloudflare's free plan
-- Easy Deployment: Single command deployment and management
https://github.com/MrTurvey/flareprox
burpsuite_pro_v2025.10.4.zip
601.4 MB
pass: 311138
README (en+ru) inside, plz read it before run BS.
Happy Hacking! 🥳
Run with Java 18 or Java 22 with JDK21+
Burp MCP + Codex CLI
This guide shows how to connect Burp Suite MCP Server to Codex CLI so that Codex can reason directly on your real HTTP traffic — no API keys, no scanning, no fuzzing.
https://pentestbook.six2dez.com/others/burp#burp-mcp?codex-cli