
Restoring Testability: Slides, Code & Video

May 22, 2026 | By Federico Dotta

Hi!

Last Thursday, as part of the Burp Extensibility Month on the PortSwigger Discord server, I gave a talk on the topic “Restoring Testability: Handling Complex Scenarios in Burp Suite with a Custom Extension”.

When performing security assessments on HTTP-based applications, whether web, mobile, APIs, or thick clients, the standard workflow is straightforward: put Burp Suite in the middle, and you’re good to go. Most of the time, that’s all you need.

Every now and then, though, you run into a small but significant class of applications where that workflow breaks down: custom protocols, payload encryption, request signatures, replay protection, non-standard encoding. These are the scenarios where you can no longer work manually the way you’re used to, and where Burp’s automated tools (Intruder, Scanner) stop being useful because they’re operating on data they can’t meaningfully read or modify.

In this talk I took one of these complexities as an example, additional payload encryption, and used it as a vehicle to explore advanced approaches based on custom Burp extensions to restore full testability: working manually in Proxy and Repeater, running automated tools like Intruder and Scanner, and even driving external tools like SQLMap through Burp, all as if the complexity simply weren’t there.

The talk is quite dense, with probably more content than the available time 😆, but I’ve published the slides, the full code of the examples, and the recording, hoping they’ll help make these advanced topics as clear as possible.

You can find the slides and the example code in a dedicated GitHub repository or in the #event-enthusiast channel of the PortSwigger Discord server.

And this is the video of the talk!

And if you haven’t done so yet, you can nominate your favorite Burp extensions for the 2026 Burp Suite Extension Awards until Tuesday 26th May! You can find the link for the nomination here.

Cheers!