In Episode 174, host Brad Causey is joined by guest Jordan Natter for a practical, tool-focused conversation on web application penetration testing. Together they break down the essential tools and Burp Suite Pro extensions that make up a modern web app pen testing toolkit.

Topics covered include:

• Burp Suite Pro vs. OWASP ZAP — comparing capabilities, extensions, and use cases
• CSP Auditor — identifying unsafe Content Security Policy directives
• JSON Web Token (JWT) extension — surfacing and tampering with JWTs in HTTP history
• Retire.js — flagging outdated JavaScript libraries with known vulnerabilities
• CyberChef & JWT.io — encoding, decoding, and debugging tokens
• Postman & Swagger — API testing and documentation workflows
• SQLMap — powerful SQL injection discovery (and why you should never run it in production)
• Proxy Forge — evading cloud-based WAFs and testing geo-blocking
• GraphQL Hunter — enumerating and testing GraphQL instances

Have a tool or extension you swear by? Drop it in the comments — Brad and Jordan want to hear from you!

---

Burp Suite is an integrated platform for attacking web applications. http://portswigger.net/burp/

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.