Just like in the previous modules, we can naturally also perform login through an add-on based on a parameter. While in the past we have always logged in with the same user, we can specify and read the desired username in the HTTP request, for example from a parameter:

When the built add-on sees this parameter, the login can be performed using the provided user. This way, the username can be changed on the fly, and we can test how the application behaves depending on a spesific role or username. Naturally, the application does not use or care about the given parameter, but if needed, this parameter can be wiped from the HTTP request by the add-on. Utilize this mindset to solve the next task.


Now, we will utilize concepts learned earlier and solve the next task without predefined codes. In this module's task, there are three different users, 

 The application contains folders and files whose visibility depends entirely on the user used. Find these, and you will find the flag.

### The user can also be changed on the fly

Just like in the previous modules, we can naturally also perform login through an add-on based on a parameter. While in the past we have always logged in with the same user, we can specify and read the desired username in the HTTP request, for example from a parameter:

@embed 55a35086d8c8

When the built add-on sees this parameter, the login can be performed using the provided user. This way, the username can be changed on the fly, and we can test how the application behaves depending on a spesific role or username. Naturally, the application does not use or care about the given parameter, but if needed, this parameter can be wiped from the HTTP request by the add-on. Utilize this mindset to solve the next task.

### 
Exercise

Now, we will utilize concepts learned earlier and solve the next task without predefined codes. In this module's task, there are three different users, *admin, bobby*, and *johnny.* The application contains folders and files whose visibility depends entirely on the user used. Find these, and you will find the flag.

*Note! - It is good to utilize e.g. *[*ffuf tool*](https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html)*:*

```sh
ffuf -u http://example.com/FUZZ?user=admin -w words.txt -mc all
```

@exercise ef2ab76986ab


Automatic session management - Practice

The course delves into advanced development with Burp Suite and teaches effective use of its extension API. We will build several practical extensions to address common challenges encountered during testing

The course delves into advanced development with Burp Suite and teaches effective use of its extension API. We will build several practical extensions to address common challenges encountered during testing.

BurpSuite - Fundamentals

Python Programming

Fundamentals

Automatic session management - Practice

The user can also be changed on the fly

Learn to hack — start here