If you spend a lot of time doing web application security testing, you’re probably using Burp Suite. And if you’re using Burp Suite, you’ve likely explored its extension library to make your work easier or more efficient. One extension I use almost every day is called Agartha. It’s not flashy. It’s not hyped up. But it works—and it’s helped me spot real issues faster and with less effort.
This post isn’t a sales pitch. I’m not affiliated with the developer. I just think it’s a solid tool that more people should know about. If you’re doing penetration testing or red teaming, Agartha can save you time and help you dig a little deeper.
Let’s look at what it does, how it works, and why I keep it in my Burp Suite setup.
What Is Agartha?
Agartha was developed by Volkan Dindar and is a free extension available through the BApp Store in Burp Suite. It includes several tools, but at its core, it helps you build smarter payloads, explore access controls, and automate common testing tasks. It’s aimed at testers who already know what they’re doing but want a more efficient way to do it.
There’s no magic involved. Agartha doesn’t replace your judgment or your skills. But it can reduce repetitive work, expose issues that are easy to miss, and give you helpful shortcuts.
Dynamic Payload Generator
One of Agartha’s most useful features is its Dynamic Payload Generator. This lets you quickly build lists of payloads to test for common vulnerabilities. It covers things like:
- SQL injection (SQLi)
- Local File Inclusion (LFI)
- Remote Code Execution (RCE)
The extension comes preloaded with payload templates and bypass tricks. You can also customize your own. What’s helpful here is that Agartha adjusts payloads in real time, letting you adapt on the fly as you test.
And these aren’t just the same 10 strings you’ve seen on every cheat sheet. Agartha includes evasion techniques—things like altered encodings, header tricks, and subtle format changes. These can help you slip past filters or protections like WAFs.
You could build all of this manually, but doing it with Agartha saves time. It also helps keep your testing organized, especially when working under time pressure.
Authorization Matrix
Access control is often overlooked, and it’s hard to test thoroughly. Agartha helps with this through something it calls the Authorization Matrix.
Here’s how it works. You test an application as different users—maybe an admin, a regular user, and a guest. Agartha tracks which URLs each one accesses and builds a map. If one user can access something they shouldn’t, it flags that.
This isn’t a full access control scanner. It won’t write your report for you. But it gives you a simple view of where access breaks down.
For example, maybe a regular user shouldn’t be able to hit /admin/users. You try it—and you get a 200 OK. Agartha logs that as a mismatch. This makes it easier to spot privilege escalation paths, especially in apps with dozens (or hundreds) of endpoints.
You can also export this matrix and use it as evidence in your findings. Clients appreciate seeing this kind of data—it’s clearer than a paragraph of text.
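The matrix idea in working form, as an added example (not Agartha's code): a policy says which roles may reach each endpoint, the observed statuses come from replaying the same request with each role's session, and every cell where an excluded role was still served the resource is flagged. The roles, endpoints and statuses below are constructed for the example.

```javascript
// Constructed sample policy: which roles the application is meant to let
// reach each endpoint. Endpoints and roles are invented for this example.
const POLICY = {
  "/public/news": ["guest", "user", "admin"],
  "/profile": ["user", "admin"],
  "/admin/users": ["admin"],
};

// Constructed observations: the status each role actually received when the
// same request was replayed with that role's session.
const OBSERVED = [
  { role: "guest", url: "/public/news", status: 200 },
  { role: "guest", url: "/profile", status: 302 },
  { role: "guest", url: "/admin/users", status: 403 },
  { role: "user", url: "/public/news", status: 200 },
  { role: "user", url: "/profile", status: 200 },
  { role: "user", url: "/admin/users", status: 200 }, // the access control gap
  { role: "admin", url: "/public/news", status: 200 },
  { role: "admin", url: "/profile", status: 200 },
  { role: "admin", url: "/admin/users", status: 200 },
];

// Build the matrix (url -> role -> status) and flag every cell where a role
// the policy excludes was nevertheless served the resource. Only a 2xx counts
// as served; a redirect to login or a 4xx counts as denied.
function buildAuthzMatrix(policy, observed) {
  const matrix = {};
  const mismatches = [];
  for (const { role, url, status } of observed) {
    (matrix[url] ??= {})[role] = status;
    const allowed = policy[url];
    if (allowed === undefined) continue; // endpoint not in the policy: nothing to compare
    const served = status >= 200 && status < 300;
    if (!allowed.includes(role) && served) mismatches.push({ role, url, status });
  }
  return { matrix, mismatches };
}

// Render the matrix as a tab-separated table that can be pasted into a finding.
function renderMatrix(matrix, roles) {
  const header = ["url", ...roles].join("\t");
  const rows = Object.entries(matrix).map(
    ([url, byRole]) => [url, ...roles.map((r) => byRole[r] ?? "-")].join("\t")
  );
  return [header, ...rows].join("\n");
}

const result = buildAuthzMatrix(POLICY, OBSERVED);
console.log(renderMatrix(result.matrix, ["guest", "user", "admin"]));
console.log("mismatches:", result.mismatches);
```

Endpoints missing from the policy are shown in the matrix but never flagged, so an incomplete policy silently reduces coverage; fill the policy from the application's own role documentation before reading the output.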
Convert HTTP Requests to JavaScript
Sometimes, you need to build a proof of concept. You’ve found an XSS, or maybe a CSRF. Now you want to show it in action.
Agartha helps by converting HTTP requests into JavaScript. This saves you the time of writing out fetch() or XMLHttpRequest code by hand. You copy the request, click a button, and Agartha turns it into JavaScript. You can then drop this into a payload, a test page, or a browser console.
This is especially useful when chaining vulnerabilities—say, combining XSS with RCE or CSRF. Agartha helps you move quickly from discovery to demonstration.
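What that conversion involves, as an added example written for this post rather than Agartha's own implementation: parse the raw request into its request line, headers and body, drop the headers a browser manages itself (the page never shows which it strips, so that list is an assumption here), and emit a fetch() call that reproduces the request. The sample request is constructed.

```javascript
// Constructed sample request as copied from a proxy history. Host, path,
// header values and body are invented for this example.
const RAW_REQUEST = [
  "POST /api/profile/update HTTP/1.1",
  "Host: app.example.test",
  "Content-Type: application/json",
  "Cookie: session=abc123",
  "Content-Length: 26",
  "",
  '{"displayName":"new name"}',
].join("\r\n");

// Headers the browser sets itself and will not let page script override;
// leaving them in the generated code only produces console warnings.
const BROWSER_MANAGED = new Set(["host", "content-length", "cookie", "origin", "referer", "connection"]);

// Split a raw HTTP/1.1 request into request line, headers and body.
function parseRawRequest(raw) {
  const sep = raw.search(/\r?\n\r?\n/);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep).replace(/^\r?\n\r?\n/, "");
  const [requestLine, ...headerLines] = head.split(/\r?\n/);
  const [method, path] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // tolerate a stray line instead of aborting
    headers[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers, body };
}

// Emit a fetch() call that reproduces the parsed request. The scheme is a
// parameter because a proxied request line carries only the path.
function toFetchSnippet(parsed, scheme = "https") {
  const hostEntry = Object.entries(parsed.headers).find(([k]) => k.toLowerCase() === "host");
  const url = `${scheme}://${hostEntry ? hostEntry[1] : "localhost"}${parsed.path}`;
  const headers = Object.fromEntries(
    Object.entries(parsed.headers).filter(([k]) => !BROWSER_MANAGED.has(k.toLowerCase()))
  );
  const init = { method: parsed.method, headers };
  if (parsed.body) init.body = parsed.body;
  return `fetch(${JSON.stringify(url)}, ${JSON.stringify(init, null, 2)});`;
}

console.log(toFetchSnippet(parseRawRequest(RAW_REQUEST)));
```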
403 Bypass Testing
We’ve all run into this: you try to access a page, and you get a “403 Forbidden” response. It’s frustrating, and sometimes the block isn’t as solid as it looks.
Agartha has a built-in 403 Bypass module. It tries small changes to see if the restriction can be bypassed. That might mean:
- Modifying headers like X-Original-URL or X-Rewrite-URL
- Changing the request method
- Adjusting the URL (adding a trailing slash, dot, or encoded character)
None of these tricks are new. But having them all in one place, and being able to automate them, makes the process faster. You don’t have to remember every variation or write a script on the fly.
And yes, sometimes it works. You’ll find a bypass and gain access to something the app was trying to hide. Even when it doesn’t work, you’ve ruled out some options quickly and can move on.
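The reason these small changes ever work is that the access check compares a different string from the one the handler eventually serves. As an added example from the defensive side (not Agartha's code, and the /admin rule and role names are assumptions), this canonicalises the path before the decision, ignores override headers, and disregards the method, so the variants listed above all collapse to the same protected path:

```javascript
// Constructed rule: everything under /admin requires the admin role.
// The prefix and role names are invented for this example.
const PROTECTED_PREFIX = "/admin";

// Reduce a request path to one canonical form before it is compared with the
// rule: drop query/fragment, percent-decode twice (undoing double encoding),
// collapse "." / ".." segments and repeated slashes, strip a trailing slash,
// case-fold. Returns null on a malformed escape so the caller denies it.
function canonicalPath(rawPath) {
  let p = rawPath.split(/[?#]/)[0];
  for (let i = 0; i < 2; i++) {
    try { p = decodeURIComponent(p); } catch { return null; }
  }
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg.toLowerCase());
  }
  return "/" + out.join("/");
}

// The decision uses only the canonical path from the request line and the
// authenticated role. Override headers such as X-Original-URL and
// X-Rewrite-URL are never consulted, and the HTTP method plays no part.
function isAllowed(rawPath, role) {
  const path = canonicalPath(rawPath);
  if (path === null) return false;
  const isProtected = path === PROTECTED_PREFIX || path.startsWith(PROTECTED_PREFIX + "/");
  return !isProtected || role === "admin";
}

// Constructed variants of /admin/users that a literal string comparison misses.
const VARIANTS = [
  "/admin/users/",
  "/admin//users",
  "/admin/./users",
  "/public/x/../../admin/users",
  "/%61dmin/users",
  "/%2561dmin/users",
  "/ADMIN/users",
  "/admin/users?x=1",
];

// Count how many variants the check denies to a given role.
function variantsDeniedTo(role) {
  return VARIANTS.filter((v) => !isAllowed(v, role)).length;
}

console.log(VARIANTS.map(canonicalPath), variantsDeniedTo("user"), variantsDeniedTo("admin"));
```

Case-folding is deliberately conservative: on a case-sensitive backend it can over-deny, which is the safer failure for an access check.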
Why I Use It
Agartha isn’t the only tool out there that does these things. You can find scripts, other extensions, or write your own. But what I like about Agartha is that it puts several useful tools in one place—and they all work well together.
It helps with payload generation, access testing, proof-of-concept building, and bypass attempts. That’s a lot of value for one extension. And it fits into my existing workflow without slowing me down.
I don’t rely on it blindly. I still write my own payloads and do manual checks. But when I want to save time or double-check something, Agartha is where I go.
A Few Things to Keep in Mind
- Agartha is best used by testers who already know the basics. It’s not a teaching tool.
- It doesn’t replace logic or experience. It supports your testing—it doesn’t do it for you.
- Like any tool, it can give false positives or miss things. Always confirm what you find.
- You’ll get more out of it if you customize the payloads and explore all the features.
Final Thoughts
There’s a lot of noise in the security tool space. New scanners, AI-based platforms, and one-click pentesting tools show up every week. Most of them promise too much and deliver too little.
Agartha doesn’t do that. It’s simple, practical, and focused. If you do hands-on testing with Burp Suite, it’s worth trying.
You won’t find marketing pages or slick videos for it. Just an honest tool that can make your job easier.
If you haven’t used Agartha yet, give it a shot. And if you already use it, I’d be curious to hear what you think—or how you use it differently.