After this lesson, you will be able to: Complete three PortSwigger Practitioner-level labs across three different vulnerability categories and write a professional bug report for each, compiled into a portfolio PDF.
Your capstone: demonstrate real, professional Burp Suite skill. Complete three Practitioner-difficulty Web Security Academy labs in three different vulnerability categories, and write a professional bug report for each as if submitting to a real program. Compile them into a portfolio PDF you can show employers.
Pick three different vulnerability categories (for example: SQL injection, access control/IDOR, and business logic, or substitute XSS, OAuth, request smuggling). Complete one PortSwigger Practitioner-level lab in each. Practitioner is the middle tier: harder than apprentice, realistic, and a credible signal. The variety shows breadth; the difficulty shows depth.
Use the same structure a real program expects.
For each of the three findings, write a report with:
1. Title: concise and specific (e.g. 'Blind SQL injection in product filter allows database extraction').
2. Severity: scored with CVSS 3.1 (include the vector string).
3. Environment: the lab/app and relevant context.
4. Steps to reproduce: exact, minimal, reproducible by a stranger in under ten minutes.
5. Proof of concept: the key request/response or a screenshot.
6. Impact: in business terms.
7. Recommended remediation: the specific fix (parameterized queries, server-side authorization, etc.).
Combine the three reports into a single, cleanly formatted PDF. This is the artifact you link from your resume and bring to interviews; it proves you can both find and clearly communicate vulnerabilities, which is exactly what AppSec and pentest hiring managers want to see. A worked example of a complete, high-quality report is included for you to use as a model.
Common pitfalls: three labs in the same category (no breadth) or all at Apprentice level (no depth); reports without reproducible steps; no CVSS score, so severity stays vague; a messy PDF that undercuts strong findings; forgetting the remediation, which is what signals you understand the fix and not just the break; and treating the writeup as an afterthought when it is the most valuable artifact.