Watch the stream
Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. The underlying goal is to increase the efficiency of the testing workflow (in terms of both capabilities and speed). I presented a similar talk in 2013, but the tool and its ecosystem changed significantly since then.
Among the topics to be covered: - Improved usage the Burp Suite GUI, from modifying default settings to increasing the speed of interaction (including hotkeys) - Automation of recurrent tasks, mainly the transparent management of sessions (via both cookies and headers like JWT) and CSRF tokens - Essential extensions like Hackvertor, Piper and Burp Bounty - Efficiently find authorization bugs, on both APIs and web apps - Niche knowledge about Collaborator (correlation) and Intruder (placeholders in wordlists) - Poor-man automation pipeline, from a list of domains to findings - Evergreen pieces of advice (on performances and live monitoring) - How to stay up to date (a list of relevant online resources)
The talk includes self-hosted demos illustrating its most critical points.