-
Nicolas Grégoire AGARRI
Course Abstract
Level: Intermediate to Advanced This training is focused on experienced Web hackers who want to master their toolbox. The goal is to ease automation and to increase the ROI of the time spent testing Web targets.
In doubt, read the testimonials published at https://hackademy.agarri.fr/testimonials
Outline
The following outline may slightly evolve, depending on the latest changes to the Burp Suite ecosystem (the tool itself and its extensions). As a bonus, the whole training platform is provided to students by the end of the training session.
DAY 1
After a quick introduction, the day is spent on basic automation tasks using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while self-assessing the effectiveness of attacks.
By the end of the day, students are able, among other things, to easily brute-force CSRF- protected forms in Intruder and to automatically process their results with “Grep – Match” and “Grep – Extract”.
DAY 2
The second day is dedicated to macros and session handling rules, on Web applications and APIs (both SOAP and REST ones). Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring. The latter skill will prove itself invaluable when debugging advanced automation scenarios.
By the end of the day, students are able, among other things, to automatically manage authentication and dynamic data (think CSRF tokens) across all Burp’s tools.
DAY 3
On the third day, we exclusively cover extensions. A large share of that time is dedicated to “meta extensions”, which cover recurrent needs (display, log, transform, export, …) and can easily be adapted to specific engagements.
By the end of the day, students are able, among other things, to easily scan values located inside nested encoded parameters and to exploit typical race conditions.
DAY 4
The fourth day includes two distinct sections. The first one dives deep in the often overlooked built-in tools that are Audit and Crawl (previously known as Scanner and Spider), Collaborator and Infiltrator. The second section deals with the cumbersome task of authorization testing, as we detail how different extensions can ease this process.
By the end of the day, students are able, among other things, to setup highly customized scans and to identify authorization bugs despite CSRF tokens and strict workflows.
Who Should Attend
The training is aimed at experienced Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with as-short-as-possible feedback loops.
People with less than one year of intense practice of Burp Suite won’t fully appreciate the training and should instead first work on their own using public resources.
What You Need
- Computer (with appropriate WiFi connectivity)
- 64-bit OS supported by Burp Suite Pro (Linux, Windows or Mac)
- Burp Suite Pro license and installers (if needed, we can provide them)
Bio
Nicolas Grégoire Pwner, AGARRI
Nicolas Grégoire has been auditing web apps for 20 years. He is an official Burp Suite Pro trainer since 2015, and has trained nearly a thousand people since then, either privately or at public events. Other of that, he runs Agarri, a one-man business where he looks for security vulnerabilities for clients and for fun. His public talks (covering SSRF, XSLT, Burp Suite, ...) have been presented at numerous conferences around the world.