-
Tim Tomes (Lanmaster53) PractiSec
Description
PBAT provides comprehensive training on the capabilities of Burp Suite Pro and the practical application of these capabilities in real world web application penetration testing engagements. The instructor will introduce the various components of Burp Suite Pro, discussing their purpose, strengths, and limitations, and lead students in realistic scenario driven hands-on exercises leveraging the components against a modern web application. As the scenarios unfold, the instructor will share tips and tricks for using Burp Suite Pro gained from years of personal usage experience and extensive research into the tool’s capabilities and ongoing expansion. These scenarios include the use of lesser-known features hidden within the Burp interface, and the modification and chaining of features to solve complex problems that make testing modern applications a challenge.
PBAT is a PortSwigger preferred Burp Suite Training course. As a PortSwigger Preferred Burp Suite Pro Trainer, Tim is a trusted source for comprehensive training on Burp Suite Pro. Students will receive a trial license for Burp Suite Pro to use during and after the course.
Skill Requirements
PBAT is 100% focused on the latest stable version of Burp Suite Pro and does not address the process of assessing web applications for security issues or specific vulnerabilities. However, the class is taught within the context of a web application security assessment in order to provide realistic scenarios for the tool’s usage. While not an official continuation of Practical Web Application Penetration Testing (PWAPT) or Practical Web Application Security Assessment (PWASA), PBAT is a great follow-up for students who have previously attended either of these courses.
Technical Requirements
- Laptop with the latest VMware Player, VMware Workstation, or VWware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
- Ability to disable all security software on their laptop such as Antivirus and/or firewalls (Administrator).
- At least twenty (20) GB of hard drive space.
- At least eight (8) GB of RAM.
- WARNING: Due to virtualization limitations, systems using Apple silicon are not supported and cannot be used.
Outline
Note: Timing depends largely on the ability level of the students. 24 hours is sufficient to complete the class for students that know the HTTP protocol and have a basic understanding of Web technologies. Exposure to code at any level and a general understanding of programming fundamentals is encouraged.
Introduction to the environment and the workflow initialization tool set (4 hours)
- PwnedHub target environment overview.
- Scenario: Testing architecture setup.
- Burp Suite Pro introduction and core configuration.
- Burp Target introduction with interface and configuration deep dive.
- Burp Engagement Tools
- Discover Content introduction with interface and configuration deep dive.
- CSRF PoC introduction with interface and configuration deep dive.
- Burp Proxy introduction with interface and configuration deep dive.
- Scenario: Manual authorization testing and exploitation with proxy manipulation rules.
- Scenario: Conducting TLS Stripping MITM attacks.
Advanced use of the primary testing tool set. (4 hours)
- Burp Repeater introduction with interface and configuration deep dive.
- Scenario: Bypassing CSRF mitigations with Method Interchange (Verb Tampering).
- Scenario: Interfacing with, testing, and exploiting Websockets.
- Burp Intruder introduction with interface and configuration deep dive.
- Scenario: Dynamically discovering and exploiting Mass Assignment vulnerabilities.
- Scenario: Conducting Timing-based enumeration attacks.
- Scenario: Extracting complex datasets from fuzzing results.
- Scenario: Bypassing CSRF controls with advanced payload types.
Enhancing Burp Suite Pro with external and internal capabilities (4 hours)
- Burp Extender introduction with interface and configuration deep dive.
- Match and Replace BApp introduction with interface and configuration deep dive.
- JWT Editor BApp introduction with interface and configuration deep dive.
- Python Scripter BApp introduction with interface and configuration deep dive.
- Scenario: Quickly extending Burp’s passive scanner with Python
- Burp Logger introduction with interface and configuration deep dive.
- Burp Macros introduction with interface and configuration deep dive.
- Scenario: Fuzzing through restricted flows.
- Scenario: Automating persistent service authentication.
Handling and testing authentication and authorization in complex scenarios (6 hours)
- Burp Compare Sitemaps introduction with interface and configuration deep dive.
- Scenario: Discovering broken access controls in server-side rendered applications.
- Scenario: Discovering broken access controls in RESTful web services.
- Burp Scanner introduction with interface and configuration deep dive.
- Scenario: Scanning through out-of-scope Single Sign-On systems.
- Scenario: Scanning through complex authentication systems (OIDC, SAML, etc.).
- Scenario: Universally bypassing CSRF controls to augment manual and automated testing.
Maximizing the use of Burp’s remote capabilities (6 hours)
- Burp Collaborator introduction with interface and configuration deep dive.
- Scenario: Discovering and exploiting SSRF.
- Scenario: Discovering and exploiting out-of-band command injection.
- Scenario: Discovering and exploiting blind XSS.
- Scenario: Extracting data and hijacking sessions through the Burp Collaborator server.
- Burp Rest API introduction with interface and configuration deep dive.
- Scenario: Conducting remote headless scans.
Bio
Tim Tomes (Lanmaster53) Burp Suite Master, PractiSec
Application Security Engineer with extensive experience in the information technology and security industries. Experience ranges from software development to full-scope penetration testing (red teaming) as both a technician and leader for both the United States Military and private industry. Currently specializing in application security as a trainer and practitioner of web application penetration testing and secure software development.