Mastering Burp Suite Pro 100% Hands-On
Nicolas Gregoire, Agarri
This is not a training about Web hacking. It’s a training for Web hackers who want to master their toolbox.
Burp Suite Pro is the leading tool for auditing Web applications at large. Mastering it lets users get the most out of the tool and optimize the time they spend on it: work becomes faster, more effective and more efficient. What's more, advanced automation techniques allow the detection of additional vulnerabilities, whether complex or subtle. Attendees will also learn to measure the quality of their attacks, a crucial skill in real-life engagements.
Most features included in the tool are covered, including recent ones like Collaborator (out-of-band interactions) and Infiltrator (IAST for Java and .NET applications). Alternative strategies and techniques will be demonstrated, giving a wider view of the available functionality.
The training infrastructure (around 20 Docker containers) is made available to all trainees right after the session. It's super easy to use: install Docker, run a few commands and enjoy your local platform! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, weak cryptography, webhooks, NoSQL injections, authorization bugs, aggressive disconnection, JWT-authenticated APIs, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, …
Additional details, including testimonials, are available here.
The first day is spent on well-defined tasks where the goal is to find flags, as in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder:
- Introduction to Burp (GUI, tools, shortcuts, inline help, …)
- Proxy (defining the scope, filtering and sorting data, …)
- Repeater (exploitation of the D-Link DIR-100 backdoor, efficiency tips, …)
- Intruder (most payload types, anti-CSRF tokens without macros, data extraction, …)
On the second day, challenges get more complex: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools:
- Advanced Intruder (customized wordlists, exporting results, time-based feedback, …)
- Advanced Proxy (live modifications, interception and manual analysis, …)
- Data frobbing (dealing with opaque chunks of data)
- Macros and Sessions (anti-CSRF tokens, short-lived sessions, strict workflows, …)
The third and last day is quite different from the previous ones. After numerous advanced subjects have been introduced, students are invited to select the ones they are interested in and then spend the day working on them. Among these subjects:
- Highly useful extensions and third-party tools
- Tools for authentication and authorization audits
- Advanced automation (AngularJS and blind XSS, dynamic external references, …)
- Web Services (SOAP and REST interfaces, JWT authentication via macros, …)
- OOB communication via Collaborator (set up your own instance, interact manually)
- IAST with Infiltrator (instrumented versions of Jenkins and WebGoat are available)
- Automated and headless usage (fine tuning, using REST interfaces, …)
- Advanced Web exploitation (Java deserialization, weak cryptography, complex macros)
Prerequisites for attendees:
- Basic knowledge of Burp Suite (UI navigation, traffic interception and replay)
- Computer (with appropriate wired or WiFi connectivity)
- 64-bit OS supported by Burp Suite Pro (Linux, Windows or Mac)
- Administrative privileges (in order to configure network settings)
- Recent version of the 64-bit Oracle JVM (can be installed using the Burp bundle)
- Burp Pro license (temporary ones can be provided)
- Modern browser (no IE6, no Epiphany)
Nicolas Gregoire, Web Hacker, Bug Hunter and Trainer, Agarri
Nicolas Gregoire has more than 15 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He has been an official Burp Suite Pro trainer since 2015 and has trained hundreds of people since then.
Outside of that, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research has been presented at numerous conferences around the world (Netherlands, Germany, Switzerland, France, Russia, Canada, India, ...) and he has been publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.