This training isn’t about Web hacking. Instead, this training is for Web hackers who want to master their toolbox.
Burp Suite Pro is the leading tool for auditing Web applications at large, but also a complex beast where new features get added every few weeks. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding.
After an introduction to the training platform and its challenges, this day is spent on well-defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.
Challenges get more realistic: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools, possibly including extensions. Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with Logger++). The latter skill will prove itself invaluable when working on session handling rules.
Next, we dig deeper in advanced subjects. That covers authorization testing, custom active scanning, Web Services and much more! Built-in features are pushed to their limits, and extra ones provided by extensions are commonly used.