Mastering Burp Suite Pro, 100% hands-on

Price: 19.00 USD | Size:15.0 GB |? ?Duration : 25.19 Hours??| 22 Video Lessons | Bonus : Burp Suite PDF Guides




Price: 19.00 USD | Size:15.0 GB |? ?Duration : 25.19 Hours??| 22 Video Lessons | Bonus : Burp Suite PDF Guides


Mastering Burp Suite Pro, 100% hands-on


The following?4-day?plan may slightly evolve, depending on the latest changes to the Burp Suite ecosystem (either the tool itself or its extensions).

Day 1

After an introduction to the training platform and its challenges, the day is spent on well defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like?Proxy,?Repeater?and?Intruder. The goal is to?improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.

  • Introduction: rules and advice, connecting to the network, description of the training platform and its challenges
  • Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data
  • Match & Replace: well-known examples, live traffic modifications
  • Repeater: keyboard-only usage, replaying WebSockets traffic, dealing with streamed data
  • Intruder: coverage of all attack types and most payload types, automatic processing of results with ?Grep ? Match? and ?Grep – Extract?, data extraction, managing CSRF-tokens without session handling rules, atypical injection points, frobbing and fuzzing
  • Traffic interception: HTTP exchanges and WebSocket messages are intercepted and manually modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That?s the only section where ?Intercept is On? isn?t a problem ūüėČ

Day 2

The second day is?dedicated to macros and session handling rules, first on Web applications then on APIs (both SOAP Web services and REST endpoints). Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with the?Logger++?extension). The latter skill will later prove itself invaluable when debugging advanced automation scenarios.

  • Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging-in automatically). We also cover session handling rules being applied to third-party tools like sqlmap
  • REST APIs and SOAP WebServices: why is a specific toolbox needed, how to generate requests from definition files (WSDL, OpenAPI, etc.), using session handling rules to manage authentication in cookie-less environments

Day 3

On the third day,?we exclusively cover extensions. A large share of that time is dedicated to??meta extensions?. This term describes extensions which at the same time cover recurrent needs (display, transform, export, …) and can easily be adapted to specific situations. We also cover more specific extensions, including the ones enabling headless usage of Burp Suite Pro.

  • Companions: AutoChrome and PwnFox
  • Meta extensions: Logger++, Hackvertor, HTTP Mock, Piper, Turbo Data Miner, Stepper
  • Headless usage: using the REST APIs provided by Burp Buddy and VMware extensions
  • Other extensions: Turbo Intruder, Backslash Powered Scanner, Request Minimizer, …
Quick Navigation