3-DAY TRAINING 6 – Mastering Burp Suite Pro: 100% Hands-On

DURATION: 3 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: CLASS CANCELLED


EUR2599 (early bird)

EUR3199 (normal)

Early bird registration rate ends on the 31st of January


Overview

As nicely said in PoC||GTFO Volume II, « This is not a book about astronomy; rather, this is a book about telescopes ». In the same spirit, this training isn’t about Web hacking. Instead, this training is for Web hackers who want to master their toolbox.

Burp Suite Pro is the leading tool for auditing Web applications at large, but also a complex beast where new features get added every few weeks. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing.

Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding.

Who should attend

The training is aimed at Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with asshort-as-possible feedback loops.

If you wonder if previous attendees enjoyed the training, have a look at the public testimonials I compiled: link

Key Learning Objectives

Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects.

Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging-in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about it, thanks to prior rehearsals.

Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to live-assess themselves, in order to detect as early as possible any error and to allow for correction and self-improvement.

Hardware / Software Requirements

  • Decent laptop (no Netbooks, no Tablets, no iPads)
  • Wireless connectivity (either builtin or via a external card)
  • 64-bit OS supported by Burp Suite Pro (Linux, Windows or Mac)
  • Administrative privileges (in order to configure network settings)
  • Modern browser (no IE6, no Epiphany)

Prerequisite Knowledge

  • Working knowledge of common Web vulnerabilities (XSS, SQLi, SSRF, etc.)
  • Basic knowledge of Burp Suite (UI navigation, traffic interception and replay)

Course outline

Every trainee goes through the main track, composed of nearly 100 challenges. Plenty of additional ones are available, depending on your speed, taste, skills and professional needs. No way to get bored! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, WebSockets, weak cryptography, webhooks, NoSQL injections, authorizations bugs, aggressive disconnection, JWT-authenticated APIs, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, …

Agenda – Day 1:

After an introduction to the training platform and its challenges, this day is spent on well defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.

  • Introduction: rules and advice, connecting to the network, description of the training platform and its challenges
  • Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data
  • Match & Replace: well-known examples, live traffic modifications
  • Repeater: keyboard-only usage, replaying WebSockets traffic, dealing with streamed data
  • Intruder: coverage of all attack types and most payload types, automatic processing of results with “Grep – Match” and “Grep – Extract”, data extraction, managing CSRF-tokens without session handling rules, atypical injection points, frobbing and fuzzing

Agenda – Day 2:

On the second day, challenges get more realistic: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools, possibly including extensions.
Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with Logger++). The latter skill will prove itself invaluable when working on session handling rules.

  • Traffic interception: HTTP exchanges and WebSocket messages are intercepted and modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That’s the only section where “Intercept is On” isn’t a problem.
  • Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging-in automatically), applying session handling rules to third-party tools like sqlmap. Note that dealing with Web services (either SOAP or REST) is quite different and is covered in the separate section, on the third day.
  • Extensions: review and testing of the most useful and/or popular extensions (Logger++, Hackvertor, JSON Beautifier, Paramalyzer, Turbo Intruder, …)

Agenda – Day 3:

The third day is used to dig deeper in advanced subjects. That covers authorization testing, custom active scanning, Web Services and much more! Built-in features are pushed to their limits, and extra ones provided by extensions are commonly used.

  • Authorization testing: from quick tests w/o specific configuration to deep tests requiring business-specific knowledge (extensions “Authz”, “AutoRepeater”, “SessionAuth” and “AuthMatrix” are covered)
  • REST and SOAP WebServices: why is a specific toolbox needed, generating requests from definition files (WSDL, OpenAPI, …), using session handling rules to manage authentication in cookie-less environments
  • Two-way communication with the target: deploying and using a private Collaborator instance, patching the target byte-code with Infiltrator in order to receive additional details (filename, line number, …), running an Infiltrator-only active scan
  • Scans and live tasks: differences between v1 and v2 (terminology, GUI, usage), using the scanner like in v1, description and testing of the much-improved crawler, configuring and running specialized scans, observing the oriented-graphs generated during crawling, using these graphs with “Crawl and Audit” (in order to audit CSRF-protected forms without macros)
  • Headless usage: driving Burp Suite Pro via a REST API (provided by 3rd-party extensions)
  • Vuln-specific tooling: Blind XSS, from builtin features to 3rd-party tools like Sleepy Puppy

TRAININGS
Location: Training Rooms Date: April 20, 2020 Time: 9:00 am - 6:00 pm Nicolas Gregoire