Mastering Burp Suite Pro
100% hands on
4 Day u_long 32 CPE Hour Training: August 2020
"This is not a book about astronomy; rather, this is a book about telescopes" -- PoC||GTFO Volume II
This is a training for Web hackers who want to master their toolbox.
Burp Suite Pro is the leading tool for auditing Web applications at large, but also a complex beast where new features get added every few weeks. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding.
Every student goes through the main track, composed of nearly 100 challenges. Plenty of additional ones are available, depending on your speed, taste, skills and professional needs. No way to get bored! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, WebSockets, weak cryptography, webhooks, NoSQL injections, authorizations bugs, aggressive disconnection, JWT-authenticated APIs, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, etc.
Key Learning Objectives
Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects. Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging-in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about it, thanks to prior rehearsals. Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to live-assess themselves, in order to detect as early as possible any error and to allow for correction and self-improvement.
Who Should Attend
The training is aimed at Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with as-short-as-possible feedback loops.
Here's what past students have to say about the training!
After an introduction to the training platform and its challenges, this day is spent on well defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.
- Introduction: rules and advice, connecting to the network, description of the training platform and its challenges
- Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data
- Match & Replace: well-known examples, live traffic modifications
- Repeater: keyboard-only usage, replaying WebSockets traffic, dealing with streamed data
- Intruder: coverage of all attack types and most payload types, automatic processing of results with "Grep - Match" and "Grep - Extract", data extraction, managing CSRF-tokens without session handling rules, atypical injection points, frobbing and fuzzing
On the second day, challenges get more realistic: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools, possibly including extensions. Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with Logger++). The latter skill will prove itself invaluable when working on session handling rules.
- Traffic interception: HTTP exchanges and WebSocket messages are intercepted and modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That's the only section where "Intercept is On" isn't a problem
- Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging-in automatically), applying session handling rules to third-party tools like sqlmap. Note that dealing with Web services (either SOAP or REST) is quite different and is covered in the separate section, on the third day.
- Extensions: review and testing of the most useful and/or popular extensions (Logger++, Hackvertor, JSON Beautifier, Paramalyzer, Turbo Intruder, etc.)
The third day is used to dig deeper in advanced subjects. That covers authorization testing, custom active scanning, Web Services and much more! Built-in features are pushed to their limits, and extra ones provided by extensions are commonly used.
- Authorization testing: from quick tests w/o specific configuration to deep tests requiring business-specific knowledge (extensions "Authz", "AutoRepeater", "SessionAuth" and "AuthMatrix" are covered)
- REST and SOAP WebServices: why is a specific toolbox needed, generating requests from definition files (WSDL, OpenAPI, etc.), using session handling rules to manage authentication in cookie-less environments
- Two-way communication with the target: deploying and using a private Collaborator instance, patching the target byte-code with Infiltrator in order to receive additional details (filename, line number, etc.), running an Infiltrator-only active scan
- Scans and live tasks: differences between v1 and v2 (terminology, GUI, usage), using the scanner like in v1, description and testing of the much-improved crawler, configuring and running specialized scans, observing the oriented-graphs generated during crawling, using these graphs with "Crawl and Audit" (in order to audit CSRF-protected forms without macros)
- Headless usage: driving Burp Suite Pro via a REST API (provided by 3rd-party extensions)
- AngularJS-specific XSS vulnerabilities
At this point, students usually have a clear idea of which recently acquired skills will be useful in their specific contexts. So the last day is usually dedicated to practicing these skills again, either on the training platform itself or on authorized targets (usually in scope of bug bounty programs). Trainees may also switch to advanced Web exploitation challenges or atypical scenarios.
- Rehearsals: Intruder (1-byte fuzzing, managing CSRF tokens without macros), session handling rules (logging-in automatically on Web apps and services, generic management of CSRF tokens), etc.
- Vuln-specific tooling: Blind XSS, from builtin features to 3rd-party tools like Sleepy Puppy
- Advanced macros and session handling rules, including macros with multiple requests
- Pure exploitation: ECB block shuffling, Java deserialization, escalating a NoSQL injection to a full-blown RCE
- Extensions: adapting existing ones to your needs, creating your own
- Working knowledge of common Web vulnerabilities (XSS, SQLi, SSRF, etc.)
- Basic knowledge of Burp Suite (UI navigation, traffic interception and replay)
- A working laptop (no Netbooks, no Tablets, no iPads)
- VNC and SSH clients to connect to the "Lab in the Cloud"
Students will be provided with
- Copy of the whole training platform (around twenty containers and hundreds of challenges)
- Burp Suite Pro installers and the corresponding temporary licenses
Nicolas Grégoire has nearly 20 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He is an official Burp Suite Pro trainer since 2015, and trained hundreds of people since then, either privately or during infosec events. Outside of that, he runs Agarri, a one-guy company where he finds security bugs for customers and for fun. His public security research (that mostly deals with XML, XSLT and SSRF) was presented at numerous conferences around the world (HackInTheBox, ZeroNights, HackInParis, Nullcon, etc.). He was also thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.