Mastering Burp Suite Pro, 100% hands-on

"This is not a book about astronomy; rather, this is a book about telescopes" - PoC||GTFO Volume II

Syllabus

The following 4-day plan may slightly evolve, depending on the latest changes to the Burp Suite ecosystem (either the tool itself or its extensions).

Day 1

After an introduction to the training platform and its challenges, the day is spent on well-defined tasks where the goal is to find flags, as in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.

  • Introduction: rules and advice, connecting to the network, description of the training platform and its challenges

  • Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data

  • Match & Replace: well-known examples, live traffic modifications

  • Repeater: keyboard-only usage, replaying WebSockets traffic, dealing with streamed data

  • Intruder: coverage of all attack types and most payload types, automatic processing of results with “Grep - Match” and “Grep - Extract”, data extraction, managing CSRF tokens without session handling rules, atypical injection points, frobbing and fuzzing

  • Traffic interception: HTTP exchanges and WebSocket messages are intercepted and manually modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That’s the only section where “Intercept is On” isn’t a problem ;-)

Day 2

The second day is dedicated to macros and session handling rules, first on Web applications then on APIs (both SOAP Web services and REST endpoints). Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with the Logger++ extension). The latter skill will later prove itself invaluable when debugging advanced automation scenarios.

  • Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging in automatically). We also cover session handling rules being applied to third-party tools like sqlmap

  • REST APIs and SOAP Web services: why a specific toolbox is needed, how to generate requests from definition files (WSDL, OpenAPI, etc.), using session handling rules to manage authentication in cookie-less environments
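The two CSRF-token items above (Intruder with “Grep - Extract” on Day 1, macros and session handling rules on Day 2) both solve the same problem: a per-request token that must be re-read from the previous response before the next attack request is sent. The following added example, which is not part of the syllabus or of Burp Suite's own code, models that problem offline. `DemoApp` is a constructed stand-in for a target that issues a single-use token per form fetch; `batch_with_stale_token` reuses one token the way an unassisted Intruder attack would, and `batch_with_refresh` does what a macro or recursive-grep payload does, re-fetching and re-extracting the token before every submission. The regular expression is the same kind of capture you would put in a “Grep - Extract” item or a macro's custom parameter location.

```python
import re
import secrets


class DemoApp:
    """Constructed stand-in for a CSRF-protected target: every GET of the form
    issues a fresh single-use token bound to the session, and the POST is
    rejected unless it carries the token that is currently valid."""

    def __init__(self):
        self._tokens = {}  # session id -> currently valid token (or None once used)

    def get_form(self, session_id):
        token = secrets.token_hex(8)
        self._tokens[session_id] = token
        body = (
            '<form method="post" action="/transfer">\n'
            f'  <input type="hidden" name="csrf" value="{token}">\n'
            '  <input type="text" name="amount">\n'
            '</form>'
        )
        return 200, body

    def post_transfer(self, session_id, params):
        expected = self._tokens.get(session_id)
        if expected is None or params.get("csrf") != expected:
            return 403, "invalid or expired csrf token"
        self._tokens[session_id] = None  # token is consumed on use
        return 200, f"transfer of {params.get('amount')} accepted"


# Capture group for the hidden field's value, as a Grep - Extract item or a
# macro parameter location would define it (hypothetical form layout).
TOKEN_RE = re.compile(r'name="csrf"\s+value="([0-9a-f]+)"')


def extract_token(body):
    """Return the CSRF token found in a response body, or None if absent."""
    match = TOKEN_RE.search(body)
    return match.group(1) if match else None


def batch_with_stale_token(app, session_id, payloads):
    """Naive batch: fetch the form once and reuse its token for every payload.
    Only the first request succeeds because the token is single-use."""
    _, body = app.get_form(session_id)
    token = extract_token(body)
    statuses = []
    for amount in payloads:
        status, _ = app.post_transfer(session_id, {"csrf": token, "amount": amount})
        statuses.append(status)
    return statuses


def batch_with_refresh(app, session_id, payloads):
    """What a macro (or a recursive-grep payload) does: before each attack
    request, re-fetch the form, extract the current token, then submit."""
    statuses = []
    for amount in payloads:
        _, body = app.get_form(session_id)
        token = extract_token(body)
        status, _ = app.post_transfer(session_id, {"csrf": token, "amount": amount})
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    app = DemoApp()
    print("stale token :", batch_with_stale_token(app, "sess-A", [10, 20, 30]))
    print("refreshed   :", batch_with_refresh(app, "sess-A", [10, 20, 30]))
```

Running the script shows the pattern that the self-monitoring exercises (Logger++ on Day 2) are meant to catch: a string of 403 responses after the first request is the signature of a stale token, and the refreshed batch returns 200 throughout. In Burp the refresh step is the macro attached to a session handling rule, or the “recursive grep” payload type in Intruder; the extraction regex is the part that has to be adapted to each application.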

Day 3

On the third day, we exclusively cover extensions. A large share of that time is dedicated to “meta extensions”, a term describing extensions which both cover recurrent needs (display, transform, export, ...) and can easily be adapted to specific situations. We also cover more specific extensions, including the ones enabling headless usage of Burp Suite Pro.

  • Companions: AutoChrome and PwnFox

  • Meta extensions: Logger++, Hackvertor, HTTP Mock, Piper, Turbo Data Miner, Stepper

  • Headless usage: using the REST APIs provided by Burp Buddy and VMware extensions

  • Other extensions: Turbo Intruder, Backslash Powered Scanner, Request Minimizer, ...

Day 4

The fourth day includes two distinct sections. The first one dives deep into the often overlooked built-in tools that are Audit and Crawl (previously known as Scanner and Spider), Collaborator and Infiltrator. The second section deals with the cumbersome and boring task of identifying authorization-based vulnerabilities, as we detail how different extensions can ease this process.

  • Scans and live tasks: differences between Burp v1 and v2 (terminology, GUI, usage), using the scanner as in v1, description and testing of the much-improved crawler, configuring and running specialized scans, observing the oriented graphs generated during crawling, using these graphs with “Crawl and Audit” (in order, for example, to scan CSRF-protected forms without resorting to macros)

  • Two-way communication with the target: deploying and using a private Collaborator instance, patching the target bytecode with Infiltrator in order to receive additional details (filename, line number, etc.), running an Infiltrator-only active scan

  • Authorization testing: from quick tests without specific configuration to deep tests requiring business-specific knowledge (extensions Authz, AutoRepeater, SessionAuth and AuthMatrix are covered)