NorthSec 2023

Burp Suite Pro tips and tricks, the sequel
2023-05-18, 16:45–17:15, Ville-Marie

Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. The underlying goal is to increase the efficiency of the testing workflow (in terms of both capabilities and speed). I presented a similar talk in 2013, but the tool and its ecosystem have changed significantly since then.

Among the topics to be covered:
- Improved usage of the Burp Suite GUI, from modifying default settings to increasing the speed of interaction (including hotkeys)
- Automation of recurrent tasks, mainly the transparent management of sessions (via both cookies and headers like JWT) and CSRF tokens
- Essential extensions like Hackvertor, Piper and Burp Bounty
- Efficiently find authorization bugs, on both APIs and web apps
- Niche knowledge about Collaborator (correlation) and Intruder (placeholders in wordlists)
- Poor man's automation pipeline, from a list of domains to findings
- Evergreen pieces of advice (on performance and live monitoring)
- How to stay up to date (a list of relevant online resources)

The talk includes self-hosted demos illustrating its most critical points.


What is the language of your talk/workshop?

English

Nicolas Grégoire has been auditing web apps for 20 years. He has been an official Burp Suite Pro trainer since 2015, and has trained nearly a thousand people since then, either privately or at public events. Other than that, he runs Agarri, a one-man business where he looks for security vulnerabilities for clients and for fun. His public talks (covering SSRF, XSLT, Burp Suite, ...) have been presented at numerous conferences around the world.