Early bird registration rate ends on the 31st of January
As nicely said in PoC||GTFO Volume II, « This is not a book about astronomy; rather, this is a book about telescopes ». In the same spirit, this training isn’t about Web hacking. Instead, this training is for Web hackers who want to master their toolbox.
Burp Suite Pro is the leading tool for auditing Web applications at large, but also a complex beast where new features get added every few weeks. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing.
Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding.
The training is aimed at Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with asshort-as-possible feedback loops.
If you wonder if previous attendees enjoyed the training, have a look at the public testimonials I compiled: link
Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects.
Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging-in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about it, thanks to prior rehearsals.
Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to live-assess themselves, in order to detect as early as possible any error and to allow for correction and self-improvement.
Every trainee goes through the main track, composed of nearly 100 challenges. Plenty of additional ones are available, depending on your speed, taste, skills and professional needs. No way to get bored! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, WebSockets, weak cryptography, webhooks, NoSQL injections, authorizations bugs, aggressive disconnection, JWT-authenticated APIs, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, …
After an introduction to the training platform and its challenges, this day is spent on well defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.
On the second day, challenges get more realistic: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools, possibly including extensions.
Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with Logger++). The latter skill will prove itself invaluable when working on session handling rules.
The third day is used to dig deeper in advanced subjects. That covers authorization testing, custom active scanning, Web Services and much more! Built-in features are pushed to their limits, and extra ones provided by extensions are commonly used.
