Burp Zeronights workshop

•Download as PPTX, PDF•

1 like•1,305 views

Igor Bulatenko

Burp Workshop about developing your own plugins.

Technology

Enlarge your burp
or how not to be afraid of JavaDocs
Igor Bulatenko
Ivan Elkin

#whoami
• #videns
• Head of QIWI application security department
• Former security software developer
• CTF player and organizer (TechnoPandas)
• JBFC Member 

What is all about
• Why people (us) use burp
• Burp 101
• Official info
• Other presentations
• Internals
• Plugins

Is it good?
• #1 among web scanners *
• Crossplatform
• Good for manual vulnerabilities testing
• Can scan whole internet
• Has plugins
• Most popular vulnerability checks
• Gartner challengers for AST

Unofficial infos
http://www.slideshare.net/jasonhaddix/bsides-final
http://www.slideshare.net/AugustDetlefsen/burp-extensions
http://www.slideshare.net/marcwickenden/burp-plugin-development-for-java-
n00bs-44-con
http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf
http://www.youtube.com/watch?v=Q2WK5LpDbxw
http://www.youtube.com/watch?v=N-IKHmGjf2c
https://twitter.com/everythingburp
http://www.slideshare.net/AugustDetlefsen/appsec-usa-2015-customizing-
burp-suite

Why improve it?
• Not correct use of API
• Scan fullness
• Time for implementing new techniques

Demo 01
• Simplest Plugin
• Show logging functionality (stdout, stderr)
• Log InsertionPoints info
• Nested InsertionPoint
• DoActiveScan
• How to debug in python (jython)

Demo 02
• DoActiveScan
• Building request for attack
• How requests are counted (scanner tab)
• Send requests via callbacks or via jython
• Highlighting in request/responses

Demo 03
• Error message check (http://virvales.blogspot.ru/2015/08/burp-stacktrace-
sniffer.html)
• HttpListener
• Manual adding scan issue

Demo 04
Insertion Point Provider
Custom Insertion Point, necessary methods
Logging payloads

Viewers also liked

AméricaSebastián Aliaga Buenaño

TurningPointA4-1107Mark McIntyre

5 ways data analytics lets you cosy up to clientsRedPixie

JustinDBeckResume2016Justin Beck

Ch10 printmakingUniversity of South Carolina Upstate

Ficha de evaluacion de desempeño 2015 edMg. Edgar Zavaleta Portillo

EVALUACIÓN DEL DESEMPEÑO LABORAL. Marly Rodriguez

wael Darwish CV4wael darwish

Viewers also liked (8)

América

TurningPointA4-1107

5 ways data analytics lets you cosy up to clients

JustinDBeckResume2016

Ch10 printmaking

Ficha de evaluacion de desempeño 2015 ed

EVALUACIÓN DEL DESEMPEÑO LABORAL.

wael Darwish CV4

Similar to Burp Zeronights workshop

Work with Developers for Fun and Progress - AppSec Californialeifdreizler

Manual JavaScript Analysis Is A BugLewis Ardern

Dev and Ops Collaboration and Awareness at Etsy and FlickrJohn Allspaw

APIs in production - we built it, can we fix it?Martin Gutenbrunner

Bug Bounty Career.pdfVishal318796

Firefox os how large open source project worksFred Lin

Code Review: How and WhenPaul Gower

窺探職場上所需之資安專業技術與能力 Tdohconfjack51706

ErjangJéferson Machado

What is being exposed from IoT DevicesThe Security of Things Forum

ITT 2015 - Vincent Garrigues - Continuous Integration at SoundCloudIstanbul Tech Talks

Keeping IoT stack in quality check - meetup IoT Under TestSilvair

Owasp owtf the offensive (web) testing framework + ptes penetration testing e...Mauro Risonho de Paula Assumpcao

How to be a Tizen CommitterEun Young Lee

Legal and efficient web app testing without permissionAbraham Aranguren

SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunk

Code Review: How and WhenPaul Gower

Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil

ProdSec: A Technical ApproachJeremy Brown

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

Similar to Burp Zeronights workshop (20)

Work with Developers for Fun and Progress - AppSec California

Manual JavaScript Analysis Is A Bug

Dev and Ops Collaboration and Awareness at Etsy and Flickr

APIs in production - we built it, can we fix it?

Bug Bounty Career.pdf

Firefox os how large open source project works

Code Review: How and When

窺探職場上所需之資安專業技術與能力 Tdohconf

Erjang

What is being exposed from IoT Devices

ITT 2015 - Vincent Garrigues - Continuous Integration at SoundCloud

Keeping IoT stack in quality check - meetup IoT Under Test

Owasp owtf the offensive (web) testing framework + ptes penetration testing e...

How to be a Tizen Committer

Legal and efficient web app testing without permission

SplunkLive! Munich 2018: Getting Started with Splunk Enterprise

Code Review: How and When

Heartbleed Bug Vulnerability: Discovery, Impact and Solution

ProdSec: A Technical Approach

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015

Recently uploaded

How to write a Business Continuity PlanDatabarracks

Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University

Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3

Commit 2024 - Secret Management made easyAlfredo García Lavilla

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely

Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson

From Family Reminiscence to Scholarly Archive .Alan Dix

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays

Advanced Computer Architecture – An IntroductionDilum Bandara

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

Recently uploaded (20)

How to write a Business Continuity Plan

Nell’iperspazio con Rocket: il Framework Web di Rust!

Developer Data Modeling Mistakes: From Postgres to NoSQL

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx

Commit 2024 - Secret Management made easy

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf

Are Multi-Cloud and Serverless Good or Bad?

From Family Reminiscence to Scholarly Archive .

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

DevoxxFR 2024 Reproducible Builds with Apache Maven

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack

Advanced Computer Architecture – An Introduction

Connect Wave/ connectwave Pitch Deck Presentation

Unleash Your Potential - Namagunga Girls Coding Club

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Ensuring Technical Readiness For Copilot in Microsoft 365

"Debugging python applications inside k8s environment", Andrii Soldatenko

Burp Zeronights workshop

1. Enlarge your burp or how not to be afraid of JavaDocs Igor Bulatenko Ivan Elkin

2. Sources https://goo.gl/oYjBTg (python)

3. #whoami • #videns • Head of QIWI application security department • Former security software developer • CTF player and organizer (TechnoPandas) • JBFC Member 

4. What is all about • Why people (us) use burp • Burp 101 • Official info • Other presentations • Internals • Plugins

5. Is it good? • #1 among web scanners * • Crossplatform • Good for manual vulnerabilities testing • Can scan whole internet • Has plugins • Most popular vulnerability checks • Gartner challengers for AST

6. Unofficial infos http://www.slideshare.net/jasonhaddix/bsides-final http://www.slideshare.net/AugustDetlefsen/burp-extensions http://www.slideshare.net/marcwickenden/burp-plugin-development-for-java- n00bs-44-con http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf http://www.youtube.com/watch?v=Q2WK5LpDbxw http://www.youtube.com/watch?v=N-IKHmGjf2c https://twitter.com/everythingburp http://www.slideshare.net/AugustDetlefsen/appsec-usa-2015-customizing- burp-suite

7. Why improve it? • Not correct use of API • Scan fullness • Time for implementing new techniques

8. How it works (spidering)

9. How its works (active scan)

10. Demo 01 • Simplest Plugin • Show logging functionality (stdout, stderr) • Log InsertionPoints info • Nested InsertionPoint • DoActiveScan • How to debug in python (jython)

11. Demo 02 • DoActiveScan • Building request for attack • How requests are counted (scanner tab) • Send requests via callbacks or via jython • Highlighting in request/responses

12. Demo 03 • Error message check (http://virvales.blogspot.ru/2015/08/burp-stacktrace- sniffer.html) • HttpListener • Manual adding scan issue

13. You’re doing it wrong

14. Right way

15. Demo 04 Insertion Point Provider Custom Insertion Point, necessary methods Logging payloads

16. The end (part 1)

Burp Zeronights workshop

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (8)

Similar to Burp Zeronights workshop

Similar to Burp Zeronights workshop (20)

Recently uploaded

Recently uploaded (20)

Burp Zeronights workshop