10. Playing around Proxy
Play around Message Analytics
Can also contain XML, AMF & ViewState
Intercept Request
Intercept Response
HTTP history: Params & Filter
Unhide hidden form fields
11. Exploiting with Intruder
Send lots of data & make sense of the response
Username Enumeration, Directory Fuzzing – XSS, SQLi, Path traversal
Add payload: FuzzDB, WebAppURLs, OWASP DirBuster
Demo: Save & Load attack Config
12. Stay calm & use
Scanner
Passive Scanning
Active Scanning
Use wisely!
Crawl -> Scan
Demo
Don’t go too fast
Be in-scope
13. Never miss anything - Repeater
Scratchpad
Demo
Change the way you want it
Try OPTIONS
14. The good Spider
Create lots of Pollution
Form Submissions
Do after manual Crawl
Demo
Some are only on Prod: robots.txt
Careful - it may follow a “Delete all users” link
Control threads
15. All about tokens - Sequencer
Test how random it is
Session, CSRF, Password reset etc
Min 100 tokens required
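An added example (not from the talk, and not Burp's own code) of the kind of per-position randomness check Sequencer automates, run over a constructed sample of exactly the 100-token minimum; token layout, the `make_tokens` helper and the 3.5-bit threshold are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

MIN_SAMPLE = 100  # Sequencer refuses fewer tokens; mirror that floor here


def make_tokens(n=100):
    """Constructed sample (not real application output): a fixed prefix,
    a zero-padded counter, then 8 hex chars derived from SHA-256 so the
    tail looks random while the example stays deterministic and offline."""
    tokens = []
    for i in range(n):
        tail = hashlib.sha256(f"demo-{i}".encode()).hexdigest()[:8]
        tokens.append(f"SESS{i:04d}{tail}")
    return tokens


def position_entropy(tokens):
    """Shannon entropy (bits) of the character seen at each position."""
    if len(tokens) < MIN_SAMPLE:
        raise ValueError(f"need at least {MIN_SAMPLE} tokens, got {len(tokens)}")
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must be fixed width for a per-position test")
    n = len(tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def weak_positions(tokens, min_bits=3.5):
    """Positions whose entropy is below min_bits. A 4-bit hex digit sampled
    100 times lands near 3.9 bits, so anything under 3.5 is predictable:
    a constant, a counter, or a low-cardinality field."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < min_bits]


if __name__ == "__main__":
    toks = make_tokens()
    for pos, bits in enumerate(position_entropy(toks)):
        print(f"pos {pos:2d}: {bits:.2f} bits")
    print("weak positions:", weak_positions(toks))
```

With the constructed sample, the prefix and counter (positions 0-7) are flagged while the hash-derived tail passes; a real session or CSRF token should show no weak positions at all.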
16. Find the secret - Decode
No Key - No Security
Encode != Security
Demo
Send to Decoder
20. Maintenance
Save State
Save in-scope only
Restore State
Don’t restore from untrusted sources
Auto backup
Schedule Task: Save State - Creates only 1 file
21. Some more if you need
Right click & you get it all
Shortcuts: Options > Misc > Hotkeys
22. References & Reads
Burp Suite Essentials by Akash Mahajan
10 Unbeatable Features of Burp Suite Pro
Official Documentation
Pen Testing with Burp Suite
Real life tips & tricks