Budapest, JUN13
Budapest, 1906 [past]
Burp for testers and developers

Budapest (HU), 1-day intensive training

Early tickets till MAY31: €470 net [148KHUF+VAT]
Final price: €580 net [185KHUF+VAT]/seat.

* Note: there was also 'WebAppSec testing/fixing' workshop the following day.

Onsite pizza lunch by
Green Fox Academy.

June 13 (Thu), 9:00-18:00
Green Fox Academy, Budapest
 Zsombor Kovács
course topics
upon completion
certificate of attendance

Burp Suite for testers and developers

The purpose of the workshop is to provide testers and developers an overview how the Burp suite can be used for web testing work. Even though Burp is primarily designed for penetration testers, its sophisticated capabilities can come handy for everyone whose job is to perform general bug hunting in web applications.

By the end of the training, participants will have a general understanding of how web applications work under the hood, how to use Burp for troubleshooting errors and how to utilize Burp's tool set for re-creation of error conditions by manual HTTP traffic manipulation.

Burp for developers

from the 'DIY security testing' series

full title
Burp Suite for testers and developers
course level
practical baseline
testers, developers, security champions, junior security testers
1 XL day, 7 hrs education time
a laptop with Linux desktop native or virtualized or MacOS
Burp (ideally a licensed Pro version, but the Community version is mostly enough); Firefox w FoxyProxy, Wireshark, nmap, socat
qualification requirement
general understanding of how networks work; familiarity with HTML and simple JS code

Understanding Burp

Computer networking in general
The HTTP protocol. Requests and responses. Stateful and stateless protocol philosophy and built-in hacks in HTTP.
Browsers and web applications
Executable code vs. static code. Basic browser features (cookies, caching etc.) and potential pitfalls.
Web proxies
Different types, features. TLS/SSL related issues. Advantages, disadvantages of proxy implementations.
Burp at a glance
Overall philosophy of the GUI. Sending requests internally between tools. Basic use of the GUI for static HTTP traffic inspection.
Burp and networking
TLS/SSL, certificates, the PortswiggerCA. Importing and exporting certificates. Potential pitfalls with the oh-so-many different SSL certificate formats. Downstream and upstream proxies.
The Target tab
The significance of scope settings. Exclusion lists and the proper scope selection process.
The Spider tab
Operation, caveats and results. Throttling and performance issues.
The Repeater
Operation, use of this versatile tool in several scenarios.
The Sequencer
Setup, parametrization and use. Result interpretation.
The Intruder
Interaction with repeater. The payload position template. Different types of payloads. Attack types (sniper, pitchfork etc.) and usage. Payload selection and pre-send processing. Throttling and result interpretation.
The Decoder
Different encodings and external tools to enhance the efficiency of the process.
The Extender
Basic concepts, the Burp API. Writing extensions for various tasks in Python.

Mastering Burp

In this session, lifelike challenges will be presented to participants as small web applications modelling real-life scenarios, which can be overcome by using and fine-tuning several tools in conjunctions within Burp.

This workshop was delivered by

Zsombor Kovács is a security specialist with many years of hands-on experience in penetration testing in Budapest, London and Zürich. Besides penetration tests performed on mobile device (both iOS and Android) his main focus is application and infrastructure evaluation. Zsombor conducts penetration tests and malware analysis on a daily basis. He found vulnerabilities in all sorts of Android and iOS applications from e-banking and telecommunication to document management, to MDM. He also has been involved in projects dealing with incident response, forensic engineering, reversing, physical security and social engineering. Zsombor is keen on everything related to hacking from finding bugs in mobile applications to secdev consulting, to lock picking and RFID hacking and exploring the human psyche.

Recently, Zsombor got involved in secure development trainings on both mobile platforms.

From the trainings record of Zsombor:
LogMeIn, GoToMeeting, defdev1611, defdev1805

The workshop was hosted by

For sponsors

def[dev]eu events provide a unique opportunity for the secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments

Contact us at [email protected], direct message us on twitter @defdeveu or call +32476222722 [Timur].

The training was supported by