My key takeaways
- AWS doesn’t allow testing from a workspace
- Testing inside seems not to violate the TOS
- Always create a "new project on disk" instead of a "temporary project" in Burp
- In the "Target" tab under sitemaps
  - black text: Burp has seen request and response
  - gray text: Burp has seen a link to this in a request
- During mapping, spend most of the time in the Proxy tab
  - requests are listed in the order they were made
- if you search in Intruder and click back and forth through the requests, it gets highlighted when something juicy appears
- you can have multiple tabs open in Burp. It’s Java…
  - and you can rename them to find them again later on
- Decoder is nice for quickly checking encoded strings
- Use extensions depending on the project
  - too many active extensions will slow down Burp significantly
Env
Provided by Wild West Hackin’ Fest
Speaker
Additional links
- https://github.com/ProfessionallyEvil/pewapt101
- https://owasp.org/www-project-samuraiwtf/
- https://retirejs.github.io/retire.js/
- https://portswigger.net/bappstore/0ac13c45adff4e31a3ca8dc76dd6286c
- https://github.com/danielmiessler/SecLists
User comments
- NASec — today at 18:08
  ZAP is the way to go if you don’t have the Pro version of Burp and need to Fuzz. Intruder just too slow
- JohnnyRocket — today at 18:52
  like color coding the proxy results after initial review of site – all manually found URLs are a different color