March 23

Webinar takeaway – Tactical BurpSuite


My key takeaways

  • AWS doesn’t allow to test from a workspace
    • Testing inside seems to not violate the TOS
  • Always create a "new project on disk" instead of a "temporary project" in Burp
  • In the "Target" tab under sitemaps
    • black text : Burp has seen request and response
    • gray text: Burp has seen a link to this in a request
  • during mapping spend most time in the proxy tab
    • requests are in order of the request made
  • if you search in intruder and click through the requests back and forward, you get it highlighted when something juicy appears
  • you can have multiple tabs open in Burp. It’s Java…
    • and you can rename them to find them also later on
  • Decoder is nice to check encoded strings fast
  • Use extensions depending on the project
    • to many extensions active will slow down Burp significantly


additional links

User comments

  • NASec — heute um 18:08 Uhr
    ZAP is the way to go if you don’t have the Pro version of Burp and need to Fuzz. Intruder just too slow

  • JohnnyRocket — heute um 18:52 Uhr
    like color coding the proxy results after initial review of site – all manually found URLs are a different color


penetration test, pentest, webapp, websec

You may also like

Event takeaway: Layer8 Conference

Event takeaway: Layer8 Conference

Webinar takeaway: Getting Started with Burp Suite & Webapp Pentesting

Webinar takeaway: Getting Started with Burp Suite & Webapp Pentesting
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}