RomHack Training

Burp Suite Pro, 100% hands-on

Nicolas Grégoire

Dates

23-26 Sep. 2025

9:00 – 18:00

EARLY BIRD PRICE

€ 4.000,00

€ 3.600,00

Course objectives

This is a training for Web hackers who want to master their toolbox. Burp Suite Pro is the leading tool for auditing Web applications at large, but also a complex beast where new features get added every few weeks. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding.

Training outcomes

  • Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects.
  • Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about them, thanks to prior rehearsals.
  • Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to assess themselves live, in order to detect any error as early as possible and to allow for correction and self-improvement.

About the trainer

Nicolas Grégoire has been auditing web apps for 20 years. He has been an official Burp Suite Pro trainer since 2015, and has trained more than a thousand people since then, either privately or at public events. Other than that, he runs Agarri, a one-man business where he looks for security vulnerabilities for clients and for fun. His public talks (covering SSRF, XSLT, Burp Suite, ...) have been presented at numerous conferences around the world.

Required skills

  • Working knowledge of common Web vulnerabilities (XSS, SQLi, SSRF, etc.)
  • Good knowledge of Burp Suite (at least UI navigation, traffic interception and replay)
    Warning: people new to Burp Suite will not get much value from the training!

What to bring?

  • Laptop (with appropriate WiFi connectivity)
  • 64-bit OS supported by Burp Suite Pro (Linux, Windows or Mac)
  • Optional Burp Suite Pro license and installers (can be provided by the trainer for the duration of the training)

What will be provided?

Four days of hands-on practice!

  • An indexed and searchable slide deck (more than 600 pages)
  • The whole training platform (around 20 containers and hundreds of challenges)
  • A custom Burp Suite configuration
  • A cheat-sheet of hotkeys
  • Access to private channels of our Discord server
  • Optional Burp Suite Pro license and installers can be provided by the trainer for the duration of the training

CLASS SYLLABUS¹

DAY 1

After an introduction to the training platform and its challenges, the day is spent on well-defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.

  • Introduction: rules and advice, connecting to the network, description of the training platform and its challenges
  • Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data
  • Match & Replace: well-known examples, live traffic modifications
  • Repeater: keyboard-only usage, replaying WebSockets traffic
  • Intruder: coverage of all attack types and most payload types, automatic processing of results with “Grep – Match” and “Grep – Extract”, data extraction, managing CSRF-tokens without session handling rules, atypical injection points, frobbing and fuzzing
  • Traffic interception: HTTP exchanges and WebSocket messages are intercepted and manually modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That’s the only section where “Intercept is On” isn’t a problem 😉

DAY 2

The second day is dedicated to macros and session handling rules, first on Web applications, then on APIs (both SOAP Web services and REST endpoints). Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (with the built-in Logger tool or with the Logger++ extension). The latter skill will later prove invaluable when debugging advanced automation scenarios.

  • Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging-in automatically). We also cover session handling rules being applied to third-party tools like sqlmap
  • REST APIs and SOAP Web services: why a specific toolbox is needed, how to generate requests from definition files (WSDL, OpenAPI, etc.), using session handling rules to manage authentication in cookie-less environments

DAY 3

On the third day, we exclusively cover extensions. A large share of that time is dedicated to “meta extensions”. This term describes extensions which at the same time cover recurrent needs (display, transform, export, …) and can easily be adapted to specific situations. We also cover more specific extensions, including the ones enabling headless usage of Burp Suite Pro.

  • Meta extensions: Logger++, Hackvertor, HTTP Mock, Piper, Turbo Intruder
  • Other extensions: WSDLer, Sharpener, Paramalyzer, Backslash Powered Scanner, Turbo Data Miner, Request Minimizer, Stepper, …

DAY 4

The fourth day includes two distinct sections. The first one dives deep into the often-overlooked built-in tools: Audit and Crawl, Collaborator and Infiltrator. The second section deals with the often cumbersome and boring task of identifying authorization-based vulnerabilities, as we detail how different extensions can ease this process.

  • Scans and live tasks: configuring default tasks, using the crawler, configuring and running specialized scans, observing the directed graphs generated during crawling, using these graphs with “Crawl and Audit” (in order, for example, to scan CSRF-protected forms without resorting to macros)
  • Two-way communication with the target: deploying and using a private Collaborator instance, patching the target bytecode with Infiltrator in order to receive additional details (filename, line number, etc.), running an Infiltrator-only active scan
  • Authorization testing: from quick tests without specific configuration to deep tests requiring business-specific knowledge (extensions “Authz”, “AutoAnalyzer” and “AuthMatrix” are covered)

¹ Schedule of lectures on the specified days may be subject to changes