Restoring Testability: Handling Complex Scenarios in Burp Suite with a Custom Extension

“When performing security assessments on HTTP-based applications, whether web, mobile, APIs, or thick clients, the standard workflow is straightforward: put Burp Suite in the middle, and you’re good to go. Most of the time, that’s all you need. Every now and then, though, you run into a small but significant class of applications where that workflow breaks down. Custom protocols, payload encryption, request signatures, replay protection, non-standard encoding, these are the scenarios where you can no longer work manually the way you’re used to, and where Burp’s automated tools (Intruder, Scanner) stop being useful because they’re operating on data they can’t meaningfully read or modify. In this talk I took one of these complexities as example, additional payload encryption, and used it as a vehicle to explore advanced approaches based on custom Burp extensions to restore full testability: working manually in Proxy and Repeater, running automated tools like Intruder and Scanner, and even driving external tools like SQLMap through Burp, all as if the complexity simply weren’t there.” submitted by /u/0xdea [link] [comments]Technical Information Security Content & DiscussionRead More