[T2] Burp Suite Pro
by Nicolas Grégoire (@Agarri_FR)

Author: Nicolas Grégoire (@Agarri_FR)
Language: French or English
Number of participants: 5 to 15
Price: 750.- CHF
Date and time: Nov. 1 - 8:00-17:30


This training is designed for Web penetration testers familiar with the Burp Suite Pro auditing tool. Based on the "Mastering Burp Suite Pro – 100% hands-on" class, this session is expected to go much faster, while covering interesting problems faced in everyday engagements and significantly enhancing your automation skills. The numerous elaborately designed challenges will guide trainees during this full day of intense-but-fun Burp Suite Pro practice.

Table of content:

  1. Intruder’s small secrets
    • Covering the whole 7-bit range
    • Traversing linked lists
  2. Advanced automation
    • Dealing with anti-CSRF tokens (using “Recursive Grep”, Intruder only)
    • Dealing with anti-CSRF tokens (using “Session Handling Rules”, all tools)
  3. Modern pwnag
    • Cryptographic flaws (using the Crypto Attacker extension)
    • Out-of-band callbacks (using Burp Collaborator and custom tools)
  4. Useful extensions
    • Data manipulation with Hackvertor
    • Visually aided authorization checks with AuthMatrix and SessionAuth
  5. Extending the tool
    • Quick addition of custom request editors and response viewers to Intruder
    • Looking for SSRF bypasses with extension-generated obfuscated IP addresses

Audience type:

Advanced users of Burp Suite Pro.


Each participant should bring a laptop.


750.- CHF


Nicolas Grégoire has more than 15 years of experience in penetration testing and auditing of networks and (mostly web) applications. He is also one of the few official "Burp Suite Training Partners". Some years ago, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research (XSLT, XXE, SSRF, ...) was presented at numerous conferences around the world and he was publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products. He occasionally participates in bug bounties, and earned some of the largest rewards paid by Facebook, Yahoo, Coinbase and Prezi.