Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/doyensec/burpdeveltraining

Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
https://github.com/doyensec/burpdeveltraining

burp-plugin burpsuite java security-automation training-materials

Last synced: 2 months ago
JSON representation

Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"

Lists

README 

        
# Developing Burp Suite Extensions



[![Doyensec](https://www.doyensec.com/images/logo.svg)](https://www.doyensec.com/images/logo.svg)



This repository contains the slides and code for the training *Developing Burp Suite Extensions - From Manual Testing to Security Automation*



# Content

  - **BurpExtensionTemplate** - Empty extension templates for NetBeans, Eclipse and IDEA

  - **HelloBurp** - Our first Burp extension

  - **SiteLogger** - Log sitemap and findings to database (MongoDB)

  - **ReplayAndDiff** - Replay a scan with a fresh session and diff the results

  - **DetectSRI** - Passive scanner check to detect the use of Subresource Integrity (SRI) attribute

  - **DetectELJ** - Active scanner check to detect Expression Language (EL) injection vulnerabilities

  - **Bradamsa** - Simplified code of [Bradansa Intruder payloads generator](https://github.com/ikkisoft/bradamsa)

  - **Doyensec_DevelopingBurpSuiteExtensionsTraining.pdf** - Full slides of the training (PDF, 155 pages)



All exercises are provided in *Java*, *Python* and *Ruby*. 



This work is licensed under the Creative Commons **Attribution-NonCommercial-ShareAlike** 3.0 Unported (CC BY-NC-SA 3.0). You are free to **Share** and **Adapt** under the following terms: **Attribution**, **NonCommercial**, **ShareAlike**.



### Overview of the class

In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. In a few hours, we work on several plugins to improve manual security testing efforts as well as to create fully-automated security tools. This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. As an attendee, you will bring home a full bag of tricks that will take your web security skills to the next level. The class is available in 1-day and 2-days versions.

### Audience

Suitable for both web application security specialists and developers. Attendees are expected to have rudimental understanding of Burp Suite as well as basic object-oriented programming experience. While Burp extensions are developed live in Java, attendees can work on Python or Ruby since all exercises are also provided in those languages.

### Interested?

More details on what to expect from this class can be found on our [blog post](https://blog.doyensec.com/2017/03/02/training-burp.html).

We deliver this class during public events (e.g. security conferences) as well as private company workshops. If you're interested in a forthcoming public training or you want to know more about private classes, please contact [email protected]