Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/doyensec/burpdeveltraining
Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
burp-plugin burpsuite java security-automation training-materials
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/doyensec/burpdeveltraining
- Owner: doyensec
- License: other
- Created: 2017-02-24T16:43:46.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-10-14T20:44:08.000Z (about 4 years ago)
- Last Synced: 2024-04-28T04:35:11.091Z (6 months ago)
- Topics: burp-plugin, burpsuite, java, security-automation, training-materials
- Language: Java
- Homepage:
- Size: 8.5 MB
- Stars: 346
- Watchers: 31
- Forks: 75
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
- awesome-burp-extensions - Developing Burp Suite Extensions - Doyensec
- awesome-hacking-lists - doyensec/burpdeveltraining - Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation" (Java)
README
# Developing Burp Suite Extensions
[![Doyensec](https://www.doyensec.com/images/logo.svg)](https://www.doyensec.com/images/logo.svg)
This repository contains the slides and code for the training *Developing Burp Suite Extensions - From Manual Testing to Security Automation*.
# Content
- **BurpExtensionTemplate** - Empty extension templates for NetBeans, Eclipse and IDEA
- **HelloBurp** - Our first Burp extension
- **SiteLogger** - Log sitemap and findings to database (MongoDB)
- **ReplayAndDiff** - Replay a scan with a fresh session and diff the results
- **DetectSRI** - Passive scanner check to detect the use of the Subresource Integrity (SRI) attribute
- **DetectELJ** - Active scanner check to detect Expression Language (EL) injection vulnerabilities
- **Bradamsa** - Simplified code of the [Bradamsa Intruder payloads generator](https://github.com/ikkisoft/bradamsa)
- **Doyensec_DevelopingBurpSuiteExtensionsTraining.pdf** - Full slides of the training (PDF, 155 pages)

All exercises are provided in *Java*, *Python* and *Ruby*.
This work is licensed under the Creative Commons **Attribution-NonCommercial-ShareAlike** 3.0 Unported (CC BY-NC-SA 3.0). You are free to **Share** and **Adapt** under the following terms: **Attribution**, **NonCommercial**, **ShareAlike**.
### Overview of the class
In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. In a few hours, we work on several plugins to improve manual security testing efforts as well as to create fully-automated security tools. This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve the efficiency and effectiveness of security auditing. As an attendee, you will bring home a full bag of tricks that will take your web security skills to the next level. The class is available in 1-day and 2-day versions.
### Audience
Suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic object-oriented programming experience. While Burp extensions are developed live in Java, attendees can work in Python or Ruby since all exercises are also provided in those languages.
### Interested?
More details on what to expect from this class can be found on our [blog post](https://blog.doyensec.com/2017/03/02/training-burp.html).
We deliver this class during public events (e.g. security conferences) as well as private company workshops. If you're interested in a forthcoming public training or you want to know more about private classes, please contact [email protected]