5 tips on how I used Burp Pro in my 85+ pentests in 2022:
(thread)
1. Use “TLS Pass Through” to cancel out as much noise as possible, and save your configuration to file. Here’s a small portion of my personal config.
Alternatively, you can use scoping, but I find that as being more restrictive.
5. Use regex filtering with negative search in “HTTP History” and Target “Site map” to further clean up your testing. Here’s what my personal config looks like.
3. Use the Extensions library to put your testing on steroids. My personal favorites are GraphQL Raider, Autorize and Upload Scanner.
4. Save user and project settings as a template and adapt for each pentest (very time-saving!)
5. Automatic backup every 15 minutes (or less!). This feature alone has saved me from a lot of trouble countless times.
6. (Bonus): Name your repeater tabs
I usually do the majority of testing first, then the report writing. It’s much easier when writing the report if, beforehand, I name my tabs accordingly.
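Tip 2 relies on a single regex that, with “Negative search” ticked, hides everything it matches. The thread’s own pattern is only in the screenshot, so here is an added example (not the author’s config) that builds a hypothetical noise pattern, runs it over a constructed sample of history entries, and shows the same filter written as a negative lookahead for cases where there is no “Negative search” checkbox. The host names, paths, and the pattern itself are constructed for illustration.

```python
import re

# Constructed sample of proxy-history entries (host + path), standing in for
# what the HTTP history tab shows mid-test. Not taken from the original thread.
SAMPLE_HISTORY = [
    "app.example.com/api/v1/users",
    "app.example.com/static/js/vendor.bundle.js",
    "app.example.com/assets/logo.png",
    "www.google-analytics.com/collect",
    "fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2",
    "app.example.com/api/v1/upload?type=image",
    "app.example.com/login",
    "cdn.example.com/css/main.css",
]

# Hypothetical noise pattern: static assets (by extension, at end of path or
# before a query string) plus third-party telemetry hosts. Everything this
# matches is HIDDEN when pasted into Burp's filter with "Regex" and
# "Negative search" ticked. Burp uses Java regex; this syntax is identical there.
NOISE_PATTERN = (
    r"\.(?:js|css|map|png|jpe?g|gif|svg|ico|woff2?|ttf)(?:\?|$)"
    r"|google-analytics\.com|gstatic\.com"
)
NOISE = re.compile(NOISE_PATTERN, re.IGNORECASE)

# Same rule as a positive match using a negative lookahead, for filter fields
# (or other tools) that only offer "show what matches".
KEEP = re.compile(r"^(?!.*(?:" + NOISE_PATTERN + r")).*$", re.IGNORECASE)


def apply_negative_filter(entries, noise=NOISE):
    """Return the entries that survive a negative search (do NOT match the noise regex)."""
    return [e for e in entries if not noise.search(e)]


def apply_lookahead_filter(entries, keep=KEEP):
    """Return the entries kept by the lookahead form; must agree with apply_negative_filter."""
    return [e for e in entries if keep.match(e)]


if __name__ == "__main__":
    for entry in apply_negative_filter(SAMPLE_HISTORY):
        print(entry)
```

The lookahead form is what to reach for when adding the same rule to a scope or a Site map filter that lacks the negative checkbox; `re.IGNORECASE` here corresponds to leaving “Case sensitive” unticked in Burp. Extend the extension list conservatively: hiding `.json` or `.xml` would also hide API responses, which is exactly the traffic a test is about.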