SlideShare a Scribd company logo

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf

N
NullHyderabad

The document discusses using custom scan profiles in Burp Suite to efficiently detect web application vulnerabilities. It introduces Burp Suite's configuration library and built-in scan profiles. It then explains how to create custom scan profiles tailored to specific vulnerability categories. The document demonstrates how custom profiles can efficiently detect vulnerabilities by focusing scans on particular parameters and endpoints. It also discusses extending scanning capabilities through Burp extensions and open source tools.

Technology
1 of 14
Download to read offline
Finding Web Application vulnerabilities with Burp Suite Scan Profiles
#Whoami MOHAMMAD SAQLAIN (mrroot) Application Security Engineer Bug Bounty Hunter
Agenda 1. Introduction to Burp Suite Configuration Library 2. Understanding Burp Suite Scan Profiles 3. Creating Burp Suite Custom Scan Profiles 4. Efficiently detecting vulnerabilities with Custom Scan Profiles 5. Using Burp Extensions and Open Source tools to detect vulnerabilities
Introduction to Burp Suite Configuration Library Burp Suite comes with a range of built-in setting profiles which can help users to quickly fuzz an application's endpoints. Crawl options : control Scanner’s behavior during the crawl phase of the scan. Audit options : control Scanner's behavior during the audit phase of the scan.
Understanding Burp Suite Scan Profiles https://portswigger.net/burp/documentation/scanner/scan-configurations/burp-scanner-built-in-configs
Creating Burp Suite Custom Scan Profiles
Creating Burp Suite Custom Scan Profiles
Creating Burp Suite Custom Scan Profiles
Creating Burp Suite Custom Scan Profiles Based on the vulnerability category, we can create as many custom profiles as we require Such as ● Path Traversal ● XML Entity Injection ● Server Side Request Forgery ● Web Cache Poison ● HTTP Request Smuggling ● Cross Origin Resource Sharing These custom profiles are incredibly useful when you need to search for vulnerabilities on specific parameters and endpoints, allowing you to efficiently and effectively detect any potential vulnerabilities.
Efficiently detecting vulnerabilities with Custom Scan Profiles Demo Time
Extending Scanning Capabilities : Active Scan++ - https://github.com/PortSwigger/active-scan-plus-plus Backslash Powered Scanner - https://github.com/portswigger/backslash-powered-scanner Authorization checks : Auth Analyzer - https://github.com/PortSwigger/auth-analyzer Upload functionality checks : Upload Scanner - https://github.com/PortSwigger/upload-scanner Applying various Encoding, Hashing, and Encryption Techniques : Hackvertor - https://github.com/portswigger/hackvertor GraphQL technology security auditing InQL Scanner - https://github.com/portswigger/inql Finding Potential Parameters GAP - https://github.com/xnl-h4ck3r/GAP-Burp-Extension Other Extensions - https://github.com/snoopysecurity/awesome-burp-extensions Using Burp Extensions & Open Source tools to detect vulnerabilities
Any Questions…
Conclusions ● Don’t spray and pray…. Find the right way ● Be a Pentester not Fun Tester ● Remember Human > Machine ( even ChatGPT ) 😂
Contact

Recommended

Introduction to financial management
Introduction to financial managementIntroduction to financial management
Introduction to financial managementSrinivas Methuku
 
PMS MUTUAL FUNDS & AIF IN INDIA
PMS MUTUAL FUNDS & AIF IN INDIAPMS MUTUAL FUNDS & AIF IN INDIA
PMS MUTUAL FUNDS & AIF IN INDIApurtikaunder
 
Credit evaluation slide share
Credit evaluation slide shareCredit evaluation slide share
Credit evaluation slide shareZahari Aziz
 
Liquidity Management.pptx
Liquidity Management.pptxLiquidity Management.pptx
Liquidity Management.pptxParamesh P
 
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy MohaliBurp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohalicyberforgeacademy
 
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy MohaliBurp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohalicyberforgeacademy
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 

Recommended

Introduction to financial management
Introduction to financial managementIntroduction to financial management
Introduction to financial managementSrinivas Methuku
 
PMS MUTUAL FUNDS & AIF IN INDIA
PMS MUTUAL FUNDS & AIF IN INDIAPMS MUTUAL FUNDS & AIF IN INDIA
PMS MUTUAL FUNDS & AIF IN INDIApurtikaunder
 
Credit evaluation slide share
Credit evaluation slide shareCredit evaluation slide share
Credit evaluation slide shareZahari Aziz
 
Liquidity Management.pptx
Liquidity Management.pptxLiquidity Management.pptx
Liquidity Management.pptxParamesh P
 
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy MohaliBurp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohalicyberforgeacademy
 
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy MohaliBurp Suite 101 - Online Sync Meetup by CyberForge Academy Mohali
Burp Suite 101 - Online Sync Meetup by CyberForge Academy Mohalicyberforgeacademy
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Computer security
Computer securityComputer security
Computer securityMohamed Abdo
 
Android application analyzer
Android application analyzerAndroid application analyzer
Android application analyzerSanjay Gondaliya
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomationLinkesh Kanna Velu
 
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...n|u - The Open Security Community
 
Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Wlad1m1r
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
Burp suite
Burp suiteBurp suite
Burp suitepenetration Tester
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java scDefcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java scFelipe Prado
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

More Related Content

Similar to Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Android application analyzer
Android application analyzerAndroid application analyzer
Android application analyzerSanjay Gondaliya
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...n|u - The Open Security Community
 
Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Wlad1m1r
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java scDefcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java scFelipe Prado
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 

Similar to Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf (20)

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Computer security
Computer securityComputer security
Computer security
 
Android application analyzer
Android application analyzerAndroid application analyzer
Android application analyzer
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malwa...
 
Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011Acunetix technical presentation v7 setembro2011
Acunetix technical presentation v7 setembro2011
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
Burp suite
Burp suiteBurp suite
Burp suite
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java scDefcon 23 - hariri spelman gorenc - abusing adobe readers java sc
Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf

  • 1. Finding Web Application vulnerabilities with Burp Suite Scan Profiles
  • 2. #Whoami MOHAMMAD SAQLAIN (mrroot) Application Security Engineer Bug Bounty Hunter
  • 3. Agenda 1. Introduction to Burp Suite Configuration Library 2. Understanding Burp Suite Scan Profiles 3. Creating Burp Suite Custom Scan Profiles 4. Efficiently detecting vulnerabilities with Custom Scan Profiles 5. Using Burp Extensions and Open Source tools to detect vulnerabilities
  • 4. Introduction to Burp Suite Configuration Library Burp Suite comes with a range of built-in setting profiles which can help users to quickly fuzz an application's endpoints. Crawl options : control Scanner’s behavior during the crawl phase of the scan. Audit options : control Scanner's behavior during the audit phase of the scan.
  • 5. Understanding Burp Suite Scan Profiles https://portswigger.net/burp/documentation/scanner/scan-configurations/burp-scanner-built-in-configs
  • 6. Creating Burp Suite Custom Scan Profiles
  • 7. Creating Burp Suite Custom Scan Profiles
  • 8. Creating Burp Suite Custom Scan Profiles
  • 9. Creating Burp Suite Custom Scan Profiles Based on the vulnerability category, we can create as many custom profiles as we require Such as ● Path Traversal ● XML Entity Injection ● Server Side Request Forgery ● Web Cache Poison ● HTTP Request Smuggling ● Cross Origin Resource Sharing These custom profiles are incredibly useful when you need to search for vulnerabilities on specific parameters and endpoints, allowing you to efficiently and effectively detect any potential vulnerabilities.
  • 10. Efficiently detecting vulnerabilities with Custom Scan Profiles Demo Time
  • 11. Extending Scanning Capabilities : Active Scan++ - https://github.com/PortSwigger/active-scan-plus-plus Backslash Powered Scanner - https://github.com/portswigger/backslash-powered-scanner Authorization checks : Auth Analyzer - https://github.com/PortSwigger/auth-analyzer Upload functionality checks : Upload Scanner - https://github.com/PortSwigger/upload-scanner Applying various Encoding, Hashing, and Encryption Techniques : Hackvertor - https://github.com/portswigger/hackvertor GraphQL technology security auditing InQL Scanner - https://github.com/portswigger/inql Finding Potential Parameters GAP - https://github.com/xnl-h4ck3r/GAP-Burp-Extension Other Extensions - https://github.com/snoopysecurity/awesome-burp-extensions Using Burp Extensions & Open Source tools to detect vulnerabilities
  • 13. Conclusions ● Don’t spray and pray…. Find the right way ● Be a Pentester not Fun Tester ● Remember Human > Machine ( even ChatGPT ) 😂