Understanding Burp Extension: Replicator
Neelu Tripathy
Senior Consultant, NotSoSecure
Agenda
• Burp Extensions
• Why Replicator
• Deployment & Use
• Modes
• When To Use
Burp Extensions
• Web Proxy
• Tampering: Input Validation Issues
• Authentication module: SAML Raider, EsPreSSO
• Logging: Logger++
• Web Services: Wsdler
• Serialization: PHP Object Injection Check
• Known Component Issues: Software Vulnerability Scanner
• PoC: Replicator
Why Replicator?
• Pentesting-focused, built for developers
• Used twice: before and after the fix is applied
• One per instance, especially where encoding or fuzzing is involved
• Dev: should understand it is just a PoC and can have variations
• Finding-wise: one session macro per user
Deployment & Use: Modes
Tester Mode
• Immediate PoC from the Burp tool
• Input from other tools: specify expressions manually
• Create session macro
• Scrub cookies & save to Replicator
Developer Mode
• Load all
• Use inbuilt session macros
• Works across environments (dev, pre-prod, etc.)
• Test all after clearing cookies
• Treat as sample PoC
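To make the two modes concrete, the following is an added Python model of the workflow the slides describe: the tester records a finding as a request plus a detection expression, scrubs session cookies before handing it over, and the developer replays it with a fresh session before and after the fix. This is illustrative code written for this page, not the extension's own code or file format; the application stand-ins, the request, the reflected marker and all function names are constructed.

```python
"""Model of the Replicator tester/developer workflow (hypothetical helper code,
not the Burp extension's own API or file format)."""
import re
from dataclasses import dataclass
from html import escape
from urllib.parse import parse_qs, urlsplit

# Headers that carry the tester's own session and must not leave the tester's machine.
SESSION_HEADERS = {"cookie", "authorization"}


@dataclass
class Finding:
    name: str
    raw_request: str   # raw HTTP/1.1 request text, already scrubbed of session headers
    expression: str    # regex that matches the response only while the issue is present


def scrub_session(raw_request: str) -> str:
    """Tester side: drop Cookie/Authorization so the shared PoC carries no live session."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    kept = [h for h in headers
            if h.split(":", 1)[0].strip().lower() not in SESSION_HEADERS]
    return "\r\n".join([request_line, *kept]) + sep + body


def has_session(raw_request: str) -> bool:
    """Check a PoC before loading it: True if any session header survived scrubbing."""
    head = raw_request.partition("\r\n\r\n")[0]
    return any(h.split(":", 1)[0].strip().lower() in SESSION_HEADERS
               for h in head.split("\r\n")[1:])


def apply_session_macro(raw_request: str, cookie: str) -> str:
    """Developer side: insert the fresh session the environment's own macro obtained."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    return head + "\r\nCookie: " + cookie + sep + body


def replicate(finding: Finding, send, cookie: str) -> str:
    """Replay one finding through send(raw_request) -> response_text and classify it."""
    response = send(apply_session_macro(finding.raw_request, cookie))
    return "STILL_PRESENT" if re.search(finding.expression, response) else "NOT_REPRODUCED"


# --- constructed stand-ins for the application before and after the fix ---
def _query_param(raw_request: str, name: str) -> str:
    target = raw_request.split("\r\n", 1)[0].split(" ")[1]
    return parse_qs(urlsplit(target).query).get(name, [""])[0]


def _authenticated(raw_request: str) -> bool:
    return "Cookie: session=" in raw_request


def vulnerable_app(raw_request: str) -> str:
    """Pre-fix build: reflects the q parameter into the page without encoding."""
    if not _authenticated(raw_request):
        return "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
    return "HTTP/1.1 200 OK\r\n\r\n<p>Results for " + _query_param(raw_request, "q") + "</p>"


def fixed_app(raw_request: str) -> str:
    """Post-fix build: same page, but the parameter is HTML-encoded on output."""
    if not _authenticated(raw_request):
        return "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
    return ("HTTP/1.1 200 OK\r\n\r\n<p>Results for "
            + escape(_query_param(raw_request, "q")) + "</p>")


# Constructed request as the tester captured it in Burp, with the tester's own cookie.
TESTER_REQUEST = ("GET /search?q=%3Cb%3Erepl1%3C%2Fb%3E HTTP/1.1\r\n"
                  "Host: app.example\r\n"
                  "Cookie: session=tester-secret\r\n"
                  "\r\n")

# What gets saved and handed to the developer: scrubbed request + detection expression.
FINDING = Finding("Unescaped reflection in /search",
                  scrub_session(TESTER_REQUEST),
                  r"<b>repl1</b>")


def run_developer_mode(send, cookie: str = "session=dev-fresh") -> dict:
    """Developer Mode: load all findings, apply the session macro, test every one."""
    return {FINDING.name: replicate(FINDING, send, cookie)}


if __name__ == "__main__":
    assert not has_session(FINDING.raw_request)
    print("before fix:", run_developer_mode(vulnerable_app))
    print("after fix: ", run_developer_mode(fixed_app))
    # Without a valid session the app redirects, so the issue cannot be reproduced;
    # this is why each user context needs its own session macro.
    print("no session:", replicate(FINDING, vulnerable_app, ""))
```

The "no session" run shows why the slides insist on a session macro per user: replaying a scrubbed PoC without re-establishing a session yields NOT_REPRODUCED for the wrong reason, which a developer could mistake for a fix.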
Demo
When to Use?
• Replication
• Team awareness: developers, test teams, security testing
• As a substitute for documentation: for incremental testing
• Not exhaustive: Cross-Site Scripting, SQL Injection, permutational issues
• When a WAF is in place
Thank You!
References
• https://portswigger.net/bappstore/56cf924977874104ac35e52962a9a553
• http://www.itsecgames.com/
Neelu Tripathy
https://www.linkedin.com/in/neelutripathy/
https://www.slideshare.net/NeeluTripathy2/