Pentesters face an ever-evolving challenge of testing sprawling applications for increasingly complex vulnerabilities. For this pentester within a 30-member AppSec team at a large cyber security company based in Sweden, this is no different.
I use Burp every day. More people should use it if they're not already.
Application Security Pentester, AppSec team
A 30-member AppSec team at a Swedish-based cybersecurity company provides Pentesting-as-a-Service, helping to uncover vulnerabilities in clients’ web applications. We interviewed a pentester from this organization, who is part of an ethical hacking red team. We spoke to them about their challenges, workflow, and how Burp helps them achieve their goals.
With an increasing range of different attack scenarios to test for, across a wide variety of clients’ web estates, they face a number of challenges:
Balancing extensiveness with efficiency is difficult, and they require tools that complement their expertise. That’s where Burp comes in.
For this pentester and their team, Burp is essential: “I actually don’t think a single one of the team isn’t using Burp on a daily basis.”
During this initial phase, their aim is to map and understand the full extent of the application’s attack surface using Burp Proxy.
I find Burp incredibly helpful during discovery. Populating the site map gives me a tree view of the app, which is massively useful for identifying areas to focus on. What I often do is walk the application in the built-in browser and then, for example, I might see an API that's just popped up, so I can look into that.
Once a sitemap has been built out, they can begin probing areas of interest for more focused content discovery, using Proxy “to identify traffic that looks really interesting as an initial target”. They then send the associated requests to Repeater for closer inspection, “to help get an understanding of what's happening.”
While they're focused on exploring high-value vulnerabilities with Proxy and Repeater, they leverage automation through the Scanner.
I'll start a scan almost immediately and just have that running in the background to produce some very quick results and spot things that are otherwise really easy to miss.
This toolset allows them to multi-task seamlessly.
What I really love is that, while I'm walking around the application, I can say 'oh, that's a cool endpoint!' then send it to Param Miner or run more targeted scans straight away. I know that's just happening in the background while I do more recon. I love all that.
Once they have built a comprehensive understanding of the application, they can begin the Attack phase. The primary objective here is to identify vulnerabilities that pose a significant risk to the target application. This is where the Scanner delivers real value for this pentester.
I hate manual fuzzing and having to come up with test cases based on what I have in my notes.
While they can’t remove all manual elements from testing, Burp Scanner can reduce a lot of the pain, testing far more payloads than they could by hand.
I love the Burp Scanner. It's probably my number one feature. It means I can focus on the manual testing and the stuff that I know the scanner can't do.
As well as reducing manual work, they use the Scanner to identify specifics such as injection vulnerabilities, or a JSON object embedded inside a parameter, while extensions like Hackvertor and Backslash Powered Scanner add even more capability.
Any potential issues found by the Scanner (and elsewhere) are then sent to Repeater, where they can test different avenues and begin building their POC.
In the final phase of their workflow, they need to report on their findings and create a POC for their clients to take away and action themselves.
While they don't use Burp’s built-in report generation, they do utilise Repeater to compile reports.
Usually I send the request to Repeater, edit it into the simplest form I possibly can, and then I take its URL into our reporting tool and build a proof of concept.
Removing irrelevant HTTP headers helps reduce the request to its simplest form, allowing them to provide clear reproduction steps.
The new ‘hide uninteresting headers’ option is great for that, especially now that we're able to customize the list to include our own headers.
Alongside the simplified requests from Repeater, they use the evidence provided by Burp Scanner to highlight the affected parameter in the request.
Rather than me having to enter all that data manually and describe which parameter is affected and how, Burp is very good at saying 'it's this parameter, and here is the evidence.’
Using the range of tools and extensions within Burp Suite Professional allows them to streamline all phases of their workflow, ensuring comprehensive testing in every client engagement.
Without Burp Suite, this pentester would face time-consuming manual workflows, risk missing critical vulnerabilities, and deliver less actionable reports for their clients.
Burp Suite Professional is indispensable in their workflow. From the Scanner, to Proxy, Repeater, and more - Burp enables them to focus on finding the vulnerabilities that matter most.
Join over 80,000 security professionals using Burp Suite Professional. Request a fully-featured free trial of the web security tester's toolkit of choice.