Burp Suite Training

Are you looking for training in how to use Burp Suite? Would you like to take your understanding of web security to the next level? Our training hub incorporates options for self-study, development and learning pathways, practice examinations for our certification, and specialist training partners across the globe.

The Web Security Academy

The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. It is a living resource that we'll continue updating with new material and labs, covering the latest developments in web security research.

  • Get hands-on learning with over 190 interactive labs.

  • Learn how to test applications like the experts.

  • Keep up with the latest and greatest vulnerabilities.

Burp Suite Training Partners

Burp Suite training is available for both novice and advanced Burp Suite users through our specialist training partners across the globe. These courses provide hands-on training on how to use Burp Suite to find real-world vulnerabilities. You can contact any of our training partners directly to discuss options for tailored on-site training.

Mastering Burp Suite Pro - 100% Hands-on

Training provider: Agarri
Region: Worldwide
Languages: English, French
Website: http://www.agarri.fr/en/trainings.html
Email: nicolas.gregoire@agarri.fr
Phone: +33 640 374 191
Duration: 3 days

Overview:

As "PoC||GTFO Volume II" nicely describes itself, "This is not a book about astronomy; rather, this is a book about telescopes". In the same spirit, this training isn't about Web hacking. Instead, this training is for Web hackers who want to master their toolbox. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding. Note that the training platform is hosted in a Docker infrastructure (around 20 containers) which is made available to all trainees right after the training session.

Key learning objectives:

  • Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects.

  • Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging-in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about it, thanks to prior rehearsals.

  • Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to live-assess themselves, in order to detect as early as possible any error and to allow for correction and self-improvement.

Audience:

The training is aimed at Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with as-short-as-possible feedback loops.

Dominating Burp Suite

Training provider: ArtsSEC
Region: Latin America & Worldwide
Languages: Spanish, Portuguese and English
Website: https://www.artssec.com/
Email: info@artssec.com
Phone: (+ 54 9) 11-6211-3325
Duration: Half-day, 1-day or 2-day workshops are available

Overview:

This training provides a theoretical and practical understanding of the riskiest vulnerabilities, their combination, and their detection and exploitation, using the famous Burp Suite hacking tool. It contains numerous real-life examples, with CVEs and bounties, to help attendees understand the true impact of these vulnerabilities. You will learn how to use the typical functions and the lesser-known ones hidden among the tabs and configurations of Burp Suite. Develop your first extension in Python, Ruby or Java and take advantage of the API.

Audience:

The training has been created for developers, security analysts, penetration testers, bug hunters or any enthusiastic person who wishes to take their skills to the next level.

Developing Burp Suite Extensions - From manual testing to security automation

Training provider: Doyensec LLC
Region: Worldwide
Languages: English
Website: https://www.doyensec.com/
Email: info@doyensec.com
Phone: +1 (628) 333 9093
Duration: 1- or 2-day workshops are available

Overview:

In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. After a quick intro to Burp and its extension APIs, we work on setting up an optimal development environment enabling fast coding and debugging. Then, we discuss and create many different types of plugins, including:

  • A custom logger to provide persistence and data export functionalities using MongoDB

  • A simple (and yet useful) replay tool

  • Passive check for Burp's scanning engine to detect missing Subresource Integrity (SRI) attributes

  • Active check for Burp's scanning engine to detect Expression Language (EL) injection vulnerabilities

  • A custom Intruder payload generator to fuzz using Radamsa

Finally, we leverage our extensions to build a security automation toolchain integrated in a CI environment (Jenkins). This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. While we develop our code in Java using Oracle's NetBeans, we also provide templates for IntelliJ IDEA and Eclipse. Additionally, we discuss and provide code for both Python and Ruby so that you can work using your favorite programming language.

Audience:

The training is suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic Object-Oriented Programming experience. While Burp extensions are developed live in Java, attendees can work in Python or Ruby since all exercises are also provided in those languages.

Web Application Hacking with Burp Suite

Training provider: Maven Security Consulting Inc.
Region: US
Languages: English
Website: https://www.mavensecurity.com/burpsuite_training/
Email: burpsuite@mavensecurity.com
Phone: +1-877-MAVEN-HQ (1-877-628-3647)
Duration: 1-, 2- and 3-day workshops are available

Overview:

This workshop, through hands-on demos and labs, will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry's most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate implementation. Remote security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.

Audience:

People who are auditing web application security, developing web applications, or managing the development of web applications.

The Web Application Hacker's Handbook (CREST approved course)

Training provider: MDSec
Region: Worldwide
Languages: English
Website: https://www.mdsec.co.uk/
Email: contact@mdsec.co.uk
Phone: +44 (0)1625 263 503
Duration: 2 or 3 days

Overview:

This 2- or 3-day course is a practical counterpart to the well-known Web Application Hacker's Handbook, and is developed and taught by the authors, with a strong focus on practical attacks and methods. After a short introduction to the subject, the course delves into common insecurities. The Web Application Hacker's Handbook course is CREST approved and is useful preparation for: CREST Certified Infrastructure Tester (CCT INF) and CREST Certified Web Applications Tester (CCT APP).

Audience:

Those who wish to build on their skills in web application security, including those wishing to learn how to get the most out of Burp. Also suitable for new entrants to the web application security industry, including those working in Quality Assurance or internal testing functions. This course has frequently been recommended by candidates who have taken both the CREST CCT Infrastructure and CCT Web Applications exams.

Practical Web Application Penetration Testing (PWAPT)

Training provider: PractiSec - Tim Tomes
Region: US
Languages: English
Website: https://www.practisec.com/training/
Email: tim.tomes@practisec.com
Phone: +1-864-756-1417
Duration: 3-day workshop

Overview:

This hands-on course provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real-world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.

Audience:

This class is intended for individuals with introductory knowledge of the OWASP Top 10 and a thorough understanding of the HTTP protocol. For additional detail, see the above website.

Practical Burp Suite Pro: Advanced Tactics (PBAT)

Training provider: PractiSec - Tim Tomes
Region: US
Languages: English
Website: https://www.practisec.com/training/
Email: tim.tomes@practisec.com
Phone: +1-864-756-1417
Duration: 2-day workshop

Overview:

This hands-on course provides comprehensive training on the capabilities of Burp Suite Pro and the practical application of these capabilities in real-world web application penetration testing engagements. The instructor will introduce the various components of Burp Suite Pro, discussing their purpose, strengths, and limitations, and lead students in realistic, scenario-driven hands-on exercises leveraging the components against a modern web application. As the scenarios unfold, the instructor will share tips and tricks for using Burp Suite Pro gained from years of personal usage experience and extensive research into the tool's capabilities and ongoing expansion. These scenarios include the use of lesser-known features hidden within the Burp interface, and the modification and chaining of features to solve complex problems that make testing modern applications a challenge.

Audience:

This class is intended for individuals with introductory knowledge of Burp Suite Pro and an intermediate understanding of web application vulnerabilities and testing methodology. For additional detail, see the above website.

Web Application Security

Training provider: Securitum
Region: Europe
Languages: Polish, English
Website: https://securitum.pl/szkolenia/bezpieczenstwo-aplikacji-www-szkolenie/
Email: securitum@securitum.pl
Phone: +48 12 361 33 37
Duration: 3 days

Overview:

This three-day hands-on training gives participants a practical knowledge of web application security issues. Throughout the course the participants will analyse the security of a number of systems for vulnerabilities using Burp Suite Professional. Each vulnerability is preceded by a theoretical introduction, and a method of protection against attacks is presented for each. The training can be delivered in English onsite for a closed group.

Audience:

Those who wish to build on their skills in web application security. Recommended (but not required) experience:

  1. Basic knowledge of SQL

  2. Basic knowledge of HTML/JavaScript

  3. Basic knowledge of HTTP communication

  4. General IT background

Web Application Bootcamp - Journeyman Level

Training provider: SensePost
Region: UK, South Africa & USA
Languages: English
Website: https://www.sensepost.com/learn/journeyman-application/
Email: training@sensepost.com
Phone: +44 (0)202 7956 8826
Duration: 2 days

Overview:

We love owning the application layer and this course reflects that. We want to take students on a path of obtaining offensive security knowledge in the web application realm. The course focuses on the fundamentals rather than specific tools and introduces you to our hacking methodology refined over thousands of assessments conducted over the last 14 years. SQLi/XML/XPath/LDAP/RFI/DOM, this industry loves acronyms. From the start we cut through the acronym soup and start serving up plain and simple approaches to understand how applications are built and where vulnerabilities are introduced. This is hands-on learning, not just listening.

Audience:

This course is meant for those who are new to penetration testing, network administrators or indeed anyone who wants to understand more about offensive testing and get their hands dirty breaking into various networks and applications.

Web Application Penetration Testing with Burp Suite

Training provider: TrustFoundry
Region: US, Worldwide
Languages: English
Website: https://trustfoundry.net/
Email: training@trustfoundry.net
Phone: +1 (913) 871-3371
Duration: Half-day, 1-day, 2-day and 3-day courses available

Overview:

We have an introductory and an advanced class, although we can create customized classes depending on the targeted duration and material.

Introduction to Web Application Penetration Testing

Learn the tools and techniques for conducting a web application penetration test. Get your hands dirty with HTTP and Burp Suite. This workshop will provide a solid introduction to web application penetration testing. This class is designed for those with little to no web application penetration testing experience, although it will move quickly. This class will include hands-on challenges where attendees use skills acquired during the class to exploit web applications. Attendees will walk away with a basic understanding of the tools and processes for conducting a web application penetration test.

Advanced Web Application Penetration Testing

So you've popped some alert boxes, and understand the OWASP Top 10, but you're looking to take your skills to the next level? In this course, students will gain an understanding of moderate to advanced web application attacks and assessment techniques. This class will include hands-on challenges where attendees use skills acquired during the class to exploit web applications. Attendees will walk away with an understanding of the tools and processes for conducting a deep-dive web application penetration test.

Full agenda available at: https://trustfoundry.net/services/#training

Audience:

Introduction to Web Application Penetration Testing: Basic knowledge of HTTP requests and responses, and any web application programming experience will be helpful, but is not required.

Advanced Web Application Penetration Testing: Basic knowledge of HTTP, Burp Suite, and the ability to exploit basic web application attacks (XSS, SQLi, etc.) is suggested. Web application programming experience will be helpful, but is not required.

Self-study resources