
Burp Suite Training

Are you looking for training in how to use Burp? Would you like to take your understanding of web security to the next level?

Web Security Academy - New!

Burp Suite Training Partners

Burp Suite training is available for both novice and advanced Burp Suite users through our specialist training partners across the globe.

Mastering Burp Suite Pro - 100% Hands-on

Training provider: Agarri
Region: Worldwide
Languages: English, French
Website: http://www.agarri.fr/en/trainings.html
Email: nicolas.gregoire@agarri.fr
Phone: +33 640 374 191
Duration: 3 days
Overview: As "PoC||GTFO Volume II" nicely describes itself, "This is not a book about astronomy; rather, this is a book about telescopes". In the same spirit, this training isn't about Web hacking. Instead, this training is for Web hackers who want to master their toolbox. Mastering Burp Suite Pro, including its newest features, allows testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (hotkeys!) and much more efficient (more tools, more possibilities!). Attendees will also learn to measure and assess the quality of their attacks, a crucial skill in real-life engagements that can make the difference between a false-negative and a critical finding. Note that the training platform is hosted in a Docker infrastructure (around 20 containers) which is made available to all trainees right after the training session.
Key learning objectives:
- Menial tasks (like sharing requests among the different tools, applying common encodings or navigating the GUI) should be as fast and transparent as possible, in order to free time and brain power for harder subjects.
- Recurrent tasks (like brute-forcing a CSRF-protected form, frobbing an opaque blob of data, logging-in automatically or doing 1-byte fuzzing of a specific parameter) should be executed without having to think too much about it, thanks to prior rehearsals.
- Advanced tasks (like managing a complex state, dealing with a custom format or testing authorizations) should be doable exclusively in Burp Suite Pro, possibly with the help of session handling rules or specific extensions. These tasks require testers to live-assess themselves, in order to detect as early as possible any error and to allow for correction and self-improvement.
Audience: The training is aimed at Web application penetration testers and bug hunters, and will provide them with significant automation capabilities. We aim at a fast and comfortable testing workflow with as-short-as-possible feedback loops.

Burp Suite Workshop

Training provider: Alcorn Group
Region: Asia Pacific
Languages: English
Website: http://alcorngroup.com/services/
Email: info@alcorngroup.com
Phone: +61 7 3821 2895
Duration: Half day, full day and two day workshops are available
Overview: This training provides you with both a theoretical and practical understanding of how to use the very popular hacking tool Burp Suite Professional. Mastering this professional ethical hacker tool of choice will give you a capability to easily find vulnerabilities in your web applications. Burp Suite has possibly been the most consistently high quality tool for assessing web applications for over a decade and the methodologies in this course are a must for any serious web application assessment.
Audience: Suitable for new entrants in web application security, also intermediate and advanced web application security specialists.

Dominating Burp Suite

Training provider: ArtsSEC
Region: Latin America & Worldwide
Languages: Spanish, Portuguese and English
Website: https://www.artssec.com/
Email: info@artssec.com
Phone: (+ 54 9) 11-6211-3325
Duration: Half-day, 1-day or 2-day workshops are available
Overview: This training provides a theoretical and practical understanding of the most risky vulnerabilities, and of how they combine, in their detection and exploitation, using the famous Burp Suite hacking tool. It contains numerous real-life examples, with CVEs and bounties, to help attendees understand the true impact of these vulnerabilities. You will learn how to use the typical functions and those less known, hidden among the tabs and configurations of Burp Suite. Develop the first extension in Python, Ruby or Java and take advantage of the API.
Audience: The training has been created for developers, security analysts, penetration testers, bug hunters or any enthusiastic person who wishes to take their skills to the next level.

Developing Burp Suite Extensions - From manual testing to security automation

Training provider: Doyensec LLC
Region: Worldwide
Languages: English
Website: https://www.doyensec.com/
Email: info@doyensec.com
Phone: +1 (628) 333 9093
Duration: 1-day or 2-day workshops are available
Overview: In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. After a quick intro to Burp and its extension APIs, we work on setting up an optimal development environment enabling fast coding and debugging. Then, we discuss and create many different types of plugins, including:
* A custom logger to provide persistency and data export functionalities using MongoDB
* A simple (and yet useful) replay tool
* Passive check for Burp's scanning engine to detect missing SubResource Integrity (SRI) attributes
* Active check for Burp's scanning engine to detect Expression Language (EL) injection vulnerabilities
* A custom Intruder payload generator to fuzz using Radamsa
Finally, we leverage our extensions to build a security automation toolchain integrated in a CI environment (Jenkins). This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. While we develop our code in Java using Oracle's NetBeans, we also provide templates for IntelliJ IDEA and Eclipse. Additionally, we discuss and provide code for both Python and Ruby so that you can work using your favorite programming language.
Audience: The training is suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic Object-Oriented Programming experience. While Burp extensions are developed live in Java, attendees can work on Python or Ruby since all exercises are also provided in those languages.

Web Application Hacking with Burp Suite

Training provider: Maven Security Consulting Inc.
Region: US
Languages: English
Website: https://www.mavensecurity.com/burpsuite_training/
Email: burpsuite@mavensecurity.com
Phone: +1-877-MAVEN-HQ (1-877-628-3647)
Duration: 1, 2 and 3 day workshops are available
Overview: This workshop, through hands-on demos and labs, will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry's most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate implementation. Remote security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.
Audience: People who are auditing web application security, developing web applications, or managing the development of web applications.

The Web Application Hacker's Handbook (CREST approved course)

Training provider: MDSec
Region: Worldwide
Languages: English
Website: https://www.mdsec.co.uk/
Email: contact@mdsec.co.uk
Phone: +44 (0)1625 263 503
Duration: 2 or 3 days
Overview: This 2 or 3 day course is a practical counterpart to the well-known Web Application Hacker's Handbook, and is developed and taught by the authors, with strong focus on practical attacks and methods. After a short introduction to the subject the course then delves into common insecurities. The Web Application Hacker's Handbook course is CREST approved and is useful preparation for: CREST Certified Infrastructure Tester (CCT INF) and CREST Certified Web Applications Tester (CCT APP).
Audience: Those who wish to build on their skills in web application security, including those wishing to learn how to get the most out of Burp. Also suitable for new entrants to the web application security industry, including those working in Quality Assurance or internal testing functions. This course has frequently been recommended by candidates who have taken both the CREST CCT Infrastructure and CCT Web Applications exams.

Practical Web Application Penetration Testing (PWAPT)

Training provider: PractiSec - Tim Tomes
Region: US
Languages: English
Website: http://www.lanmaster53.com/training/
Email: tim.tomes@practisec.com
Phone: +1-864-756-1417
Duration: 3-day workshop
Overview: This hands-on course provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.
Audience: This class is intended for individuals with introductory knowledge of the OWASP Top 10 and a thorough understanding of the HTTP protocol. For additional detail, see the above website.

Practical Burp Suite Pro: Advanced Tactics (PBAT)

Training provider: PractiSec - Tim Tomes
Region: US
Languages: English
Website: http://www.lanmaster53.com/training/
Email: tim.tomes@practisec.com
Phone: +1-864-756-1417
Duration: 2-day workshop
Overview: This hands-on course provides comprehensive training on the capabilities of Burp Suite Pro and the practical application of these capabilities in real world web application penetration testing engagements. The instructor will introduce the various components of Burp Suite Pro, discussing their purpose, strengths, and limitations, and lead students in realistic scenario driven hands-on exercises leveraging the components against a modern web application. As the scenarios unfold, the instructor will share tips and tricks for using Burp Suite Pro gained from years of personal usage experience and extensive research into the tool's capabilities and ongoing expansion. These scenarios include the use of lesser-known features hidden within the Burp interface, and the modification and chaining of features to solve complex problems that make testing modern applications a challenge.
Audience: This class is intended for individuals with introductory knowledge of Burp Suite Pro and an intermediate understanding of web application vulnerabilities and testing methodology. For additional detail, see the above website.

Tactical Burp Suite & Advanced Tactical Burp Suite

Training provider: Secure Ideas LLC
Region: Virtual (recorded webinar)
Languages: English
Website: https://training.secureideas.com/our-courses/
Email: info@secureideas.com
Phone: +1-866-404-7837
Duration: 2 hours (pre-recorded webinar)
Overview: Tactical Burp Suite: Tips and Tricks to Using Our Favorite Web PenTesting Tool! Kevin Johnson and Jason Gillam will explore the various features of Burp Suite, focused on how we use the system during our penetration testing. This webinar will use hands-on examples to reinforce the topics and tricks that Jason and Kevin will be showing. Not only will we be doing the demos, but a target system will be made available to attendees so that they can do the examples along with Kevin and Jason. This webinar costs $25 and runs for approximately two hours.
Audience: Everyone with an interest in using Burp Suite.

Web Application Security

Training provider: Securitum
Region: Europe
Languages: Polish, English
Website: https://securitum.pl/szkolenia/bezpieczenstwo-aplikacji-www-szkolenie/
Email: securitum@securitum.pl
Phone: +48 12 361 33 37
Duration: 3 days
Overview: This three-day hands-on training gives participants a practical knowledge of web application security issues. Throughout the course the participants will analyse the security of a number of systems for vulnerabilities using Burp Suite Professional. Each vulnerability is preceded by a theoretical introduction, and a method of protection against attacks is presented for these vulnerabilities. The training can be delivered in English onsite for a closed group.
Audience: Those who wish to build on their skills in web application security. Recommended (but not required) experience:
1. Basic knowledge of SQL
2. Basic knowledge of HTML/JavaScript
3. Basic knowledge of HTTP communication
4. General IT background

Web Application Bootcamp - Journeyman Level

Training provider: SensePost
Region: UK, South Africa & USA
Languages: English
Website: https://www.sensepost.com/learn/journeyman-application/
Email: training@sensepost.com
Phone: +44 (0)202 7956 8826
Duration: 2 days
Overview: We love owning the application layer and this course reflects that. We want to take students on a path of obtaining offensive security knowledge in the web application realm. The course focuses on the fundamentals rather than specific tools and introduces you to our hacking methodology refined over thousands of assessments conducted over the last 14 years. SQLi/XML/XPath/LDAP/RFI/DOM, this industry loves acronyms. From the start we cut through the acronym soup and start serving up plain and simple approaches to understand how applications are built and where vulnerabilities are introduced. This is hands-on learning, not just listening.
Audience: This course is meant for those who are new to penetration testing, network administrators or indeed anyone who wants to understand more about offensive testing and get their hands dirty breaking into various networks and applications.

Web Application Penetration Testing with Burp Suite

Training provider: TrustFoundry
Region: US, Worldwide
Languages: English
Website: https://trustfoundry.net/
Email: training@trustfoundry.net
Phone: +1 (913) 871-3371
Duration: Half-day, 1 day, 2 day, and 3 day courses available
Overview: We have an introductory and an advanced class, although we can create customized classes depending on the targeted duration and material.
Introduction to Web Application Penetration Testing
Learn the tools and techniques for conducting a web application penetration test. Get your hands dirty with HTTP and Burp Suite. This workshop will provide a solid introduction to web application penetration testing. This class is designed for those with little to no web application penetration testing experience, although it will move quickly. This class will include hands-on challenges where attendees use skills acquired during the class to exploit web applications. Attendees will walk away with a basic understanding of the tools and processes for conducting a web application penetration test.
Advanced Web Application Penetration Testing
So you've popped some alert boxes, and understand the OWASP Top 10, but you're looking to take your skills to the next level? In this course, students will gain an understanding of moderate to advanced web application attacks and assessment techniques. This class will include hands-on challenges where attendees use skills acquired during the class to exploit web applications. Attendees will walk away with an understanding of the tools and processes for conducting a deep-dive web application penetration test.
Full agenda available at: https://trustfoundry.net/services/#training
Audience:
Introduction to Web Application Penetration Testing
Basic knowledge of HTTP requests and responses, and any web application programming experience will be helpful, but is not required.
Advanced Web Application Penetration Testing
Basic knowledge of HTTP, Burp Suite, and the ability to exploit basic web application attacks (XSS, SQLi, etc.) is suggested. Web application programming experience will be helpful, but is not required.

Forthcoming public training

A look beyond the Web Application Hacker's Handbook

Training provider: MDSec
Date: 01 August 2020 - 02 August 2020
Location: Black Hat 2020, Mandalay Bay, Las Vegas (Now Online!)
Language: English
Register: https://www.blackhat.com/us-20/training/schedule/index.html#a-look-beyond-the-web-application-hackers-handbook-18926

Mastering Burp Suite Pro - 100% Hands-on

Training provider: Agarri
Date: 01 August 2020 - 04 August 2020
Location: Ringzer0, Las Vegas, USA (Now Online!)
Language: English
Register: https://ringzer0.training/mastering-burp-suite-pro.html

Self-Study Resources