BurpSmartBuster - A smart way to find hidden treasures

Presented at DerbyCon 6.0 Recharge (2016), Sept. 23, 2016, 7 p.m. (25 minutes)

Bruteforcing non-indexed data is often used to discover hidden files and directories, which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools lack application context and don't use any smart behaviour to reduce the bruteforce scanning time or to be stealthier. BurpSmartBuster, a Burp Suite plugin, uses the application context and adds the smart into the Buster! This 20 minute presentation will reveal this new open-source plugin and will show practical cases of how you can use this new tool to accelerate your web pentest and find hidden treasures! The following will be covered:

- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests: focus only on what is most critical
- Show how simple the code is and how you can help to make it even better!
