A Smarter Way to Find Hidden Treasures
Congratulations to our team at Security Compass for being accepted to present at this year’s DerbyCon in Louisville, Kentucky (September 23rd — 25th, 2016). Patrick Mathieu, Senior Security Consultant, will be speaking about a new open-source Burp Suite plugin he developed. His presentation will be on Friday September 23rd at 7:00 PM, within Track 5 (Stable Talks) at Pimlico. Here is an abstract about what Patrick will be speaking about:
— A Smarter Way to Find Hidden Treasures
Bruteforcing non-indexed data is often used to discover hidden files and directories, which can lead to information disclosure, or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the current tools aren’t stealthy, lack application context, and do not integrate smart behaviour to reduce the bruteforce scanning time. BurpSmartBuster, a new Burp Suite plugin, adds the application context, putting the Smart into the Buster!
At DerbyCon, we will reveal this new open-source plugin and illustrate a practical case of how you can use this tool to accelerate your Web pentest to find hidden treasures. The following will be covered:
- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests by focusing only on critical items
- Show how simple the code is and how you can help to make it even better
The open-source code previously shared at DEF CON Demolabs for BurpSmartBuster can be found here.
To meet Patrick in person and to learn more about BurpSmartBuster, attend his presentation at DerbyCon on Friday September 23rd at 7:00 PM, within Track 5 (Stable Talks) at Pimlico.
Patrick is the co-founder of Hackfest.ca, the largest hacking event in Canada, and has been involved in computer security for more than 10 years. He has been a member of the hacking community around Quebec, Canada for more than 20 years, starting from when he discovered hacking on the last online BBSs. He is currently a Senior Security Consultant at Security Compass, where he specializes in application security for both offence and defence, currently working on multiple webapp pentests, Red Team, and training assignments. Patrick holds a Bachelor’s and College degree in Computer Science. Follow his tweets here.