Introducing BurpSmartBuster at DerbyCon 2016

September 14, 2016


A Smarter Way to Find Hidden Treasures

Congratulations to our team at Security Compass for being accepted to present at this year’s DerbyCon in Louisville, Kentucky (September 23rd — 25th, 2016). Patrick Mathieu, Senior Security Consultant, will be speaking about a new open-source Burp Suite plugin he developed. His presentation will be on Friday September 23rd at 7:00 PM, within Track 5 (Stable Talks) at Pimlico. Here is an abstract about what Patrick will be speaking about:


A Smarter Way to Find Hidden Treasures

Bruteforcing non-indexed data is often used to discover hidden files and directories which can lead to information disclosure, or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the current tools aren’t stealthy, lack application context, and do not integrate smart behaviour to reduce the bruteforce scanning time. BurpSmartBuster, a new Burp Suite plugin, offers to include the application context, putting the Smart into the Buster!

At DerbyCon, we will reveal this new open-source plugin and illustrate a practical case of how you can use this tool to accelerate your Web pentest to find hidden treasures. The following will be covered:

  • How to add context to a web bruteforce tool
  • How we can be stealthier
  • How to limit the number of requests by focusing only on critical items
  • Show how simple the code is and how you can help to make it even better
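
The abstract's stealth and request-reduction points have a defender's counterpart: a context-aware buster that sends fewer, better-targeted requests leaves a smaller 404 footprint, so detection needs to look at the share of distinct missing paths per client rather than raw volume. The following is an added example (not code from the post or from the BurpSmartBuster project) that parses constructed Apache combined-log lines and flags clients whose traffic in a short window is dominated by 404s for distinct paths; the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (sample data, not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2016:19:00:01 -0400] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [23/Sep/2016:19:00:02 -0400] "GET /backup.zip HTTP/1.1" 404 209
10.0.0.5 - - [23/Sep/2016:19:00:02 -0400] "GET /admin/ HTTP/1.1" 404 209
10.0.0.5 - - [23/Sep/2016:19:00:03 -0400] "GET /config.php.bak HTTP/1.1" 404 209
10.0.0.5 - - [23/Sep/2016:19:00:03 -0400] "GET /.git/HEAD HTTP/1.1" 404 209
10.0.0.5 - - [23/Sep/2016:19:00:04 -0400] "GET /old/ HTTP/1.1" 404 209
10.0.0.9 - - [23/Sep/2016:19:00:05 -0400] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [23/Sep/2016:19:00:06 -0400] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [23/Sep/2016:19:00:07 -0400] "GET /missing.css HTTP/1.1" 404 209
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_enumeration(log_text, window_seconds=60, min_404=4, min_ratio=0.5):
    """Flag clients whose requests in any window are mostly 404s for distinct paths.

    Thresholds are assumptions: min_404 distinct missing paths, making up at
    least min_ratio of that client's requests within window_seconds.
    Returns {ip: sorted list of missing paths} for flagged clients."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # slide a window over each client's requests
            window = [r for r in recs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_seconds]
            missing = {r["path"] for r in window if r["status"] == 404}
            if len(missing) >= min_404 and len(missing) / len(window) >= min_ratio:
                flagged[ip] = sorted(missing)
                break
    return flagged
```

On the sample above only 10.0.0.5 is flagged; 10.0.0.9's single stray 404 stays below both thresholds.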

The open-source code previously shared at DEF CON Demolabs for BurpSmartBuster can be found here.

To meet Patrick in person and to learn more about BurpSmartBuster, attend his presentation at DerbyCon on Friday September 23rd at 7:00 PM, within Track 5 (Stable Talks) at Pimlico.

Patrick is the co-founder of, the largest hacking event in Canada, and has been involved in computer security for more than 10 years. He has been a member of the hacking community around Quebec, Canada for more than 20 years, starting from when he found out about hacking in the last online BBS. He is currently a Senior Security Consultant at Security Compass where he specializes in application security for both offence and defence, currently working on multiple webapp pentests, Red Team, and training assignments. Patrick holds a Bachelor’s and College degree in Computer Science. Follow his tweets here.


