
BreachForce
February 03, 2024

Elevating Web Security Testing with Burpsuite BChecks

Title: Elevating Web Security Testing with BurpSuite BChecks
Presenter: Kaustubh Rai
Event: Breachforce CyberSecurity Cohort
Talk Date: 3rd February 2024

In this presentation, Kaustubh Rai presents advanced techniques for enhancing web security testing with BurpSuite BChecks, along with a demonstration of his own tool, Rahasya. Rahasya is designed for seamless and efficient secret scanning within code repositories, making it a useful resource for security professionals. The slides give an overview of how to leverage BurpSuite's BCheck capabilities, combined with Rahasya, to identify and mitigate vulnerabilities effectively. These insights will improve your approach to web security.


Transcript

1. Burp Suite: A Staple in Security Testing
   • Widely used by both Red Teamers and Blue Teamers
   • Essential for day-to-day security operations

2. The Challenge: Remembering Test Cases
   • Keeping track of specific test cases and notes
   • The risk of relying on memory in high-pressure situations

3. BChecks: Automation to the Rescue
   • Capture the minutiae often missed under tight deadlines
   • Automate repetitive and specific test cases

4. The Power of BChecks
   • Automate tests for everything from response headers to background JavaScript
   • Reduce memory overhead with multiple BChecks per extension

5. Continuous Testing with BChecks
   • Runs alongside your testing, with issues displayed on the dashboard
   • Continuously analyze requests piled up in proxy history

6. Fine-Tuning BChecks for Precision
   • Extensively test individual requests
   • Refine BChecks for precise issue reporting

7. The Advantages of BChecks
   • Simplifies and streamlines security testing processes
   • Allows for a focus on critical vulnerabilities with less effort

8. No Burp Pro? Caido!
   • Currently BChecks is only for Burp Pro 😞
   • Caido is similar to Burp Suite, and in v0.32.1 they have something similar to BChecks called workflows

9. Gitleaks
   • Simple SAST tool to detect hardcoded stuff
   • Extensively updated with new regexes

   TruffleHog / Detect Secrets: Key Features
   • Scans verified and unverified commits
   • Over 700 credential detectors
   • For enterprise clients
   • Backwards compatible
   • Multiple plugins that check at enterprise level, on by default

10. GitGuardian / Talisman: Key Features
   • Github's own secret scanner
   • Requires API key ¯\_(ツ)_/¯
   • Scans all the things that every scanner has, and it scans git changesets
   • Scans every commit, scraped commit history, all that stuff
   • Report will be shown in a presentable HTML format

11. Customization & Support
   • ggshield API key can be added; older/newer versions of the other tools can be used
   • Tool can be customized by simply editing the Dockerfile
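The following BCheck is an added example written for this page; it is not one of the deck's slides and not PortSwigger's or the presenter's code. It ties together slides 4 to 6 (a passive check that runs over response headers and background JavaScript, and is narrowed down so it reports precisely) with the secret-scanning theme of slide 9: instead of scanning a repository, it watches for a secret-shaped string that has leaked into client-side script. It assumes the BCheck v1-beta syntax; the content-type filter and the access-key-ID regex are illustrative assumptions, and any other secret format could be substituted.

```bcheck
metadata:
    language: v1-beta
    name: "Example: possible AWS access key ID in JavaScript response"
    description: "Passive check that flags script responses containing a string shaped like an AWS access key ID (added example)"
    author: "Added example, not from the deck or from PortSwigger"
    tags: "passive", "javascript", "secrets"

# Passive check: Burp evaluates it against every response it records,
# so it also runs over the proxy-history backlog described on slide 5.
given response then
    # Narrow to JavaScript responses before applying the regex (the precision
    # point from slide 6), then look for the public AWS access key ID shape.
    # Both the content-type filter and the key pattern are assumptions for
    # illustration; swap in whatever secret format you care about.
    if {latest.response.headers} matches "(?i)content-type: *(application|text)/(x-)?javascript" and {latest.response.body} matches "AKIA[0-9A-Z]{16}" then
        report issue:
            severity: high
            confidence: tentative
            detail: "A string matching the AWS access key ID format was found in a JavaScript response. Verify whether it is a live credential."
            remediation: "Remove credentials from client-side code, serve them from the backend instead, and rotate any key that was exposed."
    end if
```

Import the file from the BChecks tab under Extensions in Burp Suite Professional; matches appear on the dashboard as issues with the severity and confidence set above. Confidence is deliberately "tentative" because a regex match is only a candidate: the same distinction between verified and unverified findings is what the secret scanners on slide 9 make, and the tester still confirms whether the key is live before reporting it as a finding.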