It has been quite a while since my last blog post here. Not that I have ever really blogged much, but in 2010 I officially switched from a world filled with enterprise firewalls and intrusion detection systems to one filled with Web Applications (and other types of applications).
On one hand, for someone who likes to learn, Web Application Penetration Testing is perfect: there are so many languages, frameworks, best practices, and common mistakes to understand that, as a tester, you will never run out of things to learn. Of course, that also means that you will never come close to being able to learn it all. Left unmanaged, this can be a source of frustration and despair.
The main point of this blog re-launch is that it has been far too long since I have written any code. I'd like to document the mistakes I make, and the lessons I am bound to learn, as I jump back into things.
I mainly test applications from a Windows OS, so those thousands of hours of BASH scripting experience from my past are just sitting in my brain as memories. I was just starting to become functional in Python also, when I essentially abandoned that as well. I have found a few things to automate over the last few years, but to be honest, most times I think of something related to application testing that I can automate in Python, I realize that PortSwigger's Burp Suite already does that. I can't tell you how many times this has happened.
Of course, the problem with relying on a tool to do something for you is that if you need it to do something slightly differently, you are stuck. This is where the Burp Extension API comes into play.
Recently, I have done a number of assessments on custom applications (mostly thick clients written in Java, C#, etc.) that use web services to communicate with the server. While these applications use HTTP(S) and can be intercepted with Burp, their implementations are unique and it becomes difficult to analyze the requests with the default
This is, of course, the perfect opportunity for me to extend Burp Suite to make it do things that only I need it to do, while at the same time an opportunity for me to dust off my
The next few posts, at least, will contain Burp Extension related info. They will hopefully show me improving from noob to moderately functional. We'll see...