I signed up for a HackerOne account last year. I had performed security research prior to that, but never as part of an official Vulnerability Disclosure Program (VDP). Mostly, up until last year, it was just me on a computer deploying various tools and techniques whilst trying not to get caught or go to jail. Hacking can be scary, even when it's legit (ethical). Look up "safe harbor" for more on that.
Over the last few years, I have spent many (many) hours fiddling around with all types of hacking tools.
I had downloaded:
I never "found my groove" with any of these tools. I just couldn't catch a vibe. And because of that, my research was unorganized, random, uneventful, and frustrating most of the time. Each tool has its use, and I eventually found myself jumping back and forth between them, never getting much of anything done. Not that it wasn't fun, but I wanted a result.
First, I found HackerOne, and then, months later, I came across Burp Suite.
Here's how...
I was chatting with a notable hacker on Twitter. He was giving away a Burp Suite Pro license, which I think was what prompted the chat, but I don't know. Although I cannot recall what we talked about, as it went on for a few days, I realized that many of his followers could not afford the license, and thus, like me, they were using combinations of all the free and open source tools out there.
Except I could afford it; I just didn't know it existed, nor how great it was. Even he didn't know it was a thing until a few years ago. But now he swore by it, and he's currently a 'millionaire hacker' by the way, so I had to see what the hype was about.
Burp Suite is a web hacking toolkit developed by the researchers at PortSwigger, a software and learning pioneer in cybersecurity.
On my first visit to the website I saw their packages. I thought "Oh, a free version, let's try that first." So I downloaded the "Community" edition. I opened it, tried it, and was unimpressed. I couldn't really do much more than before, so I went ahead and upgraded. (I always intended to upgrade; I just wanted to see what I was upgrading from.)
I purchased a license at $399/year hoping it would be as useful as others were saying it is and, boy, was I surprised!
WELL WORTH IT!
Why? Not only did I have a plethora of helpful tools at my disposal, but I also had everything I needed to write a professional vulnerability report and proof of concept (POC). That was something I had struggled with prior to this. Trying to gather all the information needed for a coherent, professional report was a deterrent most days, not going to lie. It seemed like more work than finding the bug itself. I wasn't doing it to have to write more than I already do on a daily basis.
There are so many tools out there, it is easy to overlook some. Burp Suite is not one you want to miss. If you are into bug bounty hunting, security research, or other pentesting activity, then I recommend it for sure.
I was on HackerOne for a while and found no bugs. The day my Burp Suite license became active, I found two bugs and submitted reports.
One was rated/categorized as "Out of Scope". Oops!
The other one was "P5 - Informational", which meant no bounty, but they did thank me, so that's something.
The reason Burp Suite is superior, in my opinion, is because it automates a lot of the work. Here are six reasons why I recommend it:
It is not a tool, it is an entire all-in-one toolkit. (Proxy, Scanner, Collaborator, Repeater, and more.)
Its scanner covers the OWASP Top 10 vulnerability classes.
You can add plug-ins/extensions from the BApp Store.
It was developed, and is updated/maintained, by the best of the best. These researchers/hackers are the OGs, the crème de la crème.
PortSwigger offers awesome tutorials and instructions in their free Web Security Academy. They pretty much teach you how to use all their tools. (Also, their blog is definitely one to follow.)
You can generate proof-of-concepts. 'Nuff said.
Really though, there are dozens of reasons why Burp Suite is a premier hacking toolkit. I've had it for a year now. I don't use it as much as I could as of late, with all the work teaching classes, gardening, reading, writing, cooking, walking the dog, hanging with the kids, napping, exercising, and everything else I do, but when I do sit down to hack, Burp Suite is the only tool I use now. I've uninstalled most of the others.
Check it out for yourself! Visit the Burp Suite Pro site.