Training "Mastering Burp Suite Pro - 100% hands-on"


This is not a training about Web hacking. This is a training for Web hackers who want to master their toolbox.


Burp Suite Pro is the leading tool for auditing Web applications at large. Its users are mainly penetration testers, QA people, or advanced developers. Mastering Burp Suite allows users to get the most out of the tool, optimizing time spent. Work will be faster, more effective and more efficient. What's more, advanced automation techniques allow detection of additional vulnerabilities whether complex or subtle. Attendees will also learn to measure the quality of their attacks, a crucial skill in real-life engagements.

Most features included in the tool are covered, including the newest ones like Infiltrator (IAST of Java and .Net applications). Alternative strategies and techniques will be demonstrated, giving a wider view of available functionalities. Tons of challenges are available (even after the training!), covering classic web applications, of course, but also thin clients, mobile applications, e-commerce platforms, ...

Target audience

The following roles are expected:

  1. Web application penetration testers
  2. QA people and advanced developers

Whatever your role and level, whether novice (having used the Free version a few times) or expert (using the Pro version for years), this training will provide beneficial automation skills.


Every trainee goes through the main track, composed of nearly 60 challenges. Plenty of additional ones are available, depending on your speed, taste, skills and professional needs. No way to get bored! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, weak cryptography, webhooks, NoSQL injections, authorization bugs, aggressive disconnection, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, ...

The challenges are hosted in a Docker infrastructure (15 containers) which is made available to all trainees right after the training session. It's super easy to use: install Docker, run a few commands, enjoy the challenges! Click here for an overview of the training infrastructure.


Basic knowledge of Burp Suite (UI navigation, traffic interception and replay)

Laptop (with appropriate wired or WiFi connectivity)

64-bit OS supported by Burp Suite Pro (Linux, Mac, Windows)

Recent version of the 64-bit Oracle JVM (can be installed using the Burp bundle)

Latest version of Burp Suite Pro (can be installed using the Burp bundle)

Burp Suite Pro license (temporary ones can be provided)

Modern browser (no IE6, no Epiphany)

Text editor (ideally with syntax coloring)

Day 1


  1. GUI, tools, options and projects, inline help, ...


  1. Scope, filters, sorting, ...


  1. Exploitation of the D-Link DIR-100 backdoor, efficiency tips, ...


  1. Most payload types, anti-CSRF tokens without macros, data extraction, ...

Day 2

Advanced Proxy

  1. Live modifications, interception and manual analysis, ...


  1. Token analysis (live or not)

Advanced Intruder

  1. Reusing options, exporting results, time-based feedback, ...

Authentication and authorization

  1. Horizontal and vertical privilege escalation

Macros and sessions

  1. Anti-CSRF tokens, short sessions, workflows, ...

Day 3

Advanced automation

  1. AngularJS and blind XSS, dynamic external references, ...


  1. Interesting public extensions, develop your own, ...

OOB communication via Collaborator

  1. Set up your own instance, interact manually

IAST with Infiltrator

  1. Instrumented versions of Jenkins and WebGoat are available

Automated interaction with Burp Suite Pro

  1. Scheduled tasks, 3rd party REST interfaces

Upcoming public trainings

Hack In The Box Beijing (October 29, 2018 - October 31, 2018)

Cost (early bird, until 09/01/2018): USD2999

Cost (normal): USD3599

Online registration is open

Hack In The Box Amsterdam, Netherlands (May 6, 2019 - May 8, 2019)

Online registration opens early 2019.

I also give worldwide in-house trainings. Please contact me directly...

Additional information

Previous public sessions

2018: Hack In The Box (NL), Prague (CZ), HITB GSEC (SG)

2017: Hack In The Box (NL), Czech OWASP meeting (CZ)

2016: NorthSec (CA), HackInParis (FR), HITB GSEC (SG), Cybsec (CH)

2015: Hackfest (CA), HackInParis (FR)

2014: HackInParis (FR), Insomni'hack (CH)

2013: AppSec Security Forum (CH)

What to expect

3 days of intensive hands-on practice
Copy of the challenges infrastructure
Slidedeck (~500 pages) in paper and PDF
A temporary Pro license
Some Burp Suite goodies

Trainer biography

Nicolas Gregoire has more than 15 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He has been an official Burp Suite Pro trainer since 2015, and has trained hundreds of people since then. Outside of that, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research has been presented at numerous conferences around the world, and he has been publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.

Copyright 2010-2017 Agarri