Bruteforcing non-indexed data is often use to discover hidden files and directories which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools are lacking the application context and aren't using any smart behaviour to reduce the bruteforce scanning time or even be stealthier. BurpSmartBuster, a Burp Suite Plugin offers to use the application context and add the smart into the Buster! This 20 minute presentation will reveal this new open-source plugin and will show practical case of how you can use this new tool to accelerate your Web pentest to find hidden treasures! The following will be covered: - How to add context to a web bruteforce tool - How we can be stealthier - How to limit the number of requests: Focus only on what is the most critical - Show how simple the code is and how you can help to make it even better!
Patrick is co-founder of Hackfest.ca the largest security event in Eastern Canada and has been involved in computer security for more than 10 years and the hacking community around Quebec, Canada for more than 20y ears starting when he found text about hacking in the last online BBS. He is currently employed as Senior Security Consultant where he’s specialised in application security for both offence and defence currently assign to multiple webapps pentests and trainings. Patrick holds a Bachelor and College degree in computer science.