wingzRED/H1_webinar_takeaways.txt

## H1_webinar_takeaways.txt
# If your tool does not support proxying, this is a manual way to pipe it into Burp.
cat URLS.txt | xargs -P 10 -n 1 curl -k -x http://127.0.0.1:8080/
# https://explainshell.com/explain?cmd=xargs+-P+10+-n+1+curl+-k+-x+http%3A%2F%2F127.0.0.1%3A8080%2F

Scan Configuration Library
- needs more research done here
- perhaps there exist more custom scan configurations out there that can be used?
- can save resources and help you pinpoint a specific class of vulnerability

Consolidate Items before running in Burp Active Scan
- remove duplicates
- remove unparam'ed requests
- remove URLs such as images, stylesheets, etc
- can also filter out sensitive endpoints such as entry creation, email sending functionality etc.

TLS pass through
- configure a list of annoying websites and Burp will skip proxying them entirely


Resource Pools
- Can be used to setup different "profiles" for your scanning activities
- ie. high threads, no delay for a stable and no-WAF target
- ie. low threads, suitable delay for an unstable/WAF tagret

How to do Content Discovery with Authentication
1. Install Burp Extension: "Add Custom Headers"
2. Session handling Rules, apply to Intruder/Target/Scanner, etc.
3. The scans will now have auth attached to it!

How to not overload your Burp:
1. Don't load ALL extensions, choose whats suited for the gig
2. https://portswigger.net/blog/improved-management-of-system-resources
   - example... if there are large JS files in your scope, you should modify scan profiles to ignore JS scanning, because that would consume LOTS of resources and slow down the overall scan


Burp Coverage issues
1. Burp doesn't know how to follow JavaScript links
2. You can manually sweep over the app, and then once those are registered in the site map, can then feed to scan again

Schedule Your Scans
- Avoid collapsing Burp
- Avoid collapsing the target application
	# If your tool does not support proxying, this is a manual way to pipe it into Burp.
	cat URLS.txt \| xargs -P 10 -n 1 curl -k -x http://127.0.0.1:8080/
	# https://explainshell.com/explain?cmd=xargs+-P+10+-n+1+curl+-k+-x+http%3A%2F%2F127.0.0.1%3A8080%2F

	Scan Configuration Library
	- needs more research done here
	- perhaps there exist more custom scan configurations out there that can be used?
	- can save resources and help you pinpoint a specific class of vulnerability

	Consolidate Items before running in Burp Active Scan
	- remove duplicates
	- remove unparam'ed requests
	- remove URLs such as images, stylesheets, etc
	- can also filter out sensitive endpoints such as entry creation, email sending functionality etc.

	TLS pass through
	- configure a list of annoying websites and Burp will skip proxying them entirely


	Resource Pools
	- Can be used to setup different "profiles" for your scanning activities
	- ie. high threads, no delay for a stable and no-WAF target
	- ie. low threads, suitable delay for an unstable/WAF tagret

	How to do Content Discovery with Authentication
	1. Install Burp Extension: "Add Custom Headers"
	2. Session handling Rules, apply to Intruder/Target/Scanner, etc.
	3. The scans will now have auth attached to it!

	How to not overload your Burp:
	1. Don't load ALL extensions, choose whats suited for the gig
	2. https://portswigger.net/blog/improved-management-of-system-resources
	- example... if there are large JS files in your scope, you should modify scan profiles to ignore JS scanning, because that would consume LOTS of resources and slow down the overall scan


	Burp Coverage issues
	1. Burp doesn't know how to follow JavaScript links
	2. You can manually sweep over the app, and then once those are registered in the site map, can then feed to scan again

	Schedule Your Scans
	- Avoid collapsing Burp
	- Avoid collapsing the target application