Why bother investing time to automate work when doing IT security testing? On one hand,
manual testing is a tedious work, where you spend time doing vulnerability tests that
could be done by a machine. On the other hand, letting a machine decide fully on its
own on how to do tests will mostly result in the machine doing nothing useful. This
is especially true for security testing, where manually checking every parameter for
injection attacks is very laborious and automated security scanners go on scanning
for hours while a human would have aborted the scan for various reasons. However,
if we teach automated tools to do things correctly each time, we get the sweet middle
spot of semi-automated security testing, where the tools do the automatic and systematic
security tests and the analyst can focus on the parts of a security test, where the tools
are likely insufficient.
Burp Suite Pro is one of the main tools to do all kind of
HTTP related security analysis and that supports a semi-automated testing. But now
and then it lacks certain features. Burp
extensions can again add some of them. In this post we would like to show how to use
one of the most powerful extensions, Hackvertor
by Gareth Hayes and its relatively new feature
of Python scripting.
Weiterlesen…