Share your experience using Defensics Protocol Fuzzing

Examples of the 102,000+ reviews on PeerSpot:

Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
Real User
Top 10
Feb 2, 2026
Dedicated browser and repeater have improved my proxy testing and manual vulnerability checks
Pros and Cons
  • "PortSwigger Burp Suite Professional is superior in quite a few options."
  • "Even though I started working with PortSwigger Burp Suite Professional, I think I may have run the Scanner once, but I prefer to run ZAP because I'm more used to it and I think it checks many more vulnerabilities."

What is our primary use case?

I have used the Intruder tool in PortSwigger Burp Suite Professional at least once or twice. It is used to fuzz parameters or brute force login. I think I used it once. I don't remember if it gave me results, but at least I had a good tool to use. It's a tool that automatically uses different payloads for something specific, and it is good.

The Repeater tool is the bread and butter of my work. This is how we work. We use the proxy, then we stop, we interrupt it, and then we get a message with a request that has a response. We want to check it, so we use the Repeater. We take it, change one little thing, and send it again. Then we change it a little, and send it again. I've used the Repeater repeatedly. The Repeater is the bread and butter of PortSwigger Burp Suite Professional.

I've run the Scanner feature in PortSwigger Burp Suite Professional once or twice. However, for finding vulnerabilities in an automatic way, I use ZAP. I used to work with ZAP, OWASP ZAP, an automatic vulnerability scanning tool that is freeware. When I worked with Fiddler, I did the proxy work with Fiddler and the automating attacks with ZAP. Fiddler, in those days at least, perhaps still now, didn't have anything automatic. PortSwigger Burp Suite Professional, at the beginning, didn't have it, and eventually, it added this possibility. I think it's been there for a couple of years, but at the beginning, it didn't have it. Even though I started working with PortSwigger Burp Suite Professional, I think I may have run the Scanner once, but I prefer to run ZAP because I'm more used to it and I think it checks many more vulnerabilities. ZAP has a lot of add-ons. For the Scanner, I use ZAP.

Whenever I need to run something automatic, I use ZAP. I always use ZAP. I think I used the Scanner in PortSwigger Burp Suite Professional once, but not a lot. Perhaps I should do it again because I haven't done it lately; perhaps they made it better. I was so used to running ZAP that for this part of the proxy work I use PortSwigger Burp Suite Professional, but for the automatic, I use ZAP.

What is most valuable?

One of the best things in PortSwigger Burp Suite Professional is that it has its own browser. It brings it up and it has its own browser. Fiddler uses either Chrome or Firefox or Edge or whatever it is, and Fiddler works with it together in a very good way. However, lately, I've noticed that I have problems with HTTPS sites that have a way of securing them against proxy attacks. I wasn't sure how Fiddler works with it. On the other hand, in PortSwigger Burp Suite Professional, there's no problem because it has its own browser, so it knows how to deal with it. That's one good thing, and I've been working on and off because I'm not a full-time penetration tester, just part-time, but I have used PortSwigger Burp Suite Professional in the last year or so quite a few times. I've worked on four or five projects.

I didn't use the customized test configurations in PortSwigger Burp Suite Professional; I used the default configuration. I'm not truly an expert on it. I used the configuration, but I know and I have used at least one add-on. PortSwigger Burp Suite Professional has add-ons. There's a special one for JWT attacks, a JWT token. Configurations I've used are the standard. What is good in PortSwigger Burp Suite Professional that I don't remember it having in Fiddler is that it has projects. I can say I can work on different projects, especially if I have Burp Pro, I can define, if I work on two things, two projects, then I don't get mixed up. I can divide the work into projects and keep each project separate. That's a very good thing.

What needs improvement?

I'm hoping perhaps for something to make it easier, such as to define things where if a message or a response is such and such, automatically make a request that is such and such. Perhaps something like this because otherwise, nowadays we have to do it manually. Perhaps they can automate it a bit more. Perhaps they could add some automation to things, to see what we do manually, which it has the tools to do manually, and perhaps enable with a click of a button to do things automatically. I'm not too sure which, but I'm sure they can from a product management point of view, do things that we need to do two, three, or four steps manually regarding specific testing. For instance, we want to check something specific if it's this or if it's that. Perhaps to define it once and have it more automatic, perhaps.

For how long have I used the solution?

I've been working with PortSwigger Burp Suite Professional on and off for about a year or a maximum of two years.

Which solution did I use previously and why did I switch?

In my current company, I've been working for the last five years. Before that, I worked another 10 years in another information security company, and there I was nearly a full-time penetration tester. Although in the previous company, I did look at PortSwigger Burp Suite Professional and worked a bit, I mostly worked with Fiddler. In this company that I'm working on, I again started with Fiddler, but I moved on to PortSwigger Burp Suite Professional for the last, say, two years.

I have not been working with Fiddler for nearly two years because most of the things I have to test are HTTPS, and I haven't managed to get it working. Perhaps it's my problem, but on the other hand, it is good because it forced me to start working with PortSwigger Burp Suite Professional, which has a lot of good possibilities for using a lot of good options for doing tests. It forced me to learn a very good product. Before that, I was using Fiddler, which is good, but PortSwigger Burp Suite Professional is superior in quite a few options.

Which other solutions did I evaluate?

PortSwigger Burp Suite Professional perhaps can reach the level of all the various attacks that ZAP does. They do have the basic set. I don't think they have everything. I don't think they have all the various attacks and at least not all the various combinations of attacks. In that case, ZAP is better in the scanner. For APIs, when I want to look at them, change things, and test, I like the Postman user interface for APIs. Perhaps PortSwigger Burp Suite Professional can get a bit better, although I can check the APIs in PortSwigger Burp Suite Professional using the Repeater. I check APIs with Repeater, but Postman has some GUI options that make it a bit more understandable, at least for beginners. They may want to take a bit of the GUI from Postman and use it for API testing or some parts of it to make it simpler to understand what's happening there. However, from a functionality point of view, I do look at Postman to understand and check things, but for actual testing projects, I use the Repeater. The developers use Postman, and it is good that we get the Postman files and use them to understand the structure and everything of what happens with the APIs. I test it using Repeater. Perhaps to get some ideas from Postman would be good for the APIs.

What other advice do I have?

I haven't used a lot of BApp Store extensions, but I found that the JWT attack extension was a good extension. I saw my colleague used that Turbo Intruder extension. That's what my colleague used. This makes it much better for different payloads, for attacking. It's an extension. I saw him use it. I haven't used it, but I saw that he was very happy with it.

I think the pricing for PortSwigger Burp Suite Professional is reasonable. I don't remember the price, but at the place where I work, we needed four or five licenses and we asked management, and they didn't have any problem with it. The price, although I have to pay every year, is very reasonable. Especially if I take it into account that perhaps not now, but at my previous work, I was a penetration tester and did about 30 or 40 penetration tests a year. Each one took a week or two weeks. I was constantly working with a proxy tool. If I take PortSwigger Burp Suite Professional and someone who's working not around the clock, but nearly every day and is a penetration tester who works every day, in another team that I'm kind of part of, there are people there who work more as penetration testers. I do a bit of consulting, so I don't do it all the time. However, they do it all the time, and they work with PortSwigger Burp Suite Professional all the time. For a tool that people work with all the time, and it is their main tool for application testing, penetration testing, vulnerability scanning, and finding things of this nature, I think the price is quite reasonable.

The price is reasonable. I would rate my overall experience with PortSwigger Burp Suite Professional as a 9 out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Feb 2, 2026
reviewer2795433 - PeerSpot reviewer
Enterprise Cloud Operations Lead at a tech vendor with 10,001+ employees
MSP
Top 5 Leaderboard
Jan 14, 2026
Integrated task tracking and documentation have streamlined collaboration and code workflows
Pros and Cons
  • "GitLab has positively impacted our organization by making our code very secure because GitLab prides itself on security."
  • "The only feature I have used in GitLab that I thought could be improved is their code generation feature."

What is our primary use case?

My main use case for GitLab is utilizing it in three main ways: one is using the Issues and Epics tracking for tasks, the second way is using the Wiki, which is the documentation feature, and then the third way is for code management.

Out of those three, I find myself using the Issues and Epics tracking feature the most often. I really quite like it because I find it clear and clean to use, and it works well when using it with numerous people.

We use the Issues feature to record our tasks and assign those out, as well as recording the description of what the task requires. Then we use the Epics feature to group the issues into categories, which makes it easier to track the tasks at a higher level.

What is most valuable?

In my opinion, the best features GitLab offers are the Issues and Epics feature, which I find very clean and clear to use, and it is very quick and responsive. I also quite value the Wiki feature because both of those are built into the same platform, making it very easy to bounce between the two and create links between the boards and the Wiki.

The ability to link between the boards and the Wiki helps my workflow and collaboration with my team by ensuring that if we have any tasks that need to be carried out, we have them on the Issues board, and we write runbooks in the Wiki on how to carry out the task. We copy the link of the Wiki and put it into the description of the tickets so that when someone is working on the ticket, they can very quickly go over to the Wiki and know how to carry out their task, which saves us time.

GitLab has positively impacted our organization by making our code very secure because GitLab prides itself on security. Storing code in GitLab is a very secure way to do it, and from an operational efficiency and time-saving perspective, the Issues and Epics board is definitely helpful, offering a few benefits operationally.

What needs improvement?

The only feature I have used in GitLab that I thought could be improved is their code generation feature. When I previously used it, some of my questions were met with responses saying that it did not know the answer, and some responses were incorrect as well. I understand this is something new for them, so they are still developing it, but I do not feel that it is in a position where I would use it regularly just because it is not very reliable right now.

For how long have I used the solution?

I have been working in my current field for between five and ten years.

What do I think about the stability of the solution?

GitLab is very stable. I have not seen any instability issues.

What do I think about the scalability of the solution?

GitLab is highly scalable and could very easily scale to thousands of code repos, which is necessary for any organizational size.

How are customer service and support?

The customer support for GitLab is very good, and I have no complaints because they have always been quite helpful. I would rate the customer support a ten out of ten because I have never had any issues with them before, and they are very knowledgeable.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Personally, I have previously used GitHub and Bitbucket as well. I find that GitLab has the cleanest and clearest UI out of all of them, and it has numerous features, such as the Issues and Epics tracking feature, as well as the Wiki feature, which sets it apart.

What was our ROI?

I have seen a return on investment. Any company that generates its own code and develops applications needs a code base, so it is more of a necessity rather than choosing something because it results in a measurable benefit. However, in terms of operational efficiency, a ten to twenty percent increase in speed could quite easily be seen from using the Issues and Epics tracking feature.

What's my experience with pricing, setup cost, and licensing?

Regarding pricing, setup cost, and licensing, to my understanding, GitLab offers competitive rates. There are a few big competitors within this space, such as GitHub and Bitbucket, so GitLab prices themselves competitively.

Which other solutions did I evaluate?

Before choosing GitLab, I did evaluate other options, and the main competitors I considered were GitHub and Bitbucket. They are great as well, and all three are brilliant, but GitLab, in my opinion, has the cleanest UI, which sets it apart.

What other advice do I have?

I would recommend others to use GitLab because it is a great tool and there are not any real major drawbacks, just a minor one related to the AI code generation. I have given this review an overall rating of nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jan 14, 2026