BSides Glasgow 2018 - Paul Johnston - Replicator: Helping Developers to Replicate Pen Test Findings

Talk delivered at BSides Glasgow 2018 on the 27th of April. Abstract - Developers need to be able to replicate issues discovered by pen testers to understand the root cause and verify fixes. This can be difficult, especially when there is complex session logic, and when vulnerabilities require security tools to exploit. Replicator is a Burp extension, available in the BApp Store, that helps developers to replicate pen test issues. The pen tester creates a Replicator file which contains the vulnerability payloads, along with session handling rules, Burp configuration and detection logic. The develop can load this file into Replicator and quickly reproduce the issues. This talk will describe the difficulties that motivated the extension, demonstrate practical usage in various scenarios, and explain how it works under the hood.