First, of course, a link to the interview https://www.youtube.com/watch?v=U0bPPw6uPgY">https://www.youtube.com/watch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Books I cherised in the early days: "Building Internet Firewalls" and "The Web Application Hacker& #39;s Handbook"
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        What I consider a very good talk: Unicode research by  @h3xstream at  @northsec_io 2020  https://gosecure.github.io/presentations/2020-05-unicode-northsec/unicode_v3_northsec.pdf">https://gosecure.github.io/presentat...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        English-speaking video of my 2015 talk on SSRF (the one which changed Naffy& #39;s view on hacking): https://www.youtube.com/watch?v=8t5-A4ASTIU">https://www.youtube.com/watch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        And a French version of the same talk (with more jokes!!), given at  @hackfest_ca  https://www.youtube.com/watch?v=TrBUrVDlc20">https://www.youtube.com/watch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        How to select a subject: try dozens of them (for example on  @WebSecAcademy labs) and keep the ones that really got you intellectually excited
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        How to reach the (public) "state of the art": select a subject, read/watch all the good stuff on it, replicate at home, then battle-test your skills on real targets
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        How to find innovative stuff: reach the state of the art and continue exploring (possibly because known techniques don& #39;t work on your targets), either in depth or in width
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Cf  @NahamSec and  @daeken research on PDF generators https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/edit">https://docs.google.com/presentat...
                        
                                                
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Another example with  @orange_8361 research on abusing URL parsers  https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf">https://www.blackhat.com/docs/us-1...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        One of my first workshop on Burp Suite (2013 - in French - image quality is awful) https://www.youtube.com/watch?v=BD3aTpMfoBc">https://www.youtube.com/watch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        My lastest blog post on Burp Suite: how to deal with CSRF tokens in Intruder, without macros  https://www.agarri.fr/blog/archives/2020/01/13/intruder_and_csrf-protected_form_without_macros/index.html">https://www.agarri.fr/blog/arch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        An older blog entry, where I exploit a blind XSS with only Burp Suite  https://www.agarri.fr/blog/archives/2017/04/04/exploiting_a_blind_xss_using_burp_suite/index.html">https://www.agarri.fr/blog/arch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Last one: exploiting WPAD with Burp Suite and a custom extension, for example during internal pentests  https://www.agarri.fr/blog/archives/2013/10/22/exploiting_wpad_with_burp_suite_and_the_http_injector_extension/index.html">https://www.agarri.fr/blog/arch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Burp Suite extensions I recommend (in no specific order): AutoRepeater, Content Type Converter, Param Miner, Request Minimizer, Backslash Powered Scanner, ActiveScan++, Taborator, Paramalyzer, Upload Scanner, Hackvertor, Piper, Request Timer, Logger++, Add Custom Header
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        One way to optimize your Burp Suite workflow: learn keyboard shortcuts and combine them (any idea what Ctrl-R + Ctrl-Shift-R + Control-Space will do?)
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        A second way, shortening feedback loops: use macros and session handling rules to automate common scenarios, like injecting in page A and looking at the response of page B
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Knowing how to program is super useful. Here& #39;s a basic Bash script, used to download videos from Twitter https://gist.github.com/ngregoire/43891d80fde3c6cbb1a52a5a6468fe41">https://gist.github.com/ngregoire...
                        
                                                
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        My favorite French expression is "La putain de sa mère !"
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        One single advice for newcomers and future hackers: you have only one reputation. Take care of it, that will maximize your opportunities.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Recent example: long-read on  @MalwareTechBlog at Wired https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/">https://www.wired.com/story/con...
                        
                                                
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I& #39;ll give an online Burp Suite Pro training in early August, with my great assistant  @AbyXss  https://ringzer0.training/mastering-burp-suite-pro.html">https://ringzer0.training/mastering...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        My "HTTP Traceroute" tool and research from 2011 (apparently still useful, according to the stream& #39;s chat)  https://www.agarri.fr/blog/archives/2011/11/12/traceroute-like_http_scanner/index.html">https://www.agarri.fr/blog/arch...
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Quoting myself: "In order to do new research, you don& #39;t need a new subject!"
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                
                 
                         Read on Twitter
Read on Twitter 
                                     
                                    