Andres Rauschecker

High flyers in the Hall of Fame

Interviewing the Web Security Academy high flyers

Andres Rauschecker, 26 years old, and Munich-based, is a cybersecurity enthusiast to his very core. He got into the field at a young age, pursuing what was initially just an interest and turning it into a BSc in Informatics. He followed that up with a Master's in Cybersecurity, taking a specific focus on web exploitation and vulnerability studies.

"I've been following the work of PortSwigger for some time now, as I love their whole ethos. They give so much value to the people who use their products, as well as the whole of the cybersecurity community."

A high flyer in the Web Security Academy Hall of Fame

His naturally competitive nature, and love of all things PortSwigger, led him to discover the Web Security Academy. He really enjoys the gamification of the labs available, as well as the focus on learning and understanding all the vulnerabilities out there.

Andres is a high flyer in our Hall of Fame, so we wanted to catch up with this cyber maven and find out what he had to say about his experience with the Web Security Academy.

Emma S (PortSwigger): First things first, how do you use Burp?

Andres Rauschecker: I use Burp Suite Pro in my job as a pentester, but also privately for various challenges and CTFs (Capture the Flag). The tool is a great companion during my everyday work.

"The Web Security Academy has allowed me to put Burp Suite Pro to the test - I can analyze how reliable automated scan configurations are, and how my overall workflow can be improved."

ES: What do you enjoy about using Burp Suite?

AR: I find it amazing how much Burp is able to automate - the things it can find on its own, especially command injection, are staggering. I don't always have as much time as I would like to go deep into the integrations, so the automation features are brilliant for me.

"I've actually created an internal document, to help my colleagues understand how to get the most benefit from using the amazing feature-set within Burp Suite. Every time I've completed another topic I end up with another page of notes to add to the document!"

Burp is the ultimate brain.

Andres Rauschecker

ES: Moving on to the Web Security Academy, what was your favorite topic?

AR: XSS, every time. I go back to those labs over and over again. Outside of the XSS topics though, I really enjoyed web cache poisoning and HTTP request smuggling. I read up on all of that research when it came out, and followed the talks from BlackHat, but I was never quite sure that I properly understood how it all worked. Having the Web Academy as a lab playground, with documentation and available solutions, really allowed me to check that I could properly execute those exploits.

"The expert level labs within the topics are mind blowing. It's so cool that you provided the solutions as well - they showed me vectors I would never have thought of before. They added so much value for me and were really insightful."

ES: So despite being highly competitive, you like having the solutions available?

AR: Oh yes definitely, you did it just right. The solutions aren't just a copy and paste answer, you have to actually work for it. With some of the topics there is an obvious single solution, but that's more due to the nature of the vulnerability than what the Web Security Academy gives you.

With the solutions on the Web Security Academy, it's not like you're just being given a cookie. It's more like you guys have given us the ingredients for a cookie, and we have to figure out how to make and bake it ourselves.

Andres Rauschecker

ES: Is there anything you've learned from the Web Security Academy?

AR: I've been really pleasantly surprised by how much I've learned from it actually. Having to follow the process of reading through the topics, then completing the labs, it's helped me to progress further into topics that I thought I was familiar with already. It's gamified yes, so I'm obviously having a good time whilst I'm learning, but it teaches me so much.

ES: What's the most useful thing you've gained from doing the labs?

AR: It was in one of the XSS topics actually. I can't believe I never thought about it this way, but I was always focused on attacking a web page within its own window context. What I didn't think about was how embedding that window or interacting with it from outside contexts (e.g. iframes, postMessage handlers) could allow different attacks.

ES: Have you noticed any other benefits from working through the topics?

AR: One thing I do find myself doing actually is stealing the payloads from the lab solutions. I was recently working with an extended cross-site request forgery vulnerability, and I was copying the payloads from the Web Security Academy lab solutions to help me with this.

"The payloads are really basic, there's nothing random around them, which makes them really helpful to use for client demonstrations. There's no huge JavaScript code spawning a remote shell, or anything like that, so they fit really well with my demonstrations to explain things to clients in a simple manner, which saves me loads of time."

ES: Have you got any advice for new users looking to work through the Web Security Academy?

AR: The advice I would give anyone would be to take notes. The information that PortSwigger shares, totally for free, is incredibly valuable - so write it all down!

The best advice I could share, for anyone starting out on the Web Security Academy, is to pick a topic that interests you. Hacking is meant to be fun, so start somewhere where you know you'll be interested and work up from there.

Andres Rauschecker

ES: If you could change something about the Web Security Academy, or add any feature to improve it, what would it be?

AR: I had to really think about this, but if I was going to suggest anything I would like to see more browser-dependent attacks in the XSS topics. Some of the labs there are really based on the browser and compatibility, so it would be cool to incorporate more configuration options. I would also love to see your YouTube channel linked to the Academy.

"When I found out there was a video explaining who Carlos was I had to go and watch it. I wanted to know more about PortSwigger, and more about this guy that I had to keep deleting!"

ES: And finally, is there anything else you'd like to add for people getting started on the Web Security Academy?

AR: The XSS cheat sheet is amazing, I use it almost every single day, so make sure you are making the best use of that. Quite a few of my colleagues didn't know about it so I've shared it around with anyone and everyone - it's just so useful that I felt like they should all have it!

PortSwigger is a huge company in the cybersecurity field that gives back and creates a community. The way that Burp has developed, how you listen to the community, and create free learning material, it's absolutely amazing. The best thing I can do is to promote you guys!

Andres Rauschecker

Take Andres' advice and get started on the Web Security Academy