A lot of services are provided through the Web. Pentesters are spending a lot of time testing Web applications, Web Services, REST and JSON interfaces, mobile applications and thick clients. For all these assessments, an interactive HTTP proxy is mandatory to intercept, analyze, modify and replay the traffic. Burp Pro is the "de facto" tool for this kind of job. This presentation conveys many years of experience in using this tool and will try to address real-life situations. Topics covered: recent features like Burp Extender, testing of mobile applications, automatic scanning despite CSRF tokens (using "Recursive Grep" or Macros) and session logout, interactive parsing and manipulation of items, useful tricks like shortcuts and backups, efficient brute-forcing of BasicAuth forms, ...