PimpMyBurp #4: Burp Suite extensions that should get your attention!

Categories
PimpMyBurp YesWeRHackers

Burp Suite is a great tool for bug bounty and general security testing. Given the wide range of available plugins, we have launched a series called “PimpMyBurp” to present our selection of Burp Suite extensions.

These last few weeks, we have selected 17 Burp Suite addons that caught our attention and certainly deserve yours. Let’s be honest: these extensions will not do everything for you, nor will they make you rich in the blink of an eye. However, those will certainly make your daily life as a Bug Hunter (so much) easier, especially because they are really convenient! Many of them can be used to do some one-click actions such as sending requests to FUFF or SQLmap directly, analysing Javascript… and more.

The following extensions are all very useful and complementary, so we decided to cover those in a single dedicated article rather than detailing each one separately. If you think I’ve forgotten some essential addons (and I probably did) feel free to ping me on Twitter.

👇 Addons to write your requests faster

BurpSuiteAutoCompletion & HopLa: autocompletion for headers & payloads

These two plugins are very similar but both helps when you want tosave time writing requests and crafting payloads and headers more easily. BurpSuiteAutoCompletion was the first addon (if I remember correctly) to integrate autocompletion for headers in Repeater tab and Intruder too. A few days ago, a new plugin (inspired by BurpSuiteAutoCompletion) has been released by Synacktiv. Called HopLa, this extension also add autocompletion for payloads.

InQl: GraphQL extension

Writing GraphQL requestcan be challenging, even more when you have mutations. In my last article about GraphQL exploitation, I told you about InQL, and it is thus quite naturally that this extension finds its place here. InQL allows you to perform Introspection, and if it’s available, you will have all Mutations and Query integrated in Burp Suite. You can then define a specific authorization header and it’s also possible to use a local web interface to build your GraphQL requests.

👇 Addons to (help you) find vulnerabilities (JWT, SSRF…)

Collaborator Everywhere: adding BurpCollaborator headers in your requests

Collaborator Everywhere is a simple but useful burp extension dedicated to SSRF vulnerabilities research. This addon, developed by James Kettle (aka Albinowax) will inject “non-invasive” headers, designed to reveal backend systems by causing pingbacks to Burp Collaborator.

From Albinowax: “To help efficiently triage pingbacks I wrote Collaborator Everywhere, a simple Burp extension that injects payloads containing unique identifiers into all proxied traffic, and uses these to automatically correlate pingbacks with the corresponding attacks.

AES Killer: decrypt AES Encrypted traffic on the fly

More and more web apps are using AES encryption (mobile application principally) but Burp can’t decrypt thid traffic easily. This extension will help you do the job. You still need to have a Secret Key and Initialize Vector which means you need to make little reverse on your target first.

HTTP Methods Discloser: list all HTTP methods available on your target

GET, POST, PATCH, PUT, DELETE… Do you test all methods every time on all your requests? HTTP Methods Discloser can do it for you and can help you find hidden methods. Very useful on API endpoints, sometimes vulnerabilities occur by using a different method like PUT instead of PATCH thus allowing to bypass 403 status.

JWT4B: cracking JWT has never been easier

Json Web Token is a common authentication method, which can come with various known problems if not properly implemented. “None” algo flaw, weak security key on HS256… JWT4B will add a new feature to read JWT and help you identify potential flaws.

403Bypasser: bypass restricted directory with multiple payloads

Any hacker know when a server respond with a status code “403 Forbidden” for a directory, this means “you should try to bypass this restriction“. 403Bypasser extension will try to use PassiveScan to detect the 403 status code and find a workaround on your target.

👇 Addons to pair Burp Suite with other tools

BC2Telegram : send burp collaborator notification in Telegram

It’s all in the title, this extension allow you to combine Burp Collaborator and Telegram to receive notification directly on this messenger application. Simple but effective.

Burp Copy As FFUF: copy your requests to use it with FFUF

FFUF is used by many people for enumerating files and directories (myself included) and coupled with Burp Suite, these tools can be very effective for recon. With Copy As FFUF you can create a default template to generate a specific query to use with FFUF, directly from Burp Suite with one click.

Burp-Send-To: adds a customizable “Send to…” context-menu to use with (SQLmap, WPscan, Nikto)

Burp is probably not the only tool you use for your hunting sessions. If you use other tools like SQLMap or your own custom scripts, this Burp-Send-To extension could be useful to add a little more automation when you want to export your query in ready-to-use mode. There are a lot of possibilities to customize and prepare your templates for export.

👇 Addons to enhance Burp (repeater, intruder, collaborator…)

Stepper: create sequences of steps in repeater

Stepper lets you create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps. For example, your target require multiple steps to authenticate (login form > 302 redirect > JWT in response), you can use Stepper to automatically extract the JWT and reuse it after.

Burp Repeater Tab Highlighter Javas: highlight Repeater tabs in different colors and fonts

After 24 hours of hunting, your repeater tab can be huge and it’s not always easy to find the right tab with the right payload and you kind of get into this situation of, “So, not this one with the old session cookie, the new one, but with the JSON content-type, yeah, this one. Oh no, not the 70… the 59 maybe… Oh no. Damn, it was tab number 41“. You know what I mean? 😉 Adding colors to the title of your tabs can therefore be useful and help you to quickly identify the right tab for the right test.

ReshaperForBurp: IFTTT for Burp Suite (IF This Then That)

Do you know IFTTT? It’s a useful service to create applets with conditional triggers. Who would not like to do the same on Burp? This is what the ReshaperForBurp extension offers. Many examples are available on the GitHub repository, feel free to use them as an inspiration!

👇 Addons to improve your recon

Burp Scope Monitor: monitor and keep track of tested endpoints

When you are facing a big target, it’s hard to keep the books and have a clear view of what you have already tested, which endpoint you have tried to broke and which endpoints you need to test yet. Burp Scope Monitor could help you organize your recon process with a dedicated tab where each endpoint can be marked as analyzed or not.

Domain hunter Pro: a recon tool embarked in Burp Suite (subdomain enumeration, crawl, retrieving page titles, status code…)

Recon is part of a global bug hunter routine and many external services, tools and scripts exist to do this. The extension Domain Hunter Pro could help you identify new assets, directly in Burp Suite. The tool is rather comprehensive and  offers numerous options to search all corners of your target.

Source-Mapper: analyze source map files and extract the source code

JavaScript Source Map files are debugging files containing the original & uncompressed source code of the deployed JavaScript code. These files can contain sensitive data and could be very useful for effective reconnaissance to gather new information about your target. Source-Mapper will try to identify these files in PassiveScan and analyze them in an attempt to extract the source code.