Burp Suite - Top Extensions



In this article we list our favourite and most handy Burp extensions. They can be installed from the Burp Extender tab, from GitHub or from the BApp Store. Burp is essential for most web application and even mobile application testing.

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp’s capabilities. - https://portswigger.net/bappstore

The Essentials

1. Retire.js

This extension integrates Burp with the Retire.js repository to find vulnerable JavaScript libraries.

It passively looks at JavaScript files loaded and identifies those which are vulnerable based on various signature types (URL, filename, file content or specific hash).

2. Software Version Reporter

This extension passively detects server software version numbers during scanning, spidering etc.

Often the server version is revealed only on error responses, which may not be visible during the normal course of testing. Some examples are:

"Apache Tomcat/6.0.24 - Error report"
"Server: Apache/2.2.4 (Unix) mod_perl/2.0.3 Perl/v5.8.8"
"X-AspNet-Version: 4.0.30319"

Match rules are loaded from a remote tab-delimited file at extension startup. Users can also load their own match rules from a local file or using the BApp GUI.
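As an added illustration (not the extension's own code) of what a passive version check does, the block below loads tab-delimited match rules, runs them over constructed raw responses containing the three example strings above, and records which response first disclosed each version. The rule-file layout is an assumption made here; the real extension's remote rule format is not shown on the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed rule file (assumed layout, ours): software name <TAB> regex whose
# first capture group is the version string.
MATCH_RULES = (
    "Apache Tomcat\tApache Tomcat/(\\d+(?:\\.\\d+)+)\n"
    "Apache httpd\tServer: Apache/(\\d+(?:\\.\\d+)+)\n"
    "mod_perl\tmod_perl/(\\d+(?:\\.\\d+)+)\n"
    "ASP.NET\tX-AspNet-Version: (\\d+(?:\\.\\d+)+)\n"
)


def load_rules(text: str) -> List[Tuple[str, "re.Pattern[str]"]]:
    """Parse tab-delimited rules; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pattern = line.split("\t", 1)
        rules.append((name, re.compile(pattern)))
    return rules


def scan_response(raw_response: str, rules) -> Dict[str, str]:
    """Passive check on one raw HTTP response: returns {software: version}."""
    found = {}
    for name, rx in rules:
        m = rx.search(raw_response)
        if m:
            found[name] = m.group(1)
    return found


def report(responses: List[Tuple[str, int, str]], rules) -> Dict[Tuple[str, str], Tuple[str, int]]:
    """Scan (url, status, raw_response) tuples and keep the first sighting of each
    software/version pair, so the report shows which (often error) response leaked it."""
    seen: Dict[Tuple[str, str], Tuple[str, int]] = {}
    for url, status, raw in responses:
        for software, version in scan_response(raw, rules).items():
            seen.setdefault((software, version), (url, status))
    return seen


# Constructed sample traffic: the version only appears on the 500 error page.
SAMPLE_RESPONSES = [
    ("https://app.example/login", 200,
     "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    ("https://app.example/%00", 500,
     "HTTP/1.1 500 Internal Server Error\r\n"
     "Server: Apache/2.2.4 (Unix) mod_perl/2.0.3 Perl/v5.8.8\r\n\r\n"
     "<h3>Apache Tomcat/6.0.24 - Error report</h3>"),
    ("https://app.example/api", 200,
     "HTTP/1.1 200 OK\r\nX-AspNet-Version: 4.0.30319\r\n\r\n{}"),
]
```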

3. ExifTool Scanner

This Burp extension reads metadata from various filetypes (JPEG, PNG, PDF, DOC, XLS and much more) using ExifTool. Results are presented as Passive scan issues and Message editor tabs.

Windows, Linux and macOS binaries of ExifTool (version 11.10) are embedded in the extension. Other versions can be used by placing them on the system path.

4. Autorize

Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities, one of the more time-consuming tasks in a web application penetration test.

It is sufficient to give to the extension the cookies of a low privileged user and navigate the website with a high privileged user. The extension automatically repeats every request with the session of the low privileged user and detects authorization vulnerabilities.

It is also possible to repeat every request without any cookies in order to detect authentication vulnerabilities in addition to authorization ones.

The plugin works without any configuration, but is also highly customizable, allowing configuration of the granularity of the authorization enforcement conditions and also which requests the plugin must test and which not. It is possible to save the state of the plugin and to export a report of the authorization tests in HTML or in CSV.

5. JSON Web Token Attacker

JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper

This extension helps to test applications that use JavaScript Object Signing and Encryption, including JSON Web Tokens.

Features

  • Recognition and marking
  • JWS/JWE editors
  • (Semi-)Automated attacks
  • Bleichenbacher MMA
  • Key Confusion (aka Algorithm Substitution)
  • Signature Exclusion
  • Base64url en-/decoder
  • Easy extensibility of new attacks

6. Logger++

This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format.

Useful Tweaks

1. PDF Viewer

This extension adds a tab to the HTTP message viewer to render PDF files in responses.

2. Request Highlighter

Request Highlighter is a simple extension for Burp Suite (both Community and Professional editions) that automatically highlights HTTP requests based on header content (e.g. Host, User-Agent, Cookie, auth token, custom headers). With Request Highlighter, testers can easily identify and point out, within the Proxy history tab, requests belonging to different sessions, hosts, browsers or devices.

3. Add Custom Header

Add or update custom HTTP headers from session handling rules. This is especially useful for JSON Web Tokens (JWT).

Data conversion

1. .NET Beautifier

This extension beautifies .NET requests to make the body parameters more human readable. Built-in parameters like VIEWSTATE have their values masked. Form field names have the auto-generated part of their name removed.

Requests are only beautified in contexts where they can be edited, such as the Proxy intercept view. For example, a .NET request with the following body:

__VIEWSTATE=%2oiAIHfiohsdoigjKLASgjghajklgjSDGsjdglSDJg9SDJGsdgjSGJDDSasdfja9sdjfasdfja0sdfja
... [1000 lines later] ...
&ctl00%24ctl00%24InnerContentPlaceHolder%24Element_42%24ctl00%24FrmLogin%24TxtUsername_internal=username&ctl00%24ctl00%24InnerContentPlaceHolder%24Element_42%24ctl00%24FrmLogin%24TxtPassword_internal=password&ctl00%24ctl00%24InnerContentPlaceHolder%24Element_42%24ctl00%24BtnLogin=Login

will be displayed like this:

__VIEWSTATE=&TxtUsername_internal=username&TxtPassword_internal=password&BtnLogin=Login

This is done without compromising the integrity of the underlying message so you can edit parameter values and the request will be correctly reconstructed. You can also send the beautified messages to other Burp tools, and they will be handled correctly.
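The transformation described above, written out as an added example (our own code, not the extension's): built-in parameters such as __VIEWSTATE are masked, the auto-generated `ctl00$...` prefix is dropped from field names, and a small state record lets the edited view be rebuilt into the real body. The sample body is constructed here with a shortened VIEWSTATE value.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode

# Built-in ASP.NET parameters whose long, opaque values are hidden in the view.
MASKED_PARAMS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR", "__EVENTVALIDATION"}


def short_name(full: str) -> str:
    """'ctl00$...$FrmLogin$TxtUsername_internal' -> 'TxtUsername_internal'."""
    return full.rsplit("$", 1)[-1]


def beautify(body: str) -> Tuple[str, Dict]:
    """Return (display_body, state); state holds what is needed to rebuild the original."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names: Dict[str, str] = {}      # short name -> full name
    masked: Dict[str, str] = {}     # full name -> hidden value
    shown: List[Tuple[str, str]] = []
    for full, value in pairs:
        short = short_name(full)
        if short in names and names[short] != full:
            short = full            # two fields share a suffix: keep this one's full name
        names[short] = full
        if full in MASKED_PARAMS:
            masked[full] = value
            value = ""
        shown.append((short, value))
    return urlencode(shown), {"names": names, "masked": masked}


def reconstruct(display_body: str, state: Dict) -> str:
    """Rebuild the real request body after the tester edited the beautified view.
    A mask left empty is replaced by the original value; an edited mask is kept."""
    rebuilt = []
    for short, value in parse_qsl(display_body, keep_blank_values=True):
        full = state["names"].get(short, short)
        if full in state["masked"] and value == "":
            value = state["masked"][full]
        rebuilt.append((full, value))
    return urlencode(rebuilt)


# Constructed sample body using the layout shown in the article.
PREFIX = "ctl00%24ctl00%24InnerContentPlaceHolder%24Element_42%24ctl00%24"
SAMPLE_BODY = (
    "__VIEWSTATE=dDwtMTIzNDU2Nzg5Ow%3D%3D"
    "&" + PREFIX + "FrmLogin%24TxtUsername_internal=username"
    "&" + PREFIX + "FrmLogin%24TxtPassword_internal=password"
    "&" + PREFIX + "BtnLogin=Login"
)
```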

2. Cookie Decrypter

A Burp Suite Professional extension for decrypting/decoding various types of cookies.

  • Passive scanner checks create informational issues in Burp Suite
  • Currently handles Netscaler, F5 BigIP, and Flask cookies
  • Written in Python
  • Requires Jython 2.7+

3. JSON Beautifier

This extension adds a new tab to Burp’s HTTP message viewer to beautify JSON content.

Scanner Improvements

1. Active Scan++

ActiveScan++ extends Burp Suite’s active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers:

  • Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding)
  • Edge side includes
  • XML input handling
  • Suspicious input transformation (eg 7*7 => ‘49’, \x41\x41 => ‘AA’)
  • Passive-scanner issues that only occur during fuzzing (install the ‘Error Message Checks’ extension for maximum effectiveness)

It also adds checks for the following issues:

  • Blind code injection via expression language, Ruby’s open() and Perl’s open()
  • CVE-2014-6271/CVE-2014-6278 ‘shellshock’ and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629, CVE-2018-11776

It also provides insertion points for HTTP basic authentication.

To invoke these checks, just run a normal active scan.

The host header checks tamper with the host header, which may result in requests being routed to different applications on the same host. Exercise caution when running this scanner against applications in a shared hosting environment.

2. Backslash Powered Scanner

This extension complements Burp’s active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.

For more information, please refer to the whitepaper at http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html

3. CMS Scanner

An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.

Test cases:

  • Drupal - CVE-2014-3704 - SQL Injection (Drupalgeddon)
  • Joomla - CVE-2017-8917 - SQL Injection
  • Wordpress - CVE-2017-9603 - WP Jobs Plugin - SQL Injection
  • Wordpress - Single Personal Message Plugin - SQL Injection

4. CSRF Scanner

This extension can be used to passively scan for CSRF (cross-site request forgery) vulnerabilities.

To use, load the extension and send items for scanning in the normal way. The check for CSRF vulnerabilities will be run as part of normal passive scanning.

5. SSL Scanner

This extension enables Burp to scan for SSL vulnerabilities.

Most of the testing logic is taken from testssl.sh. The Heartbleed and CCS Injection test code is modified from a2sv.

Vulnerabilities:

  • SSLv2 and SSLv3 connectivity
  • Heartbleed
  • CCS Injection
  • TLS_FALLBACK_SCSV support
  • POODLE (SSLv3)
  • Sweet32
  • DROWN
  • FREAK
  • LUCKY13
  • CRIME (TLS Compression)
  • BEAST
  • Check for weak ciphers
  • BREACH
  • Logjam

6. HTTPoxy Scanner

This extension adds an active scan check for the HTTPoxy vulnerability.

HTTPoxy is a vulnerability that arises when the application reads the Proxy header value from an HTTP request, saves it to the HTTP_PROXY environment variable, and outgoing HTTP requests made by the server use it to proxy those requests.
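The mechanism above, modelled as an added example (our own simplified code, not the extension's): the CGI header-to-environment mapping turns a client-supplied Proxy header into HTTP_PROXY, a naive client library then honours it, and the check reports whether a constructed probe value ends up as the outbound proxy. The hardened variants show the two fixes: dropping the header server-side, and ignoring HTTP_PROXY when running as a CGI script (the approach taken by, for example, Go's net/http and Python's urllib).

```python
from typing import Callable, Dict, Optional

Headers = Dict[str, str]
Env = Dict[str, str]


def cgi_environ(headers: Headers, strip_proxy: bool = False) -> Env:
    """Simplified RFC 3875-style mapping: each request header becomes HTTP_<NAME>
    with '-' turned into '_'. Assumption: a model for this article, not any server's code."""
    env: Env = {"REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue  # hardened server: never let a client header become HTTP_PROXY
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env: Env) -> Optional[str]:
    """Model of a client library that trusts HTTP_PROXY / http_proxy unconditionally."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def cgi_aware_outbound_proxy(env: Env) -> Optional[str]:
    """Hardened client: inside a CGI script (REQUEST_METHOD set) HTTP_PROXY is
    request-controlled, so only the lower-case variable, which CGI never sets, is used."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def httpoxy_check(probe: str, build_env: Callable[[Headers], Env],
                  pick_proxy: Callable[[Env], Optional[str]]) -> bool:
    """Scanner-style check: a request carrying 'Proxy: <probe>' is vulnerable when the
    application's outbound proxy selection returns the probe value."""
    headers: Headers = {"Host": "app.example", "Proxy": probe}
    return pick_proxy(build_env(headers)) == probe


# Constructed probe value; a real check would point at a listener it controls.
PROBE = "probe.invalid:8080"
```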

7. Same Origin Method Execution

This extension monitors HTTP requests and responses to determine if a webpage is vulnerable to same origin method execution.

For more details, see Finding Same Origin Method Execution Vulnerabilities.

8. Upload Scanner

Testing web applications is a standard task for every security analyst. Various automated and semi-automated security testing tools exist to simplify the task. HTTP based file uploads are one specialised use case. However, most automated web application security scanners are not adapting their attacks when encountering file uploads and are therefore likely to miss vulnerabilities related to file upload functionalities.

Main feature

While the extension has various interesting features in its various modules, one of the main features is:

  • Taking a small gif, png, jpeg, tiff, pdf, zip and mp4 file
  • If it’s an image, resize the image (sizes are UI options)
  • If it’s an image, give it a random new color
  • If the file format supports it, use the exiftool file format metadata techniques “keywords”, “comment”, “iptc:keywords”, “xmp:keywords”, “exif:ImageDescription” and “ThumbnailImage” …
  • … to inject PHP, JSP, ASP, XXE, SSRF, XSS and SSI payloads …
  • … then upload with various combinations of file extensions and content-types …
  • … to detect issues via sleep based payloads, Burp Collaborator interactions or by downloading the file again

9. XSS Validator

This extension sends responses to a locally running XSS-Detector server, powered by Phantom.js or Slimer.js.

Serialization Vulnerabilities

1. J2EEScan

The goal of this extension is to improve the test coverage during web application penetration tests on J2EE applications. It adds some new test cases and new strategies to discover different kind of J2EE vulnerabilities.

Test cases:

  • Expression Language Injection (CVE-2011-2730)
  • JBoss SEAM Remote Command Execution (CVE-2010-1871)
  • Java Server Faces Local File Include (CVE-2013-3827 CVE-2011-4367)
  • Local File include - /WEB-INF/web.xml Retrieved
  • Local File include - Spring Application Context Retrieved
  • Local File include - struts.xml Retrieved
  • Local File include - weblogic.xml Retrieved

There are many more test cases; see the BApp Store for the full list.

2. Java Deserialization Scanner

This extension gives Burp Suite the ability to find Java deserialization vulnerabilities.

It adds checks to both the active and passive scanner and can also be used in an “Intruder like” manual mode, with a dedicated tab.

The extension allows the user to discover and exploit Java Deserialization Vulnerabilities with different encodings (Raw, Base64, Ascii Hex, GZIP, Base64 GZIP) when the following libraries are loaded in the target JVM:

  • Apache Commons Collections 3 (up to 3.2.1), with four different chains
  • Apache Commons Collections 4 (up to 4.4.0), with two different chains
  • Spring (up to 4.2.2)
  • Java 6 and Java 7 (up to Jdk7u21) without any weak library
  • Hibernate 5
  • JSON
  • Rome
  • Java 8 (up to Jdk8u20) without any weak library
  • Apache Commons BeanUtils

The new CPU mode can also detect deserialization issues without any vulnerable library present, thanks to the work of Wouter Coekaerts: https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Once a Java deserialization vulnerability has been found, a dedicated exploitation tab offers a comfortable interface for exploiting it using frohoff's ysoserial: https://github.com/frohoff/ysoserial

Mini walkthrough: https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/

3. Java Serialized Payloads

This extension generates various Java serialized payloads designed to execute OS commands. There are three ways to use the extension:

  • Generate a payload from the Java Serialized Payloads Tab. You can then copy and paste it into other tabs in Burp.

  • Generate a payload from the Java Serialized Payloads Tab. In another tab you can select the text you want to replace and right click. You have three encoding options:

    Raw - This will replace your selected text with a raw unencoded version of the payload.
    B64 - This will replace your selected text with a Base64 encoded version.
    URLEnc - This will replace your selected text with a URL-encoded and Base64 encoded payload.

  • You can use inline commands to replace your text with a payload that contains your command.

WAFs & Proxies

1. What-The-WAF

This extension adds a custom payload type to the Intruder tool, to help test for bypasses of Web Application Firewalls (WAFs).

Usage:

  • In the “What the WAF” tab, configure details of the target application, and the payload lists you would like to use.
  • In Intruder, select the “Extension generated” payload type, and choose the “What the WAF” payload generator.
  • Launch the Intruder attack in the normal way.

2. Bypass WAF

This extension adds headers to all Burp requests to bypass some WAF products. The following headers are automatically added to all requests:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Parameter Tampering

1. Reflected File Download Checker

This extension checks for reflected file downloads.

2. Reflected Parameters

This extension monitors traffic and looks for request parameter values (longer than 3 characters) that are reflected in the response.

The extension monitors in-scope requests made by the Proxy and Spider tools. You can send reported items to other Burp tools. When sending an item to the Scanner, you can choose to scan all reflected parameters or only one reflected parameter.

Cloud Services

1. AWS Security Checks

This extension provides additional Scanner checks for AWS security issues.

Passive checks performed:

  • AWS secrets returned in response

Active checks performed:

  • S3 buckets in use
  • S3 buckets unauth read
  • S3 buckets unauth write
  • S3 buckets authed read (requires AWS SDK)
  • S3 buckets authed write (requires AWS SDK)
  • AWS secrets accessible via meta-data

2. Cloud Storage Tester

This extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues.

You can enter AWS keys or GS keys from your management console to run thorough tests. The extension still provides minimal functionality (e.g. identifying buckets) even if no keys are supplied.

API Testing

1. Meth0dMan

This extension helps with testing HTTP methods. It generates custom Burp Intruder payloads based on the site map, allowing quick identification of several HTTP method issues.

Features:

  • Custom Burp Intruder payloads based on the current site map.
  • Automatic parameter highlighting within Burp Intruder.
  • Helps find directory listings, cross-site tracing (XST) and other issues.

2. OpenAPI Parser

This extension provides the following features:

  • Parse OpenAPI documents, formerly known as the Swagger specification, fully compliant with OpenAPI 2.0/3.0 Specifications (OAS). Supports both JSON and YAML formats.
  • OpenAPI documents can be parsed either from a supplied file or URL. The extension can fetch OpenAPI documents directly from a URL using the Send to OpenAPI Parser feature under the Target -> Site map context menu.
  • Requests can be sent to the Comparer, Intruder, Repeater, Scanner and Site map Burp tools.

3. Postman Integration

This extension integrates with the Postman tool by generating a Postman collection JSON file.

To use it, select the requests you want to export, and choose “Export as Postman Collection” from the context menu. This will open a dialog that allows you to configure the output and generate the file.

Authentication

1. NTLM Challenge Decoder

This extension decodes NTLM SSP headers. NTLM challenges over HTTP allow us to decode interesting information about a server, such as:

  • The server’s hostname
  • The server’s operating system
  • The server’s timestamp
  • The domain’s name
  • The domain’s FQDN
  • The parent domain’s name

2. SAML Raider

SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core features - a SAML message editor and an X.509 certificate manager.

The message editor provides the following capabilities:

  • Sign SAML Messages
  • Sign SAML Assertions
  • Remove Signatures
  • Edit SAML Messages (Supported Messages: SAMLRequest and SAMLResponse)
  • Preview eight common XSW Attacks
  • Execute eight common XSW Attacks
  • Send certificate to SAML Raider Certificate Management
  • Undo all changes of a SAML Message
  • Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile
  • Supported Bindings: POST Binding, Redirect Binding, SOAP Binding, URI Binding

The certificate manager provides the following capabilities:

  • Import X.509 certificates (PEM and DER format)
  • Import X.509 certificate chains
  • Export X.509 certificates (PEM format)
  • Delete imported X.509 certificates
  • Display information about X.509 certificates
  • Import private keys (PKCS#8 in DER format and traditional RSA in PEM format)
  • Export private keys (traditional RSA Key PEM Format)
  • Cloning X.509 certificates
  • Cloning X.509 certificate chains
  • Create new X.509 certificates
  • Edit and self-sign existing X.509 certificates

3. Wsdler

This extension takes a WSDL request, parses out the operations that are associated with the targeted web service, and generates SOAP requests that can then be sent to the SOAP endpoints.

To use this extension, select a suitable item in Burp, and choose “Parse WSDL” from the context menu.

The extension builds upon the work done by Tom Bujok and his soap-ws project which is essentially the WSDL parsing portion of Soap-UI without the UI.

Auditing And Code Review

1. CSP-Bypass

This extension is designed to passively scan for CSP headers that contain known bypasses as well as other potential weaknesses.

2. Detect Dynamic JS

This extension compares JavaScript files with each other to detect dynamically generated content and content that is only accessible when the user is authenticated. This occasionally contains not only code but also data with user or session information. User/session information can then be checked for potential leakage. This extension is supposed to help hunting for exploitable situations.

3. HTML5 Auditor

This extension checks for usage of HTML5 features that have potential security risks, including:

  • client side storage
  • client geo-location
  • HTML5 client caches
  • web sockets

4. UUID Detector

This extension passively reports UUID/GUIDs observed within HTTP requests.

Mobile Application Tests

1. Brida, Burp to Frida bridge

This extension works as a bridge between Burp Suite and Frida, letting you call and manipulate an application's own methods while tampering with the traffic exchanged between the application and its back-end services. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android and QNX).

Randomly Useful

1. GWT Insertion Points

This extension automatically identifies insertion points for GWT (Google Web Toolkit) requests when sending them to the active Scanner or Burp Intruder.

KSEC Labs