Burp Suite Extensions

POC

Burp Suite is definitely the most used tool for me on a daily basis since I started my new job. Which is funny in a way because in my old job, I found myself relying too heavily on it and trusting it way too much. That said, it is also my favorite tool. 

Don’t get me wrong, there is still a learning curve and I’m still learning more about it everyday but I decided to show what extensions I use and especially extensions that have come in handy now and then. Also, I’ll add a link to an extension I made.

burp-look
Here is my Burp default load; notice the 500 tabs from all of the extensions

By the way, yes I am still using the non-beta version of Burp. That is because I first jumped right into the beta upon release and quickly got worried of getting into trouble/ dealing with a hassle because I found plenty of things not working the way I want especially with active scanning, which I felt never paused or stopped even I told it too. 

I’m debating going through every extension and their value so unless just one person asks for an explanation, I’ll hold off. That said, here is a complete list of extensions I have loaded/unloaded:

list-of-plugins-1list-of-plugins-2

All of these are available if you have Burp Suite Professional within the Bapp Store except the last one ;]

Ones that I find really needed out of all of the above are:

  • Additional Scanner Checks
  • Freddy
  • Exiftool Scanner
  • Software Version Reporter/Software Vulnerability Scanner
  •  Error Message Checks
  • HTML5 Auditor
  • J2EEScan/Retire.js

That said, if you have the resources I’d really suggest using them all!

So now, with that out of the way, i’ll introduce my own extension:

GoldenNuggets! (Click here to download)

golden-nuggets-1

Meant to be a one click solution to create Wordlists of URI, Parameters and more.

I’m not going into depth about how important and how in love I am with Wordlists because I’m saving that for it’s own post, but let me just say that you can find a lot of great findings from solid wordlists. One cannot argue how beneficial creating wordlists from the websites/applications you test! Make it a habit and trust me you won’t regret it!

Expect more soon especially on my github!

End Transmission

 

Published

Leave a Reply