In this article you are going to learn about five Burp Suite extensions that are really helpful in bug bounty hunting. They are just as useful during a normal penetration testing engagement.
Before starting the list, the section below is for those who don't know how to install extensions in Burp Suite.
How to install extensions in Burp Suite?
There are a few simple steps to install an extension in Burp Suite.
1. When you open Burp Suite you can see different tabs such as Proxy, Intruder and Repeater. Among them there is a tab named Extender; that is where extensions are installed.
(The screenshot above is from Burp version 2.0.11; the latest at the time of writing is 2.1.06, but the functionality is the same.)
2. In the Extender tab, open the BApp Store sub-tab.
3. Here you can see all the extensions available.
4. To install an extension, select it, scroll down the page and click Install.
Two things to check before you click: some BApps only work in Burp Suite Professional (the store says so on the extension's page), and extensions written in Python need the Jython standalone jar configured under Extender > Options before they will load.
That's it; you now know how to install Burp extensions.
Let’s start the list.
1. ActiveScan++
The first on our list is ActiveScan++. It is one of the most popular Burp Suite extensions. Burp already ships with active and passive scanners; this extension does not replace them but adds further checks to a normal active scan, listed below.
Official Description
ActiveScan++ extends Burp Suite’s active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behavior that may be of interest to advanced testers:
- Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding)
- Edge side includes
- XML input handling
- Suspicious input transformation (eg 7*7 => ’49’, \x41\x41 => ‘AA’)
- Passive-scanner issues that only occur during fuzzing (install the ‘Error Message Checks’ extension for maximum effectiveness)
- Blind code injection via expression language, Ruby’s open() and Perl’s open()
- CVE-2014-6271/CVE-2014-6278 ‘shellshock’ and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629, CVE-2018-11776
It also provides insertion points for HTTP basic authentication.
To invoke these checks, just run a normal active scan.
The host header checks tamper with the host header, which may result in requests being routed to different applications on the same host. Exercise caution when running this scanner against applications in a shared hosting environment.
This extension requires Burp Suite Professional version 1.6 or later and Jython 2.5 or later standalone.
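Two of the checks listed above, reconstructed as a stand-alone Python example added to this article (it is not ActiveScan++'s own code and does not use the Burp extender API): the "suspicious input transformation" probes and the Host header reflection test, run against a constructed function that stands in for a target web application. The `${7*7}` probe, the canary wrapping and `fake_app` are assumptions for illustration.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# A response is (status, headers, body); a sender turns (params, headers) into one.
Sender = Callable[[dict, dict], tuple]

# Raw probe on the left, the form it takes if the server evaluates or decodes
# it on the right. The first two are the examples from the ActiveScan++
# description; the ${...} variant is a constructed addition.
TRANSFORM_PROBES = [
    ("7*7", "49"),
    (r"\x41\x41", "AA"),
    ("${7*7}", "49"),
]


@dataclass
class Finding:
    check: str
    probe: str
    evidence: str


def check_input_transformation(send: Sender, param: str,
                               canary: Optional[str] = None) -> list:
    """Send each probe wrapped in a canary and look for the *transformed*
    value inside the same canary in the response. The canary keeps a '49'
    or 'AA' that happens to be on the page from counting as a hit."""
    canary = canary or secrets.token_hex(4)
    findings = []
    for probe, transformed in TRANSFORM_PROBES:
        _, _, body = send({param: f"{canary}{probe}{canary}"},
                          {"Host": "target.example"})
        reflected_raw = f"{canary}{probe}{canary}" in body
        reflected_transformed = f"{canary}{transformed}{canary}" in body
        if reflected_transformed and not reflected_raw:
            findings.append(Finding("suspicious input transformation", probe,
                                    f"{probe} came back as {transformed}"))
    return findings


def check_host_header(send: Sender,
                      canary_host: str = "canary.attacker.example") -> list:
    """Tamper with the Host header and report where the attacker-controlled
    value is reflected (the precondition for password reset poisoning and
    web cache poisoning). As the description warns, this may route the
    request to a different application on a shared host."""
    _, headers, body = send({}, {"Host": canary_host})
    locations = [f"header {name}" for name, value in headers.items()
                 if canary_host in value]
    if canary_host in body:
        locations.append("body")
    return [Finding("host header reflection", canary_host, loc)
            for loc in locations]


def fake_app(params: dict, headers: dict) -> tuple:
    """Constructed stand-in for a target (not a real server): renders a
    greeting through a template that evaluates ${a*b} and decodes backslash
    escapes, and builds a password reset link from the Host header."""
    name = params.get("name", "anonymous")
    name = re.sub(r"\$\{(\d+)\*(\d+)\}",
                  lambda m: str(int(m.group(1)) * int(m.group(2))), name)
    name = name.encode("latin-1", "replace").decode("unicode_escape")
    host = headers.get("Host", "target.example")
    body = (f"<p>Hello {name}</p>"
            f'<a href="https://{host}/reset?token=example">reset password</a>')
    return 200, {"Content-Type": "text/html"}, body


if __name__ == "__main__":
    for f in check_input_transformation(fake_app, "name") + check_host_header(fake_app):
        print(f"[{f.check}] probe={f.probe!r}: {f.evidence}")
```

Against the constructed target the bare `7*7` probe is reflected unchanged and produces nothing, while `${7*7}` and `\x41\x41` come back transformed and the canary host lands in the reset link, which is exactly the kind of evidence the scanner reports for a human to follow up.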
2. Autorize
As the name suggests, the Autorize extension helps in detecting authorization vulnerabilities. Authorization checks are among the most time-consuming tests in web app pentesting, because every request has to be repeated with a lower-privileged session and the two responses compared by hand; Autorize automates that loop.
Official Description
It is sufficient to give the extension the cookies of a low-privileged user and navigate the website with a high-privileged user. The extension automatically repeats every request with the session of the low-privileged user and detects authorization vulnerabilities.
It is also possible to repeat every request without any cookies in order to detect authentication vulnerabilities in addition to authorization ones.
The plugin works without any configuration, but is also highly customizable, allowing configuration of the granularity of the authorization enforcement conditions and also which requests the plugin must test and which not. It is possible to save the state of the plugin and to export a report of the authorization tests in HTML or in CSV.
The reported enforcement statuses are the following:
- Bypassed! – Red color
- Enforced! – Green color
- Is enforced??? (please configure enforcement detector) – Yellow color
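The replay-and-compare loop and the three statuses above, as an added Python example (my reconstruction of Autorize's rules, not the extension's code): a constructed in-memory application with one endpoint that really can be bypassed, one that denies cleanly, and one that denies "softly" with a 200 page, which is the case that lands in the yellow status until the enforcement detector is configured. The endpoints, session names and detector are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    method: str
    path: str
    cookie: Optional[str]      # session cookie value; None = no cookies at all


@dataclass
class Response:
    status: int
    body: str


Detector = Callable[[Response], bool]

# Constructed target application, not a real one: two sessions and four
# endpoints of differing authorization quality.
SESSIONS = {"admin-session": "admin", "user-session": "user"}


def fake_app(req: Request) -> Response:
    user = SESSIONS.get(req.cookie or "")
    if user is None:
        return Response(401, "login required")
    if req.path == "/api/profile":          # any logged-in user, personalised
        return Response(200, f"profile of {user}")
    if req.path == "/admin/users":          # enforced with a clear 403
        if user != "admin":
            return Response(403, "Access denied")
        return Response(200, "user list: admin, user")
    if req.path == "/admin/export":         # missing check: the real bypass
        return Response(200, "user list: admin, user")
    if req.path == "/admin/audit":          # "soft" denial: 200 with a stub page
        if user != "admin":
            return Response(200, "<html>nothing to see here</html>")
        return Response(200, "audit log: 3 entries")
    return Response(404, "not found")


def classify(original: Response, replayed: Response, detector: Detector) -> str:
    """Autorize-style verdict (reconstruction, not the extension's code):
    the replay matched the enforcement detector -> Enforced!; the replay
    looks like the privileged response -> Bypassed!; anything else cannot
    be judged automatically -> Is enforced???"""
    if detector(replayed):
        return "Enforced!"
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"
    return "Is enforced???"


def autorize_run(send: Callable[[Request], Response], recorded: list,
                 low_priv_cookie: str, detector: Detector) -> list:
    """Replay every recorded high-privilege request twice: once with the
    low-privileged session (authorization) and once with no cookies
    (authentication), and classify each replay against the original."""
    report = []
    for req in recorded:
        original = send(req)
        as_low = send(Request(req.method, req.path, low_priv_cookie))
        as_anon = send(Request(req.method, req.path, None))
        report.append({
            "path": req.path,
            "authorization": classify(original, as_low, detector),
            "authentication": classify(original, as_anon, detector),
        })
    return report


def default_detector(resp: Response) -> bool:
    """Enforcement detector: a 401/403, or the app's denial text."""
    return resp.status in (401, 403) or "Access denied" in resp.body


# Requests "browsed" with the admin session, as the extension would record them.
RECORDED = [Request("GET", p, "admin-session")
            for p in ("/api/profile", "/admin/users", "/admin/export", "/admin/audit")]

if __name__ == "__main__":
    for row in autorize_run(fake_app, RECORDED, "user-session", default_detector):
        print(f"{row['path']:<16} authz={row['authorization']:<16} authn={row['authentication']}")
```

With the default detector `/admin/export` shows as Bypassed! and `/admin/users` as Enforced!, while `/admin/audit` and the personalised `/api/profile` come out as "Is enforced???" because the bodies differ without a recognisable denial. Extending the detector to match the stub text ("nothing to see here") moves `/admin/audit` to Enforced!, which is the tuning the yellow status is asking you to do.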
3. Flow
Burp's Proxy history only shows traffic that passed through the Proxy; requests sent by Repeater, Intruder, Scanner and the other tools are not collected there, so it is easy to lose track of what was actually sent. Flow gives you a single history view across all Burp tools.
Official Description
This extension provides a Proxy history-like view along with search filter capabilities for all Burp tools.
Requests without responses received are also shown and they are later updated as soon as a response is received. This might be helpful to troubleshoot e.g. scanning issues.
Requests and responses are split into separate columns (Repeater-like view).
If required the extension window can be detached from the Burp UI.
Requires Java version 7.
4. Headless Burp
This extension lets you run Burp Suite without the GUI and drive its Spider and Scanner from the command line, which is what you need to run a scan from a CI job rather than by hand.
Official Description
This extension allows you to run Burp Suite’s Spider and Scanner tools in headless mode via the command-line. It can:
- Run burp scan in headless or GUI mode.
- Specify target sitemap and add URL(s) to Burp’s target scope.
- Use the seed request/response data saved in a project file, generated by any integration, functional or manual testing.
- Mark issues as false positives, these will not be reported in the scan report anymore.
- Spider the target scope.
- Actively scan the target scope.
- Generate a scan report in JUnit, HTML, or XML format. The JUnit report can be used to instruct the CI server to fail the build when vulnerabilities are found.
- Shut down Burp
Usage details are in the official GitHub repository: https://github.com/NetsOSS/headless-burp
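How the JUnit report gates a CI build, as an added Python example that is not part of headless-burp: it parses a constructed JUnit-style report (the generic testsuite/testcase/failure layout, with one testcase per issue, the location in `classname` and the severity in the failure `message`; that mapping is an assumption, not headless-burp's documented schema) and fails the build unless every remaining issue has been reviewed and accepted, which is the role the false-positive marking listed above plays.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed JUnit-style report, not real headless-burp output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="burp-scan" tests="3" failures="2">
    <testcase classname="https://app.example/login" name="Cross-site scripting (reflected)">
      <failure message="High">parameter: q</failure>
    </testcase>
    <testcase classname="https://app.example/" name="Strict transport security not enforced">
      <failure message="Low"/>
    </testcase>
    <testcase classname="https://app.example/robots.txt" name="Robots.txt file"/>
  </testsuite>
</testsuites>
"""

SEVERITY = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


def failed_issues(report_xml: str) -> list:
    """Every testcase that carries a <failure>, as (issue, location, severity)."""
    root = ET.fromstring(report_xml)
    issues = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is not None:
            issues.append((case.get("name"), case.get("classname"),
                           failure.get("message", "")))
    return issues


def blocking_issues(report_xml: str, accepted: Iterable = (),
                    min_severity: str = "Low") -> list:
    """CI gate: the failed issues at or above min_severity that are not on
    the accepted list of (issue, location) pairs. Accepting a pair stands in
    for marking the issue as a false positive after a human has looked at it;
    keying on issue *and* location means the same finding on a new URL still
    blocks the build."""
    accepted = set(accepted)
    return [(name, where, sev) for name, where, sev in failed_issues(report_xml)
            if SEVERITY.get(sev, 0) >= SEVERITY[min_severity]
            and (name, where) not in accepted]


if __name__ == "__main__":
    blocking = blocking_issues(SAMPLE_REPORT)
    for name, where, sev in blocking:
        print(f"{sev}: {name} at {where}")
    sys.exit(1 if blocking else 0)
```

A build step then runs this after the scan and fails on a non-zero exit; raising `min_severity` to "Medium" lets low-severity noise through without having to accept each instance.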
5. Logger++
Logger++ looks like the Proxy history tab, but it logs the requests and responses of every Burp tool in real time, not just the ones that went through the Proxy, and lets you filter and search them.
Official Description
Logger++ is a multithreaded logging extension for Burp Suite. In addition to logging requests and responses from all Burp Suite tools, the extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter.
A built in grep tool allows the logs to be searched to locate entries which match a specified pattern, and extract the values of the capture groups.
To enable logs to be used in other systems, the table can also be uploaded to elasticsearch or exported to CSV.
Features:
- Works with the latest version of Burp Suite (tested on 1.7.27)
- Logs all the tools that are sending requests and receiving responses
- Ability to log from a specific tool
- Can save the results in CSV format
- Ability to show results of custom regular expressions in request/response
- User can customise the column headers
- Advanced Filters can be created to display only requests matching a specific string or regex pattern
- Row highlighting can be added using advanced filters to make interesting requests more visible
- Grep through logs
- Live requests and responses
- Multiple view options
- Pop out view panel
- Multithreaded
Current Limitations:
- Cannot log the requests’ actual time unless originating from proxy tool
- Cannot calculate the actual delay between a request and its response unless originating from proxy tool
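An added Python example, not Logger++'s own code, of the three things the description above combines: an advanced filter over tool, status and URL, a grep with capture-group extraction, and CSV export. It runs over a constructed log of traffic from several Burp tools; the entries, URLs and cookie values are made up. The worked grep pulls every Set-Cookie any tool received and reports which ones lack HttpOnly or Secure, something the Proxy history alone would miss for the Repeater request.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class LogEntry:
    tool: str
    method: str
    url: str
    status: int
    response_headers: str


# Constructed sample log, not captured from a real target. Note the Repeater
# and Intruder traffic that Proxy history alone would never show.
ENTRIES = [
    LogEntry("Proxy", "POST", "https://app.example/login", 302,
             "Set-Cookie: session=a1b2c3; Path=/; HttpOnly; Secure\r\nLocation: /home"),
    LogEntry("Repeater", "POST", "https://app.example/login?legacy=1", 302,
             "Set-Cookie: session=d4e5f6; Path=/\r\nLocation: /home"),
    LogEntry("Intruder", "GET", "https://app.example/api/user/7", 200,
             "Content-Type: application/json\r\nX-Request-Id: 7001"),
    LogEntry("Scanner", "GET", "https://app.example/search?q=x", 500,
             "Content-Type: text/html\r\nX-Debug: stack trace follows"),
]


def advanced_filter(entries: Iterable[LogEntry], tools=None, status=None,
                    url_regex: Optional[str] = None) -> list:
    """Logger++-style view filter: keep entries from the given tools, with
    the given status, whose URL matches the regex (all optional, ANDed)."""
    out = []
    for e in entries:
        if tools and e.tool not in tools:
            continue
        if status and e.status != status:
            continue
        if url_regex and not re.search(url_regex, e.url):
            continue
        out.append(e)
    return out


def grep(entries: Iterable[LogEntry], pattern: str) -> list:
    """Search response headers and return (entry, capture groups) for every
    match; this is the capture-group extraction the description mentions."""
    rx = re.compile(pattern)
    return [(e, m.groups()) for e in entries for m in rx.finditer(e.response_headers)]


def insecure_cookie_report(entries: Iterable[LogEntry]) -> list:
    """Worked use of grep: every Set-Cookie seen by any tool, with the
    security attributes it carries. Each row is ready for CSV export."""
    rows = []
    for e, (name, value, attrs) in grep(entries, r"Set-Cookie: (\w+)=([^;\r\n]+)([^\r\n]*)"):
        flags = {a.strip().lower() for a in attrs.split(";") if a.strip()}
        rows.append({"tool": e.tool, "url": e.url, "cookie": name,
                     "value": value,
                     "httponly": "httponly" in flags,
                     "secure": "secure" in flags})
    return rows


def to_csv(rows: list) -> str:
    """Export rows the way Logger++ exports its table: one CSV line per row."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(insecure_cookie_report(ENTRIES)))
    for e in advanced_filter(ENTRIES, tools={"Scanner", "Intruder"}, status=500):
        print("server error while scanning:", e.url)
```

The second loop in the usage section is the kind of filter the description has in mind for troubleshooting scans: only Scanner and Intruder traffic, only server errors, so a crashing endpoint stands out from the thousands of rows a fuzzing run produces.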
Conclusion
So, that's it for this list. There are lots of extensions for Burp Suite, but these are some of the best. Take some time to discover how they work and then choose what to use according to your needs. Hope you learned something useful in this article.
For more, check our other blog posts.