Part of our internal mentoring and training culture at VDA includes Lunch and Learn events where engineers share helpful information about a relevant security topic. This past week, several of us discussed our favorite BurpSuite extensions, which are helpful additions during our various AppSec or IoT assessments.
Extensions can be added to BurpSuite Pro by visiting the “Extender -> BApp Store” tabs. Hopefully, you find this list of our top BurpSuite extensions helpful. It’s not a comprehensive list, but can help Bug Bounty hunters or Web Pen-testers find high-risk issues.
Plug and Play Extensions:
Installing this group of BurpSute extensions automatically adds helpful functionality without the need for additional customization. Since the setup process for adding them is so simple, they are an obvious addition to the tester’s toolkit.
Taborator – Are you looking for blind/out-of-band interactions in IoT devices or web applications? This extension makes it super easy to keep a collaborator client open in a simple BurpSuite tab. One of my favorite extensions for manually hunting amazing bugs.
JSON Beautifier & .NET Beautifier – Both of these extensions help improve BurpSute by making output from web responses easier to read.
Active Scan++ – If you like using Active Scan, this extension will help look for a number of additional issues, including Shellshock, XML input handling, and others.
Additional Scanner Checks – Provides some great passive checks for common web application issues which don’t already exist.
Freddy, Deserialization Bug Finder – Do you want to find places of web applications that are vulnerable to deserialization of server-side code? This extension is a great starting point.
HTML5 Auditor – This extension checks for usage of HTML5 features with potential security risks.
CSP-Bypass – Passively scan for CSP headers containing known bypasses as well as other potential weaknesses.
AWS Security Checks – While not a comprehensive toolset for assessing bucket issues, this extension will automate some checks, which is helpful.
SSL Scanner – Need a quick way to assess TLS ciphers and other SSL/TLS related issues? Install this and run it on your target site. There are better tools out there, but having this functionality inside BurpSuite is extremely convenient.
J2EEScan – Add this extension to automatically hunt issues with J2EE during Active Scans. J2EEScan conducts multiple tests, such as like JBoss SEAM Remote Command Execution (CVE-2010-1871), Expression Language Injection (CVE-2011-2730), and Apache Struts 2 S2-016.
Error Message Checks – This extension looks for common error message formats for several server-side programming languages.
Other Amazing Extensions:
This group of extension are super helpful, but might require some additional configuration and understanding to use in an impactful way. Some of them are certainly worth the configuration effort.
Software Vulnerability Scanner – This one is an extra favorite. Vulnerable components in software stacks can lead to major issues. This extensions uses the Vulners.com API to hunt known outdated pieces of web applications. Obtaining your own API key from Vulners.com is recommended, but not hard to do.
CSRF Scanner – This extension excels at locating missing anti-CSRF tokens in various requests. When configured to watch for known anti-CSRF tokens in the target application, it highlights requests which neglect to include the tokens. Also, the possibility for false positive exists on requests which don’t perform a sensitive action.
Collaborator Everywhere – If you need to look for backend systems which might be proxying your traffic, use this extension to inject headers leading to out-of-band interactions. This one can result in some really fun bugs. We recommend crawling and interacting with your target web site with this extension off, then turning it on for awhile. It it not recommend to leave it on permanently. Also, targeted traffic must be added to BurpSuite’s “Target -> Scope” tab.
Upload Scanner – Have you located a file upload location in a target web application or IoT device? This extension can help with automating the many tests required to properly audit file upload bypasses. Proper configuration requires an understanding of this subject area. It’s not Plug and Play, but we highly recommend it!