Burp Suite and OWASP ZAP is very widely used tools for hacking and pentesting, these two tools are very useful to scan, find bugs and exploit the target web, because many features that available to perform hacking and pentesting. But with HUNTSuite you can get more extra features and extentions for both of these tools.
How to use Burp suite to find Reflected XSS OWASP Top 10 TutorialNote: This video is only for Educational Purpose! Please do not Miss-use!Thank You!Subs. Burp Suite Enterprise Edition The enterprise-enabled web vulnerability scanner. Burp Suite Professional The world's #1 web penetration testing toolkit. Burp Suite Community Edition The best manual tools to start web security testing. View all product editions.
.Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process. This machine uses the OWASP Juice Shop vulnerable web application to learn how to identify and exploit common web application vulnerabilities. For this box we are going to use burp suite free edition. Configure the burp suite proxy to work with firefox.
What is HUNT Suite?
- HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions.
- Identifies common parameters vulnerable to certain vulnerability classes (Burp Suite Pro and OWASP ZAP).
- Organize testing methodologies (Burp Suite Pro and Free).
HUNT Parameter Scanner – Vulnerability Classes
- SQL Injection
- Local/Remote File Inclusion & Path Traversal
- Server Side Request Forgery & Open Redirect
- OS Command Injection
- Insecure Direct Object Reference
- Server Side Template Injection
- Logic & Debug Parameters
Cross Site Scripting External Entity Injection Malicious File Upload
Change regex for parameter names to include user_id instead of just id Search in scanner window Highlight param in scanner window
- Implement script name checking, REST URL support, JSON & XML post-body params.
- Support normal convention of Request tab: Raw, Params, Headers, Hex sub-tabs inside scanner
- Add more methodology JSON files:
Web Application Hacker’s Handbook
- OWASP Top Ten
- OWASP Application Security Verification Standard
- Penetration Testing Execution Standard
- Burp Suite Methodology
- Add more text for advisory in scanner window
- Add more descriptions and resources in methodology window
- Add functionality to send request/response to other Burp tabs like Repeater
Installing HUNT Suite for Burp Suite Pro/Free
1. Download the latest standalone Jython jar.
2. Navigate to Extender -> Options.
- Locate the section called Python Environment.
- Add the location of the Jython
jarby clicking Select file….
3. Navigate to Extender -> Extensions.
- Click Add.
- Locate Extension Details.
- Select “Python” as the Extension Type.
- Click “Select file…” to select the location of where the extension is located in your filesystem.
- Do this for both the HUNT Parameter Scanner and HUNT Testing Methodology
4. The HUNT Parameter Scanner will begin to run across traffic that flows through the proxy.
This is an important step to set your testing scope as the passive scanner is incredibly noisy. Instead of polluting the Scanner window, the HUNT Parameter Scanner creates its own window with its own findings.
1. Navigate to Target -> Scope.
- Click the “Use advanced scope control” checkbox.
- Click add to include to your scope.
2. Navigate to Scanner -> Live scanning.
- Under the “Live Passive Scanning” section, click “Use suite scope [defined in the target tab]”.
HUNT Suite for Burp Suite Pro/Free
HUNT Parameter Scanner (hunt_scanner.py)
This extension does not test these parameters, but rather alerts on them so that a bug hunter can test them manually. For each class of vulnerability, Bugcrowd has identified common parameters or functions associated with that vulnerability class. We also provide curated resources in the issue description to do thorough manual testing of these vulnerability classes.
HUNT Testing Methodology (hunt_methodology.py)
This extension allows testers to send requests and responses to a Burp Suite tab called “HUNT Methodology”. This tab contains a tree on the left side that is a visual representation of your testing methodology. By sending request/responses here testers can organize or attest to having done manual testing in that section of the application or having completed a certain methodology step.
HUNT Parameter Scanner leverages the passive scanning API within Burp. Here are the conditions under which passive scan checks are run:
- First request of an active scan
- Proxy requests
- Any time “Do a passive scan” is selected from the context menu
Passive scans are not run on the following:
- On every active scan response
- On Repeater responses
- On Intruder responses
- On Sequencer responses
- On Spider responses
HUNT Scanner for OWASP ZAP (Alpha – Contributed by Ricardo Lobo @_sbzo)
- Find the “Manage Addons” icon, ensure you have
- Ensure “show All Tabs” icon is clicked
- Click the
Toolsmenu, navigate to the
Passive Scannerand check the box
Scan messages only in scopeand then
- Click into the
Scriptstab (next to the
- Click the
load scripticon and load each python script into ZAP. They should appear under
- Right click on each script under
passive rulesand enable them and save them
- Browse sites and recieve alerts!
- JP Villanueva
- Jason Haddix
- Ryan Black
- Fatih Egbatan
- Vishal Shah
Hello ethical hackers and bug bounty hunters. Today, you will learn the top 10 Burp Suite extensions I found myself using over and over again. They assist me in different areas, such as pretty-printing data, actively testing for specific vulnerability classes, parsing API definitions and brute-forcing.
Wsdler is your burp extension for SOAP
During your penetration testing or bug bounty hunting, you might encounter SOAP-based APIs. They are web services that you can consume according to a file which describes the actions they expose and how to call them. This file is based on the Web Services Description Language (WSDL).
Whenever you find one, you can parse it using Wsdler. Additionally, this Burp extension constructs the HTTP requests as the API expects them.
Before Burp Suite rolled its Pretty button feature, this was the first extension I needed to install after any fresh Burp Suite setup. Nowadays, the majority of web application use RESTful APIs which generally use JSON objects to transfer data between the client and the server. JSON Beautifier prettifies the inline JSON data to make your life easier.
This Burp extension is free and can be used in either Burp Suite Community Edition or Professional.
J2EEScan is a great burp extension for Java EE applications
In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability and availability. Therefore, I use J2EEScan to assist me in finding vulnerabilities for the most common CVEs that target J2EE technologies.
Level 3 speed test. The extension adds test cases to the BurpSuite Scanner. Therefore, there no additional configuration after you install it. All you have to do is run a scan and wait for vulnerabilities in the Issue Activity panel in the Burp’s Dashboard tab.
JSON WEB Tokens, the Burp extension, not the standard
According to jwt.io, JSON Web Token is:
[…] an open standard […] that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
When you do bug bounty hunting or web application penetration testing, it is a pain to manually copy the tokens from Burp Suite and paste them into your favourite parsing tool, such as jwt.io. This extension allows you to parse the token within Burp, the same way JSON Beautifier prettifies inline JSON objects.
Burp Suite Owasp Top 10
For those of you who don’t know what SAML, it’s a standard used in Single Sign-On (SSO) for authentication. Here is a brief definition from Wikipedia:
Security Assertion Markup Language (SAML) […] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
Since SAML requests contain long base64 encoded XML data, it is impractical to manually parse them. SAML Raider automatically performs the parsing within Burp Suite. Additionally, you can use it to perform known attacks against your target web application. In fact, it comes with pre-configured exploitation techniques, such as signature wrapping, that you can easily run to test for weaknesses in SAML implementations.
AuthMatrix burp extension for broken access control
I’ve already covered this great extension in a Youtube video. It allows you to test for broken access control vulnerabilities, such as IDOR, unprotected endpoints, etc. The flow is fairly simple. Firstly, you browse your target application and send any interesting requests to this extension. Then, you create the target users, such as the attacker and the victim. Then, for each user, you configure the session cookies, and any HTTP headers containing tokens such as JWT or API keys. Lastly, you hit the run button and let AuthMatrix highlight the suspicious requests in red.
HTTP request smuggler
This is the go-to Burp extension when you want to easily detect and exploit a web application through HTTP Request Smuggling.
It detects whether you have a CL.TE or TE.CL condition and reports it directly into Burp Suite’s Dashboard tab, under the Issue Activity menu where all the issues get listed.
If you have no clue about what do CL.TE and TE.CL means, I invite you to read this article from the authors of Burp Suite.
This extension allows you to send large numbers of HTTP requests to a target web application. If you have Burp Community, you know that you can only work with a limited version of the Intruder which does not support multiple threads. Instead, you can use Turbo Intruder.
Since this Burp extension uses a Python snippet that you can edit, I recommend you get familiar with the basics of the Python programming language. That way, you can customize Turbo Intruder to bring more flexibility when you brute force.
Whenever you encounter a file upload feature that uses the multipart mime type, I encourage you to give this Burp extension a try. In fact, you can use it to probe the upload features for many security issues.
It fuzzes all the parameters using a set of organized categories that you can choose from. If the application retrieves the uploads, you can configure Upload Scanner to fetch the files to verify cases like XSS.
There are plenty of other features in this awesome Burp extension. I encourage you to learn more about it. Additionally, I prepared this Youtube video to show you how it works.
Java Deserialization Scanner
This Burp extension checks for insecure deserialization issues in Java applications. It uses pre-built serialized java objects to probe the application for a callback. You can configure this feedback to be either a time delay or a callback. If the application sleeps for some time before responding, or if you receive a hit as a callback, the extension highlights exactly what payload has triggered it. Therefore, you can prepare your own payload using tools such as ysoserial.
If you want to learn how insecure deserialization works and how to exploit it with real examples, I invite you to read this article.
There are so many tools, extensions and methodologies available a few clicks away. However, I should mention that you don’t have to use them all. Take some time to discover how they work, then pick the ones that suit your taste and your needs.
Hopefully, this episode has shown you some new Burp extensions that might help you in your next assignment.
Owasp Top 10 Burp Suite Download
Until the next episode, stay curious, keep learning and go find some bugs!