Hello ethical hackers and bug bounty hunters. Today, you will learn the top 10 Burp Suite extensions I found myself using over and over again. They assist me in different areas, such as pretty-printing data, actively testing for specific vulnerability classes, parsing API definitions and brute-forcing.
How to bypass file upload restrictions using burp suite. How to perform a simple port scan with Nmap. How to get a meterpreter session with Metasploit. How to perform a directory discovery with dirb. How to perform an exploit search with Searchsploit. For example, if you try to upload a.burp project into Nucleus it will fail because it is not the supported format. Other Things to Look Out For Besides verifying the scan file you are uploading, there are a couple of other potential reasons why your scan file might not be uploading. Mod0BurpUploadScanner - HTTP file upload scanner for Burp Proxy 403 A Burp Suite Pro extension to do security tests for HTTP file uploads. Testing web applications is a standard task for every. Burp Suite Enterpr i se is a powerful application security scanning tool to integrate within DevSecOps environment. Enterprise Edition offers fully automated and scheduled scanning, extreme. In our last Burp Suite Tutorial we introduced some of the useful features that Burp Suite has to offer when performing a Web Application Penetration Test.In part 2 of this series we will continue to explore how to use Burp Suite including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions.
Wsdler is your burp extension for SOAP
During your penetration testing or bug bounty hunting, you might encounter SOAP-based APIs. They are web services that you can consume according to a file which describes the actions they expose and how to call them. This file is based on the Web Services Description Language (WSDL).
Whenever you find one, you can parse it using Wsdler. Additionally, this Burp extension constructs the HTTP requests as the API expects them.
Before Burp Suite rolled its Pretty button feature, this was the first extension I needed to install after any fresh Burp Suite setup. Nowadays, the majority of web application use RESTful APIs which generally use JSON objects to transfer data between the client and the server. JSON Beautifier prettifies the inline JSON data to make your life easier.
This Burp extension is free and can be used in either Burp Suite Community Edition or Professional.
J2EEScan is a great burp extension for Java EE applications
In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability and availability. Therefore, I use J2EEScan to assist me in finding vulnerabilities for the most common CVEs that target J2EE technologies.
The extension adds test cases to the BurpSuite Scanner. Therefore, there no additional configuration after you install it. All you have to do is run a scan and wait for vulnerabilities in the Issue Activity panel in the Burp’s Dashboard tab.
JSON WEB Tokens, the Burp extension, not the standard
According to jwt.io, JSON Web Token is:
[…] an open standard […] that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
When you do bug bounty hunting or web application penetration testing, it is a pain to manually copy the tokens from Burp Suite and paste them into your favourite parsing tool, such as jwt.io. This extension allows you to parse the token within Burp, the same way JSON Beautifier prettifies inline JSON objects.
For those of you who don’t know what SAML, it’s a standard used in Single Sign-On (SSO) for authentication. Here is a brief definition from Wikipedia:
Security Assertion Markup Language (SAML) […] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
Since SAML requests contain long base64 encoded XML data, it is impractical to manually parse them. SAML Raider automatically performs the parsing within Burp Suite. Additionally, you can use it to perform known attacks against your target web application. In fact, it comes with pre-configured exploitation techniques, such as signature wrapping, that you can easily run to test for weaknesses in SAML implementations.
AuthMatrix burp extension for broken access control
I’ve already covered this great extension in a Youtube video. It allows you to test for broken access control vulnerabilities, such as IDOR, unprotected endpoints, etc. The flow is fairly simple. Firstly, you browse your target application and send any interesting requests to this extension. Then, you create the target users, such as the attacker and the victim. Then, for each user, you configure the session cookies, and any HTTP headers containing tokens such as JWT or API keys. Lastly, you hit the run button and let AuthMatrix highlight the suspicious requests in red.
HTTP request smuggler
This is the go-to Burp extension when you want to easily detect and exploit a web application through HTTP Request Smuggling.
It detects whether you have a CL.TE or TE.CL condition and reports it directly into Burp Suite’s Dashboard tab, under the Issue Activity menu where all the issues get listed.
If you have no clue about what do CL.TE and TE.CL means, I invite you to read this article from the authors of Burp Suite.
Upload Scanner Burp
This extension allows you to send large numbers of HTTP requests to a target web application. If you have Burp Community, you know that you can only work with a limited version of the Intruder which does not support multiple threads. Instead, you can use Turbo Intruder.
Since this Burp extension uses a Python snippet that you can edit, I recommend you get familiar with the basics of the Python programming language. That way, you can customize Turbo Intruder to bring more flexibility when you brute force.
Whenever you encounter a file upload feature that uses the multipart mime type, I encourage you to give this Burp extension a try. In fact, you can use it to probe the upload features for many security issues.
It fuzzes all the parameters using a set of organized categories that you can choose from. If the application retrieves the uploads, you can configure Upload Scanner to fetch the files to verify cases like XSS.
There are plenty of other features in this awesome Burp extension. I encourage you to learn more about it. Additionally, I prepared this Youtube video to show you how it works.
Java Deserialization Scanner
This Burp extension checks for insecure deserialization issues in Java applications. It uses pre-built serialized java objects to probe the application for a callback. You can configure this feedback to be either a time delay or a callback. If the application sleeps for some time before responding, or if you receive a hit as a callback, the extension highlights exactly what payload has triggered it. Therefore, you can prepare your own payload using tools such as ysoserial.
How To Use Burp Scanner
If you want to learn how insecure deserialization works and how to exploit it with real examples, I invite you to read this article.
There are so many tools, extensions and methodologies available a few clicks away. However, I should mention that you don’t have to use them all. Take some time to discover how they work, then pick the ones that suit your taste and your needs.
Hopefully, this episode has shown you some new Burp extensions that might help you in your next assignment.
Until the next episode, stay curious, keep learning and go find some bugs!
Qualys offers a wide array of security and compliance solutions for your organization. All capabilities are delivered from Qualys Cloud Platform. Visit Qualys Cloud Platform Apps to learn more.
But let’s narrow the discussion to web application security. To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing. Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale. However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning. Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.
One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS. With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.
Qualys Burp Extension
The Qualys WAS extension is available today in Burp’s BApp Store:
Ookla internet broadband Speed Test Ookla internet broadband Speed test is one of the most popular internet speed test websites. We have included a clean licensed version of the Ookla internet broadband Speed Tester below so that you can test your broadband speed now. For an accurate reading, Run the Ookla Speedtest Twice. Test your Internet connection bandwidth to locations around the world with this interactive broadband speed test from Ookla. Spectrum speed test internet speed.
Using the extension is quite simple. Once you’ve installed the extension and generated some Burp scanner issues (either passively or actively), go to the Target tab. Select the issues you wish to send to WAS, right-click to open the context menu, and select “Send to Qualys WAS”.
In the example below we are sending three Burp issues to WAS:
You’ll be asked to choose your platform and enter your Qualys credentials unless you’ve already done so on the Qualys WAS tab. Note that your Qualys user account must have API access enabled.
After providing valid credentials, a list of web applications in your WAS subscription will appear. Select the web application for which these Burp issues apply. Using the checkboxes, you may optionally choose to purge (delete) existing Burp issues for the application in WAS or choose to close existing Burp issues in WAS that you aren’t sending.
Click the “Send to Qualys WAS” button and look for a success message. If the operation fails, check the “Logs” section under the Qualys WAS tab in Burp for troubleshooting information.
We can see from the screenshot below that our three Burp issues were successfully imported into Qualys WAS. You can use the filters on the left to see only the detections that you’re interested in.
Once the Burp data is stored within WAS, you can leverage the Qualys API to programmatically retrieve both WAS findings and Burp issues. The API output data format can be either in XML or JSON. See the WAS API User Guide for details.
A More Complete Picture
Upload Scanner Burpee
To summarize, the Qualys WAS Burp extension provides a seamless method for Qualys WAS customers to push Burp scanner findings to the WAS module. Viewing and reporting Burp issues alongside WAS findings allows you to have a more complete picture of your web application’s security posture.
In addition to web application security testing, Qualys offers a wide array of security and compliance solutions for your organization. All capabilities are delivered from Qualys Cloud Platform. To learn more, please visit Qualys Cloud Platform Apps.