The Top 8 Burp Suite Extensions
Burp Suite is an integrated platform for attacking web applications. It contains a number of tools, and for these tools to design a number of interfaces to accelerate the process of attacking the application process. All of the tools share a powerful extensible framework for handling and displaying HTTP messages, persistence, authentication, proxies, logs, and alerts.
Whether it is free or paid version of the version, Burp Suite provides a certain number of plug-ins, these plug-ins greatly facilitate the penetration of our usual work. BAPP Store in the development of a lot of good plug-in code can be downloaded from the installation, in the specified directory below the corresponding python code or jar package exists, these are very good learning code, recommend a few relatively easy to use Of the plug-ins:
AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies.
Once the tables have been assembled, testers can use the simple click-to-run interface to efficiently run all combinations of roles and requests. Testers can then confirm their results with an easy to read, color-coded interface indicating any authorization vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.
The goal of this extension is to improve the test coverage during web application penetration tests on J2EE applications. It adds some new test cases and new strategies to discover different kind of J2EE vulnerabilities
- activeScan ++
The plug-in is mainly in the active scanning and passive scanning, in order to enhance scanning vulnerability effect. Added some of the automation scan itself does not have the vulnerability check.
We sometimes encounter WAF (Application Layer Firewall) in the penetration test, which is often a headache. Burp Suite is a big-time web application penetration testing integration platform, and this plug-in can help you bypass some of the WAF.
Automatic HPP attack testing in GET / POST
Automatic HTTP Request Smuggling attack
Project Home: https://github.com/allfro/BurpKit/releases
- CSRF Scanner
CSRF Scanner is a CSRF vulnerability testing tool that proactively scans CSRF vulnerabilities, primarily to enhance CSRPS scanning in burpsuite.
You can select “CSRF Scanner” from the left side of the “Bapp Store” interface, navigate to the right click “install” to install.
Java-Deserialization-Scanner is a BurpSuite plug-in, used to automate the discovery of Java deserialization vulnerability.
CSP-Bypass is a Burp plug-in written in Python that uses known methods to try to check the security of the site’s CSP and whether it can be bypassed.
Project Home: https://github.com/moloch-/CSP-Bypass