🧮Tips and Extensions
If Render Page crash: sudo sysctl -w kernel.unprivileged_userns_clone=1
If embedded browser crash due sandbox: find .BurpSuite -name chrome-sandbox -exec chown root:root {} ; -exec chmod 4755 {} ;
Scope with all subdomains: .*.test.com$
Use Intruder to target specific parameters for scanning
Right click: actively scan defined insertion points
Configuration
Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
User Options -> Misc -> Proxy Interception -> Always disabled
Target -> Site Map -> Show all && Show only in-scope items
XSS Validator extension
Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
Send Request to Intruder
Mark Position
Import xss-payload-list from $Tools into xssValidator
Change Payload Type to Extension Generated
Change Payload Process to Invoke-Burp Extension - XSS Validator
Add Grep-Match rule as per XSS Validator
Start.
Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320
Filter the noise TLDR
TLS Pass Through
..google.com ..gstatic.com ..googleapis.com ..pki.goog .*.mozilla.com
Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
Hosted:
https://rhinosecuritylabs.github.io/Swagger-EZ/
If some request/response breaks or slow down Burp
Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...."
Burp Extension rotate IP yo avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension
Collab/SSRF/pingback alternative
interactsh.com ceye.io requestcatcher.com canarytokens.org webhook.site ngrok.com pingb.in swin.es requestbin.net ssrftest.com rbnd.gl0.eu dnslog.cn beeceptor.com
Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator
Run your own collab server
https://github.com/yeswehack/pwn-machine
Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt
Autorize:
Copy cookies from low priv user and paste in Autorize
Set filters (scope, regex)
Set Autorize ON
Navigate as high priv user
Turbo Intruder
basic.py -> Set %s in the injection point and specify wordlist in script multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script
Match and Replace
https://github.com/daffainfo/match-replace-burp
Customize Audit Scans
Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods" Works on most of issues like SQLi
Send to local Burp from VPS
In local computer
ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N
In VPS
curl URL -x http://127.0.0.1:8080
Ip rotation
https://github.com/ustayready/fireprox
Burp Bounty Pro: Active and passive checks customizable based on patterns.
Active Scan ++ More active and passive scans.
Software Vulnerability Scanner Passive scan to detect vulnerable software versions
Param Miner Passive scan to detect hidden or unlinked parameters, cache poisoning
Backslash Powered Scanner Active scan for SSTI detection
CSRF Scanner Passive CSRF detection
Freddy Active and Passive scan for Java and .NET deserialization
JSON Web Tokens decode and manipulate JSON web tokens
Reissue Request Scripter generates scripts for Python, Ruby, Perl, PHP and PowerShell
Burp-exporter other extension for export request to multiple languages
Retire.js Passive scan to find vulnerable JavaScript libraries
Web Cache Deception Scanner Active scan for Web Cache Deception vulnerability
Cookie decrypter Passive check for decrypt/decode Netscaler, F5 BigIP, and Flask cookies
Reflector Passive scan to find reflected XSS
J2EEScan Active checks to discover different kind of J2EE vulnerabilities
HTTP Request Smuggler Active scanner and launcher for HTTP Request Smuggling attacks
Flow History of all burp tools, extensions and tests
Taborator Allows Burp Collaborator in a new tab
Turbo Intruder Useful for sending large numbers of HTTP requests (Race cond, fuzz, user enum)
Auto Repeater Automatically repeats requests with replacement rules and response diffing
Upload Scanner Tests multiple upload vulnerabilities
poi Slinger: Active scan check to find PHP object injection
Java Deserialization Scanner Active and passive scanner to find Java deserialization vulnerabilities
Autorize Used to detect IDORs
Match/Replace Session Action Provides a match and replace function as a Session Handling Rule.
.NET Beautifier Easy view for VIEWSTATE parameter
Wsdler generates SOAP requests from WSDL request
Collaborator Everywhere Inject headers to reveal backend systems by causing pingbacks
Collabfiltrator Exfiltrate blind remote code execution output over DNS
Bypass WAF Add some headers to bypass some WAFs
SAMLRaider for testing SAML infrastructures, messages and certificates
GoldenNuggets-1 create wordlists from target
Logger++ Log for every burp tool and allows highlight, filter, grep, export...
OpenAPI Parser Parse and fetch OpenAPI documents directly from a URL
CO2: Multiple functions such sqlmapper, cewler
XSSValidator: XSS intruder payload generator and checker
Shelling: command injection payload generator
burp-send-to: Adds a customizable "Send to..."-context-menu.
ssrf-king: Automates SSRF detection
Last updated