
Ten Useful Burp Suite Pro Extensions for Web Application Testing


Written By: Danielle Wong June 20, 2019

If you are an information security professional, it's likely you have used Burp Suite by PortSwigger, a proxy tool for intercepting, analyzing, and altering network traffic. Both the Burp Suite Free and Professional versions ship with a robust set of features that has made it an industry leader, and for any feature Burp Suite does not already include, there is likely a plugin for it.

The following is a quick overview of some handy extensions that you can add easily to your current Burp Suite setup.

Logger++

Ever wonder what your Burp Suite Pro scanner is doing? Have you ever wanted to know exactly how many requests are going through your spider? Logger++ is an extension that aggregates all requests and responses from your Burp Suite traffic. Logger++ shows you each and every request and response made by the scanner, spider, or any other automated tool. Traffic can be organized in a logical flow and also exported to a CSV file.

Below, you can see the layout of the Logger++ plugin. Each request and response sent through the proxy is logged in the Logger++ plugin tab.

SAML Raider

Single Sign-On (SSO) has become a staple of many web applications today. SSO uses the Security Assertion Markup Language (SAML) to allow an identity provider to securely pass a user's credentials to a service provider. SAML Raider is a Burp Suite extension that assists with testing SAML infrastructures by manipulating SAML requests and certificates.

Requests containing SAML messages are automatically highlighted and decoded in the SAML Raider tab that appears in the proxy logs and in Repeater.
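The decoding step SAML Raider automates is worth seeing on its own. The following is an added example (not code from SAML Raider or from this post) that pulls a SAMLRequest out of a redirect-binding URL, reverses the URL-encoding, base64 and raw DEFLATE layers, and summarizes the message; the AuthnRequest, hostnames and ID are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_param(value: str, deflated: bool) -> str:
    """Decode a SAMLRequest/SAMLResponse value. HTTP-Redirect binding: base64 of raw
    DEFLATE (deflated=True). HTTP-POST binding: plain base64 (deflated=False)."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)      # -15: raw DEFLATE stream, no zlib header
    return raw.decode("utf-8")

def find_saml_messages(url: str) -> dict:
    """Return {param: decoded XML} for SAML parameters in a redirect-binding URL."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)   # also URL-decodes values
    return {p: decode_saml_param(qs[p][0], deflated=True)
            for p in ("SAMLRequest", "SAMLResponse") if p in qs}

def summarize(xml_text: str) -> dict:
    """Pull the fields a tester looks at first. For real traffic, parse with a
    hardened XML parser (e.g. defusedxml); the input here is constructed."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", SAML_NS)
    return {"type": root.tag.split("}")[-1], "ID": root.get("ID"),
            "Destination": root.get("Destination"),
            "Issuer": issuer.text if issuer is not None else None}

def encode_redirect(xml_text: str) -> str:
    """Inverse of the redirect-binding decode, used here only to build the sample URL."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(xml_text.encode("utf-8")) + co.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

# Constructed AuthnRequest; hostnames and IDs are placeholders, not from a real deployment.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2019-06-20T00:00:00Z" Destination="https://idp.example/sso">'
    '<saml:Issuer>https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_URL = ("https://idp.example/sso?SAMLRequest=" + encode_redirect(AUTHN_REQUEST)
              + "&RelayState=abc")

if __name__ == "__main__":
    for param, xml_text in find_saml_messages(SAMPLE_URL).items():
        print(param, summarize(xml_text))
```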

Notes

An important part of testing is documentation. Taking notes while performing a penetration test allows a tester to document findings as well as make notes regarding the testing process. Working without proper notes makes it difficult to commit everything to memory and increases the chances of duplicating work. The Notes plugin adds note-taking functionality to Burp, allowing text or spreadsheet files to be created, uploaded, and saved. Areas such as the Proxy history or Site Map also gain the option of sending requests and responses directly to the notes section, either as a new file or as part of an existing file.

Software Version Reporter

A penetration test is a balance between being as thorough as possible and allocating time wisely to the things that need the most manual testing. The Software Version Reporter plugin assists testers by passively scanning traffic and identifying any software version numbers that are exposed. The plugin's scope is set to the Proxy, with the option to extend it to the Repeater, Scanner, Spider, Sequencer, Intruder, or Extender. This saves a tester time by identifying software version numbers in places that may not be viewed during the course of testing, such as responses that are logged only in the Scanner or in error messages. The plugin is preloaded with match rules, and the user can also load their own set of match rules.

Upload Scanner

File uploads are a common feature of many web applications. The Upload Scanner plugin offers automated testing of file uploads with a number of configuration options. These include file formats, file size, throttling, and a number of modules that test for specific issues such as XXE, redownloading capability, or CVE vulnerabilities. The default settings are adequate for most tests, with the fuzzing and DoS modules turned off by default.

Error Message Checks

While testing an application, a number of requests and responses may never be seen by a tester, such as traffic generated by scanning or spidering, or simply a large volume of proxy traffic. The Error Message Checks plugin passively scans for error messages that could reveal a vulnerability or information about the application that would not be discovered otherwise.
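Both Software Version Reporter and Error Message Checks work the same way: a set of match rules applied passively to every response that passes through Burp. The following is an added example (not code from either plugin or from this post) that runs a small, constructed rule set of each kind over constructed sample responses; the hostnames, paths and versions in the samples are made up, and the rules are illustrative rather than the plugins' bundled ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed match rules in the spirit of the two plugins; not their bundled rule sets.
VERSION_RULES = [
    ("Server header", re.compile(r"^Server:\s*(?P<product>[\w.-]+)/(?P<version>\d+(?:\.\d+)+)", re.I | re.M)),
    ("X-Powered-By header", re.compile(r"^X-Powered-By:\s*(?P<product>[\w.-]+)/(?P<version>\d+(?:\.\d+)+)", re.I | re.M)),
    ("Generator meta tag", re.compile(r'<meta\s+name="generator"\s+content="(?P<product>[\w .-]+?)\s+(?P<version>\d+(?:\.\d+)+)"', re.I)),
]
ERROR_RULES = [
    ("Java stack trace", re.compile(r"\bat\s+[\w$.]+\(\w+\.java:\d+\)")),
    ("SQL syntax error", re.compile(r"You have an error in your SQL syntax", re.I)),
    ("PHP warning", re.compile(r"<b>(?:Warning|Fatal error)</b>:.*?\bon line\b", re.I | re.S)),
]

def scan_response(raw: str) -> Dict[str, List[Tuple[str, str]]]:
    """Passively check one raw HTTP response; nothing is ever sent to the target."""
    findings: Dict[str, List[Tuple[str, str]]] = {"versions": [], "errors": []}
    for name, rx in VERSION_RULES:
        for m in rx.finditer(raw):
            findings["versions"].append((name, f"{m.group('product')} {m.group('version')}"))
    for name, rx in ERROR_RULES:
        m = rx.search(raw)
        if m:
            findings["errors"].append((name, m.group(0)[:80]))   # keep a short evidence snippet
    return findings

def scan_all(responses: List[str]) -> List[Dict[str, List[Tuple[str, str]]]]:
    return [scan_response(r) for r in responses]

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29\r\nX-Powered-By: PHP/7.2.24\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 5.2.1"></head></html>',
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "<b>Warning</b>: mysqli_query(): You have an error in your SQL syntax in /var/www/app.php on line 42",
    "HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\n\r\n"
    "java.lang.NullPointerException\n\tat com.example.Foo.bar(Foo.java:17)",
]

if __name__ == "__main__":
    for i, f in enumerate(scan_all(SAMPLE_RESPONSES)):
        print(i, f["versions"], [n for n, _ in f["errors"]])
```

The third sample shows why the version rules require a version token: a bare `Server: nginx` header is not reported, while the stack trace in the same response still is.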

Backslash Powered Scanner

The Burp Suite Professional scanner checks for a number of vulnerabilities application-wide at a much higher rate than would be possible manually. This allows testers to focus on the areas that require manual testing. Backslash Powered Scanner extends the capabilities of the native Burp Suite Professional scanner and uses advanced techniques to identify server-side injection vulnerabilities and evade web application firewalls.

AuthMatrix

Privilege escalation takes advantage of a vulnerability that allows access to a resource that should be prohibited or protected. AuthMatrix is a plugin that gives testers an interface to visualize the different user roles of an application and repeat requests with alternating credentials. Testers use the table provided to log the username and session token for each user role. Requests for testing can be sent to AuthMatrix from the Proxy history, Site Map, or another tab within Burp. For each request sent, each user from the table has a checkmark specifying whether AuthMatrix should expect that user's credentials to be granted access to the request. Responses for each user role are color-coded for each request that is run: green indicates that no vulnerability is detected, red indicates that there may be a vulnerability, and blue indicates that an error of some type occurred.
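The matrix logic is simple enough to show end to end. The following is an added example (not code from AuthMatrix or from this post) that replays a small set of constructed requests with each role's session and colours the result the way the plugin does; `fake_app` is a hypothetical in-memory stand-in for the target, with one deliberate missing role check so that a red cell appears.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed username -> session token table, like the one AuthMatrix keeps per role.
USERS: Dict[str, str] = {"admin": "sess-admin-1", "alice": "sess-alice-1", "anon": ""}

@dataclass
class MatrixRequest:
    name: str
    method: str
    path: str
    allowed: Dict[str, bool]   # the per-user checkmarks: who SHOULD be granted access

def fake_app(method: str, path: str, session: str) -> int:
    """Constructed stand-in for the target; AuthMatrix replays over the network instead."""
    role = {"sess-admin-1": "admin", "sess-alice-1": "user"}.get(session)
    if path == "/api/boom":
        return 500                      # simulated backend failure
    if role is None:
        return 401                      # no valid session
    if path.startswith("/admin/") and role != "admin":
        return 403
    return 200                          # deliberate flaw: DELETE /api/users/42 has no role check

def classify(expected_allowed: bool, status: int) -> str:
    """AuthMatrix-style colour: green = matches expectation, red = mismatch, blue = error."""
    if status >= 500:
        return "blue"
    granted = 200 <= status < 300
    return "green" if granted == expected_allowed else "red"

def run_matrix(requests: List[MatrixRequest],
               send: Callable[[str, str, str], int] = fake_app) -> Dict[str, Dict[str, str]]:
    """Replay every request with every user's session and colour each cell."""
    results: Dict[str, Dict[str, str]] = {}
    for req in requests:
        results[req.name] = {}
        for user, session in USERS.items():
            status = send(req.method, req.path, session)
            results[req.name][user] = classify(req.allowed.get(user, False), status)
    return results

SAMPLE_REQUESTS = [
    MatrixRequest("list users", "GET", "/admin/users", {"admin": True}),
    MatrixRequest("delete any user", "DELETE", "/api/users/42", {"admin": True}),
    MatrixRequest("broken endpoint", "GET", "/api/boom", {"admin": True, "alice": True, "anon": True}),
]

if __name__ == "__main__":
    for name, row in run_matrix(SAMPLE_REQUESTS).items():
        print(f"{name:18}", "  ".join(f"{u}={c}" for u, c in row.items()))
```

A red cell is only a lead: confirm it by reviewing the actual response body, since a 200 that returns an error page rather than the protected resource is a false positive under a status-code-only rule.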

Site Map Extractor

The Site Map Extractor plugin extracts selected data from the application site map, which can be saved externally to a CSV or text file. Extracted data can be filtered by anchor links and response codes, from either the in-scope site map or the full site map.

JSON Beautifier

A number of applications use JSON requests and responses. The JSON Beautifier plugin detects any JSON requests or responses and converts them to an easily readable format, allowing testers to review large amounts of JSON output more easily.

Danielle Wong

Danielle Wong is an Application Security Consultant at BSI | AppSec Consulting. Danielle has experience in web application penetration testing using both manual techniques and automated scanning tools such as Burp Professional, Qualys, and Nessus.

Danielle graduated from San Jose State University with a Bachelor's degree in Management Information Systems. During her college experience, Danielle was a member of the Management Information Systems Association and Information Security Club. She also worked part-time and interned during the summer for a variety of different companies doing IT-related work, including systems implementation, deployment, and end-user support.

In her spare time, Danielle enjoys photography, blogging, aerial fitness, and reading interesting books.
