
What's happening in the Burp-verse - Issue #1

By Burp Suite Guide • Issue #1
I’ve been using Burp Suite for quite a few years now. As a daily user of Burp Suite (and one of its proud fanboys), I try to get more out of Burp Suite every day. This makes my application security and pentest life easier.
Getting more out of Burp Suite involves exploring free content (blog posts & videos) on Burp Suite, keeping a tab on release notes, reading and reviewing books, and configuring Burp / writing extensions for custom requirements.
With this newsletter, I can consolidate all that I learn / discover into nuggets of knowledge. If you want to get the links to amazing resources on Burp Suite directly to your social media feed, you can follow me on Twitter and LinkedIn.

Updates in Burp Suite
There were 2 releases of Burp Suite Professional / Community Edition last month: 2021.2 and 2021.2.1. Both versions ship quite a few bug fixes.
A new vulnerability definition, “Vulnerable JavaScript dependencies”, has been added to Burp Scanner, so there is no longer any need to depend on the RetireJS Burp extension.
The latest Burp Scanner release natively reports vulnerable JavaScript libraries.
The annoying HTTP requests that the embedded Chromium browser used to send to Google servers when you opened it are no longer present. 🎉 Instead, the default page contains a few helpful links to the Burp docs and PortSwigger’s Web Security Academy.
Default page of Burp's embedded browser
Other updates include improved Intruder default payload lists (with new lists for SSRF and Common files & directories 🎉) and a way to get Burp’s new features fast.
New Extensions to Burp
The following extensions were recently added to Burp Suite:
NoSQLi Scanner by Gabriele Gristina
Since Burp Suite has no built-in NoSQL injection detection, this extension tries to detect NoSQLi itself. It does so by passively monitoring responses for error messages and by actively scanning requests with its own custom, experimental payloads. Once an injection is detected, a Scanner issue is created.
NOTE: This extension is available for Burp Pro.
Clipboard Repeater by Doug Everson
Looking for a fast way to right-click, copy and share a request from the Repeater tab with your pentest partner, with the exact protocol and hostname combination preserved?
Then this is the extension you need.
Once you find an interesting response for a modified request in your Repeater tab, this extension lets you copy a compressed, base64-encoded version of the request. All your partner needs to do is install the same extension in their Burp, copy the base64 string, right-click in Burp and select “Paste RepeaterClip to Repeater”.
Reshaper by Daquanne Dwight
This extension mimics IFTTT / Zapier, but for Burp Suite. It lets you create rules that are triggered “when” a criterion matches and “then” perform the action configured for that rule.
The “when” criteria include event direction (whether an HTTP message is a request or a response), text matching, and so on. The “then” actions include dropping the message, highlighting a message, and more. Check out its documentation for the full list of “when” criteria and “then” actions.
Sharpener by Soroush Dalili
This extension adds some UI and functionality changes to Burp Suite. Some of the changes include changing the Burp Suite title and its icon, setting a theme to Burp (which adds icons to tabs), changing the style of Repeater / Intruder tabs, and more.
Theme screenshots: Game Theme, Hacker Theme, Gradient Theme, Mobster Theme, Office Theme.
I also liked how the styles of Repeater / Intruder sub-tabs can be changed.
Don’t forget to try out Sharpener together with the Burp Customizer extension (by Corey Arthur).
Corey Arthur
@irsdl has smashed it with this new extension!

Burp Customizer's Dark Purple theme + Burp Sharpener's Gradient icons = ♥️

And never again will I lose an important repeater tab!
YesWeHack has started the PimpMyBurp series which discusses tips and tricks to find certain classes of bugs using Burp extensions. Even though I don’t like the name of the series, the articles published under the series are quite good.
PimpMyBurp #1 - PwnFox + Autorize: The perfect combo to find IDOR - Global Bug Bounty Platform
PimpMyBurp #2 – Auth Analyzer : How to test horizontal and vertical privileges escalation - Global Bug Bounty Platform
Allyson O'Malley has released “BurpParamFlagger”. It’s a simple extension that checks for certain parameters whose name or value might indicate a possible insertion point for SSRF or LFI.