View profile

What's happening in the Burp-verse - Issue #13 📰

What's happening in the Burp-verse - Issue #13 📰
By Burp Suite Guide • Issue #13 • View online
I hope this newsletter increases your productivity and helps you find more bugs. 😊
I’m excited to tell you about new Burp features in the latest release, cool extensions, and loads of amazing articles, tips, and tricks in this newsletter issue.
If you got this newsletter for the first time, welcome onboard comrade!!! Signing up for the newsletter was your first step in becoming the up-to-date hero of Burp Suite.
Follow Burp Suite Guide on Twitter, LinkedIn, or Telegram channel to get instant updates on Burp Suite.
Now let’s continue.

This new stable release brings with it a lot of improvements and a few productivity hacks. Among all of them, the most interesting ones are:
1. Repeater allows you to organize tabs into color-coded groups. It also has a search feature to find individual tabs or groups. 
Source: Burp Release Notes
Source: Burp Release Notes
2. DOM Invader has a lot of improvements. It can now help test for client-side prototype pollution.
3. Intuitive Scan Configuration UI with new preset scan modes. It helps you quickly adjust the speed and coverage of the scan.
To see the full list of improvements, check out the release page.
Blog Posts
In this blog post, Gareth gives you an overview of Client-Side Prototype Pollution and how DOM Invader can help detect it. Since the DOM Invader extension only works on the Burp browser and not external Chrome/Chromium, he shows how one can use callbacks to automate the detection of gadgets at scale.
Check out the blog post.
Building on an AppSec Pipeline with Burp Suite data - Part 1 & Part 2 by Willis Vandevanter
Willis talks about his Burp extension burpsuite-project-file-parser and how you can use it to search requests/responses in Burp project files. In Part 1, he gives an overview of the extension and how to reduce the time taken to search using custom User Options. In Part 2, he provides practical examples where his extension could be helpful.  
If you are a bug hunter/pentester working on targets for a long time, this extension is a must-have in your arsenal. 
Check out the blog posts: Part 1 and Part 2.
Burp Suite Extension In Python - Blog Series
This is a 4 part blog series that walks you through building an extension from scratch using Python. 
Part 1 - “Hello World” Burp extension
Part 2 - Creating a custom tab using JPanel
Part 3 - Setting up Netbeans and enhancing the custom tab
Part 4 - Completing the extension and adding a shortcut to the Menu
Burp Suite extension to grab OAuth2 access tokens and add them to requests as a custom header.
This Burp extension improves automated and semi-automated active scanning. Burp’s active scans might often do things that don’t make sense, such as scanning GET requests to static .js files or scanning non-repeatable requests. 
This extension tries to improve it by adding checks like response status code, repeatability, and heuristics to find “interesting” requests and then use Burp’s scanner to scan them.
Web Security Academy
For anyone who hasn't tried the new JWT labs yet, and needs a little encouragement, the solutions are now live:
Burp Suite
How to exploit CSPP (on our early adopter channel)
1) Go to the proxy tab
2) Click Open Browser
3) Pin the extension
4) Enable prototype pollution
5) Visit
6) Open devtools > DOM Invader
7) Scan for gadgets
8) Open devtools > DOM Invader
9) Click exploit
*sigh* *inhales deeply with a tired face*
@Burp_Suite v2022.5.2 new JWT checks do not work. Having trouble with your own injection point logic? In the most common case of "Authorization: Bearer ey[...]" scanner won't change the JWT even a single time
This is an excellent academic paper that talks about black-box scanners’ capabilities to detect injection-based vulnerabilities like SQLi, NoSQLi, and SSTI. It compares multiple scanners (including Burp Suite and OWASP ZAP) by testing against OWASP JuiceShop and comparing its result.
TL;DR - Burp Suite and ZAP detect most injection bugs with lesser false positives and false negatives compared to other scanners. However, they fail to crawl the dynamic site completely by themselves. Also, Burp and ZAP found most vulnerabilities when the requests were sent via the proxy with manual pentester browsing the site.
PS: This study was done with available scanner versions in May 2021. Quite a few things have changed now in Burp Suite. But if you want to ever compare security scanners, then the metrics provided in the paper can be quite handy.
Check out the full paper.
Another blog post from PortSwigger’s Research team on Client-Side Prototype Pollution (CSPP). It’s related to the blog post Finding client-side prototype pollution with DOM Invader. But this post is on CSPP gadgets in browser APIs and how the team found them on common libraries.
Productivity Tip
Burp Suite doesn’t check the JWT token if it’s part of the Authorization header. If you want to scan the JWT in auth bearer token, then create a manual insertion point in Intruder and fire a scan.
Michael Stepankin
@floyd_ch @Burp_Suite In the interim, you can create a manual insertion point in Intruder and fire a scan from there. In this case JWT will be properly checked in Authorization: Bearer.
Did you learn something new from this newsletter? 🥺
Please share this newsletter with your friends, hackers & pentesters. Tweet about it, post it on social media, or forward this newsletter email to others.
If you liked the newsletter, click the 👍 button below. If you have any specific feedback, shoot an email to [email protected].
Many thanks for considering my request.
Until next time 👋
Did you enjoy this issue?
Burp Suite Guide

Your guide to all things Burp Suite !

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue