Burp Suite Guide

What's happening in the Burp-verse - Issue #8 📰

#8・ Jul 7, 2021

issues

What's happening in the Burp-verse - Issue #8 📰

By Burp Suite Guide • Issue #8 • View online

Hi 👋,

I hope you are doing well.

When I sat down around mid-June to create the newsletter issue, I was upset to see that not much had happened in the Burp-verse. The early adopter features were released as part of the stable release 2021.6.2, and not many new resources/blog posts/tweets. 🤷

But then the situation changed fast. There are quite some new things in the Burp-verse. To simply put, most of the resources you see in this newsletter have been released in the last 15 days.

Let’s start.

Releases

Burp Professional / Community 2021.7 released!

Yo early adopters, Burp has added another powerful tool in its suite. What makes it even bigger news is it’s available for both Community and Professional editions.

Introducing DOM Invader - a tool that invades 😅 your target website’s DOM to make finding DOM XSS a lot easier.

This tool is not a new tab in Burp but rather an extension to Burp’s embedded browser. (Another good reason to use the embedded browser when hunting bugs).

DOM Invader settings

Using DOM invader, you can inject the canary into URL & HTML forms and detect sinks once it’s enabled. If the augmented DOM (part of this new tool) shows sinks and sources, you can be sure there’s a DOM XSS.

DOM Invader on DVWA

To know more about the capabilities of DOM Invader, check out this fantastic blog post on this tool by Gareth Heyes or the tool’s documentation.

This release has also improved Burp Scanner’s navigation of SPAs and added a beginner-friendly “Learn” tab and minor improvements. Check the release notes to know more.

Blog Posts

Intruder: Use the tool to its full advantage (PimpMyBurp series) by Nicolas Grégoire

As the title says, this blog post contains many tips and tricks when using Burp Intruder. Following them, I feel, will let you use Intruder to its full advantage.

Make sure to check this blog post.

iOS App Testing Through Burp on Corellium

In this blog post, Evan Custodio walks you through the process of setting up Burp Suite to test iOS apps. The process is tedious when compared to the same process for Android apps. But, at the same time, I haven’t found a detailed blog post like this one.

If you are beginning with iOS app pentesting, then check out the blog post.

How does burp proxy work?

The blog post talks about how Burp proxy works - from an OSI layer perspective. This blog post is theoretical as the OSI model in itself is theoretical. However, it gives an overview of what happens when using the Burp proxy to intercept HTTP(S) traffic.

Check out the blog post if you want to understand how Burp proxy works.

Extensions

Introducing the Extended BApp Store!

If you have missed my latest tweets/posts/email on the Extended BApp store, let me introduce it to you.

In a nutshell, the extended BApp store helps you find the right extension that you are looking for. Some of its features:

Searching using keywords/tags
Tags to include the dependencies, deprecation and more
Shows if the extension on the official BApp store has new features in its open-source repo
Finally, it includes extensions that are not yet added to the BApp store

To know more about it, check my email about the project.

Bookmark the site and check it out when you are searching for a Burp extension.

Tweets

Nicolas Grégoire talks about simplifying the development of extensions (Twitter thread)

Mastering Burp Suite Pro

@MasteringBurp

Simplifying the development of your own one-shot extensions, a thread ⤵️

9:15 PM - 4 Jun 2021

Saying you can do something and doing it are two different things. Bug hunters are already finding DOM XSS using the new DOM Invader tool. (This proves that the DOM Invader does what it tells 🔥)

Saajan Bhujel

@saajanbhujel11

Yesterday found two DOM XSS with the help of DOM Invader. Thank you @PortSwigger for making this amazing extension 😍🔥
Tip: Use DOM Invader for finding DOM XSS manually.
#burptips #bugbountytips https://t.co/ma4PScAffj

6:24 PM - 4 Jul 2021

Others

alert() is dead, long live print() by Gareth & James

Google Chrome has decided to disable the alert function for cross-domain iframes. So, if you can trigger XSS using a cross-domain iframe, use print() function instead of alert().

Check out the blog post to know more.

Burp Suite Extension Template by @tkmru

This repository contains the minimal code to create a Java-based Burp extension. It also uses GitHub Actions to build JAR files.

If you plan to develop an extension, just fork this repo and add/modify extension logic.

How to Perform Effective Web Application Security Assessments

This is a video recording of HackerOne’s webinar covering tips to use Burp effectively. It also covers common mistakes while using Burp and how you can avoid them.

Finally

If you learned something new about Burp Suite using this newsletter, please share it with your friends, hackers & pentester colleagues. Tweet about it, post about it on social media or even forward this newsletter email to others.

If you liked the newsletter, click the 👍 button below. If you have any specific feedback, shoot an email to [email protected].

Many thanks for considering my request.

Until next time 👋

Did you enjoy this issue?

By Burp Suite Guide

Your guide to all things Burp Suite !

Tweet

Share

In order to unsubscribe, click here.

If you were forwarded this newsletter and you like it, you can subscribe here.