What's happening in the Burp-verse - Issue #8 📰

By Burp Suite Guide • Issue #8
Hi 👋,
I hope you are doing well.
When I sat down around mid-June to create the newsletter issue, I was upset to see that not much had happened in the Burp-verse. The early adopter features were released as part of the stable release 2021.6.2, and there were not many new resources/blog posts/tweets. 🤷
But then the situation changed fast. There are quite a few new things in the Burp-verse. Simply put, most of the resources you see in this newsletter have been released in the last 15 days.
Let’s start.

Releases
Yo early adopters, Burp has added another powerful tool to its suite. What makes it even bigger news is that it’s available for both the Community and Professional editions.
Introducing DOM Invader - a tool that invades 😅 your target website’s DOM to make finding DOM XSS a lot easier.
This tool is not a new tab in Burp but rather an extension to Burp’s embedded browser. (Another good reason to use the embedded browser when hunting bugs.)
DOM Invader settings
Once DOM Invader is enabled, you can inject the canary into the URL and HTML forms and detect sinks. If the augmented DOM (part of this new tool) shows sinks and sources, you can be sure there’s a DOM XSS.
DOM Invader on DVWA
To know more about the capabilities of DOM Invader, check out this fantastic blog post on this tool by Gareth Heyes or the tool’s documentation.
This release has also improved Burp Scanner’s navigation of SPAs and added a beginner-friendly “Learn” tab and minor improvements. Check the release notes to know more.
Blog Posts
As the title says, this blog post contains many tips and tricks when using Burp Intruder. Following them, I feel, will let you use Intruder to its full advantage.
Make sure to check this blog post.
In this blog post, Evan Custodio walks you through the process of setting up Burp Suite to test iOS apps. The process is tedious when compared to the same process for Android apps. But, at the same time, I haven’t found a detailed blog post like this one.
If you are beginning with iOS app pentesting, then check out the blog post.
The blog post talks about how Burp proxy works - from an OSI layer perspective. This blog post is theoretical as the OSI model in itself is theoretical. However, it gives an overview of what happens when using the Burp proxy to intercept HTTP(S) traffic. 
Check out the blog post if you want to understand how Burp proxy works.
Extensions
Introducing the Extended BApp Store!
If you have missed my latest tweets/posts/email on the Extended BApp store, let me introduce it to you. 
In a nutshell, the extended BApp store helps you find the right extension that you are looking for. Some of its features:
  • Searching using keywords/tags
  • Tags to include the dependencies, deprecation and more
  • Shows if the extension on the official BApp store has new features in its open-source repo
  • Finally, it includes extensions that are not yet added to the BApp store
To know more about it, check my email about the project.
Bookmark the site and check it out when you are searching for a Burp extension.
Tweets
Nicolas Grégoire talks about simplifying the development of extensions (Twitter thread)
Mastering Burp Suite Pro
Simplifying the development of your own one-shot extensions, a thread ⤵️
Saying you can do something and doing it are two different things. Bug hunters are already finding DOM XSS using the new DOM Invader tool. (This proves that DOM Invader does what it says 🔥)
Saajan Bhujel
Yesterday found two DOM XSS with the help of DOM Invader. Thank you @PortSwigger for making this amazing extension 😍🔥
Tip: Use DOM Invader for finding DOM XSS manually.
#burptips #bugbountytips https://t.co/ma4PScAffj
Others
Google Chrome has decided to disable the alert function for cross-domain iframes. So, if you can trigger XSS using a cross-domain iframe, use the print() function instead of alert().
This repository contains the minimal code to create a Java-based Burp extension. It also uses GitHub Actions to build JAR files. 
If you plan to develop an extension, just fork this repo and add/modify extension logic.
This is a video recording of HackerOne’s webinar covering tips to use Burp effectively. It also covers common mistakes while using Burp and how you can avoid them.
Finally
If you learned something new about Burp Suite using this newsletter, please share it with your friends, hackers & pentester colleagues. Tweet about it, post about it on social media or even forward this newsletter email to others.
If you liked the newsletter, click the 👍 button below. If you have any specific feedback, shoot an email to [email protected].
Many thanks for considering my request.
Until next time 👋