
Top 10 Burp Suite Extensions That Help You Find SSRF, SQLi, SSTI

Greeting Everyone!

Hope everything is going well. In today's blog we will discuss 10 common Burp Suite extensions that you need before you start your testing. We will explore how these common extensions help you in your testing phase, whether you are doing web penetration testing or bug bounty.

What are Burp Suite Extensions?

Burp extensions automate our testing phase with known scripts. Burp Suite extensions customize Burp's functionality in different ways, such as modifying HTTP requests and responses, customizing the UI, adding custom Scanner checks, and accessing key runtime information, including the Proxy history, Target site map, and Scanner issues.

Top 10 Common Burp Suite Extensions That Are Open Source:

  • Active scanner ++
  • Param-miner
  • Collaborator Everywhere
  • Logger ++
  • Autorize
  • Retire.js
  • JSON Beautifier
  • XSS Validator
  • backslash-powered-scanner

Active Scanner++:

Active Scanner++ is a commonly used Burp extension which helps us find different security issues against our targeted website, such as SSTI, Host header injection, cache poisoning, DNS rebinding, XML input handling, etc.

Extension on GitHub: https://github.com/PortSwigger/active-scan-plus-plus

Param-miner:

Param-miner is an awesome extension that helps a tester find issues with hidden and unlinked parameters. It's particularly useful for finding web cache-poisoning vulnerabilities.

Extension on GitHub: https://github.com/PortSwigger/param-miner

Collaborator Everywhere:

I recommend Collaborator Everywhere if you're looking for blind SSRF-type security issues. It adds unique headers to each request, designed to reveal backend systems by causing pingbacks to Burp Collaborator. We can describe this as an out-of-band response from the server. This extension also helps find blind SQLi, command injection, etc.

Tutorial and more info can be found here: https://portswigger.net/burp/documentation/collaborator

Logger++:

Logger++ is a multithreaded logging extension for Burp Suite which helps a tester highlight interesting entries or filter the logs down to only those that match a filter. A built-in grep tool allows the logs to be searched to locate entries that match a specified pattern and extract the values of the capture groups.

More information can be found here: https://github.com/PortSwigger/logger-plus-plus

Autorize:

Autorize is an extension for finding authorization issues against our targeted website. Authorization testing is one of the more time-consuming tasks in a web application penetration test, and this extension automates it, helping us find authorization-related issues such as IDOR and broken access control. It works by taking the cookies of a low-privileged user and replaying the requests we make while navigating the website as a high-privileged user, so we can check whether the low-privileged session gets the same responses.

More information can be found here: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f
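The Autorize idea described above, as an added example that is not the extension's own code: replay a captured privileged request with a low-privileged cookie (or none at all) and compare the responses. The request, cookies and responses are constructed samples with placeholder session values; the verdict labels and the length tolerance are this example's own simplification.

```python
import re

def swap_session(raw_request, cookie):
    """Rewrite the Cookie header to another user's session, or drop it entirely
    (cookie=None) to model an unauthenticated replay of the same request."""
    out = []
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            if cookie is not None:
                out.append("Cookie: " + cookie)
            continue
        out.append(line)
    return "\r\n".join(out)

def classify(admin, replay, enforcement_pattern=None, tolerance=0.1):
    """Compare the privileged response with the replayed one; each is (status, body).
    'Enforced'  - status differs, or the body matches the configured denial pattern
    'Bypassed'  - same status and (near-)identical body: low-privileged user got the admin's data
    'Unclear'   - same status but bodies differ beyond tolerance: review by hand"""
    a_status, a_body = admin
    r_status, r_body = replay
    if r_status != a_status:
        return "Enforced"
    if enforcement_pattern and re.search(enforcement_pattern, r_body):
        return "Enforced"
    if r_body == a_body:
        return "Bypassed"
    longest = max(len(a_body), len(r_body), 1)
    if abs(len(a_body) - len(r_body)) / longest <= tolerance:
        return "Bypassed"
    return "Unclear"

# Constructed sample: one proxied admin request and the responses observed for each session.
ADMIN_REQUEST = ("GET /api/users/42 HTTP/1.1\r\nHost: app.example\r\n"
                 "Cookie: session=ADMIN_SESSION_PLACEHOLDER\r\n\r\n")
LOW_PRIV_COOKIE = "session=LOW_PRIV_SESSION_PLACEHOLDER"
ADMIN_RESPONSE = (200, '{"id":42,"email":"admin@app.example","role":"admin"}')
LOW_PRIV_RESPONSE = (200, '{"id":42,"email":"admin@app.example","role":"admin"}')
UNAUTH_RESPONSE = (401, '{"error":"authentication required"}')

def run_checks():
    """Return the verdict for the low-privileged replay and the unauthenticated replay."""
    low_req = swap_session(ADMIN_REQUEST, LOW_PRIV_COOKIE)
    unauth_req = swap_session(ADMIN_REQUEST, None)
    assert "LOW_PRIV" in low_req and "Cookie:" not in unauth_req
    denial = r"forbidden|not authorized"
    return {
        "low_privileged": classify(ADMIN_RESPONSE, LOW_PRIV_RESPONSE, denial),
        "unauthenticated": classify(ADMIN_RESPONSE, UNAUTH_RESPONSE, denial),
    }

if __name__ == "__main__":
    print(run_checks())
```

A "Bypassed" verdict on the low-privileged replay is exactly the IDOR / broken access control finding the extension flags; the "Unclear" bucket is where you tune the denial pattern.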

Retire.js:

Retire.js is available both as a browser extension and as a Burp extension.

It helps us extract all JS files from our targeted website and check every JS library they use against known vulnerable versions. We can easily verify which JS libraries are in use and validate security issues according to the library version.

Extension details can be found here: https://github.com/retirejs/retire.js/
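The version-matching step Retire.js performs, as an added example that is not Retire.js's own code: fingerprint a library and its version from a script body, then compare the version numerically against a vulnerable range. The advisory entries, their ranges and ids are constructed placeholders, not real advisories, and the fingerprint regexes are this example's own.

```python
import re

# Constructed advisory data standing in for Retire.js's real repository: each entry names a
# library, a vulnerable version range [at_or_above, below) and a placeholder id.
ADVISORIES = [
    {"library": "jquery", "at_or_above": "0", "below": "1.12.0", "id": "PLACEHOLDER-ADVISORY-1"},
    {"library": "jquery", "at_or_above": "0", "below": "3.5.0", "id": "PLACEHOLDER-ADVISORY-2"},
    {"library": "angularjs", "at_or_above": "0", "below": "1.8.0", "id": "PLACEHOLDER-ADVISORY-3"},
]

# Fingerprints in the style Retire.js uses: a banner comment and an in-code version assignment.
FINGERPRINTS = {
    "jquery": [
        re.compile(r"/\*!?\s*jQuery\s+v?(\d+\.\d+(?:\.\d+)?)"),
        re.compile(r"jQuery\.fn\.jquery\s*=\s*[\"'](\d+\.\d+(?:\.\d+)?)[\"']"),
    ],
    "angularjs": [re.compile(r"/\*\s*AngularJS\s+v(\d+\.\d+(?:\.\d+)?)")],
}

def parse_version(v):
    """Turn '1.12.4' into (1, 12, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def detect_libraries(js_text):
    """Return {library: version} for every fingerprint that matches the script body."""
    found = {}
    for lib, patterns in FINGERPRINTS.items():
        for pat in patterns:
            m = pat.search(js_text)
            if m:
                found[lib] = m.group(1)
                break
    return found

def find_vulnerable(detected, advisories=ADVISORIES):
    """List (library, version, advisory id) for every range that covers a detected version."""
    hits = []
    for lib, version in detected.items():
        v = parse_version(version)
        for adv in advisories:
            if adv["library"] != lib:
                continue
            if parse_version(adv["at_or_above"]) <= v < parse_version(adv["below"]):
                hits.append((lib, version, adv["id"]))
    return hits

# Constructed sample bundle: a minified file whose banner comment survived minification.
SAMPLE_JS = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */!function(a,b){}"

if __name__ == "__main__":
    print(find_vulnerable(detect_libraries(SAMPLE_JS)))
```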

JSON Beautifier:

This extension helps us read JSON and JS files in a readable form. It is difficult for a web application security tester to analyze JS files which are minified to increase loading speed, and this extension helps us inspect resources that are JSON or JS.

More information can be found here: https://github.com/PortSwigger/json-js-beautifier

XSS Validator:

XSS Validator is a Burp extension that helps us validate cross-site scripting (XSS) loopholes against our targeted website using different regex values. This extension sends responses to a server based on Phantom.js and/or Slimer.js, which checks whether the payload actually executes.

backslash-powered-scanner:

This extension extends Burp's Active Scanner to find known and unknown classes of server-side injection security issues.

It tests for issues such as:

  • Detect JSON Injection and escalate into RCE where possible
  • Detect Server-Side HTTP Parameter Pollution
  • Support brute-forcing backend parameter names
  • Improve evidence clarity and reduce false positives
  • Find vulnerabilities with subtler evidence
  • Detect escape sequence injection
  • Improve LFI detection

More information can be found here: https://github.com/PortSwigger/backslash-powered-scanner

How to install an extension: https://portswigger.net/support/how-to-install-an-extension-in-burp-suite

You need Jython installed before installing these extensions: https://www.jython.org/download

Conclusion:

In today's blog we discussed how to improve your web application penetration testing phase using different common extensions which help us validate different security loopholes against our targeted website. We discussed common extensions which you can easily configure for your domain.

Thanks for reading. See you in another blog!

Stick with our blog: https://securiumsolutions.com/blog/

Author: Pallab Jyoti Borah | VAPT Analyst
