Top 10 Burp Suite Extensions That Help You Find SSRF, SQLi and SSTI

Greetings everyone! Hope everything is going well. In today's blog we will discuss 10 common Burp extensions that you need before you start testing, and explore how these extensions help during the testing phase of a web penetration test or a bug bounty engagement.

What is a Burp Extension?

A Burp extension automates parts of our testing phase with known scripts. Extensions customize Burp's functionality in different ways, such as modifying HTTP requests and responses, customizing the UI, adding custom Scanner checks, and accessing key runtime information, including the Proxy history, the Target site map and Scanner issues.

Top 10 Common Open Source Extensions –

  • ActiveScan++
  • Param Miner
  • Collaborator Everywhere
  • Logger++
  • Autorize
  • Retire.js
  • JSON Beautifier
  • XSS Validator
  • Backslash Powered Scanner

ActiveScan++:

ActiveScan++ is a commonly used Burp extension that helps us find different security issues in the target website, such as SSTI, Host header injection, cache poisoning, DNS rebinding, XML input handling, etc.

Extension on GitHub: https://github.com/PortSwigger/active-scan-plus-plus

Param Miner:

Param Miner is an excellent extension that helps a tester discover hidden and unlinked parameters. It is particularly useful for finding web cache poisoning vulnerabilities.

Tutorial: https://github.com/PortSwigger/param-miner

Collaborator Everywhere:

I recommend Collaborator Everywhere if you are looking for blind SSRF-type security issues. It adds unique headers to each request that are designed to reveal backend systems by causing pingbacks to Burp Collaborator; we can describe this as an out-of-band response from the server. This extension also helps find blind SQLi, command injection, etc.

Tutorial and more information: https://portswigger.net/burp/documentation/collaborator

Logger++:

Logger++ is a multithreaded logging extension for Burp Suite that helps a tester highlight interesting entries or filter the logs down to only the entries that match a filter. A built-in grep tool allows the logs to be searched for entries that match a specified pattern and extracts the values of the capture groups.

More information: https://github.com/PortSwigger/logger-plus-plus

Autorize:

Autorize is an extension for finding authorization issues in the target website. Authorization testing is one of the more time-consuming tasks in a web application penetration test, and this extension automates it, helping us find authorization-related issues such as IDOR (insecure direct object reference) and broken access control. It works by giving the extension the cookies of a low-privileged user and then navigating the website as a high-privileged user; each request is repeated with the low-privileged cookies so that the two responses can be compared.

More information: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f
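To make the comparison concrete, here is an added example (not the Autorize extension's own code) that replays requests captured from a high-privileged session with a low-privileged cookie and with no cookie at all, then classifies each response the way an authorization checker would. The target application, its two sessions and its endpoints are constructed for the demo; one endpoint deliberately skips the ownership check so that the checker has something to flag.

```python
import json
from dataclasses import dataclass

# Constructed demo sessions: cookie value -> logged-in identity.
SESSIONS = {
    "sid=admin-111": {"user_id": 1, "role": "admin"},
    "sid=bob-222": {"user_id": 2, "role": "user"},
}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    cookie: str  # "" means unauthenticated


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def demo_app(req: Request) -> Response:
    """Constructed target application standing in for the real server."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return Response(401, json.dumps({"error": "login required"}))
    parts = req.path.strip("/").split("/")
    # /api/users/<id>/profile: owner or admin only (correct check)
    if len(parts) == 4 and parts[:2] == ["api", "users"] and parts[3] == "profile":
        target = int(parts[2])
        if user["role"] != "admin" and user["user_id"] != target:
            return Response(403, json.dumps({"error": "forbidden"}))
        return Response(200, json.dumps({"user_id": target, "email": f"user{target}@example.test"}))
    # /api/admin/settings: admin only (correct check)
    if parts == ["api", "admin", "settings"]:
        if user["role"] != "admin":
            return Response(403, json.dumps({"error": "forbidden"}))
        return Response(200, json.dumps({"maintenance": False}))
    # /api/invoices/<id>: deliberate bug - authenticated, but ownership is never checked
    if len(parts) == 3 and parts[:2] == ["api", "invoices"]:
        inv = int(parts[2])
        return Response(200, json.dumps({"invoice": inv, "owner": 1, "total": 1299}))
    return Response(404, json.dumps({"error": "not found"}))


def classify(original: Response, replayed: Response) -> str:
    """Verdict for one replayed request, compared with the high-privileged original."""
    if replayed.status == original.status and replayed.body == original.body:
        return "Bypassed"   # the lower-privileged replay got exactly what the admin got
    if replayed.status in (401, 403):
        return "Enforced"   # the server rejected the replay
    return "Unclear"        # same status but different body: needs manual review


def authz_check(captured, low_priv_cookie, send=demo_app):
    """Replay every captured request as the low-privileged user and as nobody."""
    results = []
    for req in captured:
        original = send(req)
        as_low = send(Request(req.method, req.path, low_priv_cookie))
        as_anon = send(Request(req.method, req.path, ""))
        results.append({
            "path": req.path,
            "original_status": original.status,
            "low_priv": classify(original, as_low),
            "unauthenticated": classify(original, as_anon),
        })
    return results


def findings(results):
    """Paths where either replay was served the admin's response unchanged."""
    return [r["path"] for r in results
            if r["low_priv"] == "Bypassed" or r["unauthenticated"] == "Bypassed"]


# Constructed capture: requests made while browsing as the admin user.
CAPTURED = [
    Request("GET", "/api/users/1/profile", "sid=admin-111"),
    Request("GET", "/api/admin/settings", "sid=admin-111"),
    Request("GET", "/api/invoices/42", "sid=admin-111"),
]

if __name__ == "__main__":
    for row in authz_check(CAPTURED, "sid=bob-222"):
        print(row)
    print("bypassed:", findings(authz_check(CAPTURED, "sid=bob-222")))
```

Only the invoice endpoint comes back as "Bypassed", because the profile and admin endpoints return 403 for the low-privileged session and 401 for the anonymous one. On a real engagement the `send` parameter would be the function that forwards a request through Burp; the classification logic stays the same.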

Retire.js:

Retire.js is available both as a browser extension and as a Burp extension.

Retire.js helps us extract all JS files from the target website and check each JS library against known vulnerable versions. We can easily see which JS libraries the site is using and validate security issues according to the library version.

Information and extension details: https://github.com/retirejs/retire.js/
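The core of this check is simple enough to show in a few dozen lines: collect the `script src` URLs from a page, recognise the library and version from the filename, and compare the version against the first fixed release. The example below is added here and is not Retire.js's own code; the HTML, the filename patterns and the `MIN_FIXED_VERSION` table are constructed for illustration (Retire.js ships its own curated repository of affected version ranges, which this placeholder table does not reproduce).

```python
import re
from html.parser import HTMLParser

# Constructed placeholder table: library -> first version treated as fixed.
# Illustrative only; real checks use Retire.js's maintained repository.
MIN_FIXED_VERSION = {
    "jquery": "3.5.0",
    "angular": "1.8.0",
    "lodash": "4.17.21",
}

# Filename conventions commonly seen on CDNs and in self-hosted bundles.
LIBRARY_PATTERNS = [
    ("jquery", re.compile(r"jquery[-.](\d+\.\d+\.\d+)(?:\.min)?\.js$", re.I)),
    ("angular", re.compile(r"angular(?:js|\.js)?/(\d+\.\d+\.\d+)/angular(?:\.min)?\.js$", re.I)),
    ("lodash", re.compile(r"lodash@(\d+\.\d+\.\d+)/lodash(?:\.min)?\.js$", re.I)),
]


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def extract_script_sources(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.sources


def identify_library(src):
    """Return (library, version) if the filename matches a known pattern, else None."""
    path = src.split("?", 1)[0]  # drop cache-busting query strings
    for lib, pattern in LIBRARY_PATTERNS:
        match = pattern.search(path)
        if match:
            return lib, match.group(1)
    return None


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def audit_page(html):
    """List every recognised library on the page and whether it predates the fixed version."""
    results = []
    for src in extract_script_sources(html):
        hit = identify_library(src)
        if hit is None:
            continue  # unknown bundle or unversioned filename: nothing to compare
        lib, version = hit
        outdated = version_tuple(version) < version_tuple(MIN_FIXED_VERSION[lib])
        results.append({"library": lib, "version": version, "src": src, "outdated": outdated})
    return results


# Constructed sample page with three recognisable libraries and one app bundle.
SAMPLE_HTML = """
<html><head>
<script src="/static/jquery-1.12.4.min.js?v=20200101"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.20/lodash.min.js"></script>
<script src="/static/app.bundle.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for row in audit_page(SAMPLE_HTML):
        flag = "OUTDATED" if row["outdated"] else "ok"
        print(f'{row["library"]:8} {row["version"]:8} {flag:9} {row["src"]}')
```

Filename matching is the cheap first pass; a fuller check also fingerprints the file contents, since bundlers and renamed copies hide the version from the URL. The placeholder table is the part you would replace with real advisory data before trusting the verdicts.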

JSON Beautifier:

This extension helps us read JSON and JS files in a readable form. It is difficult for a web application security tester to analyse JS files that have been minified to speed up page loading. This extension helps us review resources served as JSON or JS.

More information: https://github.com/PortSwigger/json-js-beautifier

XSS Validator:

XSS Validator is a Burp extension that helps us validate cross-site scripting (XSS) loopholes in the target website using different regex values. The extension sends responses to a server based on PhantomJS and/or SlimerJS for checking.

Backslash Powered Scanner:

This extension extends Burp's active scanner to find known and unknown classes of server-side injection vulnerabilities.

It tests for issues such as:

  • Detect JSON injection and escalate into RCE where possible
  • Detect server-side HTTP parameter pollution
  • Support brute-forcing backend parameter names
  • Improve evidence clarity and reduce false positives
  • Find vulnerabilities with subtler evidence
  • Detect escape sequence injection
  • Improve LFI detection

More information: https://github.com/PortSwigger/backslash-powered-scanner

Installing an extension: https://portswigger.net/support/how-to-install-an-extension-in-burp-suite

You need Jython installed before Python-based extensions will load: https://www.jython.org/download

Conclusion: In today's blog we discussed how to strengthen your web application penetration testing phase using different common extensions that help us validate different security loopholes in the target website. The extensions we discussed can be easily configured for your own domain.

Thanks for reading. See you in another blog!

Follow our blog: https://securiumsolutions.com/blog/

Author: Pallab Jyoti Borah | VAPT Analyst
