Burp Suite

Tips

- If Render Page crash:
sudo sysctl -w kernel.unprivileged_userns_clone=1
- If embedded browser crash due sandbox:
find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \;
- Scope with all subdomains:
.*\.test\.com$
- Use Intruder to target specific parameters for scanning
- Right click: actively scan defined insertion points
# Autorize Plugin
1. Login with lower user, get the cookie or token and paste in header inside Configuration tab.
2. In second browser, login with higher privilege user and start intercepting the requests of privilged functionality like admin-panel
# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items
# XSS Validator extension
1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
2) Send Request to Intruder
3) Mark Position
4) Import xss-payload-list from $Tools into xssValidator
5) Change Payload Type to Extension Generated
6) Change Payload Process to Invoke-Burp Extension - XSS Validator
7) Add Grep-Match rule as per XSS Validator
8) Start.
# Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320
# Filter the noise TLDR
# TLS Pass Through
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\.com
# Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
# Hosted:
https://rhinosecuritylabs.github.io/Swagger-EZ/
# If some request/response breaks or slow down Burp
- Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...."
# Burp Extension rotate IP yo avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension
# Collab/SSRF/pingback alternative
requestcatcher.com
canarytokens.org
webhook.site
1u.ms
ngrok.com
pingb.in
swin.es
ceye.io
requestbin.net
beeceptor.com
ssrftest.com
rbnd.gl0.eu
# Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator
# Run your own collab server
https://github.com/yeswehack/pwn-machine
# Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt
# Autorize:
1. Copy cookies from low priv user and paste in Autorize
2. Set filters (scope, regex)
3. Set Autorize ON
4. Navigate as high priv user
# Autorize:
1. Copy cookies from low priv user and paste in Autorize
2. Set filters (scope, regex)
3. Set Autorize ON
4. Navigate as high priv user
# Turbo Intruder
basic.py -> Set %s in the injection point and specify wordlist in script
multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script

Preferred extensions

Collaborator SSRF explotation mindmap