Pentest Book
Burp Suite

Tips

- If Render Page crashes:
sudo sysctl -w kernel.unprivileged_userns_clone=1

- If the embedded browser crashes because of the sandbox:
find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \;

- Scope with all subdomains:
.*\.test\.com$

- Use Intruder to target specific parameters for scanning
- Right click: actively scan defined insertion points

# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items

# XSS Validator extension
1) Start xss.js: phantomjs $HOME/.BurpSuite/bapps/xss.js
2) Send Request to Intruder
3) Mark Position
4) Import xss-payload-list from $Tools into xssValidator
5) Change Payload Type to Extension Generated
6) Change Payload Process to Invoke Burp extension - XSS Validator
7) Add Grep-Match rule as per XSS Validator
8) Start.

# Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320

# Filter the noise TLDR
# TLS Pass Through
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\.com

# Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
# Hosted:
https://rhinosecuritylabs.github.io/Swagger-EZ/

# If some request/response breaks or slows down Burp
- Project options -> HTTP -> Streaming responses -> Add URL and uncheck "Store streaming responses..."

# Burp extension to rotate IP and avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension

# Collab/SSRF/pingback alternatives
interactsh.com
requestcatcher.com
canarytokens.org
webhook.site
ngrok.com
pingb.in
swin.es
requestbin.net
ssrftest.com
rbnd.gl0.eu
dnslog.cn
beeceptor.com

# Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator

# Run your own collab server
https://github.com/yeswehack/pwn-machine

# Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt

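The `strings | tok | sort -u` pipeline above, reimplemented in Python as an added example that is not part of the original page: it recovers printable runs from a constructed stand-in for a binary project file, tokenizes them and returns the sorted, unique wordlist. The tokenizer rules (word characters, minimum three characters) are an assumption that approximates `tok`, not its exact behaviour.

```python
import re
import sys
from typing import Iterable, List

# Constructed stand-in for the raw bytes of a Burp project file: real .burp
# files are binary, and the text fragments inside them are what `strings` recovers.
SAMPLE_PROJECT_BYTES = (
    b"\x00\x01\x02GET /api/v2/users?id=42&sort=name HTTP/1.1\r\n"
    b"Host: app.test.com\r\n\x00\xffX-Request-Id: abc123\r\n"
    b"\x10\x11{\"session_token\":\"deadbeef\",\"role\":\"admin\"}\x00\x00ab\x00"
)


def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like `strings`: return runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def tokenize(lines: Iterable[str], min_len: int = 3) -> List[str]:
    """Approximation of `tok` (assumed rules, not the tool's exact ones):
    split each line into runs of [A-Za-z0-9_] and drop tokens shorter than min_len."""
    tokens: List[str] = []
    for line in lines:
        tokens.extend(t for t in re.findall(r"[A-Za-z0-9_]+", line) if len(t) >= min_len)
    return tokens


def build_wordlist(data: bytes, min_str: int = 4, min_tok: int = 3) -> List[str]:
    """Equivalent of `strings | tok | sort -u` (byte order, as with LC_ALL=C)."""
    return sorted(set(tokenize(strings(data, min_str), min_tok)))


def wordlist_from_file(path: str) -> List[str]:
    """Build the wordlist from an actual project file on disk."""
    with open(path, "rb") as fh:
        return build_wordlist(fh.read())


if __name__ == "__main__":
    # Pass a project file path to use real data; otherwise the constructed sample is used.
    words = wordlist_from_file(sys.argv[1]) if len(sys.argv) > 1 else build_wordlist(SAMPLE_PROJECT_BYTES)
    print("\n".join(words))
```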
# Autorize:
1. Copy cookies from the low-priv user and paste them into Autorize
2. Set filters (scope, regex)
3. Set Autorize ON
4. Navigate as the high-priv user

# Turbo Intruder
basic.py -> Set %s in the injection point and specify the wordlist in the script
multipleParameters.py -> Set %s in all the injection points and specify the wordlists in the script

# Customize Audit Scans
Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods"
Works on most issues, like SQLi

# Send to local Burp from VPS
# On the local computer (USER@VPS_IP is a placeholder for your SSH user and VPS address)
ssh -R 8080:127.0.0.1:8080 USER@VPS_IP -f -N
# On the VPS
curl URL -x http://127.0.0.1:8080

# IP rotation
https://github.com/ustayready/fireprox

Preferred extensions

  • Burp Bounty Pro: Active and passive checks customizable based on patterns.
  • Active Scan++: More active and passive scans.
  • Software Vulnerability Scanner: Passive scan to detect vulnerable software versions.
  • Param Miner: Passive scan to detect hidden or unlinked parameters, cache poisoning.
  • Backslash Powered Scanner: Active scan for SSTI detection.
  • CSRF Scanner: Passive CSRF detection.
  • Freddy: Active and passive scan for Java and .NET deserialization.
  • JSON Web Tokens: Decode and manipulate JSON Web Tokens.
  • Reissue Request Scripter: Generates scripts for Python, Ruby, Perl, PHP and PowerShell.
  • Burp-exporter: Another extension for exporting requests to multiple languages.
  • Retire.js: Passive scan to find vulnerable JavaScript libraries.
  • Web Cache Deception Scanner: Active scan for Web Cache Deception vulnerabilities.
  • Cookie Decrypter: Passive check to decrypt/decode NetScaler, F5 BIG-IP and Flask cookies.
  • Reflector: Passive scan to find reflected XSS.
  • J2EEScan: Active checks to discover different kinds of J2EE vulnerabilities.
  • HTTP Request Smuggler: Active scanner and launcher for HTTP Request Smuggling attacks.
  • Flow: History of all Burp tools, extensions and tests.
  • Taborator: Burp Collaborator in a new tab.
  • Turbo Intruder: Useful for sending large numbers of HTTP requests (race conditions, fuzzing, user enumeration).
  • Auto Repeater: Automatically repeats requests with replacement rules and response diffing.
  • Upload Scanner: Tests multiple upload vulnerabilities.
  • poi Slinger: Active scan check to find PHP object injection.
  • Java Deserialization Scanner: Active and passive scanner to find Java deserialization vulnerabilities.
  • Autorize: Used to detect IDORs.
  • .NET Beautifier: Easy view of the VIEWSTATE parameter.
  • Wsdler: Generates SOAP requests from a WSDL.
  • Collaborator Everywhere: Injects headers to reveal backend systems by causing pingbacks.
  • Collabfiltrator: Exfiltrate blind remote code execution output over DNS.
  • Bypass WAF: Adds some headers to bypass some WAFs.
  • SAMLRaider: For testing SAML infrastructures, messages and certificates.
  • GoldenNuggets-1: Create wordlists from the target.
  • Logger++: Logs every Burp tool and allows highlighting, filtering, grep, export...
  • OpenAPI Parser: Parse and fetch OpenAPI documents directly from a URL.
  • CO2: Multiple functions such as sqlmapper, cewler.
  • XSSValidator: XSS Intruder payload generator and checker.
  • Shelling: Command injection payload generator.
  • burp-send-to: Adds a customizable "Send to..." context menu.
  • ssrf-king: Automates SSRF detection.

Private collaborator server

  • GitHub - putsi/privatecollaborator: A script for installing a private Burp Collaborator with a free Let's Encrypt SSL certificate (GitHub)
  • Setting a Private Burp Collaborator Server (Security Blog)
  • Self-hosted Burp Collaborator with custom domain (Team ROT Information Security)

Collaborator SSRF exploitation mindmap