Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Burp Suite

Tips

- If Render Page crash:
sudo sysctl -w kernel.unprivileged_userns_clone=1
​
- If embedded browser crash due sandbox:
find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \;
​
- Scope with all subdomains:
.*\.test\.com$
​
- Use Intruder to target specific parameters for scanning
- Right click: actively scan defined insertion points
​
# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items
​
# XSS Validator extension
1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
2) Send Request to Intruder
3) Mark Position
4) Import xss-payload-list from $Tools into xssValidator
5) Change Payload Type to Extension Generated
6) Change Payload Process to Invoke-Burp Extension - XSS Validator
7) Add Grep-Match rule as per XSS Validator
8) Start.
​
# Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320
​
# Filter the noise TLDR
# TLS Pass Through
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\.com
​
# Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
# Hosted:
https://rhinosecuritylabs.github.io/Swagger-EZ/
​
# If some request/response breaks or slow down Burp
- Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...."
​
# Burp Extension rotate IP yo avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension
​
# Collab/SSRF/pingback alternative
interactsh.com
ceye.io
requestcatcher.com
canarytokens.org
webhook.site
ngrok.com
pingb.in
swin.es
requestbin.net
ssrftest.com
rbnd.gl0.eu
dnslog.cn
beeceptor.com
​
# Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator
​
# Run your own collab server
https://github.com/yeswehack/pwn-machine
​
# Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt
​
# Autorize:
1. Copy cookies from low priv user and paste in Autorize
2. Set filters (scope, regex)
3. Set Autorize ON
4. Navigate as high priv user
# Turbo Intruder
basic.py -> Set %s in the injection point and specify wordlist in script
multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script
​
# Match and Replace
https://github.com/daffainfo/match-replace-burp
​
# Customize Audit Scans
Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods"
Works on most of issues like SQLi
​
# Send to local Burp from VPS
# In local computer
ssh -R 8080:127.0.0.1:8080 [email protected]_IP -f -N
# In VPS
curl URL -x http://127.0.0.1:8080
​
# Ip rotation
https://github.com/ustayready/fireprox

Preferred extensions

  • ​Burp Bounty Pro: Active and passive checks customizable based on patterns.
  • ​Active Scan ++ More active and passive scans.
  • ​Software Vulnerability Scanner Passive scan to detect vulnerable software versions
  • ​Param Miner Passive scan to detect hidden or unlinked parameters, cache poisoning
  • ​Backslash Powered Scanner Active scan for SSTI detection
  • ​CSRF Scanner Passive CSRF detection
  • ​Freddy Active and Passive scan for Java and .NET deserialization
  • ​JSON Web Tokens decode and manipulate JSON web tokens
  • ​Reissue Request Scripter generates scripts for Python, Ruby, Perl, PHP and PowerShell
  • ​Burp-exporter other extension for export request to multiple languages
  • ​Retire.js Passive scan to find vulnerable JavaScript libraries
  • ​Web Cache Deception Scanner Active scan for Web Cache Deception vulnerability
  • ​Cookie decrypter Passive check for decrypt/decode Netscaler, F5 BigIP, and Flask cookies
  • ​Reflector Passive scan to find reflected XSS
  • ​J2EEScan Active checks to discover different kind of J2EE vulnerabilities
  • ​HTTP Request Smuggler Active scanner and launcher for HTTP Request Smuggling attacks
  • ​Flow History of all burp tools, extensions and tests
  • ​Taborator Allows Burp Collaborator in a new tab
  • ​Turbo Intruder Useful for sending large numbers of HTTP requests (Race cond, fuzz, user enum)
  • ​Auto Repeater Automatically repeats requests with replacement rules and response diffing
  • ​Upload Scanner Tests multiple upload vulnerabilities
  • ​poi Slinger: Active scan check to find PHP object injection
  • ​Java Deserialization Scanner Active and passive scanner to find Java deserialization vulnerabilities
  • ​Autorize Used to detect IDORs
  • ​Match/Replace Session Action Provides a match and replace function as a Session Handling Rule.
  • ​.NET Beautifier Easy view for VIEWSTATE parameter
  • ​Wsdler generates SOAP requests from WSDL request
  • ​Collaborator Everywhere Inject headers to reveal backend systems by causing pingbacks
  • ​Collabfiltrator Exfiltrate blind remote code execution output over DNS
  • ​Bypass WAF Add some headers to bypass some WAFs
  • ​SAMLRaider for testing SAML infrastructures, messages and certificates
  • ​GoldenNuggets-1 create wordlists from target
  • ​Logger++ Log for every burp tool and allows highlight, filter, grep, export...
  • ​OpenAPI Parser Parse and fetch OpenAPI documents directly from a URL
  • ​CO2: Multiple functions such sqlmapper, cewler
  • ​XSSValidator: XSS intruder payload generator and checker
  • ​Shelling: command injection payload generator
  • ​burp-send-to: Adds a customizable "Send to..."-context-menu.
  • ​ssrf-king: Automates SSRF detection

Private collaborator server

GitHub - putsi/privatecollaborator: A script for installing private Burp Collaborator with free Let's Encrypt SSL-certificate
GitHub
Setting a Private Burp Collaborator Server
Security Blog
Self-hosted Burp collaborator with custom domain
Team ROT Information Security

Collaborator SSRF explotation mindmap​

Mobile - Previous
iOS
Next - Others
Password cracking
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub
Outline
Tips
Preferred extensions
Private collaborator server
Collaborator SSRF explotation mindmap