Burp Suite

Tips
- If Render Page crash:
sudo sysctl -w kernel.unprivileged_userns_clone=1
​
- If embedded browser crash due sandbox:
find .BurpSuite -name chrome-sandbox -exec chown root:root {} \; -exec chmod 4755 {} \;
​
- Scope with all subdomains:
.*\.test\.com$
​
- Use Intruder to target specific parameters for scanning 
  - Right click: actively scan defined insertion points 
​
# Configuration
- Project Options -> HTTP -> Redirections -> Enable JavaScript-driven
- User Options -> Misc -> Proxy Interception -> Always disabled
- Target -> Site Map -> Show all && Show only in-scope items
​
# XSS Validator extension
1) Start xss.js phantomjs $HOME/.BurpSuite/bapps/xss.js
2) Send Request to Intruder
3) Mark Position 
4) Import xss-payload-list from $Tools into xssValidator
5) Change Payload Type to Extension Generated
6) Change Payload Process to Invoke-Burp Extension - XSS Validator
7) Add Grep-Match rule as per XSS Validator
8) Start.
​
# Filter the noise
https://gist.github.com/vsec7/d5518a432b70714bedad79e4963ff320
​
# Filter the noise TLDR
# TLS Pass Through
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\.com
​
# Send swagger to burp
https://github.com/RhinoSecurityLabs/Swagger-EZ
# Hosted: 
https://rhinosecuritylabs.github.io/Swagger-EZ/
​
# If some request/response breaks or slow down Burp
- Project options -> HTTP -> Streaming responses -> Add url and uncheck "Store streaming responses...."
​
# Burp Extension rotate IP yo avoid IP restrictions
https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension
​
# Collab/SSRF/pingback alternative
interactsh.com
ceye.io
requestcatcher.com
canarytokens.org
webhook.site
ngrok.com
pingb.in
swin.es
requestbin.net
ssrftest.com
rbnd.gl0.eu
dnslog.cn
beeceptor.com
​
# Run private collaborator instance in AWS
https://github.com/Leoid/AWSBurpCollaborator
​
# Run your own collab server
https://github.com/yeswehack/pwn-machine
​
# Wordlist from burp project file
cat project.burp | strings | tok | sort -u > custom_wordlist.txt
​
# Autorize:
  1. Copy cookies from low priv user and paste in Autorize
  2. Set filters (scope, regex)
  3. Set Autorize ON
  4. Navigate as high priv user
  
# Turbo Intruder
basic.py -> Set %s in the injection point and specify wordlist in script
multipleParameters.py -> Set %s in all the injection points and specify the wordlists in script
​
# Match and Replace
https://github.com/daffainfo/match-replace-burp
​
# Customize Audit Scans
Configure your audit profile -> Issues reported -> Individual issues -> right-click on "Extension generated issues" -> "Edit detection methods"
Works on most of issues like SQLi
​
# Send to local Burp from VPS
# In local computer
ssh -R 8080:127.0.0.1:8080 [email protected]_IP -f -N
# In VPS
curl URL -x http://127.0.0.1:8080
​
# Ip rotation
https://github.com/ustayready/fireprox
Preferred extensions
​Burp Bounty Pro: Active and passive checks customizable based on patterns.
​Active Scan ++ More active and passive scans.
​Software Vulnerability Scanner Passive scan to detect vulnerable software versions
​Param Miner Passive scan to detect hidden or unlinked parameters, cache poisoning
​Backslash Powered Scanner Active scan for SSTI detection
​CSRF Scanner Passive CSRF detection
​Freddy Active and Passive scan for Java and .NET deserialization
​JSON Web Tokens decode and manipulate JSON web tokens
​Reissue Request Scripter generates scripts for Python, Ruby, Perl, PHP and PowerShell
​Burp-exporter other extension for export request to multiple languages
​Retire.js Passive scan to find vulnerable JavaScript libraries
​Web Cache Deception Scanner Active scan for Web Cache Deception vulnerability
​Cookie decrypter Passive check for decrypt/decode Netscaler, F5 BigIP, and Flask cookies
​Reflector Passive scan to find reflected XSS
​J2EEScan Active checks to discover different kind of J2EE vulnerabilities
​HTTP Request Smuggler Active scanner and launcher for HTTP Request Smuggling attacks
​Flow History of all burp tools, extensions and tests
​Taborator Allows Burp Collaborator in a new tab
​Turbo Intruder Useful for sending large numbers of HTTP requests (Race cond, fuzz, user enum)
​Auto Repeater Automatically repeats requests with replacement rules and response diffing
​Upload Scanner Tests multiple upload vulnerabilities
​poi Slinger: Active scan check to find PHP object injection
​Java Deserialization Scanner Active and passive scanner to find Java deserialization vulnerabilities
​Autorize Used to detect IDORs
​Match/Replace Session Action Provides a match and replace function as a Session Handling Rule.
​.NET Beautifier Easy view for VIEWSTATE parameter
​Wsdler generates SOAP requests from WSDL request
​Collaborator Everywhere Inject headers to reveal backend systems by causing pingbacks
​Collabfiltrator Exfiltrate blind remote code execution output over DNS
​Bypass WAF Add some headers to bypass some WAFs
​SAMLRaider for testing SAML infrastructures, messages and certificates
​GoldenNuggets-1 create wordlists from target
​Logger++ Log for every burp tool and allows highlight, filter, grep, export...
​OpenAPI Parser Parse and fetch OpenAPI documents directly from a URL
​CO2: Multiple functions such sqlmapper, cewler
​XSSValidator: XSS intruder payload generator and checker
​Shelling: command injection payload generator
​burp-send-to: Adds a customizable "Send to..."-context-menu.
​ssrf-king: Automates SSRF detection
Private collaborator server
GitHub - putsi/privatecollaborator: A script for installing private Burp Collaborator with free Let's Encrypt SSL-certificate
GitHub
Setting a Private Burp Collaborator Server
Security Blog
Self-hosted Burp collaborator with custom domain
Team ROT Information Security
Collaborator SSRF explotation mindmap​
Last modified 5mo ago
Burp Suite

Tips

Preferred extensions

Private collaborator server

Collaborator SSRF explotation mindmap​

Collaborator SSRF explotation mindmap
