{"id":13801761,"url":"https://github.com/Contrast-Security-OSS/Burptrast","last_synced_at":"2025-05-13T11:31:51.399Z","repository":{"id":72669133,"uuid":"599068098","full_name":"Contrast-Security-OSS/Burptrast","owner":"Contrast-Security-OSS","description":"Burp Plugin for Contrast Security","archived":false,"fork":false,"pushed_at":"2024-10-16T11:30:55.000Z","size":5846,"stargazers_count":16,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-11T12:11:43.666Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-08T11:41:51.000Z","updated_at":"2024-10-16T17:51:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"faed8466-77c1-4d4f-8d4b-dd411124db60","html_url":"https://github.com/Contrast-Security-OSS/Burptrast","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2FBurptrast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2FBurptrast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2FBurptrast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2FBurptrast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/Burptrast/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253932958,"owners_count":21986484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T00:01:27.004Z","updated_at":"2025-05-13T11:31:46.382Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":"Java","funding_links":[],"categories":["Tool Integration"],"sub_categories":["SSRF"],"readme":"# Burptrast\n\nBurptrast is designed to pull endpoint information from Teamserver and import it into Burp's sitemap.\nThe endpoints come from two sources:\n * Assess Vulnerability information.\n * Endpoints detected by the agent.\n\nThe full HTTP Request that generated the Vulnerability is stored in Teamserver (TS) and is available via the API. This is imported into Burp. While there are likely to be relatively few of these, they have the advantage of carrying the information required to trigger the endpoint: Request/Path Params, Message Body, etc.\nEndpoints detected by the agent will only have the Path and the HTTP Method (if you are lucky), but you are more likely to get all of the endpoints for this application. 
Hopefully more endpoint information can be gathered by the agent in the future.\n\n## CVE-2023-22725\nTo see what Burptrast can do, see [README.md](docs%2FCVE-2023-33725%2FREADME.md) for details of an XSS to Admin Account Takeover in the Broadleaf Ecommerce platform.\n\n## Live Browsing\nLive Browsing, when enabled, allows you to explore the application via the Burp proxy and get real-time feedback from Assess.\nIt works by adding a Correlation ID Header to every HTTP request. When a vulnerability is found in Assess that is linked to one\nof your HTTP requests, it is automatically added to the Burp Issue tab within a few seconds of the request being made, giving near\nreal-time feedback on your exploration / pentest from Assess directly in your Burp UI.\n\nTo use this feature you need to do the following:\n * Select the Application in the Application drop down.\n * Enable Live Browsing.\n * Browse the application via the Burp Proxy.\n\n\n## Build\nRequires Java 11+\n\nTo build, run:\n```\nmvn clean install\n```\nImport the jar file named Burptrast-1.0-SNAPSHOT-jar-with-dependencies.jar into Burp as an extension.\n\n### Teamserver API Credentials\nYou will need your TS API credentials in a YAML file. It looks like this:\n```\napi:\n  url: https://example.contrastsecurity.com/Contrast\n  api_key: aaabbbccc\n  service_key: aaabbbcccddd\n  user_name: aaabbbccc@ContrastSecurity\n```\nThese are your API credentials, not the credentials used by the Agent.\nThis file is added in the Burptrast UI Tab in Burp.\nTo get your API Credentials, go to the user settings section of Teamserver, as shown below.\n![Burptrast Creds](screenshots/creds.png)\n\n\n### Corporate Proxies\nBurptrast requires access to the Teamserver API to function. If you need to use a Proxy to access Teamserver, you can do\nso by configuring Burp's Upstream Proxy or SOCKS proxy (this is different from Burp's local proxy listener). This is available\nunder Settings -\u003e Network -\u003e Connections. 
More details can be found here: https://portswigger.net/burp/documentation/desktop/settings/network/connections#upstream-proxy-servers\nOnce configured, connections to the Teamserver API by Burptrast will go via this proxy.\n\n\n\n\n![Burptrast Screenshot](screenshots/screenshot.png)\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FContrast-Security-OSS%2FBurptrast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FContrast-Security-OSS%2FBurptrast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FContrast-Security-OSS%2FBurptrast/lists"}