{"id":13843234,"url":"https://github.com/sec-it/BFAC-Burp-Extension","last_synced_at":"2025-07-11T18:30:57.980Z","repository":{"id":113298152,"uuid":"391885702","full_name":"sec-it/BFAC-Burp-Extension","owner":"sec-it","description":"Burp Extension for BFAC (Advanced Backup-File Artifacts Testing for Web-Applications)","archived":false,"fork":false,"pushed_at":"2021-08-09T12:20:12.000Z","size":460,"stargazers_count":20,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-11-21T14:38:45.560Z","etag":null,"topics":["backup-files","bugbounty","burp-extensions","burpsuite","pentest","recon"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sec-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-02T09:21:26.000Z","updated_at":"2023-10-17T09:58:08.000Z","dependencies_parsed_at":"2023-03-13T13:21:40.587Z","dependency_job_id":null,"html_url":"https://github.com/sec-it/BFAC-Burp-Extension","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/sec-it/BFAC-Burp-Extension","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sec-it%2FBFAC-Burp-Extension","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sec-it%2FBFAC-Burp-Extension/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sec-it%2FBFAC-Burp-Extension/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/sec-it%2FBFAC-Burp-Extension/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sec-it","download_url":"https://codeload.github.com/sec-it/BFAC-Burp-Extension/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sec-it%2FBFAC-Burp-Extension/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264870076,"owners_count":23676158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backup-files","bugbounty","burp-extensions","burpsuite","pentest","recon"],"created_at":"2024-08-04T17:01:57.840Z","updated_at":"2025-07-11T18:30:57.965Z","avatar_url":"https://github.com/sec-it.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# BFAC - Burp Extension\n\n![Build](https://img.shields.io/badge/Built%20with-Java-Blue)\n[![GitHub forks](https://img.shields.io/github/forks/sec-it/BFAC-Burp-Extension)](https://github.com/sec-it/BFAC-Burp-Extension/network)\n[![GitHub stars](https://img.shields.io/github/stars/sec-it/BFAC-Burp-Extension)](https://github.com/sec-it/BFAC-Burp-Extension/stargazers)\n[![GitHub](https://img.shields.io/github/license/sec-it/BFAC-Burp-Extension)](https://github.com/sec-it/BFAC-Burp-Extension/blob/master/LICENSE)\n\nBurp Extension for [BFAC][bfac] (Advanced Backup-File Artifacts Testing for Web-Applications).\n\n![Screenshot](static/screenshot_light.png)\n\n## What is BFAC - Burp Extension ?\n\nBackup files are too often overlooked by web application auditors. 
With the objective of democratizing the backup file tests and integrating these tests into the most used tool for web auditors, SEC-IT auditors worked on the integration of the BFAC checks as a BurpSuite plugin.\n\n[BFAC][bfac] is an automated tool that checks for backup artifacts that may disclose the web-application's source code. The artifacts can also lead to leakage of sensitive information, such as passwords, directory structure, etc. This is a tool provided by [@mazen160][mazen160].\n\n[BurpSuite](https://portswigger.net/burp) is a well-known pentesting tool used in web application assessment.\n\nThe plugin is written in Java for better integration with the BurpSuite Extender API.\n\n## How to install ?\n\nDownload [BFAC.jar][jar] on your computer. Then import the jar file as a Burp plugin :\n\n1. Open Burp\n2. Click on the \"Extender\" tab\n3. Click on the \"Add\" button\n4. Set extension type to Java and load [BFAC.jar][jar] by clicking on \"Select file...\"\n\n![Install step 1](static/install_step_1.png)\n\nOnce loaded, you should see a \"BFAC\" tab :\n\n![Install step 2](static/install_step_2.png)\n\n## How to use BFAC plugin ?\n\nBFAC Burp Extension is designed to look for backup files from the Burpsuite [sitemap].\nTherefore, **it is better to run BFAC Burp extension when the sitemap is full enough**.\nPopulating the sitemap is not covered here; however, it can be accomplished using active scanners.\n\nOnce your sitemap is full, you have 2 options.\n\n### The old way\n\nThe original [BFAC][bfac] tool may provide interesting options that are not provided by this extension. 
That is why you can extract interesting URLs from the sitemap using the \"Extract URL\" option.\n\n![Extract URL](static/extract_urls.png)\n\nThen, you only have to provide the extracted URLs to the [BFAC][bfac] tool :\n\n![BFAC Console](static/bfac_console.png)\n\n### The Burp way\n\nIf you do not have [BFAC][bfac] on your computer or want to save time, you can just click on \"Run BFAC\" to run a Java implementation of BFAC :\n\n![BFAC Console](static/screenshot_dark.png)\n\n## Why not using Burp scanner ?\n\nBurp Scanner already provides a backup file feature for Burp Suite Enterprise and Burp Suite Professional ([see #006000d8_backup-file](https://portswigger.net/kb/issues/006000d8_backup-file)).\n\n1. Performing only a backup file check requires more manual configuration in Burp Scanner.\n2. Burp Scanner will not cover multiple backup file formats (see [Benchmark][DIFF]).\n\n\u003e Note : This plugin has been considered by its author and PortSwigger as an alternative to the Burp Scanner feature, which is why you won't find the extension on the [BApp store][BApp].\n\n## Build the JAR\n\nIf you want to contribute or modify the existing plugin, you may need to build an edited JAR. To accomplish that task, you may have a look at the PortSwigger website : [Writing your first Burp Suite extension][devburp].\n\nTo build the jar, create a new Java project in your Java IDE (e.g. Eclipse). Create a new package named `burp`. Import the \"burp interface files\" into this package. These files can be found in the Burp tool : `Extender` tab \u003e `APIs` \u003e `Save interfaces files` (at the bottom left of the pane). Then import the Java classes provided in the [src](src/) folder into the `burp` package. 
You can now modify the plugin as needed, and generate a JAR plugin (on Eclipse: `File` \u003e `Export` \u003e `Java` \u003e `JAR file` \u003e Select project and click on `Finish`).\n\n![Java IDE](static/java_ide.png)\n\n## Acknowledgments\n\nThe [Site-map-extractor][sitemapextactor] BurpSuite plugin written by [@swright573][swright573] has been a great source of inspiration and helped us to better understand BurpSuite Extender API from a \"sitemap\" point of view.\n\n## Author\n\nMade by Alex G. ([@zeecka_](https://twitter.com/Zeecka_)), pentester at SEC-IT.\n\n[bfac]:https://github.com/mazen160/bfac\n[mazen160]:https://twitter.com/mazen160\n[sitemapextactor]:https://github.com/swright573/site-map-extractor\n[swright573]:https://github.com/swright573\n[jar]:bin/BFAC.jar\n[sitemap]:https://portswigger.net/burp/documentation/desktop/tools/target/site-map\n[devburp]:https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension\n[BApp]:https://portswigger.net/bappstore\n[DIFF]:DIFF.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsec-it%2FBFAC-Burp-Extension","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsec-it%2FBFAC-Burp-Extension","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsec-it%2FBFAC-Burp-Extension/lists"}