Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


top-burpsuite-plugins-extensions

https://github.com/Elsfa7-110/top-burpsuite-plugins-extensions

  • Scanners

    • Yara - This extension allows you to perform on-demand Yara scans of websites within the Burp interface based on custom Yara rules that you write or obtain.
    • WordPress Scanner - Find known vulnerabilities in WordPress plugins and themes using WPScan database.
    • Web Cache Deception Burp Extension - This extension tests applications for the Web Cache Deception vulnerability.
    • UUID Detector - This extension passively reports UUID/GUIDs observed within HTTP requests.
    • SSL Scanner - This extension enables Burp to scan for SSL vulnerabilities.
    • Software Vulnerability Scanner - This extension scans for vulnerabilities in detected software versions using the Vulners.com API.
    • Reverse Proxy Detector - This extension detects reverse proxy servers.
    • Reflected File Download Checker - This extension checks for reflected file downloads.
    • Headers Analyzer - This extension adds a passive scan check to report security issues in HTTP headers.
    • HeartBleed - This extension adds a new tab to Burp Suite's main UI allowing a server to be tested for the Heartbleed bug. If the server is vulnerable, data retrieved from the server's memory will be dumped and viewed.
    • Image Size Issues - This extension passively detects potential denial of service attacks due to the size of an image being specified in request parameters.
    • CMS Scanner - An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.
    • Detect Dynamic JS - This extension compares JavaScript files with each other to detect dynamically generated content and content that is only accessible when the user is authenticated.
  • Cryptography

    • Length Extension Attacks - This extension lets you perform hash length extension attacks on weak signature mechanisms.
  • Custom Features

    • Scan Manual Insertion Point - This Burp extension lets the user select a region of a request (typically a parameter value), and via the context menu do an active scan of just the insertion point defined by that selection.
    • Distribute Damage - Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle and a context menu to trigger scans from.
    • Multi-Browser Highlighting - This extension highlights the Proxy history to differentiate requests made by different browsers. The way this works is that each browser would be assigned one color and the highlights happen automatically.
    • Manual Scan Issues - This extension allows users to manually create custom issues within the Burp Scanner results.
    • Decoder Improved - Decoder Improved is a data transformation plugin for Burp Suite that better serves the varying and expanding needs of information security professionals.
    • Request Minimizer - This extension performs HTTP request minimization. It deletes parameters that are not relevant such as: random ad cookies, cachebusting nonces, etc.
    • Handy Collaborator - Handy Collaborator is a Burp Suite Extension that lets you use the Collaborator tool during manual testing in a comfortable way.
  • Beautifiers and Decoders

    • XChromeLogger Decoder - This extension adds a new tab in the HTTP message editor to display X-ChromeLogger-Data in decoded form.
    • WebSphere Portlet State Decoder - This extension displays the decoded XML state of a WebSphere Portlet in a new tab when the request is viewed.
    • PDF Viewer - This extension adds a tab to the HTTP message viewer to render PDF files in responses.
    • NTLM Challenge Decoder - This extension decodes NTLM SSP headers.
    • JCryption Handler - This extension provides a way to perform manual and/or automatic security assessments of web applications that use the JCryption JavaScript library to encrypt data sent through HTTP methods (GET and POST).
    • JSWS Parser - This extension can be used to parse a response containing a JavaScript Web Service Proxy (JSWS) and generate JSON requests for all supported methods.
    • JSON Decoder - This extension adds a new tab to Burp's HTTP message editor, and displays JSON messages in decoded form.
    • MessagePack - This extension supports: decoding MessagePack requests and responses to JSON format, converting requests from JSON format to MessagePack.
    • Fast Infoset Tester - This extension converts incoming Fast Infoset requests and responses to XML, and converts outgoing messages back to Fast Infoset.
    • BurpAMFDSer - BurpAMFDSer is a Burp plugin that will deserialize/serialize AMF requests and responses to and from XML with the use of the XStream library.
  • Scripting

  • OAuth and SSO

    • SAML Encoder/Decoder - This extension adds a new tab to Burp's main UI, allowing encoding and decoding of SAML (Security Assertion Markup Language) formatted messages.
    • SAML Editor - This extension adds a new tab to Burp's HTTP message editor, allowing encoding and decoding of SAML (Security Assertion Markup Language) formatted messages.
    • PeopleSoft Token Extractor - This extension helps test PeopleSoft SSO tokens.
    • JSON Web Token Attacker - This extension helps to test applications that use JavaScript Object Signing and Encryption, including JSON Web Tokens.
    • JSON Web Tokens - This extension lets you decode and manipulate JSON web tokens on the fly, check their validity and automate common attacks against them.
    • SAMLReQuest - Enables you to view, decode, and modify SAML requests and responses.
  • Information Gathering

    • Google Hack - This extension provides a GUI interface for setting up and running Google Hacking queries, and lets you add results directly to Burp's site map.
    • Site Map Extractor - This extension extracts information from the Site Map. You can use the full site map or just in-scope items.
    • Site Map Fetcher - This extension fetches the responses of unrequested items in the site map.
    • Attack Surface Detector - The Attack Surface Detector uses static code analysis to identify web app endpoints by parsing routes and identifying parameters.
  • Vulnerability Specific Extensions

    • Cross-site scripting

      • DOM XSS Checks - This Burp Suite plugin passively scans for DOM-Based Cross-Site Scripting.
    • Broken Access Control

      • Auto Repeater - This extension automatically repeats requests, with replacement rules and response diffing. It provides a general-purpose solution for streamlining authorization testing within web applications.
    • Cross-Site Request Forgery

    • Deserialization

      • PHP Object Injection Check - This extension adds an active scan check to find PHP object injection vulnerabilities.
      • Java Serialized Payloads - This extension generates various Java serialized payloads designed to execute OS commands.
      • Freddy, Deserialization Bug Finder - Helps with detecting and exploiting serialization libraries/APIs.
      • CustomDeserializer - This extension speeds up manual testing of web applications by performing custom deserialization.
      • BurpJDSer - BurpJDSer is a Burp plugin that will deserialize/serialize Java requests and responses to and from XML with the use of the XStream library.
    • Sensitive Data Exposure

      • Param Miner - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
      • MindMap Exporter - Aids with documentation of the following OWASP Testing Guide V4 tests: OTG-INFO-007: Map execution paths through application, OTG-INFO-006: Identify application entry points.
      • Image Location and Privacy Scanner - Passively scans for GPS locations or embedded privacy related exposure (like camera serial numbers) in images during normal security assessments of websites via a Burp plug-in.
      • Image Metadata - This extension extracts metadata present in image files. The information found is rarely critical, but it can be useful for general reconnaissance. This information can include the usernames of those who created the files, local paths and technologies used.
      • ExifTool Scanner - This Burp extension reads metadata from various filetypes (JPEG, PNG, PDF, DOC, XLS and much more) using ExifTool. Results are presented as Passive scan issues and Message editor tabs.
      • Secret Finder - A Burp Suite extension to help pentesters discover API keys, access tokens and other sensitive data using regular expressions.
    • SQL Injection

    • Insecure File Uploads

      • File Upload Traverser - This extension verifies if file uploads are vulnerable to directory traversal vulnerabilities.
    • Session Management

      • TokenJar - This extension provides a way of managing tokens like anti-CSRF, CSurf, Session IDs.
      • Token Incrementor - A simple but useful extension to increment a parameter in each request, intended for use with Active Scan.
      • Session Auth - This extension can be used to identify authentication privilege escalation vulnerabilities.
      • Session Timeout Test - This extension attempts to determine how long it takes for a session to timeout at the server.
      • Session Tracking Checks - This extension checks for the presence of known session tracking sites.
      • ExtendedMacro - This extension provides a similar but extended version of the Burp Suite macro feature.
      • Request Randomizer - This extension registers a session handling rule which places a random value into a specified location within requests.
      • Burp Wicket Handler - Used as part of Burp's session handling: record a macro which just gets the page you want to submit.
      • Token Extractor - This extension allows tokens to be extracted from a response and replaced in requests.
    • Template Injection

      • tplmap Burp Extension - Burp extension for Tplmap, a Server-Side Template Injection and Code Injection detection and exploitation tool.
  • Web Services

    • Content Type Converter - Burp extension to convert XML to JSON, JSON to XML, x-www-form-urlencoded to XML, and x-www-form-urlencoded to JSON.
    • BurpWCFDSer - BurpWCFDSer is a Burp plugin that will deserialize/serialize WCF requests and responses to and from XML.
    • POST2JSON - Burp Suite Extension to convert a POST request to a JSON message, moving any .NET request verification token to HTTP headers if present.
    • WCF Deserializer - This extension allows Burp to view and modify binary SOAP objects.
    • Postman Integration - This extension integrates with the Postman tool by generating a Postman collection JSON file.
    • OpenAPI Parser - Parse OpenAPI specifications, previously known as Swagger specifications, into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
  • Web Application Firewall Evasion

    • WAFDetect - This extension passively detects the presence of a web application firewall (WAF) from HTTP responses.
    • WAF Cookie Fetcher - This extension allows web application security testers to register various types of cookie-related session handling actions to be performed by the Burp session handling rules.
    • LightBulb WAF Auditing Framework - LightBulb is an open source python framework for auditing web application firewalls and filters.
  • Logging and Notes

    • Notes - This extension adds a new tab to Burp's UI, for taking notes and organizing external files that are created during penetration testing.
    • Log Requests to SQLite - This extension keeps a trace of every HTTP request that has been sent via Burp, in an SQLite database. This is useful for keeping a record of exactly what traffic a pen tester has generated.
    • Flow - This extension provides a Proxy history-like view along with search filter capabilities for all Burp tools.
    • Custom Logger - This extension adds a new tab to Burp's main UI containing a simple log of all requests made by all Burp tools.
    • Burp Savetofile - BurpSuite plugin to save just the body of a request or response to a file.
  • Payload Generators and Fuzzers

    • PsychoPATH - This extension provides a customizable payload generator, suitable for detecting a variety of file path vulnerabilities in file upload and download functionality.
    • Meth0dMan - This extension helps with testing HTTP methods. It generates custom Burp Intruder payloads based on the site map, allowing quick identification of several HTTP method issues.
    • Wordlist Extractor - Scrapes all unique words and numbers for use with password cracking.
    • Intruder File Payload Generator - This extension provides a way to use file contents and filenames as Intruder payloads.
    • Intruder Time Payloads - This extension lets you include the current epoch time in Intruder payloads.
  • Tool Integration

    • Report To Elastic Search - This extension passes along issues discovered by Burp to either stdout or an ElasticSearch database.
    • Qualys WAS - The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform.
    • NMAP Parser - This extension provides a GUI interface for parsing Nmap output files, and adding common web application ports to Burp's target scope.
    • Faraday - This extension integrates Burp with the Faraday Integrated Penetration-Test Environment.
    • Git Bridge - This extension lets Burp users store Burp data and collaborate via git. Users can right-click supported items in Burp to send them to a git repo and use the Git Bridge tab to send items back to the originating Burp tools.
    • Issue Poster - This extension can be used to post details of discovered Scanner issues to an external web service.
    • Code Dx - This extension uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.
    • ElasticBurp - This extension stores requests and responses from selected Burp tools in an ElasticSearch index including metadata like headers and parameters.
    • Dradis Framework - This extension integrates Burp with the Dradis Framework.
    • Pcap Importer - This extension enables Pcap and Pcap-NG files to be imported into the Burp Target site map, and passively scanned.
    • Burp Chat - This extension enables collaborative usage of Burp using XMPP/Jabber. You can send items between Burp instances by connecting over a chat session.
    • ThreadFix - This extension provides an interface between Burp and ThreadFix.
  • Misc

    • CVSS Calculator - This extension calculates CVSS v2 and v3 scores of vulnerabilities.
    • Target Redirector - This extension allows you to redirect requests to a particular target by replacing an incorrect target hostname/IP with the intended one. The Host header can optionally also be updated.
    • Similar Request Excluder - Similar Request Excluder is an extension that enables you to automatically reduce the target scope of your active scan by excluding similar (and therefore redundant) requests.
    • Request Timer - This extension captures response times for requests made by all Burp tools. It could be useful in uncovering potential timing attacks.
    • Response Clusterer - This extension clusters similar responses together, and shows a summary with one request/response per cluster. This allows the tester to get an overview of the tested website's responses from all Burp Suite tools.
    • Replicator - Replicator helps developers to reproduce issues discovered by pen testers.
    • Kerberos Authentication - This extension provides support for performing Kerberos authentication. This is useful for testing in a Windows domain when NTLM authentication is not supported.
    • JVM Property Editor - This extension allows the user to view and modify JVM system properties while Burp is running.
    • Lair - This extension provides the facility to send Burp Scanner issues directly to a remote Lair project.
    • Google Authenticator - This Burp Suite extension turns Burp into a Google Authenticator client.
    • GWT Insertion Points - This extension automatically identifies insertion points for GWT (Google Web Toolkit) requests when sending them to the active Scanner or Burp Intruder.
    • Headless Burp - This extension allows you to run Burp Suite's Spider and Scanner tools in headless mode via the command-line.
    • HTTP Mock - This Burp extension provides mock responses that can be customized, based on the real ones.
    • Carbonator - This extension provides a command-line interface to automate the process of configuring target scope, spidering and scanning.
    • Batch Scan Report Generator - This extension can be used to generate multiple scan reports by host with just a few clicks.
    • Decompressor - Often, HTTP traffic is compressed by the server before it is sent to the client in order to reduce network load.
    • Custom Parameter Handler - This extension provides a simple way to modify any part of an HTTP message, allowing manipulation with surgical precision even (and especially) when using macros.
    • Proxy Auto Config - This extension automatically configures Burp upstream proxies to match desktop proxy settings.
    • Curlit - Burp Python plugin to turn requests into curl commands.
  • Burp Extension Training Resources