Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/allyomalley/BurpParamFlagger
A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.
https://github.com/allyomalley/BurpParamFlagger
Last synced: 22 days ago
JSON representation
A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.
- Host: GitHub
- URL: https://github.com/allyomalley/BurpParamFlagger
- Owner: allyomalley
- Created: 2021-02-11T01:58:30.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2021-02-19T07:00:58.000Z (almost 4 years ago)
- Last Synced: 2024-08-05T17:45:12.866Z (4 months ago)
- Language: Python
- Size: 261 KB
- Stars: 131
- Watchers: 6
- Forks: 23
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - allyomalley/BurpParamFlagger - A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI. (Python)
README
# BurpParamFlagger
A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.
*Note:* I believe that Burp Pro is required to use this extension, since it adds onto the scanner functionality, which isn't included in the Community version.
![ScreenShot](issue.png)
The extension will look at both the **name** of a parameter and the **value** of that parameter and look for any common words or patterns indicating that it could be an insertion point for SSRF or LFI.
For example, SSRF checks include looking for parameter names like 'redirect', 'url', or 'domain', as well as looking for values that look like a URL.
LFI checks look for names like 'include', 'attach', or 'file', and look for values that have a file extension.
A few basic examples:
![ScreenShot](paramname.png)
![ScreenShot](value.png)## Installation
Just clone the repo and load the extension into Burp: Go to the Extender tab, click 'Add', change the extension type to 'Python', provide the cloned BurpParamFlagger.py file, and follow the next prompts.
## Usage
Once the extension is loaded, nothing more is needed. You should start seeing any flagged requests with your other scanner issues on the Dashboard.