https://github.com/nccgroup/BurpSuiteHTTPSmuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
https://github.com/nccgroup/BurpSuiteHTTPSmuggler

burpsuite burpsuite-extender bypass waf

Last synced: 5 months ago
JSON representation

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques

• Host: GitHub
• URL: https://github.com/nccgroup/BurpSuiteHTTPSmuggler
• Owner: nccgroup
• License: agpl-3.0
• Created: 2018-07-03T07:47:58.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2019-05-04T06:15:42.000Z (almost 6 years ago)
• Last Synced: 2024-04-14T21:07:37.250Z (about 1 year ago)
• Topics: burpsuite, burpsuite-extender, bypass, waf
• Language: Java
• Homepage:
• Size: 2.6 MB
• Stars: 683
• Watchers: 28
• Forks: 110
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG
  • License: LICENSE

Awesome Lists containing this project

• awesome-rainmana - nccgroup/BurpSuiteHTTPSmuggler - A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques (Java)
• WebHackersWeapons - BurpSuiteHTTPSmuggler
• awesome-burp-extensions - BurpSuiteHTTPSmuggler - A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. (Web Application Firewall Evasion / SSRF)
• awesome-hacking-lists - nccgroup/BurpSuiteHTTPSmuggler - A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques (Java)

README

        
# Burp Suite HTTP Smuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. 

This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.

The initial release (v0.1) only supports the Encoding capability that can be quite complicated to be performed manually. 

See the references for more details.

Next versions will include more techniques and possible bug fixes.

# Example Screenshots

![AppSec EU 18 - example1](screenshots/AppSecEU18-example1.jpg?raw=true "AppSec EU 18 - example1")

![AppSec EU 18 - example2](screenshots/AppSecEU18-example2.jpg?raw=true "AppSec EU 18 - example2")

# References:

* https://appseceurope2018a.sched.com/event/EgXc/waf-bypass-techniques-using-http-standard-and-web-servers-behavior

* https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/

* https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/

Released under AGPL v3.0 see LICENSE for more information