The Top 8 Burp Suite Extensions That I Use to Hack Web Sites

When doing Web Application Penetration Tests, one tool dominates the desktops of most Security Consultants: Burp Suite Professional (https://portswigger.net). This comes as no surprise. It has solid performance, a ton of features, and most importantly, extensibility. Users can add features for nearly every type of web technology out there.

Here’s a short list of extensions, in no particular order, that we use on nearly every engagement in 2019.


Flow

Link: https://portswigger.net/bappstore/ee1c45f4cc084304b2af4b7e92c0a49d

What it does

If you have used Burp Suite for any extended period of time, you will fall in love with being able to see everything that your browser is communicating to a web application. Trouble is, with some Burp Suite functions such as Scanner, Extender or Sequencer, the traffic is not visible within Burp Suite. Here is where you need Flow. It logs everything that Burp Suite sends. This comes in really handy when ensuring Scanner is still authenticated or ensuring Macros are working properly.

How to use it

Flow is easy to use, just install it and watch it proxy previously-hidden functions such as Active Scan.

Customize what tools you see or don’t see by clicking the Filter bar at the top.

Pro tip

Move flow down to the bottom of all your extensions like so:

Extensions are used in the order they appear on that list and Flow may not log a particular extension if it is above that extension on the list.


Autorize

Link: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f

What it does

Testing for authorization issues on a site is tedious. In the past, testing involved:

  1. making a privileged function call
  2. sending that call to Repeater
  3. replacing privileged session tokens with a low-level user’s session tokens
  4. then re-sending the request to see if the low-level user can perform a privileged function

On an average site with 20-30 different administrative functions and a handful of different roles, this type of manual checking could take days. Thank goodness for Autorize. This plugin allows you to pop-in some session tokens and repeats each request it sees with those tokens.

How to use it

Log in as an unprivileged user and grab their session tokens. This can be a cookie or a header. Put those values in Autorize and it will replace then and resend each request it sees with those tokens.

Now all you have to do is browse the site as an administrator and perform privileged functions. Autorize keeps a running list of privileged requests side-by-side with unprivileged ones so you can see at a glance if a low-level user can do things they should not be allowed to do.

Pro tip

Paste the whole cookie header into Autorize, including the “Cookie: “ text.


Cloud Storage Tester

Link: https://portswigger.net/bappstore/04adbe101f544c88b2497a9a25ffaab4

What it does

This extension can identify and test S3 buckets, as well as Google Storage buckets and Azure Storage containers, for common misconfiguration issues. With more and more sites utilizing cloud infrastructure, these types of misconfigurations become more and more important to watch out for.

How to use it

If you have the AWS Access Key and AWS Secret Key, then plug them in and click save. The extension will perform cloud storage tests while doing active scans using these keys. It is more likely that on an engagement, these keys will not be available. Without keys, Cloud Storage tester will still perform passive checks such as looking for public S3 buckets. The extension will add any issues it finds to the Target tab.

Pro tip

Verify AWS Access Key and AWS Secret Key using something like AWS CLI to ensure the tokens are working before using them in the Cloud Storage Tester extension.


RetireJS

Link: https://portswigger.net/bappstore/36238b534a78494db9bf2d03f112265c

What it does

RetireJS passively looks for out of date JavaScript libraries while you browse a site. Since the world is now obsessed with using JavaScript for everything, this type of extension is worth its weight in gold.

How to use it

Install the extension and browse/test the site as usual. Any out-of-date JavaScript libraries that are discovered will be flagged and included in Target tab with any other issues discovered.

Pro tip

The extension links to known public vulnerabilities for the out-of-date libraries to give you hints on how to attack the application.


Active Scan++

Link: https://portswigger.net/bappstore/3123d5b5f25c4128894d97ea1acc4976

What it does

ActiveScan++ extends Burp Suite’s active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behavior that may be of interest to advanced testers:

  • Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding)
  • Edge side includes
  • XML input handling
  • Suspicious input transformation (eg 7*7 => ’49’, \x41\x41 => ‘AA’)
  • Passive-scanner issues that only occur during fuzzing (install the ‘Error Message Checks’ extension for maximum effectiveness)

It also adds checks for the following issues:

  • Blind code injection via expression language, Ruby’s open() and Perl’s open()
  • CVE-2014-6271/CVE-2014-6278 ‘shellshock’ and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629, CVE-2018-11776

How to use it

Install the plugin and perform an Active Scan (Audit) of the web application. ActiveScan++ will perform the additional checks.

Pro tip

I used to avoid installing ActiveScan++ because it would never really find anything. But when a colleague of mine found Remote Code execution on a site using the extension, I was sold. This extension may not find things 98% of the time, but when it does, you will be glad you installed it.


Upload Scanner

Link: https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa

What it does

We know that file upload functions are ripe for vulnerabilities. However, these vulnerabilities can sometimes be tricky to find. For example, if you upload a file and it is renamed and appears on another page, Burp Scanner will generally not know how to check these separate pages. This is where Upload Scanner comes in handy.

How to use it

Upload a file in the web application. In Burp Suite Proxy tab right click the upload request and select “Send to Upload Scanner”. There are so many options that another blog post is probably required, but the high-level workflow is like this:

  1. you have the actual File upload request and response
  2. you have a place where the file can be downloaded (ReDownloader request).
  3. you define start and ending markers in the original file upload response for pulling out values needed to make the ReDownloader request
  4. you set up a ReDownloader request to use these values.
  5. Test all this out using “Send preflight request” and “Send ReDownloader request”
  6. Click Start Scan to scan thousands of file upload tests

Pro tip

Watch file download requests and responses in Flow to make sure the scan is not encountering any errors.


JSON Web Tokens

Link: https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6

What it does

JSON Web Tokens (JWT) are popping up everywhere. There are some common attacks that are easy enough to test for, but manually decoding and re-encoding the base64 values acan be tedious. This Extension makes it easy to decode and manipulate JSON web tokens (JWT) and automate common attacks.

How to use it

Send a request to Repeater and if there is a JWT in the request you will see a new tab like this:

From this tab you can select any one of the common JWT attacks and re-send the request to see if it is successful.

Pro tip

That tab will not appear if there is not a JWT in the request.


HTTP Request Smuggler

Link: https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646

What it does

Request Smuggling is a newer class of vulnerabilities presented at BlackHat in 2019 by James Kettle (https://www.blackhat.com/us-19/briefings/schedule/index.html#http-desync-attacks-smashing-into-the-cell-next-door-15153). By tampering with Content-Length headers and Transfer-Encoding headers, you may be able to confuse load balancers, CDNs, WAFs or any number of HTTP proxies that sit in front of the actual web application server. This can lead to some interesting attack vectors as outlined in Kettle’s talk here: https://www.youtube.com/watch?v=-y82LadA7N4.

How to use it

This extension will automatically perform checks when doing Active Scanning on the web application and flag any suspicious behavior. Additionally, you can right-click an item in the Proxy History tab and select “Launch Smuggle Probe”. This could help determine if the application is vulnerable to TE-CL attacks or CL-TE attacks. Based on that, a Proof-of-Concept attack could be created manually.

Pro tip

Do the labs over at Portswigger (https://portswigger.net/web-security/request-smuggling) to get a better idea of how to exploit these types of attacks.


 

Of course this is just a sample of the Burp extensions out there. When performing Web Application Penetration Testing, we always select Burp extensions based on the observed technology. Contact us for more information about our penetration testing methodology.

Is there an extension we missed? Let us know in the comments below.