Worthwhile BurpSuite Plugins

Thoughts on BurpSuite plugins that might lead you to a few bugs.

Overview

BurpSuite is pretty much the de facto tool security professionals use, and this post is not meant to discuss its pros/cons as a tool versus other tools (like OWASP ZAP). Instead, this post is about the available plugins and their quality. The plugins in this post are NOT ranked.

Plugins

Functionality

By functionality plugins I mean plugins that will not find security issues for you, but save you time in some other way.

  1. JSON Beautifier. A must add, and probably should be built into BurpSuite as time goes on. Any detected JSON in a request/response will be properly (‘pretty’) formatted instead of left as an unformatted blob. Immense time saver and a no-brainer which doesn’t intrude on your workflow.

  2. Content Type Converter. Saves some time jumping between different Content-Types. I have mostly used this to jump to XML formatting without having to do all the mindless work myself. Useful for looking for XXE on JSON endpoints, since most cases I have seen default to JSON.

  3. Copy As Python-Requests (possibly other ‘Copy As’ plugins). For people who are comfortable in Python this plugin is very nifty. Right click on your request and get the equivalent Python-Requests code. Generally I don’t use this as much for security, but in development it can be very helpful for troubleshooting/debugging.

  4. HUNT. A newish plugin created by the folks at Bugcrowd, meant to aid you in your workflow. For me, the best thing about this plugin is the ability to add information that’s related to a specific environment. Perhaps you have work-specific exploits or chains that you have to check. Wouldn’t it be nice to pass that information to new hires easily? Add it to this plugin and have a methodology that can be replicated.

  5. Metadata. Right now, PDF Metadata and Image Metadata can be very useful. To me, doing these checks manually is a huge pain, and it is something that a lot of hunters do not look for. The severity of this is usually pretty low, but it is something worth pointing out and fixing.

Bugs

Everyone wants some easy bugs. What are some plugins that can get me there?

  1. Literally anything by James Kettle. Works at PortSwigger, publishes great new research, and can code: easy wins. Big mentions here are backslash-powered-scanner and ActiveScan++. A caveat to this mention is that you should really do some reading on what he has published. Someone who doesn’t know about the techniques in these plugins will not get their full benefit.

  2. Reflected Parameters. A difficult mention for me personally; I am only including it because of the bugs I have found with it. This plugin dumps A LOT of information into its tab for you to parse manually, which can be very tedious because its code/logic is so simple. See a parameter you sent that was included in the response (unchanged)? Then it might be vulnerable. Good bugs to look for from this plugin are XSS and CRLF.

  3. Cloud Storage Tester. Super cool plugin with some great checks. It reads responses for links to different cloud services (Amazon, Microsoft, Google) and does some security checks on those objects. Right now there are a lot of tools that do S3 things, and I would rather add this plugin and trust its results than spend time running other tools manually.

  4. Retire.js (Honorable Mention). Updated regularly and contains good information on the framework you are working with. However, it usually does create a lot of issues that are either not helpful or not exploitable at all.
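The logic behind Reflected Parameters (item 2 above) is simple enough to reproduce in a few lines, which also shows why its output needs manual triage. The script below is an added example, not the plugin’s code: it pulls parameters out of a raw request and reports which values come back unchanged in the response, separating header reflections (a CRLF hint) from body reflections (an XSS hint). The request/response pair is constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic, not a real site.
REQUEST = (
    "GET /search?q=burpplugins&page=1&redirect=https://example.com/home HTTP/1.1\r\n"
    "Host: example.com\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.com/home\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<p>No results for burpplugins</p>"
)


def extract_params(raw_request):
    """Return (name, value) pairs from the query string and a urlencoded body.
    Percent-encoding is decoded so the comparison uses the value the server saw."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    path = request_line.split(" ")[1]
    params = list(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    if body:  # assumed to be application/x-www-form-urlencoded
        params += parse_qsl(body, keep_blank_values=True)
    return params


def find_reflections(raw_request, raw_response, min_len=4):
    """List parameters whose value appears verbatim in the response.
    Values shorter than min_len are skipped: 'page=1' matches almost any
    page by chance, which is exactly the noise the plugin makes you wade
    through. A value that comes back HTML-encoded is 'changed' and is not
    reported, matching the plugin's 'unchanged' criterion."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for name, value in extract_params(raw_request):
        if len(value) < min_len:
            continue
        where = []
        if value in head:
            where.append("header")  # candidate for CRLF injection review
        if value in body:
            where.append("body")    # candidate for XSS review
        if where:
            findings.append((name, value, where))
    return findings


if __name__ == "__main__":
    for name, value, where in find_reflections(REQUEST, RESPONSE):
        print(f"{name}={value!r} reflected in {', '.join(where)}")
```

Each hit is only a lead: you still have to confirm in Repeater whether the reflection point is encoded or sanitised before calling it a bug.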

Thoughts

As you can see, I am more inclined towards ‘functionality’ plugins that improve workflow. The problem with some security plugins is that you do not know EXACTLY how they work, so you cannot trust their output and end up doing the checks yourself anyway. Of course, reading the source code can solve this problem, but many times the code is a mess, and at that point it is almost easier to do the checks yourself to ensure a bug is not missed.

I believe that the most benefit you will receive from BurpSuite plugins will not come from the plugins available on the BApp Store. Instead, it will come from plugins you have created yourself, tailored to your own workflow. Spending some time learning how to code and write plugins can save you immeasurable time in the future. Learn it, apply it, and achieve greatness.

Written on November 12, 2017