Breaking

ERNW’s Top 9 Burp Plugins

In the context of an internal evaluation, we recently had a look at most of the burp plugins available from the BApp store. The following overview represents our personal top 9 plugins, categorized in “Scanner Extensions”, “Manual Testing” and “Misc” in alphabetic order:

Scanner Extensions

ActiveScan++

This plugin adds some tests for Dynamic code injection, Host header attacks (password reset poisoning, cache poisoning, DNS rebinding), OS command injection and Relative path overwrite. In some internal tests, it seemed to deliver what it promises.

Additional Scanner Checks

Checks for a few (server) best practices (Strict-Transport-Security, X-Content-Type-Options: nosniff, X-XSS-Protection) and has also a DOM XSS module which however seems to need some additional work (it detected DOM XSS e.g. in binary files (like pictures)). Besides the domxss (which can be activated/deactivated in the configuration tab), it is a useful addition to the burp scanner engine.

CSRF Scanner

The CSRF Scanner is very handy plugin when working with a web application which implements a CSRF protection. The main feature is to scan all requests for non existent CSRF tokens (configurable in the CSRF tab), where you might want to have a closer look at 😉 and reports them to the scanner.

HTML5 Auditor

The HTML5 Auditor states to detect specific HTML5 functionality like client side storage, client geo-location, HTML5 client caches and web sockets, which are usually worth a closer look during a web application test. In a quick test, the plugin successfully detected client side storage functionality, but failed to report web socket functionality (like on http://websocket.org/echo.html). Despite the need for some additional work, the plugin is still a useful addition.

Software Version Reporter

This plugin does exactly what it states: it detects and reports version numbers during testing. This includes not only the HTTP “Server” headers (Server, X-Powered-By, …), but also version numbers contained within the HTTP response (e.g. <script type=”text/javascript” src=”scripts/jquery/1.4.2/jquery.min.js”></script>).

Manual Testing

Python Scripter

This is a really helpful plugin, when you are in the need to quickly modify HTTP requests and/or responses as they come by and you don’t want to spend the effort to build a Burp Plugin for it. The only drawback: coding/debugging a script is a bit tough, as the code has to be developed in a plain text field and the plugin does not really give much feedback (except for exceptions on really hard errors). But besides of that, it is a great plugin for every manual tester, and can also be used to help with modifications on the scanner and others. As i didn’t manage to find a good example script, feel free to have a look at this little example script: pythonScriptExample.py

XSS Validator

This plugin implements a great idea: it uses scriptable browsers like SlimerJS and PhantomJS to automatically detect whether or not injected code leads to the successful execution of script code. In some internal tests using phantomjs, it delivered exactly what it promises. But again, there is a little drawback: the payloads it uses for detection are hard coded within the plugin, relying on a (obfuscated) script tag. So if the script is e.g. reflected within an attribute, it doesn’t work anymore. So we did a little modification of the plugin to provide a possibility for the user to define the injectable strings and shared it with the author. Hopefully, the next release provides a more dynamic approach, but as said before: it is a great idea and a really good plugin! (For the impatient, find our modified resources of the plugin with the following links. Little HowTo: The first additional text field is for JavaScript functions the plugin should use (if you are adding some others than the pre defined ones, you have to add an handler in the respective JS files), and the Text area defines the surrounding payload (note the marker “########” on the pre defined attack payloads). It should be noted, that the current version of xss_modified.js only supports mousevents on “a” tags. More functionality might come within the next weeks.). Download: xss-validator_modified.jar, xss_modified.js

Misc

JS Beautifier

This plugin beautifies not only JavaScript, but also other file types (e.g. JSON obects), and does that either automatically as a response modification (which I personally do not like very much; I like to keep the state of the original answer as far as possible) or selectively, by right clicking the response, which opens a new window ( a little bit unhandy ). Despite the little drawback of visualisation (again: my personal opinion; but maybe the authors add an additional sub-tab on responses for the beautified view on a follow up release), this plugin is very useful and worked well in practical tests.

Notes

It provides an extra tab for notes, where HTTP requests/responses can be send to and offers also a simple spreadsheet implementation. Very useful especially on pentests lasting more than a few days.

 

Cheers,

Frank

Comments

Leave a Reply to kingthorin Cancel reply

Your email address will not be published. Required fields are marked *