In the context of an internal evaluation, we recently had a look at most of the Burp plugins available from the BApp store. The following overview represents our personal top 9 plugins, categorized into “Scanner Extensions”, “Manual Testing” and “Misc”, in alphabetical order:
This plugin adds scanner checks for dynamic code injection, Host header attacks (password reset poisoning, cache poisoning, DNS rebinding), OS command injection and relative path overwrite. In some internal tests, it seemed to deliver what it promises.
Additional Scanner Checks
Checks for a few (server) best practices (Strict-Transport-Security, X-Content-Type-Options: nosniff, X-XSS-Protection) and also has a DOM XSS module which, however, seems to need some additional work (it reported DOM XSS e.g. in binary files such as images). Apart from the DOM XSS module (which can be enabled/disabled in the configuration tab), it is a useful addition to the Burp scanner engine.
The CSRF Scanner is a very handy plugin when working with a web application which implements CSRF protection. Its main feature is to scan all requests for missing CSRF tokens (configurable in the CSRF tab), which you might want to have a closer look at 😉, and to report them to the scanner.
The HTML5 Auditor claims to detect specific HTML5 functionality like client-side storage, client geolocation, HTML5 client caches and WebSockets, which are usually worth a closer look during a web application test. In a quick test, the plugin successfully detected client-side storage functionality, but failed to report WebSocket functionality (like on http://websocket.org/echo.html). Despite needing some additional work, the plugin is still a useful addition.
Software Version Reporter
This is a really helpful plugin when you need to quickly modify HTTP requests and/or responses as they pass through and don’t want to spend the effort to build a Burp plugin for it. The only drawback: coding/debugging a script is a bit tough, as the code has to be developed in a plain text field and the plugin does not give much feedback (except for exceptions on really hard errors). Apart from that, it is a great plugin for every manual tester and can also be used to help with modifications for the scanner and other tools. As I didn’t manage to find a good example script, feel free to have a look at this little example script: pythonScriptExample.py
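As an added illustration (not the post’s pythonScriptExample.py and not code from the plugin), the snippet below does the kind of on-the-fly rewrite the plugin is meant for: it swaps in a fresh session cookie and drops Accept-Encoding on every outgoing request. The header rewrite is a plain function that runs in any Python; the Burp glue at the end assumes Python Scripter’s documented script variables (messageIsRequest, messageInfo, helpers) and only executes inside Burp.

```python
# Added example, not the post's script. Header rewriting for HTTP requests in
# the style of a Python Scripter snippet. Works on bytes (Python 3) and on
# plain str under Burp's Jython 2, where b"" literals are ordinary str.

def rewrite_headers(raw_request, set_headers, drop_headers=()):
    """Return raw_request with the headers in set_headers added or replaced
    (header names matched case-insensitively) and drop_headers removed.
    The request line and the body are passed through unchanged."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    wanted = {k.lower(): (k, v) for k, v in set_headers.items()}
    drop = {name.lower() for name in drop_headers}
    out = []
    for line in header_lines:
        name = line.split(b":", 1)[0].strip().lower()
        if name in drop:
            continue                      # header removed
        if name in wanted:
            k, v = wanted.pop(name)
            out.append(k + b": " + v)     # existing header replaced in place
        else:
            out.append(line)
    for k, v in wanted.values():          # headers not present yet are appended
        out.append(k + b": " + v)
    return b"\r\n".join([request_line] + out) + sep + body


# Constructed sample request (not captured traffic): stale session cookie,
# compressed responses requested. Both get rewritten below.
SAMPLE_REQUEST = (b"POST /api/profile HTTP/1.1\r\n"
                  b"Host: app.example.test\r\n"
                  b"Cookie: session=stale\r\n"
                  b"Accept-Encoding: gzip\r\n"
                  b"Content-Length: 7\r\n\r\n"
                  b"a=1&b=2")
FRESH_SESSION = b"session=fresh"   # placeholder value, paste the real one here


def refresh_session(raw_request):
    """Replace the Cookie header and drop Accept-Encoding so responses arrive
    uncompressed and readable for the scanner."""
    return rewrite_headers(raw_request, {b"Cookie": FRESH_SESSION},
                           drop_headers=[b"Accept-Encoding"])


# Burp glue: Python Scripter exposes these names (assumed from the plugin's
# documentation); outside Burp the guard is False and nothing runs.
if globals().get("messageInfo") is not None and messageIsRequest:
    raw = helpers.bytesToString(messageInfo.getRequest())
    messageInfo.setRequest(helpers.stringToBytes(refresh_session(raw)))
```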
It provides an extra tab for notes, to which HTTP requests/responses can be sent, and also offers a simple spreadsheet implementation. Very useful, especially on pentests lasting more than a few days.