This Burp extension is free and can be used in either Burp Suite Community Edition or Professional. J2EEScan is a great burp extension for Java EE applications In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability.
Provides an extension to Burp that allows you to run Burp Suite's Spider and Scanner tools in headless mode via command-line.
However, it can do more!It can produce a JUnit like report which in turn could instruct the CI server (maybe Jenkins) to mark the build as 'failed' whenever any vulnerabilities are found. You can also mark some issues as false positives and those will not be reported anymore on the next scan reports.
Build¶
The extension is packaged as a fat jar at target/headless-burp-scanner-master-SNAPSHOT-jar-with-dependencies.jar- Experienced in Security Testing using Burp Suite. Executing the Automation tests in continuous integration using Jenkins to make sure that the application is stable after the changes made to the code base. Performing Exploratory testing at the end of each sprint and reporting the results to the team.
- Burp Suite offers three versions, Free, Professional and Enterprise, Burp Suite also provides integration for automation testing with Selenium and Jenkins, check below. What about Microsoft stack, the last version of Burp Suite offer the possibility to expose some API to trigger some events like scanning and retrieve information. Below how to do that.
Usage¶
Bu8ld the extension as shown above or install it from the BApp Store
Using the extension jar¶
On *nix:
On Cygwin:
Using the extension from BApp Store¶
On Cygwin:
Configuration¶
Adobe premiere cc 2020. For an example configuration file, see config.xml and headless-burp-scanner-config.xsd for the xsd
Command-line options¶
Scenarios¶
The extension has been designed to be versatile and support several scenarios
Scenario A: Scan URL(s) for security issues using Burp¶
- Create a file - config.xml like below and add the URL(s) to be scanned to the scope.
- Run as shown in the usage section
Scenario B: Scan URL(s) for security issues using Burp but exclude scanning of certain paths¶
- Add an exclusions block to the configuration file.
- Run as shown in the usage section
Scenario C: Scan URL(s) for security issues using Burp but suppress false positives from the scan report¶
- Add a false-positives block with the issue type and path (these can be retrieved from a burp scan report) to the configuration file.You can find more details about Issue Definitions here
- Run as shown in the usage section
Scenario D: Scan more than just GET requests - Use request.response data derived from running functional/integration tests as input to the scan¶
Sometimes, just spidering a target scope and and performing on a scope of URLs doesnt give much value. For e.g. when scanning a web application where routing is handled using JavaScript. Burp scans can discover more if it can scan more 'real-world' requests and responses. This way, it can attack the target URLs more effectively and potentially discover more than a shot in the dark spider + scan approach.
To handle such cases, it would be best to let the burp proxy intercept some real traffic to the target and build up a sitemap for itself. The Headless Burp Proxy extension provides an simple way to achieve this.
- Follow instructions at Headless Burp Proxy and start up burp proxy and remember to set the
--project-file
option. This is where the 'seed' data for scanning is going to be stored. - Configure your functional/integration tests to go through the burp proxy (defaults to
4646
if you use the extension) by setting HTTP_PROXY or similar. - Run the functional/integration tests against the target.
- Create a config.xml with the targetSitemap (typically, the base URL of the application), scope, exclusions, false-positives etc.
- Run as shown in the usage section and remember to set the
--project-file
option
Burp Suite Jenkins Integration Tools
tl;dr;¶
The headless burp scanner plugin can do these
- Run burp scan in headless or GUI mode
- Specify target sitemap and add URL(s) to Burp's target scope
- Use the 'seed' request/response data generated by any integration/functional tests you might have
- Mark issues as false positives, these will not be reported in the scan report anymore.
- Spider the target scope.
- Actively scan the target scope.
- Generate a scan report in JUnit/HTML/XML format.
- Shut down Burp
Hello ethical hackers and bug bounty hunters. Free snagit software download windows 10. Today, you will learn the top 10 Burp Suite extensions I found myself using over and over again. They assist me in different areas, such as pretty-printing data, actively testing for specific vulnerability classes, parsing API definitions and brute-forcing.
Wsdler is your burp extension for SOAP
During your penetration testing or bug bounty hunting, you might encounter SOAP-based APIs. They are web services that you can consume according to a file which describes the actions they expose and how to call them. This file is based on the Web Services Description Language (WSDL).
Whenever you find one, you can parse it using Wsdler. Additionally, this Burp extension constructs the HTTP requests as the API expects them.
JSON Beautifier
Burp Suite Pro Jenkins Integration
![Burp Suite Jenkins Integration Burp Suite Jenkins Integration](/uploads/1/3/7/4/137472962/259470157.png)
Before Burp Suite rolled its Pretty button feature, this was the first extension I needed to install after any fresh Burp Suite setup. Nowadays, the majority of web application use RESTful APIs which generally use JSON objects to transfer data between the client and the server. JSON Beautifier prettifies the inline JSON data to make your life easier.
This Burp extension is free and can be used in either Burp Suite Community Edition or Professional.
J2EEScan is a great burp extension for Java EE applications
In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability and availability. Therefore, I use J2EEScan to assist me in finding vulnerabilities for the most common CVEs that target J2EE technologies.
The extension adds test cases to the BurpSuite Scanner. Therefore, there no additional configuration after you install it. All you have to do is run a scan and wait for vulnerabilities in the Issue Activity panel in the Burp’s Dashboard tab.
JSON WEB Tokens, the Burp extension, not the standard
According to jwt.io, JSON Web Token is:
[…] an open standard […] that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
When you do bug bounty hunting or web application penetration testing, it is a pain to manually copy the tokens from Burp Suite and paste them into your favourite parsing tool, such as jwt.io. This extension allows you to parse the token within Burp, the same way JSON Beautifier prettifies inline JSON objects.
SAML Raider
For those of you who don’t know what SAML, it’s a standard used in Single Sign-On (SSO) for authentication. Here is a brief definition from Wikipedia:
Security Assertion Markup Language (SAML) […] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
Since SAML requests contain long base64 encoded XML data, it is impractical to manually parse them. SAML Raider automatically performs the parsing within Burp Suite. Additionally, you can use it to perform known attacks against your target web application. In fact, it comes with pre-configured exploitation techniques, such as signature wrapping, that you can easily run to test for weaknesses in SAML implementations.
AuthMatrix burp extension for broken access control
I’ve already covered this great extension in a Youtube video. It allows you to test for broken access control vulnerabilities, such as IDOR, unprotected endpoints, etc. The flow is fairly simple. Firstly, you browse your target application and send any interesting requests to this extension. Then, you create the target users, such as the attacker and the victim. Logic pro 10.6. Then, for each user, you configure the session cookies, and any HTTP headers containing tokens such as JWT or API keys. Lastly, you hit the run button and let AuthMatrix highlight the suspicious requests in red.
HTTP request smuggler
This is the go-to Burp extension when you want to easily detect and exploit a web application through HTTP Request Smuggling.
It detects whether you have a CL.TE or TE.CL condition and reports it directly into Burp Suite’s Dashboard tab, under the Issue Activity menu where all the issues get listed.
If you have no clue about what do CL.TE and TE.CL means, I invite you to read this article from the authors of Burp Suite.
Turbo Intruder
This extension allows you to send large numbers of HTTP requests to a target web application. If you have Burp Community, you know that you can only work with a limited version of the Intruder which does not support multiple threads. Instead, you can use Turbo Intruder.
Since this Burp extension uses a Python snippet that you can edit, I recommend you get familiar with the basics of the Python programming language. That way, you can customize Turbo Intruder to bring more flexibility when you brute force.
Upload Scanner
Burp Suite Jenkins Integration Tool
Whenever you encounter a file upload feature that uses the multipart mime type, I encourage you to give this Burp extension a try. In fact, you can use it to probe the upload features for many security issues.
It fuzzes all the parameters using a set of organized categories that you can choose from. If the application retrieves the uploads, you can configure Upload Scanner to fetch the files to verify cases like XSS.
Burp Suite Jenkins Integration Tutorial
There are plenty of other features in this awesome Burp extension. I encourage you to learn more about it. Additionally, I prepared this Youtube video to show you how it works.
Java Deserialization Scanner
This Burp extension checks for insecure deserialization issues in Java applications. It uses pre-built serialized java objects to probe the application for a callback. You can configure this feedback to be either a time delay or a callback. If the application sleeps for some time before responding, or if you receive a hit as a callback, the extension highlights exactly what payload has triggered it. Therefore, you can prepare your own payload using tools such as ysoserial.
Burp Suite Integration With Jenkins
If you want to learn how insecure deserialization works and how to exploit it with real examples, I invite you to read this article.
Conclusion
There are so many tools, extensions and methodologies available a few clicks away. However, I should mention that you don’t have to use them all. Take some time to discover how they work, then pick the ones that suit your taste and your needs.
Hopefully, this episode has shown you some new Burp extensions that might help you in your next assignment.
Until the next episode, stay curious, keep learning and go find some bugs!