Most useful plugins for Burp Suite

This post is a supplement to my presentation at The Hack Summit 2023, where I will demonstrate how to accelerate and streamline web application penetration testing using several plugins for Burp Suite.

Below is a compilation of the most useful plugins for Burp Suite that I personally use. Some of them are not available in the built-in BApp Store, but you can easily find them on the creators’ GitHub repositories.

  • ATOR: Automates the login process for applications and maintains an active session.
  • Backslash Powered Scanner: Adds non-traditional test types to Burp’s active scanner, enabling the detection of atypical server behavior.
  • Collabfiltrator: Assists in exfiltrating output data from remote code executions through DNS using Burp Collaborator.
  • Hackvertor: Tool for quick conversion of various encodings, including HTML5, hexadecimal, octal, Unicode, and URL encoding.
  • HTTP Request Smuggler: Searches for HTTP request smuggling vulnerabilities.
  • Java Deserialization Scanner: Detects Java deserialization vulnerabilities.
  • J2EEScan: Adds over 80 unique tests to the scanner to identify errors in J2EE applications.
  • JSON Web Tokens: Allows for decoding and manipulating JWTs, checking their validity, and automating attacks.
  • JS Miner: Helps find interesting things in static files, mainly in JavaScript and JSON files.
  • .NET Beautifier: Improves the readability of .NET requests.
  • OAUTH Scan: Detects vulnerabilities in OAuth 2.0/OpenID Connect implementations.
  • Param Miner: Identifies hidden parameters in requests.
  • RegexFinder: Enables passive scanning of server responses for regular expression patterns.
  • Request Timer: Measures server response time and compares it between individual requests.
  • Retire.js: Integrates Burp Suite with the Retire.js repository to detect vulnerable JavaScript libraries.
  • SAML Raider: Burp Suite extension for testing SAML infrastructures.
  • Turbo Intruder: Enables very fast sending of a large number of HTTP requests and analyzes responses.
  • Upload Scanner: Automates the discovery of file-upload vulnerabilities on the server.
  • Autorize: Assists in detecting authorization flaws.
  • AutoRepeater: Allows for automatic repetition of requests with added elements.
  • Hopla: Adds autocomplete and context menu selection features for popular payloads used in attacks.

If you know of other plugins that significantly facilitate your work, please share them in the comments.
