Throw in some Scanner extensions for more lazy hacking:
- Software Vulnerability Scanner — compares found technology version numbers with reported issues on vulners.com to let you know of any outstanding CVEs
- Active Scan++ — adds a host of scanner checks from Host header attacks, input transformation and several RCE CVEs
- Backslash Powered Scanner — uses an advanced attack & response investigation engine, together with many unusual insertion techniques, to get past WAFs
- Additional Scanner Checks — checks for DOM XSS and best practice HTTP headers
- Error Message Checks — flags verbose error messages in responses
- Collaborator Everywhere — injects headers pointing at a known endpoint that listens for pingbacks. Can be paired with Taborator to make it a manual tool
Manual Tools
Turbo Intruder
Turbo Intruder is similar to the regular Intruder, except it was rebuilt from the ground up for the purpose of pure speed. Turbo is an invaluable tool for testing race condition vulnerabilities.
The simplest definition of a race condition vulnerability is when you are able to perform an action more times than you should have been able to. An example of where to look is anytime you come across something that should only be done once: casting a vote, cashing in a promo code, checking out with store credit.
How to test for race vulnerabilities
- Right click on an HTTP request and select “Send to Turbo Intruder”
- In the Request put a %s in an unused HTTP header (used to match requests/responses)
- Paste in a Python script to fire off 30 requests: https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race.py
- Click attack and review the responses!
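To see why the 30 simultaneous requests matter, here is an added example (not from the post or from Turbo Intruder) of the server side of the "cash in a promo code" case: a check-then-act redeem handler beside an atomic one, each hammered by 30 threads released together, much like the burst the race script sends. The SQLite table, the code `WELCOME10`, and the artificial delay are all constructed for the demo.

```python
"""Single-use promo code: check-then-act (racy) vs atomic conditional update."""
import os
import sqlite3
import tempfile
import threading
import time

DB_PATH = os.path.join(tempfile.mkdtemp(), "shop.db")  # constructed fixture

def setup_db():
    conn = sqlite3.connect(DB_PATH)
    conn.execute("DROP TABLE IF EXISTS promo_codes")
    conn.execute("CREATE TABLE promo_codes (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    conn.execute("INSERT INTO promo_codes VALUES ('WELCOME10', 0)")
    conn.commit()
    conn.close()

def redeem_racy(code, delay=0.2):
    """Vulnerable: SELECT, decide, then UPDATE. Every request that reads
    'unused' before the first write lands is granted the discount."""
    conn = sqlite3.connect(DB_PATH, timeout=10)
    rows = conn.execute("SELECT used FROM promo_codes WHERE code = ?", (code,)).fetchall()
    if not rows or rows[0][0]:
        conn.close()
        return False
    time.sleep(delay)  # exaggerates the window between the check and the act
    conn.execute("UPDATE promo_codes SET used = 1 WHERE code = ?", (code,))
    conn.commit()
    conn.close()
    return True

def redeem_atomic(code, delay=0.2):
    """Hardened: one conditional UPDATE. The database serialises writers,
    so exactly one request sees rowcount == 1 no matter how many race."""
    conn = sqlite3.connect(DB_PATH, timeout=10)
    time.sleep(delay)
    cur = conn.execute("UPDATE promo_codes SET used = 1 WHERE code = ? AND used = 0", (code,))
    conn.commit()
    conn.close()
    return cur.rowcount == 1

def race(redeem, attempts=30):
    """Release `attempts` concurrent redemptions at once; return how many succeeded."""
    setup_db()
    results = []
    start = threading.Barrier(attempts)
    def worker():
        start.wait()
        results.append(redeem("WELCOME10"))
    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

if __name__ == "__main__":
    print("racy  :", race(redeem_racy))    # typically 30 redemptions of one code
    print("atomic:", race(redeem_atomic))  # 1
```

If a Turbo Intruder run returns more than one success for a one-shot action, the fix is the second form: make the check and the state change a single atomic operation (a conditional update, a unique constraint, or a row lock held across both), not a faster check.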
AutoRepeater
The AutoRepeater tool lets a user create replacement rules that are automatically applied to each proxied request, which is then resubmitted, with the original and modified request/response pairs presented side by side for comparison.
This tool is especially helpful when doing authorization testing, making it easy to swap out cookies or Auth HTTP headers for those of lower access users while going through higher access functionality in the browser.
Logger++
Under Proxy/HTTP history you will find, in order, all of the HTTP requests that have been captured in your current session from your browser. But while scanners and extensions are sending thousands of other requests, how can you be sure to track what exactly is being sent from your machine?
The answer is Logger++. Available in the BApp store, it gives the user an easy way to search through the entire history of requests/responses in a Burp session. It is especially useful when tracking down an oddity that has been spotted after a scan sent out some thousand requests.