scripts_brief_summary

This ReadMe is just a summary of what each of the scripts do. As I write more (or as you do) please take a few minutes to keep this up to date.

1. Search and fuzz all valid directories on a website - Burp Extensions/common_dir_search.py

Lots of times, directories containing sensitive content are left on the server. As testers, we could scan the server using a web server scanner, and that might search in Webroot for a lot of common directories. What it might not do, is search for those common directories in every single sub directory. Some good scanners might do this, but since I'm trying to integrate everything inside Burp, this was a nice script to write. This is best enabled AFTER you have browsed the entire application and have a huge number of requests in your proxy history. The script will extract all the requests that contain different directories in their URL path and send them to Intruder, where you can then fuzz them.

Secondly, before starting this extension, send 1 request to Intruder..any 1 request and set your fuzz lists. Then go to Intruder - New Tab behavior - Copy configuration from the first tab. This'll save you a lot of time and you wont have to set payloads for every request (as there'll be a few) :)

2. Detect CSRF tokens in requests - Burp Extensions/csrf_token_detect.py

Give this script the exact name of the token in the requests sent to your application. It'll then search for the absence of that token in every subsequent request and report all such URLs. Does it for GET and POST. It's nothing fancy and you can do this through Burp's filter bar, but Burp's died on me too many times while searching, so I got bored and wrote this.

3. Detecting invalid Referers in case a Referer is used for protecting against CSRF - BurpExtensions/csrf_valid_referer_detect.py

Many times there isn't an AntiCSRF token in place but the site protects against CSRF using Referer headers. This piece of code will detect a page which doesn't have a Referer header. It isn't going to do any kind of manipulation, but it'll flag pages with say no Referer headers, so you can then test them manually.

4. Download all JS files on a site - Burp Extensions/download_all_js_files.py

Many times I've wanted to look at a ton of JS files all at 1 shot. Usually it's filter by extension in Burp and then download one by one, or look ib %TEMP% or Firebug per page. This bit of code looks at the request, sees if it's JS and downloads it using Wget into a directory of your choice. Locations are tweakable. Not fancy again, but it can be useful at times..maybe for grepping through JS throughout the application for sensitive strings.

5. Recording all Set-Cookie headers in a file - Burp Extensions/record_set_cookie_headers.py

Some times an application sets cookie headers in an insecure manner. No secure attribute, no httponly. So Burp Scanner reports this. What happens though is that the application sets that cookie on the very very next page at times even before a successful login. So although the cookie did not have a secure attribute set at 1 point, it's not a valid finding at all. This'll just dump all the Set-Cookie headers into a file so you can manually look at it instead and decide for yourself.

6. Record third party referers - BurpExtensions/third_party_referer_record.py

Sites talk to sites. While talking there's sensitive information which leaks in referers many times. This extension will get all the requests made to third party sites and dump their referers into a file. The engineer can look at this file and decide if there's any leakage. There's ways to make this better but this is a start for sure for a very ignored and boring test case :)

7. Identify candidates for URL redirection, LFI and RFI - BurpExtensions/url_in_parameter_detect.py

Test cases such as URL redirection or LFI/RFI/Code Injection tend to be kinda ignored by me till the end, at which point I realize there's 1 day left and a bunch of test cases pending. Then er..er..you get it. So to make that a little smoother I wrote this extension, it'll look at patterns in parameter values and dump that URL and the parameter in question into a file. The engineer can then look at those URLs and test just those exhaustively instead of worrying about all the URLs that he/she might have missed all through the project.

8. Detect version information leakage in headers or response bodies - BurpExtensions/version_detect.py

Simple extension which just records banners from the Server: response header and also searches through response bodies for a set of common web/app servers. Many times the metadata of reports or other files leaks information and it isn't always caught. This'll help address that to some extent.

9. Remove session cookie and reissue request to check Direct requests - BurpExtensions/direct_request.py

Many times URLs that are accessible after logging in are also accessible directly. This extension strips the session cookie (add your cookie to an array inside code) and reissues the request without the cookie. It then prints the response code and the length of the response so the engineer can see if certain requests behaved differently to others and successfully completed even without a session cookie.

10. Test PUT and DELETE on every single directory that you browse - BurpExtensions/http_method_test.py

Sometimes the PUT and DELETE methods are enabled on the webserver but can be used only on a specific directory due to the permissions in place. This script will upload and delete a dummy file in every single directory that you browse through and record the results. This is best used at the end of a test when you have a huge huge list of directories that you have browsed in your proxy history, as that's where the script reads a list from.

11. Scan all SSL hosts in Proxy history - BurpExtensions/sslyze_scan.py

Checking SSL configurations of hosts is a very common test. Sometimes though the app you are testing makes connections to other hosts too. These hosts too might be in scope for you. This extension reads your entire proxy history, extracts all hosts that have had SSL connections made to them, and runs the cool tool sslyze against them. It's nothing you can't do by simply running sslyze but since I'm trying to use Burp as a one stop shop for as many tests as possible, this acts as a nice wrapper around them.

-------------
1) Request URLs over HTTP - ForceSSL/force_http_req_threaded.py

There's a test case which is in place to request every single HTTPS url over HTTP. Mixed content is dangerous and cookies can be stolen using Firesheep or similar tools. With that in mind I wrote a script which basically takes every single URL from Burp's site map/history/whatever (just need a big bunch of URLs somehow) and requests all of them over HTTP and generates a report. There's a more detailed ReadMe inside the directory.

2) Special Fuzz list - Fuzzlists/*

So there is FuzzDb and its great collection, and there are Burp Pro's own cool lists and features to mangle them. That apart I continuously keep adding my own lists for specific situations. As time goes by I'll keep adding to it.

3) Commonly used functions - modules/modules_functions_readme

Code for all extensions has been modularized. List of functions in modules is present in modules/modules_functions_readme