Some of the useful extensions from the BApp Store are as follows:
β’ Active Scan++ β This extension is developed to further enhance the Burp Suiteβs passive and active scanning capabilities.
β’ Additional Scanner Checks β This extension adds a few more checks to a passive scanner like DOM-based XSS etc.
β’ CSRF Scanner β This extension helps passively scan for Cross-Site Request Forgery (CSRF) vulnerabilities.
β’ Discover Reverse Tabnabbing β This extension searches the HTML code for possible Tabnabbing vulnerabilities.
β’ Error Message Checks β This extension helps passively detect any error or exception messages that may contain sensitive information like stack traces.
β’ Headers Analyzer β This extension passively checks the response headers and flags all missing security headers like X-XSS-Protection, X-Frame-Options, and many more.
β’ HTML5 Auditor β This extension checks if any of the potentially unsafe HTML5 functions have been used like storing sensitive data on client-side storage, client geolocation, etc.
β’ J2EEScan β This extension helps improve test coverage for J2EE applications as well as adds additional test cases.
β’ Java Deserialization Scanner β This extension adds to the Burp Suite ability to detect Java Deserialization vulnerabilities.
β’ JavaScript Security β This extension further adds several passive checks related to JavaScript security like DOM issues, Cross-Origin Resource Sharing (CORS), etc.
β’ Retire.js β This extension passively monitors the traffic and detects the use of any vulnerable third-party library along with necessary CVE details.
β’ SameSite Reporter β This extension checks if the SameSite attribute has been set in cookies or not.
β’ Software Version Reporter β This extension passively parses the traffic and reports all the software version details. This information can further help in application enumeration.
β’ Upload Scanner β This extension adds capabilities to Burp Suite to detect file upload functionality and related vulnerabilities.
β’ Web Cache Deception Scanner β This extension scans the application for the presence of any Web Cache Deception vulnerability.
β’ CSP Auditor β This extension scans the response headers and checks if Content Security Policy (CSP) has been configured correctly or not.
β’ CVSS Calculator β This extension facilitates scoring vulnerabilities using CVSS methodology from within Burp Suite.
Β
Manual install to Burp Suite:
β’ sometime β This extension can be downloaded from https://github.com/linkedin/sometime. This extension passively monitors the traffic to check if the application is vulnerable to the Same Origin Method Execution.
β’ burp-suite-gwt-scan β This extension can be downloaded from https://github.com/augustd/ burp-suite-gwt-scan - This extension helps automatically identify insertion points for GWT (Google Web Toolkit) requests when sending them to the active Scanner or Burp Intruder.
β’ Admin panel finder β This extension can be downloaded from https://github.com/moeinfatehi/ Admin-Panel_Finder -This extension assists in the enumeration of infrastructure and application Admin Interfaces that might have been left open by mistake.
β’ Pwnback β This extension can be downloaded from https://github.com/P3GLEG/PwnBack. This extension helps to retrieve old and archived versions of the application if present. It can be useful to compare the old and current versions of the application to check the changes and associated vulnerabilities.
β’ Minesweeper β This extension can be downloaded from https://github.com/codingo/Minesweeper -This extension helps detect scripts being loaded from over 23000+ malicious cryptocurrency mining domains (cryptojacking).
For an additional and comprehensive list of the Burp Suite extensions, refer to https://github.com/snoopysecurity/awesome-burp-extensions.
Β