Utilizing Burpsuite Extensions

December 29, 2017

So it’s almost of the end of the year 2K17, and guess what we wanted to tell you people a really cool stuff which will definitely help you in your penetration testing or bug bounty works in the upcoming year. This post is on Burp-suite and if you don’t know anything about it or maybe installed it but aren’t using it so much, then take a look at this post. We have discussed in details about the different features of Burpsuite(Both free and pro versions).

So what this post is all about?

Okay, let us ask you something, which features do you use while using Burpsuite? There are several options on the top like in the below picture.

If you are using it normally, then mostly you will require Target, Proxy, Repeater, and Intruder. Yes, we do mean so. It really becomes a habit to just keep using these 4 because yes you don’t require anything more while doing testing most of the times. Even we used to do the same until we became acquainted with the Extender options. Yes, the one we rarely noticed when we started using BurpSuite.

What is Extender actually?

According to the Official Documentation at Portswigger,

Burp Extender lets you use Burp extensions, to extend Burp’s functionality using your own or third-party code. You can load and manage extensions, view details about installed extensions, install extensions from the BApp Store, view the current Burp Extender APIs, and configure options for how extensions are handled.

In simpler terms, just think of it as different extensions you must have used in your browser. Extensions like adblocker or pop up blocker which helps you do certain kind of things in your browser. The same is with the Burp Extensions.

This is a sample screenshot of the BApp store in the Extender options of Burpsuite.

You can see that there are some extensions which are only for Pro versions but there are many cool ones available for the free Burpsuite version also. One of them is Active Scan++. We will get into the details of the most used ones in later posts. But for this one, it will be better to get a knowledge of the Extender option so you could try the different option yourself.

How to install the extensions?

It’s really simple. Just click on the extension and on the right side you will get the whole details that what this extension is all about. If you think you will need it then just press the Install button and you are good to go. It will start showing at the top like other Burp Features. Some BApps are written in specific languages like Python or Ruby and require you to download Jython or JRuby and configure Burp with the location of the relevant language interpreters. Some BApps may require a more recent version of Burp or a different edition of Burp.

If you check the Extensions option of the Extender now, you will be able to see the whole list of Extensions you have installed and their types. Here is a screenshot of my Burp version.

Now the best part of this is you can write your own extension according to your needs. If you know how to code in Python, Java or Ruby or have been in the software development role, then it will be quite easy for you to get your extension up and ready. And if you are facing any difficulties, see this post which will help you if you want to create your own extension. But if you are just starting out, it’s no need to get so fancy and do these advance stuff. Just use the different extensions and maybe the extension you thought of creating will have been written by someone else earlier. So no need to reinvent the wheel.

What is BApp store?

If you noticed correctly, then the whole list of Burpsuite extensions is in the BApp store and you will install everything from that. Burp has a big community of active members because it is widely used for penetration testing and Bug Bounty purposes. If you want to know why see this post. These members have written these extensions and these extensions were uploaded to the BApp store which is getting updated with time. As soon as a researcher thinks that a new functionality is required, they create an extension and after verification, it gets uploaded to the store. Now, since you are also using Burpsuite, you are also a member and you can also contribute to the security industry by writing your own extensions after getting a good knowledge of it.

Final note

So this is the Burp Extender and in recent years it’s development has greatly increased because it really simplifies many things while testing. There are a whole lot of extensions out there and you just need to see the details and install them if you like. Some of my all-time favorites are JSON Beautifier and Active Scan++. If you want to learn more about the Burp Extender, see the official documentation here or enrol yourself in certification course on udemy on- ‘Web Application Penetration Testing Using Burp Suite‘ by Enciphers for all the labs and setup, how to download, install and use Burpsuite will build upon that slowly and steadily. There is a specific video for each tool making it easy for you to refer again in the future if you get stuck on how to use that tool.

Make sure you give Extender a try as it will definitely help you with testing. Feel free to comment if you are facing any problems.

I hope this was a good security gift from ENCIPHERS to the infosec community for the new year. So keep learning and start hacking.:)