When I previously wrote about the 7 Essential Burp Extensions for Hacking APIs that I felt everyone should be using, I had several members of the API Hacker Inner Circle ask what other extensions I recommend.
This article is the answer to those requests.
Let’s get right to it!
#1. JS Miner
Now, I have a whole article on how to use JS Miner, so I won’t go into great detail here on its value. The key things to know about what it does include:
- It automatically scans for hardcoded secrets and credentials.
- It passively scans for subdomains the web app calls and pulls code and data from.
- It can actively try to construct source code from JavaScript Source Map Files (if found).
- It passively tries to detect API endpoints that use GET/POST/PUT/DELETE/PATCH.
The third item is what I care about the most. When source map reconstruction works, JS Miner will try to break the packaged web app back into its individual source files and directories. This then gives you source code-level access to the front end.
What can you do with that? You can use code analysis tools like graudit to detect dangerous functions that may be used in the code.
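Here is what that reconstruction step comes down to in practice, as an added example that is not JS Miner's or graudit's own code. A v3 source map with embedded `sourcesContent` is unpacked into its original files (with the bundler's `webpack:///` prefix and any `..` components stripped so a hostile map cannot write outside the output directory), and the recovered files are then grepped for dangerous sinks the way a graudit pass would. The source map and the sink list are constructed for this example; the sink list is my own, not graudit's signature database.

```python
"""Added example (not JS Miner's or graudit's own code): unpack a JavaScript
source map into its original source files, then scan the recovered files for
dangerous sink functions the way a graudit pass would.
The source map and the sink list below are constructed for this example."""
import json
import os
import re
from pathlib import PurePosixPath

# Constructed sample of a v3 source map with embedded sourcesContent, as a
# bundler emits next to app.min.js.  Real maps carry a long "mappings" string.
SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///src/api/client.js", "webpack:///src/ui/render.js"],
    "sourcesContent": [
        "export function fetchUser(id) {\n"
        "  return fetch('/api/v1/users/' + id + '?include=profile');\n"
        "}\n",
        "export function render(el, html) {\n"
        "  el.innerHTML = html;            // DOM XSS sink\n"
        "  eval(el.dataset.init);          // code execution sink\n"
        "}\n",
    ],
    "mappings": "AAAA",
})

# Sink signatures in the spirit of graudit's pattern files.  This list is my
# own, not graudit's database.
SINK_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "innerHTML": re.compile(r"\.innerHTML\s*="),
    "document.write": re.compile(r"document\.write\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\("),
}


def safe_relative_path(source):
    """Drop bundler scheme prefixes (webpack:///) and any '..' component so a
    hostile map cannot direct writes outside the output directory."""
    path = re.sub(r"^[A-Za-z]+:/+", "", source)
    parts = [p for p in PurePosixPath(path).parts if p not in ("", ".", "..", "/")]
    return "/".join(parts) if parts else "unnamed.js"


def parse_source_map(map_text):
    """Return {relative_path: source_text} for every source with embedded content."""
    smap = json.loads(map_text)
    if smap.get("version") != 3 or "sourcesContent" not in smap:
        raise ValueError("not a v3 source map with embedded sources")
    recovered = {}
    for source, content in zip(smap["sources"], smap["sourcesContent"]):
        if content is None:  # sources without embedded text cannot be restored
            continue
        recovered[safe_relative_path(source)] = content
    return recovered


def write_sources(recovered, out_dir):
    """Materialise the recovered tree on disk; return the files written."""
    written = []
    for rel, content in recovered.items():
        full = os.path.join(out_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(full)
    return written


def scan_for_sinks(recovered):
    """Return [(path, line_no, sink_name)] for every line matching a sink."""
    hits = []
    for path, content in recovered.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for name, pattern in SINK_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, line_no, name))
    return hits


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        files = parse_source_map(SAMPLE_SOURCE_MAP)
        for path in write_sources(files, tmp):
            print("recovered", path)
        for path, line_no, sink in scan_for_sinks(files):
            print(f"{path}:{line_no}: {sink}")
```

Run against a real `.map` file by passing its text to `parse_source_map` and pointing `write_sources` at an empty directory; the sink scan is deliberately a line-oriented grep, which is exactly the level graudit works at, so expect to triage its hits by hand.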
#2. GAP
The GAP Burp extension helps you find potential endpoints and parameters in the web app's JavaScript. It can even generate a custom target wordlist for you based on the data it collects.
What’s nice is that you can send your entire sitemap through GAP. It will not only look at the JS files but will also parse inline JavaScript.
One neat feature is that you can detect suspect parameters and map them to vulnerability classes when you check the Show “sus” checkbox. The screenshot below shows two specific parameters that may be vulnerable to XSS, SQLi, and even IDOR/BOLA. While the extension doesn’t check for those vulnerabilities for you, it does at least give you guidance to help prioritize your testing.
Here’s a tip if you use GAP. When potential params are found, it can be hard to figure out WHERE they are found. You can actually find that if you select the “Show Origin” checkbox at the top.
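To show what GAP is doing under the hood, here is an added example (not the GAP extension's code) that pulls endpoint-looking paths and parameter names out of JavaScript, records the file and line each one was found at (the "Show Origin" idea), flags parameter names that commonly map to a vulnerability class (the "sus" idea), and builds a wordlist from the result. The JS inputs and the triage table are constructed for this example; the table is my own, not GAP's list.

```python
"""Added example (not the GAP extension's code): pull endpoint-looking paths and
parameter names out of JavaScript, record where each one was found (file and
line, like GAP's "Show Origin"), flag parameter names that usually map to a
vulnerability class, and build a wordlist.  The JS samples and the 'sus'
table are constructed for this example."""
import re
from collections import defaultdict

# Constructed inputs: an external bundle and an inline <script> block, keyed by
# origin so every finding can be traced back.
SAMPLE_JS = {
    "static/app.js": (
        "const base = '/api/v2';\n"
        "function load(id) { return fetch(base + '/orders/' + id + '?expand=items'); }\n"
        "function go(url) { location.href = '/redirect?next=' + encodeURIComponent(url); }\n"
    ),
    "index.html#inline-1": (
        "$.post('/api/v2/search', {q: term, sort: 'asc'});\n"
        "document.getElementById('out').innerHTML = params.get('msg');\n"
    ),
}

# Quoted absolute paths (query string, if any, is dropped), query-string keys
# anywhere in the line, keys of object literals, and params.get('name') calls.
PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_\-./]*)(?:\?[^'"]*)?['"]""")
QUERY_KEY_RE = re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_\-]*)=")
OBJECT_LITERAL_RE = re.compile(r"\{([^{}]*)\}")
OBJECT_KEY_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*:")
PARAMS_GET_RE = re.compile(r"""params\.get\(\s*['"]([^'"]+)['"]\s*\)""")

# My own triage hints, not GAP's list: parameter name -> class to test first.
SUS_PARAMS = {
    "id": "IDOR/BOLA", "user_id": "IDOR/BOLA", "order_id": "IDOR/BOLA",
    "q": "SQLi / XSS", "search": "SQLi / XSS", "sort": "SQLi (ORDER BY)",
    "msg": "XSS", "next": "open redirect", "url": "open redirect / SSRF",
}


def extract(js_by_origin):
    """Return (paths, params); each maps a finding to the set of 'origin:line'
    locations it was seen at.  Object-key matching is a heuristic: a ternary
    or a label inside braces will produce a false positive."""
    paths, params = defaultdict(set), defaultdict(set)
    for origin, text in js_by_origin.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            where = f"{origin}:{line_no}"
            for path in PATH_RE.findall(line):
                if len(path) > 1:
                    paths[path].add(where)
            for key in QUERY_KEY_RE.findall(line):
                params[key].add(where)
            for body in OBJECT_LITERAL_RE.findall(line):
                for key in OBJECT_KEY_RE.findall(body):
                    params[key].add(where)
            for key in PARAMS_GET_RE.findall(line):
                params[key].add(where)
    return dict(paths), dict(params)


def triage(params):
    """Map each found parameter to a suggested vulnerability class when its
    name is in the 'sus' table."""
    return {p: SUS_PARAMS[p.lower()] for p in params if p.lower() in SUS_PARAMS}


def wordlist(paths, params):
    """Sorted, de-duplicated wordlist of path segments plus parameter names."""
    words = set(params)
    for path in paths:
        words.update(seg for seg in path.split("/") if seg)
    return sorted(words)


if __name__ == "__main__":
    found_paths, found_params = extract(SAMPLE_JS)
    for path, where in sorted(found_paths.items()):
        print("endpoint", path, "at", ", ".join(sorted(where)))
    hints = triage(found_params)
    for name, where in sorted(found_params.items()):
        print("param", name, "at", ", ".join(sorted(where)), hints.get(name, ""))
    print("wordlist:", " ".join(wordlist(found_paths, found_params)))
```

Note what the origin tracking buys you: `next` is only flagged as an open-redirect candidate, but the location tells you it is built into `/redirect` from a user-supplied `url`, which is the context you need before spending time on it. Paths assembled at runtime from pieces (like `base + '/orders/'`) come out as fragments, which is the same limitation a regex-based extension has.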
#3. VPS Proxy
The VPS Proxy extension for Burp allows for the automatic creation and deletion of an upstream SOCKS5 proxy on popular cloud services.
It automatically configures Burp to use the dynamically created proxy so that all outbound traffic comes from a cloud IP address. This is useful to prevent our main IP address from being blacklisted by popular WAFs while performing penetration testing and bug bounty hunting.
I’ve discussed using the ip-rotate extension to do this before, which relies on the AWS API Gateway to generate ephemeral IP addresses. However, VPS Proxy is different because it can work with lesser-known providers like Digital Ocean and Linode as well.
This extension isn’t in the BApp Store and will have to be installed manually. It’s as easy as downloading the release JAR and loading it in the Extensions tab of Burp Suite. Once done, you will get a config panel to select your provider and insert the appropriate API key to communicate with it to set up and tear down the cloud proxy.
It’s a nice extension to have when you want to mask your actual testing host from the target.
As a personal bias, I still prefer using the ip-rotate extension with AWS more. I know there are targets that go through services like CloudFlare and Akamai that may block AWS API Gateway proxies more than the other providers. But ip-rotate lets you select multiple regions to deploy to, allowing you to rotate the IP in more geographical regions than VPS Proxy allows.
I use VPS Proxy when I can see a WAF is pretty much blocking cloud providers like AWS completely. For some reason, very few of them block Linode IPs.
#4. Bypass WAF
Many WAF devices can be tricked into believing a request is from itself (and therefore trusted) if specific headers are present. The Bypass WAF extension was built to do just that.
Now, you can just as easily do this with “Match & Replace” rules as part of session handling. But this extension takes care of it all for you, along with a bunch of other things.
Notice it can also modify the Host Header, perform HTTP Parameter Pollution attacks, and even change the encoding to try to bypass the WAF in use.
As the years have gone by, I’m finding that WAFs are getting smarter and this extension isn’t succeeding as often. But when it does, it does so quite well.
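The reason the header trick stops working is that well-built edges resolve the client address from the last trusted hop rather than from whatever the request claims. As an added example that is not part of the Bypass WAF extension, here is the origin-side logic: `X-Forwarded-For` is walked from the right, each hop belonging to a proxy you actually operate is peeled off, and the first untrusted entry is the client. If the TCP peer itself is not a trusted proxy, the header is client-controlled and ignored. A second helper turns requests that carry loopback or internal addresses in self-identifying headers into a log signal. The trusted proxy CIDRs, the header list and the sample requests are constructed, and the code assumes headers are passed as a dict with lowercased names.

```python
"""Added example, not part of the Bypass WAF extension: the origin-side
mitigation for the trusted-header trick described above, plus a detection
helper.  Trusted proxy ranges and sample requests are constructed; header
names are assumed to be lowercased before they reach these functions."""
import ipaddress

# Constructed: CIDRs of the WAF / reverse proxies that are allowed to append
# forwarding headers.  Real values come from your own edge inventory.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]

# Client-address headers a request from an untrusted peer has no business
# setting to an internal value.  (Hostname-valued headers are left out: the
# IP checks below would not apply to them.)
CLIENT_ADDRESS_HEADERS = (
    "x-forwarded-for", "x-real-ip", "x-originating-ip",
    "x-remote-ip", "x-client-ip", "true-client-ip",
)


def is_trusted_proxy(ip):
    """True when ip parses and falls inside one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Return the real client address.

    Walk X-Forwarded-For from the right (last hop first).  Each trusted proxy
    peels one entry; the first untrusted entry is the client.  If the TCP peer
    itself is not a trusted proxy, the header is attacker-controlled and the
    peer address is returned unchanged."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # garbage in the chain: fall back to the peer address
            return hop
    return remote_addr


def spoofed_trust_headers(remote_addr, headers):
    """Detection helper: names of client-address headers on a request from an
    untrusted peer that claim a loopback, private or trusted-proxy origin.
    Useful as a log or alert signal at the origin."""
    if is_trusted_proxy(remote_addr):
        return []
    flagged = []
    for name in CLIENT_ADDRESS_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for part in value.split(","):
            part = part.strip()
            try:
                addr = ipaddress.ip_address(part)
            except ValueError:
                continue
            if addr.is_loopback or addr.is_private or is_trusted_proxy(part):
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    # Constructed requests: a direct client forging loopback, and a legitimate
    # request relayed through the trusted edge.
    forged = {"x-forwarded-for": "127.0.0.1", "x-real-ip": "10.1.1.1"}
    relayed = {"x-forwarded-for": "127.0.0.1, 198.51.100.7, 10.0.0.2"}
    print("direct peer, forged headers ->", client_ip("198.51.100.7", forged),
          "flagged:", spoofed_trust_headers("198.51.100.7", forged))
    print("via trusted edge ->", client_ip("203.0.113.5", relayed))
```

The second request shows why walking from the right matters: the client prepended `127.0.0.1` to its own header, but the edge appended the real hop after it, so the resolved client is `198.51.100.7` and the forged entry is never reached. The same idea applies to any WAF or origin that makes allow-list decisions from these headers.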
#5. Nuclei Burp Integration
While many people consider Nuclei a good vulnerability scanner for finding known CVEs, it can be used for much more than that. I’ve actually talked about using Nuclei for hacking APIs before. But with the Nuclei Burp Integration extension, you can take that to the next level right in your hacking environment.
When you execute the extension within Burp, any detected findings are automatically pushed into the Issues panel in the Burp Suite dashboard. All the logs are stored in the extension for you to review.
You can even tailor your nuclei scan to route through Burp using the -proxy parameter in the “Custom nuclei arguments” field. Feel free to experiment with the arguments to get the exact type of scan you want.
Conclusion
Well, there you go. Five additional extensions you might find useful during your API security testing.
Combined with the previous seven I’ve recommended, you are arming yourself with a customized Burp environment that is tailored for API hacking. Of course, if you want to tweak it even more, you can read my step-by-step guide on writing your own extensions for Burp using Python, or writing your own BChecks directly in Burp Suite.
Good luck!
One last thing…
Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.
The post 5 more Burp extensions for API hacking appeared first on Dana Epp’s Blog.
*** This is a Security Bloggers Network syndicated blog from Dana Epp’s Blog authored by Dana Epp. Read the original post at: https://danaepp.com/5-more-burp-extensions-for-api-hacking