Burp Suite Extensions for Effective Web Application Testing

Burp Suite is a web application security audit platform. It contains tools for mapping a web application, searching for files and folders, modifying queries, fuzzing, password selection, and much more. There is also a BApp store of add-ons containing additional extensions that increase the functionality of the application. This article will look at tools that increase the effectiveness of Burp Suite when testing for penetration of web applications.
Earlier, I described the main features of this utility , in this article I will focus on the Extender module - extension management in BurpSuite.

Despite the fact that Burp Suite itself is a pretty good tool, its capabilities can be significantly expanded with the help of add-ons - both extensions located in a special store - BAppStore, and third-party ones.

There is a specialized API that allows you to integrate your own extension written in Pyhton, Java or Ruby.
Extensions
HUNT Proxy Extension
A good practice for testing web applications is to follow the testing methodologies in order to fully explore the web application and its components. To facilitate this task, there is an excellent HUNT Proxy Extension.
This extension does not check vulnerable parameters, but rather warns about them so that the pentester can check them manually (more carefully). For each vulnerability class, the HUNT defines the general parameters or functions associated with this vulnerability class.

This extension allows pentesters to send requests and responses to the Burp tab called “HUNT Methodology”. This tab contains a tree on the left side, which is a visual representation of the testing methodology. By sending requests, pentesters can verify that they have completed a certain step of the methodology.

→ Download
burp-vulners-scanner
extension In BAppStore it is called Software Vulnerability Scanner. This is an extension from the creators of the vulners.com vulnerability database. Using this extension, you can identify vulnerable components of a web application and immediately get a link to a description / exploit.

This extension can significantly save time for identifying vulnerable plugins of popular CMS.
→ Download extension
Burp Automator
As an automation tool, you can use the built-in scanner, or use the Burp Automator tool. This tool will allow you to automate checks using Burp Suite, slackclient and burp-rest-api as the basis.

→ Download
burp-xss-sql-plugin extension
Quite popular in narrow circles plug-in from Vladimir Ivanov to detect XSS, OpenRedirects and SQLi. Repeatedly assisted the author in successfully participating in BugBounty programs.
→ Download
Autorize Extension
This extension for automatically detecting web authorization authorization problems. Autorize was designed to help Pentesters perform automated tests of authorization parameters. In the latest version, Autorize provides automatic authentication.

→ Download
burplay extension Burplay
is a Burp Extension whose main purpose is to help you find vulnerabilities that lead to privilege escalation.
→ Download extension
Conclusion
In addition to the above-mentioned add-ons, you can always use the application store in order to install one or another extension that can improve the efficiency of testing web applications.
In the next article, I will consider the OWASP ZAP utility, which is an equally popular tool for testing web applications.
Only registered users can participate in the survey. Please come in.
The most preferred web application testing tool for you is:
- 77.5% Burp Suite. 38
- 16.3% Owasp ZAP. 8
- 6.1% Other (your answer in the comments). 3