Burp Suite Professional extensions we love in our pentests
Just after PortSwigger released the new 2023 roadmap for Burp Suite, together with the exciting news of HTTP/2 support, we want to share our favorite extensions, the ones that help us in our everyday work.
Command Injection Attacker
Backslash Powered Scanner
SQL/NoSQL injection, regex-based issue, formula injection or any other exploitable vulnerability.
GET/POST/JSON parameters, HTTP headers and cookie values. It uses a relatively effective binary search algorithm to detect which inputs are actually processed by the application, reports the discovered inputs directly as normal scanner issues, and has its own Param Miner section with settings in the UI.
It is possible to use custom parameter wordlists and a brute-force mode.
Usage: select the request to investigate and choose the required input-flow discovery method from the right-click menu:
HTTP Request Smuggler
JS Link Finder
X-Forwarded-For headers for all requests from Scanner). It uses the Extender API to manipulate Burp Suite entities, so refer to the API manual to discover the possible functionality.