Burp Suite is a powerful tool used by security researchers and hackers to test web application security. It includes a variety of features that allow you to find vulnerabilities in web apps and APIs and in turn exploit them.
While Burp Suite comes with a number of built-in tools, there are also a number of extensions that can be used to expand its functionality. In this post, I’ll show you seven essential Burp extensions that every API hacker should consider.
The first extension to consider is Logger++. Written by NCC Group, this extension is designed as a more capable replacement for the Proxy History tab.
Requests and responses from all Burp Suite tools can be logged in real time. The extension allows advanced filters to be defined to highlight interesting entries or to filter logs only to those that match the filter. It also includes a powerful built-in grep tool that allows you to delve deeper into your logs.
So that logs can also be used in other systems, the table can also be uploaded to Elasticsearch or exported to CSV.
During your recon, if you find API documentation for a target that conforms to Swagger/OpenAPI standards, you can take advantage of the OpenAPI parser extension. It was designed to make it easy to analyze Swagger documentation and baseline requirements directly in Burp Suite.
The beauty of this extension is that once it has parsed the API documentation, you can right-click any endpoint you want to attack directly from the OpenAPI Parser tab and send it to your favorite Burp tools, such as Repeater or Intruder.
Ever noticed that some API endpoints have optional parameters that can change how results are returned or modified? These parameters are often not documented. From record sizes to query filters, knowing the typical parameters developers use can help uncover interesting ways to trigger bugs in business logic.
Finding these parameters can be tedious.
Param Miner is a Burp Suite extension that allows you to quickly and easily extract parameter values from requests and responses. To do this, it scans all requests and responses in your proxy history and extracts any parameter values it can find.
The extension then presents these values in an easy-to-read table that you can export to CSV for further analysis. The collected data includes all parameter names along with their value, type and position. You can also filter the results by type or location.
This makes it a valuable tool for quickly identifying potential hidden parameters that can alter the behavior of an API endpoint. You can even export the results to a CSV file so you can use it for fuzzing inside intruder.
Autorize is an extension designed to help API hackers detect authorization vulnerabilities, one of the more time-consuming tasks in API security testing.
I’ve discussed in the past how to use Autorize to find potential authentication and authorization issues in API endpoints. Basically, you give the extension the cookies of a low-privilege user and navigate through the web application as a high-privilege user. The extension automatically retries each request with the low-privileged user’s session and detects authorization gaps. As it runs, it shows which of the API endpoints being called bypass authorization, color-coded for easy verification.
It is also possible to repeat each request without cookies in order to detect authentication gaps in addition to authorization gaps. This is great for exploring administrative API endpoints that don’t have any authorization checks at all.
It’s easy to bag those BOLA/IDOR vulns without having to do too much work!
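The replay-and-compare logic described above, written out as an added example (this is not Autorize’s own code). It simulates a tiny API in-process with constructed sessions and data, replays each request the high-privilege user made with the low-privilege session and with no session at all, and labels each replay with verdicts modelled on the three Autorize shows: an identical response means the check was bypassed, a 401/403 means it was enforced, and anything else (here, a 200 with a different body) needs a human or a better enforcement fingerprint to decide. The endpoint names, cookie values and the 401/403 fingerprint are all assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sessions: cookie value -> (user id, role)
SESSIONS = {"sess-admin": ("u1", "admin"), "sess-lowpriv": ("u2", "user")}
# Constructed data, keyed by owner id
PROFILES = {"u1": "Alice (admin)", "u2": "Bob (user)"}
ORDERS = {"u1": ["order-100"], "u2": ["order-200", "order-201"]}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def fake_api(method: str, path: str, cookie: Optional[str]) -> Response:
    """Toy target with one correct check, one role-filtered view and two gaps."""
    session = SESSIONS.get(cookie) if cookie else None
    if path == "/api/admin/audit-log":
        # Gap: no authentication or authorization check at all
        return Response(200, "audit: login u1; login u2")
    if session is None:
        return Response(401, "unauthorized")
    user_id, role = session
    if path == "/api/admin/settings":
        # Correct: admin-only
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, "settings: maintenance=off")
    if path.startswith("/api/users/"):
        # BOLA gap: any authenticated user can read any profile (no ownership check)
        target = path.rsplit("/", 1)[1]
        profile = PROFILES.get(target)
        return Response(200, profile) if profile else Response(404, "no such user")
    if path == "/api/orders":
        # Role-filtered view: admin sees all orders, a user sees only their own
        visible = sum(ORDERS.values(), []) if role == "admin" else ORDERS[user_id]
        return Response(200, ",".join(visible))
    return Response(404, "not found")


# Stand-in for Autorize's configurable enforcement detector (assumption for the demo)
ENFORCED_STATUSES = {401, 403}


def classify(original: Response, replayed: Response) -> str:
    """Label one replay the way an Autorize row is labelled."""
    if replayed == original:
        return "Bypassed!"
    if replayed.status in ENFORCED_STATUSES:
        return "Enforced"
    # A 200 with a different body: the filter did something, but only a person can say if it was enough
    return "Is enforced??? (please configure enforcement detector)"


def autorize_check(method: str, path: str,
                   high_cookie: str = "sess-admin",
                   low_cookie: str = "sess-lowpriv") -> dict:
    """Replay one high-privilege request as the low-privilege user and unauthenticated."""
    original = fake_api(method, path, high_cookie)
    return {
        "authz": classify(original, fake_api(method, path, low_cookie)),
        "authn": classify(original, fake_api(method, path, None)),
    }


def run_all() -> dict:
    """Walk the toy app as the admin would and collect the verdict for every endpoint."""
    paths = ["/api/users/u1", "/api/admin/settings", "/api/admin/audit-log", "/api/orders"]
    return {p: autorize_check("GET", p) for p in paths}


if __name__ == "__main__":
    for path, result in run_all().items():
        print(f"{path:24} authz={result['authz']:<56} authn={result['authn']}")
```

The "Is enforced???" row on `/api/orders` is the one worth dwelling on: the response differs from the admin's, so the naive comparison cannot call it, and that is exactly why Autorize lets you configure an enforcement detector (a status code or a string that only appears in a properly refused response) instead of relying on byte-for-byte comparison.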
JSON Web Token Attacker (JOSEPH)
JOSEPH is an extension that allows you to intercept and manipulate JSON Web Tokens (JWTs) as they are exchanged between the client and the server. JWTs are becoming increasingly popular for securing API calls, so being able to understand and manipulate them is important.
The extension provides an easy-to-use interface for editing the content of a JWT and adding or removing signing and encryption keys. This makes it possible to test for various vulnerabilities such as token replay attacks and signature forgery.
JOSEPH is a great tool for understanding how JWTs work and for testing API vulnerabilities. A free extension that should also be included is JSON Web Tokens. With it, you can quickly decode and manipulate JSON web tokens, verify their validity, and automate common attacks.
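To make concrete what these extensions let you inspect, here is an added example (not JOSEPH’s or the JSON Web Tokens extension’s code) of the two halves of a JWT workflow: decoding a token without checking anything, which is what a decoder tab shows you, and verifying it the way a correctly written server should, with the algorithm pinned to an allowlist and the HMAC compared in constant time. The demo mints its own HS256 token with a constructed key, then runs the verifier against the original, a copy whose claims were edited while keeping the old signature, an unsigned `alg: none` variant, and a verification with the wrong key. Key material and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# The server pins its algorithms; the "alg" in the token header is never used to choose one
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """What a JWT 'decode' tab shows: header and claims, no signature check at all."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a signed token the way a server would (used here only to build sample input)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(header)}.{b64url_encode(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the alg is allowed and the HMAC over header.payload matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched through timing
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def verdict(token: str, key: bytes) -> str:
    """One-line outcome for a token, for the demo table below."""
    try:
        return "accepted: " + json.dumps(verify_hs256(token, key), sort_keys=True)
    except ValueError as exc:
        return "rejected: " + str(exc)


KEY = b"constructed-demo-key"  # constructed; a real service keeps this in a secret store


def demo() -> dict:
    """Run the verifier over a genuine token and three variants a tester would try."""
    good = mint_hs256({"sub": "u2", "role": "user"}, KEY)
    header_b64, payload_b64, sig_b64 = good.split(".")
    # Edited claims, original signature: what "changing role in the decoder" produces
    edited_payload = b64url_encode(json.dumps({"sub": "u2", "role": "admin"}).encode())
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"
    # Header claims no signature; the allowlist refuses it before any crypto runs
    none_header = b64url_encode(b'{"alg":"none"}')
    unsigned = f"{none_header}.{payload_b64}."
    return {
        "valid": verdict(good, KEY),
        "tampered-claims": verdict(tampered, KEY),
        "alg-none": verdict(unsigned, KEY),
        "wrong-key": verdict(good, b"other-key"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The order of the checks in `verify_hs256` is the point: the algorithm allowlist runs before any signature arithmetic, so a header that says `none` (or names an algorithm the server never configured) is rejected without the verifier ever consulting the key.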
Content Type Converter
The Burp Suite Content Type Converter extension is a handy tool that allows you to convert content between JSON and XML quickly and easily. This can be useful when you need to view or edit content in a different format, or when you need to use a specific format for input or output.
This is useful for hacking APIs to discover vulnerabilities that can only be found by converting the content type of a request. For example, if an API endpoint expects data in JSON format, we can try converting the data to XML to see if the application accepts data in XML format. If that’s the case, we can look for vulnerabilities like XXE injection that wouldn’t appear in the context of the original JSON endpoint. It may also be possible to find vulnerabilities behind web application firewalls (WAF) or other filters that assume incoming data is in a certain format while the application tolerates data in other formats.
This extension is a must-have for any API hacker working with JSON and XML content.
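What the conversion itself involves, as an added example that is not the Content Type Converter extension’s code: a JSON request body is rewritten as an equivalent XML document (objects become nested elements, arrays become repeated elements, scalars become text) and converted back. The round trip makes the security-relevant difference visible: XML carries no types, so every value comes back as a string, and an XML body can carry a DOCTYPE, which the JSON endpoint never had to worry about. The `xml_to_json` side therefore refuses any input with a DOCTYPE before parsing, which is the minimal guard a JSON-first API that starts tolerating XML should add. The sample body and element names are constructed for the demo.

```python
import json
import re
import xml.etree.ElementTree as ET


def _scalar_text(value) -> str:
    """XML has no types: booleans become 'true'/'false', None becomes empty, the rest str()."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def json_to_xml(data: dict, root: str = "root") -> str:
    """Rewrite a JSON object as XML: dict -> nested elements, list -> repeated elements."""
    def build(parent: ET.Element, key: str, value) -> None:
        if isinstance(value, dict):
            node = ET.SubElement(parent, key)
            for k, v in value.items():
                build(node, k, v)
        elif isinstance(value, list):
            for item in value:          # one <key> element per list item, in order
                build(parent, key, item)
        else:
            ET.SubElement(parent, key).text = _scalar_text(value)

    root_el = ET.Element(root)
    for k, v in data.items():
        build(root_el, k, v)
    return ET.tostring(root_el, encoding="unicode")


def xml_to_json(xml_text: str) -> dict:
    """Parse XML back into a dict; repeated sibling elements collapse into a list."""
    # Crude pre-parse guard: a JSON-style API has no business accepting a DOCTYPE,
    # and refusing it up front removes the entity machinery XXE relies on.
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_text)

    def to_value(el: ET.Element):
        children = list(el)
        if not children:
            return el.text or ""        # every leaf comes back as a string
        out = {}
        for child in children:
            val = to_value(child)
            if child.tag in out:
                if not isinstance(out[child.tag], list):
                    out[child.tag] = [out[child.tag]]
                out[child.tag].append(val)
            else:
                out[child.tag] = val
        return out

    return to_value(root)


def is_accepted(xml_text: str) -> bool:
    """True if the hardened side would parse this body at all."""
    try:
        xml_to_json(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    body = {"order": {"id": 42, "items": ["a", "b"], "gift": True}}   # constructed sample
    as_xml = json_to_xml(body, root="request")
    print(as_xml)
    print(json.dumps(xml_to_json(as_xml)))
```

Compare the two printed lines when you run it: `42` and `true` go in as a number and a boolean and come back as strings, so any server-side validation that was written against JSON types (`isinstance(x, int)`, schema `type: integer`) is simply not exercised by the XML path unless the application re-validates after conversion.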
Attack Surface Detector
The Attack Surface Detector extension is a powerful tool that helps you identify and understand the attack surface of your web apps and APIs under test. The extension scans all requests and responses, as well as cookies and session data, to create a comprehensive map of all potential attack surfaces. Each surface is then color-coded according to its risk level, making it easy to identify high-risk areas.
Attack Surface Detector is a must-have tool for any API hacker who wants to understand the full extent of the security risks posed by the web app in question. The extension performs static code analysis to identify endpoints by analyzing routes and identifying parameters (using supported languages and frameworks). This data is made available in Burp Suite to improve test coverage.
You can see the official OWASP project page here. I find the project fascinating because it was funded by a research grant sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD).
API security is a major concern for businesses and developers alike. To ensure our APIs are secure, we need the right tools and extensions at our disposal. The extensions covered in this article offer everything from content type conversion to attack surface mapping, making them indispensable for any API hacker.
So don’t go into your next API evaluation without them!
Want more helpful resources on API hacking? Then check out my Ultimate Guide to API Hacking Resources.
The 7 Essential Burp Extensions for Hacking APIs post first appeared on Dana Epp’s blog.
*** This is a Security Bloggers Network syndicated blog from Dana Epp’s blog written by Dana Epp. Read the original post at: https://danaepp.com/7-essential-burp-extensions-for-hacking-apis