This is for those of you who do web pentesting with PortSwigger's Burp proxy tool! Over the past couple of months I have been using my Java skills and "free time" to build a collection of Burp extensions that have been dubbed "Co2".
Included in this version are a few useful modules. The first is SQLMapper, a sqlmap helper: right-click any request in Burp and a new context-menu option sends it to SQLMapper. The SQLMapper screen then appears pre-populated with the URL, POST data (if applicable) and cookies (if applicable) from the request. Set any other options you need, then copy the generated sqlmap command and paste it into sqlmap on your command line.
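To show what the SQLMapper module automates, here is an added example (my own code, not Co2's) that parses a raw HTTP request, pulls out the URL, POST body and Cookie header, and assembles a sqlmap command line. The sample request is constructed, the scheme is assumed to be `https` (Burp knows the real scheme; a raw request does not carry it), and only the documented sqlmap flags `-u`, `--data`, `--cookie` and `--method` are used:

```python
"""Build a sqlmap command line from a raw HTTP request (added example)."""
import shlex
from typing import Dict, Iterable, Optional

# Constructed sample request, as Burp would hand it to a context-menu action.
SAMPLE_REQUEST = (
    "POST /login.php?debug=1 HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: PHPSESSID=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=admin&password=secret1"
)


def parse_request(raw: str, scheme: str = "https") -> Dict[str, Optional[str]]:
    """Split a raw request into the pieces sqlmap cares about.

    `scheme` is an assumption: a raw request does not say whether it was
    sent over HTTP or HTTPS, so the caller has to supply it."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method.upper(),
        "url": f"{scheme}://{headers['host']}{target}",
        "cookie": headers.get("cookie"),
        "body": body or None,
    }


def sqlmap_command(req: Dict[str, Optional[str]], extra: Iterable[str] = ()) -> str:
    """Render the request as a shell-safe sqlmap invocation.

    `extra` carries any additional options the user picked (e.g. --batch,
    --level, -p); they are appended verbatim."""
    cmd = ["sqlmap", "-u", req["url"]]
    if req["body"]:
        cmd += ["--data", req["body"]]
    if req["cookie"]:
        cmd += ["--cookie", req["cookie"]]
    if req["method"] not in ("GET", "POST"):
        # sqlmap infers GET/POST from the presence of --data; anything else
        # (PUT, DELETE, ...) has to be stated explicitly.
        cmd += ["--method", req["method"]]
    cmd += list(extra)
    # shlex.quote keeps '&', ';' and spaces in the data/cookie values from
    # being interpreted by the shell the user pastes this into.
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    print(sqlmap_command(parse_request(SAMPLE_REQUEST), ("--batch", "--level", "3")))
```

Quoting matters more than it looks: a cookie like `a=1; b=2` or a body containing `&` pasted unquoted into a shell silently truncates the command. If you would rather not copy a command at all, sqlmap's `-r` option reads a saved raw request file directly, and the headers it sees are then exactly the ones Burp recorded.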

A second module is called the User Generator. For this one I collected publicly available census data for surnames and popular baby names from the Social Security website to make a username generator based on this statistical data. The interface (see below) allows you to tinker with the data sets a little bit, specify if you want full names, initials, a delimiter between first and last names, etc. The tool will approximate which name combinations are the most common and sort the list accordingly. The result set is currently limited to the top 200,000 names to avoid performance issues.
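As an added example of the ranking idea behind the User Generator (my own code, not the Co2 implementation), the block below scores every first-name/surname pair by the product of their individual frequencies, renders each pair in a chosen username pattern with an optional delimiter, removes duplicates and truncates the list. The frequency tables are small constructed stand-ins for the SSA and Census data; the pattern names (`first.last`, `flast`, `firstl`, `lastf`, `first`) are my own labels and the independence assumption behind the scoring is stated in the code:

```python
"""Rank first/last name combinations by estimated frequency and render them
as usernames in a chosen pattern (added example)."""
from itertools import product
from typing import Dict, List

# Constructed toy frequency tables (counts per 100,000 people). The real
# tool draws these from SSA baby-name data and Census surname data.
FIRST_NAMES: Dict[str, int] = {"james": 3200, "mary": 2600, "john": 2500, "patricia": 1000}
SURNAMES: Dict[str, int] = {"smith": 2400, "johnson": 1900, "williams": 1600}

# Username patterns; f = first name, l = surname, d = delimiter (may be "").
PATTERNS = {
    "first.last": lambda f, l, d: f"{f}{d}{l}",
    "flast":      lambda f, l, d: f"{f[0]}{d}{l}",
    "firstl":     lambda f, l, d: f"{f}{d}{l[0]}",
    "lastf":      lambda f, l, d: f"{l}{d}{f[0]}",
    "first":      lambda f, l, d: f,
}


def generate_usernames(first: Dict[str, int], last: Dict[str, int],
                       pattern: str = "first.last", delimiter: str = ".",
                       limit: int = 200_000) -> List[str]:
    """Return candidate usernames ordered from most to least likely.

    Likelihood is approximated as first-name frequency x surname frequency.
    That treats the two as independent, which is not strictly true, but it
    is a reasonable heuristic for ordering a wordlist."""
    render = PATTERNS[pattern]
    pairs = sorted(product(first.items(), last.items()),
                   key=lambda p: p[0][1] * p[1][1], reverse=True)
    seen, out = set(), []
    for (fname, _), (lname, _) in pairs:
        name = render(fname.lower(), lname.lower(), delimiter)
        if name in seen:        # e.g. "jsmith" arises from both james and john
            continue
        seen.add(name)
        out.append(name)
        if len(out) >= limit:   # cap the list, as the tool does at 200,000
            break
    return out


if __name__ == "__main__":
    for username in generate_usernames(FIRST_NAMES, SURNAMES, "flast", delimiter="", limit=10):
        print(username)
```

Deduplication is what makes the cap meaningful: initial-based patterns collapse many high-frequency pairs onto the same string, so without it the top of the list would be padded with repeats.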

The Prettier JS module adds a tab to the main response window that attempts to make minified JavaScript more human-readable by inserting line feeds and indentation. This is still a work in progress, but based on a request to Google's hosted compressed jQuery library (jquery.min.js) it is a definite improvement.
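The following added example (my own code, not the Co2 module) shows the minimal version of that transformation: a single pass over the source that breaks lines at braces and statement-ending semicolons, indents by brace depth, copies string and template literals verbatim so a `;` or `}` inside a string does not split a line, and leaves `for(;;)` headers and `});` sequences intact. The minified input is constructed; regular-expression literals and comments are deliberately not handled, which is the kind of gap a "work in progress" prettifier tends to have:

```python
"""Naive JavaScript prettifier: line feeds and indentation around braces and
statement-ending semicolons, with string literals copied verbatim (added example)."""

# Constructed minified input standing in for something like jquery.min.js.
SAMPLE_MINIFIED = ('function f(a){var b=a+1;if(b>2){return "x;y"}else{return b}}'
                   'for(var i=0;i<3;i++){f(i)}')


def prettify_js(src: str, indent: str = "  ") -> str:
    out = []
    depth = 0            # brace nesting, drives indentation
    paren = 0            # paren nesting, so `for(;;)` headers stay on one line
    at_line_start = True
    i, n = 0, len(src)

    def emit(s: str) -> None:
        nonlocal at_line_start
        if at_line_start:
            if not s.strip():        # drop leading whitespace on a fresh line
                return
            out.append(indent * depth)
            at_line_start = False
        out.append(s)

    def newline() -> None:
        nonlocal at_line_start
        if not at_line_start:
            out.append("\n")
            at_line_start = True

    while i < n:
        c = src[i]
        if c in "'\"`":
            # String / template literal: copy verbatim, honouring backslash
            # escapes, so delimiters inside the string are not treated as code.
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            emit(src[i:j + 1])
            i = j + 1
            continue
        if c == "(":
            paren += 1
        elif c == ")":
            paren = max(paren - 1, 0)

        if c == "{":
            emit("{")
            depth += 1
            newline()
        elif c == "}":
            newline()
            depth = max(depth - 1, 0)
            emit("}")
            nxt = src[i + 1:i + 2]
            # Keep `});`, `},`, `}]` and `}else{` together on one line.
            if not (nxt and nxt in ");,]" or
                    src.startswith(("else", "catch", "finally", "while"), i + 1)):
                newline()
        elif c == ";" and paren == 0:
            emit(";")
            newline()
        elif c in "\r\n":            # existing line breaks: restart indentation
            newline()
        else:
            emit(c)
        i += 1
    return "".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(prettify_js(SAMPLE_MINIFIED))
```

A regex literal such as `/[;}]/` would still be split mid-token by this pass; telling a `/` that starts a regex apart from a division operator needs the previous significant token, which is the first thing to add once the basic layout works.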

Other Co2 Modules include:
- OAuther: Based on burp-oauth, this version of the tool has a configuration screen rather than requiring recompilation when keys/tokens/secrets are changed.
- ASCII Payload Processor: Shows up as an Intruder payload processor. It converts payloads into ASCII decimal (don't laugh, I wrote this after encountering the need for it twice in the wild!).
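To make concrete what a request-signing module like OAuther has to do with those keys, tokens and secrets, here is an added example (my own code, neither OAuther's nor burp-oauth's) of OAuth 1.0a request signing with HMAC-SHA1 as specified in RFC 5849. That burp-oauth signs OAuth 1.0a requests is my assumption from its name and the "keys/tokens/secrets" configuration described above; the request, keys and secrets used when the block is run are the RFC's own example values, and the `realm`, `nonce` and `timestamp` arguments are parameters I introduced so the result is reproducible:

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849), as a proxy-side signer would
apply it before forwarding a request (added example)."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s: str) -> str:
    # RFC 5849 s3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # s3.4.1.2: lowercase scheme and host, drop default ports and the query.
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, body_params: Iterable[Tuple[str, str]],
                          oauth_params: Dict[str, str]) -> str:
    # s3.4.1.3: query + form body + oauth_* params, each name/value encoded,
    # sorted by name then value, joined, then encoded again as one string.
    params = (parse_qsl(urlsplit(url).query, keep_blank_values=True)
              + list(body_params) + list(oauth_params.items()))
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # s3.4.2: key is encoded consumer secret, '&', encoded token secret (may be empty).
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method: str, url: str, form_body: Optional[str],
                 consumer_key: str, consumer_secret: str,
                 token: str, token_secret: str,
                 nonce: str, timestamp: str, realm: Optional[str] = None) -> Tuple[str, str]:
    """Return (signature base string, Authorization header value).

    `form_body` must be application/x-www-form-urlencoded or None; other
    body types are not part of the signature."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
    }
    body_params = parse_qsl(form_body, keep_blank_values=True) if form_body else []
    base = signature_base_string(method, url, body_params, oauth_params)
    header_params = dict(oauth_params, oauth_signature=hmac_sha1_signature(base, consumer_secret, token_secret))
    parts = ([f'realm="{realm}"'] if realm else []) + [f'{k}="{oauth_encode(v)}"' for k, v in header_params.items()]
    return base, "OAuth " + ", ".join(parts)


if __name__ == "__main__":
    # RFC 5849 s1.2 / s3.4.1.1 example request and credentials.
    base, header = sign_request(
        "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b", "c2&a3=2+q",
        consumer_key="9djdj82h48djs9d2", consumer_secret="j49sk3j29djd",
        token="kkk9d7dh3k39sjv7", token_secret="dh893hdasih9",
        nonce=secrets.token_hex(8), timestamp=str(int(time.time())), realm="Example")
    print(base)
    print("Authorization:", header)
```

The part that bites in practice is the double encoding: values are percent-encoded once when the parameter list is normalized and again when that list becomes the third segment of the base string, so `%3D` in the query ends up as `%253D` in the header's view and `%25253D` in the base string. A tool that keeps secrets in a config screen rather than compiled in is also a tool that should avoid logging that base string alongside the secrets.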