Announcing Burp Co2!


This is for those of you who do web pen testing with Portswigger’s Burp proxy tool!  Over the past couple of months I have been using my Java skills and “free time” (lol) to build a collection of Burp extensions that have been dubbed “Co2”.

Included in this version are a few useful modules.  The first is called SQLMapper, a sqlmap helper.  Simply right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper.  The following screen will appear pre-populated with the URL, POST data (if applicable) and Cookies (if applicable) from the request.  You can then set any other options you need and then copy/paste the SQLMap Command to sqlmap on your command line.

A second module is called the User Generator (or User Lister, depending on who you ask).  For this one I collected publicly available census data from http://www.census.gov/genealogy/www/data/2000surnames/ (for surnames) and popular baby names from the social security website (http://www.ssa.gov/OACT/babynames/) to make a username generator based on this statistical data.  The interface (see below) allows you to tinker with the data sets a little bit, specify if you want full names, initials, a delimiter between first and last names, etc…  The tool will approximate which name combinations are the most common and sort the list accordingly.  The result set is currently limited to the top 200,000 names to avoid performance issues.

 
The Prettier JS module adds a tab to the main response window which will attempt to make the format more human-readable through the use of line feeds and indentation.  This is still a work in progress but based on a request to Google’s hosted compressed jquery library (jquery.min.js) it is a definitely improvement.
 
Other Co2 Modules include:
  • OAuther – based on burp-oauth (https://github.com/dnet/burp-oauth), this version of the tool has a configuration screen rather than requiring recompilation when keys/tokens/secrets are changed.
  • ASCII Payload Processor – shows up as an Intruder payload.  It will convert payloads into ascii decimal (don’t laugh, I wrote this after encountering the need for it twice in the wild!)

Although I have several additions planned soon, I feel version 0.4 is stable enough to release into the wild and get some feedback on these initial items.  So if you are a Burp user, please give Co2 a spin and let me know what works or doesn’t work for you by leaving a comment or e-mailing me at the address below.

Additional information including download links is available at co2.professionallyevil.com.

Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com or visit the  Secure Ideas – ProfessionallyEvil  site for services provided.

Similar posts