I'm excited to announce another addition to the Burp Co2 extension bundle: The "Name Mangler."
Ever found yourself working on a web pentest for an organization where you have gathered a list of users and suspect a username harvesting vulnerability, but have not yet worked out the username format for a login form? Is it jsmith or j-smith or smithj or james.smith or something else? This is the scenario that the Co2 Name Mangler module aims to assist with.

Simply paste in your list of users on the left (first and last names are required; middle names are optional), optionally add some domains if you want to include email address variations, select any other options and press the "Mangle Names" button. A list of potential usernames is generated on the right that can be copied and pasted directly into Burp Intruder.

If you think of any username variants I missed, I would really like to hear about them so I can get them added in.
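Seen from the login form's side, format guessing of this kind leaves a recognizable trace: one source submitting several different spellings that all resolve to the same person. The following is an added example, not part of Co2 or the original post, that flags that pattern in failed-login events; the staff names, source addresses, event tuple layout and threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

# Constructed directory entries (first, last); in practice these come from HR or IdP data.
STAFF = [("james", "smith"), ("maria", "lopez")]

def person_for(username, staff=STAFF):
    """Return the (first, last) a submitted login name appears to be built from, else None."""
    local = username.lower().split("@", 1)[0]            # ignore any email domain
    letters = "".join(c for c in local if c.isalpha())   # drop '.', '-', '_' and digits
    for first, last in staff:
        firsts, lasts = {first, first[0]}, {last, last[0]}
        combos = {a + b for a in firsts for b in lasts}
        combos |= {b + a for a in firsts for b in lasts}
        # Bare initials ("js", "sj") would match far too many unrelated names.
        combos -= {first[0] + last[0], last[0] + first[0]}
        if letters in combos:
            return (first, last)
    return None

def format_guessing_sources(failed_logins, staff=STAFF, threshold=3):
    """Map source -> {person: spellings} where one source tried at least
    `threshold` distinct spellings of the same person's name."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, username in failed_logins:
        person = person_for(username, staff)
        if person:
            seen[src][person].add(username.lower())
    flagged = {}
    for src, people in seen.items():
        hits = {p: sorted(s) for p, s in people.items() if len(s) >= threshold}
        if hits:
            flagged[src] = hits
    return flagged

# Constructed failed-login events: (source address, submitted username).
SAMPLE = [
    ("203.0.113.7", "jsmith"), ("203.0.113.7", "j-smith"),
    ("203.0.113.7", "smithj"), ("203.0.113.7", "james.smith@example.com"),
    ("198.51.100.4", "mlopez"), ("198.51.100.4", "mlopez"),  # repeated typo, one spelling
    ("198.51.100.4", "backup-admin"),
]

if __name__ == "__main__":
    for src, people in format_guessing_sources(SAMPLE).items():
        print(src, people)
```

A user who simply mistypes a password repeats one spelling, so only the first source in the sample is flagged.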
The Co2 "About" tab has also been reworked to provide working informational links and a useful "check for updates" button, which simply checks a version file on the Co2 downloads website against your version and provides a link to the download if an update is available. There's even a checkbox to automate this process if you so desire (it is off by default; it currently checks on startup and every 24 hours).