5 open source Burp Suite penetration testing extensions you should check out
When it comes to assessing the security of computer systems, penetration testing tools are critical for identifying vulnerabilities that attackers may exploit. Among these tools, Burp Suite stands out as one of the most popular and widely used options among security professionals and enthusiasts alike.
Here’s a collection of Burp Suite extensions to make it even better.
Auth Analyzer
The Auth Analyzer extension helps you find authorization bugs. Navigate through the web application as a privileged user and let the Auth Analyzer repeat your requests for any defined non-privileged user. With the possibility to define parameters, the extension is able to extract and replace parameter values automatically.
Autowasp
Autowasp is a Burp Suite extension that integrates Burp issues logging with the OWASP Web Security Testing Guide (WSTG) to provide a web security testing flow. This tool will guide new penetration testers to understand the best practices of web application security and automate OWASP WSTG checks.
Burp_bug_finder
Burp_bug_finder is a Burp Suite plugin (written in Python) that makes the discovery of web vulnerabilities accessible. This version focuses only on XSS, and error-based SQLi. There’s no need to send XSS payload either for reflected or stored payload manually. You need to browse the pages where you want to check XSS vulnerability or error-based SQL injection.
Nuclei
Nuclei is a simple extension that allows you to run Nuclei scanner directly from Burp Suite and transforms JSON results into the issues.
Pentest Mapper
Pentest Mapper is a Burp Suite extension that integrates the Burp Suite request logging with a custom application testing checklist. The extension provides a straightforward flow for application penetration testing. The extension includes functionalities allowing users to map the application flow for pentesting to analyze the application and its vulnerabilities better. The API calls from each flow can be connected with the function or flow name. The extension allows users to map or connect each flow or API to vulnerability with the custom checklist.
