Included in this version are a few useful modules. The first is called SQLMapper, a sqlmap helper. Simply right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper. The following screen will appear pre-populated with the URL, POST data (if applicable) and Cookies (if applicable) from the request. You can then set any other options you need and then copy/paste the SQLMap Command to sqlmap on your command line.
A second module is called the User Generator (or User Lister, depending on who you ask). For this one I collected publicly available census data from http://www.census.gov/genealogy/www/data/2000surnames/ (for surnames) and popular baby names from the social security website (http://www.ssa.gov/OACT/babynames/) to make a username generator based on this statistical data. The interface (see below) allows you to tinker with the data sets a little bit, specify if you want full names, initials, a delimiter between first and last names, etc... The tool will approximate which name combinations are the most common and sort the list accordingly. The result set is currently limited to the top 200,000 names to avoid performance issues.
The Prettier JS module adds a tab to the main response window which will attempt to make the format more human-readable through the use of line feeds and indentation. This is still a work in progress but based on a request to Google's hosted compressed jquery library (jquery.min.js) it is a definitely improvement.
Other Co2 Modules include:
- OAuther - based on burp-oauth (https://github.com/dnet/burp-oauth), this version of the tool has a configuration screen rather than requiring recompilation when keys/tokens/secrets are changed.
- ASCII Payload Processor - shows up as an Intruder payload. It will convert payloads into ascii decimal (don't laugh, I wrote this after encountering the need for it twice in the wild!)
Additional information including download links is available at co2.professionallyevil.com.
Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas - ProfessionallyEvil site for services provided.