Wednesday, February 12, 2014

Announcing Burp Co2!

This is for those of you who do web pen testing with PortSwigger's Burp proxy tool! Over the past couple of months I have been using my Java skills and "free time" (lol) to build a collection of Burp extensions that have been dubbed "Co2".

Included in this version are a few useful modules. The first is called SQLMapper, a sqlmap helper. Simply right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper. The following screen will appear pre-populated with the URL, POST data (if applicable) and cookies (if applicable) from the request. You can then set any other options you need and copy/paste the generated sqlmap command into sqlmap on your command line.


A second module is called the User Generator (or User Lister, depending on who you ask). For this one I collected publicly available census data from http://www.census.gov/genealogy/www/data/2000surnames/ (for surnames) and popular baby names from the Social Security website (http://www.ssa.gov/OACT/babynames/) to make a username generator based on this statistical data. The interface (see below) allows you to tinker with the data sets a little bit, specify whether you want full names, initials, a delimiter between first and last names, etc. The tool will approximate which name combinations are the most common and sort the list accordingly. The result set is currently limited to the top 200,000 names to avoid performance issues.
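The ranking step described above, as an added Python example (not Co2's own code): each first/last combination is scored by the product of the two frequency counts, formatted in the chosen style, deduplicated, sorted by score and then cut off at the limit. The two frequency tables are constructed samples standing in for the census and SSA files, and the `style` and `delimiter` parameters are assumptions about how the options map onto the output.

```python
from itertools import product

# Constructed sample data (name -> count) standing in for the census surname
# file and the SSA baby-name file the post mentions; not real totals.
SURNAMES = {"smith": 2376206, "johnson": 1857160, "williams": 1534042}
FIRST_NAMES = {"james": 4968, "john": 4827, "mary": 1230}


def generate_usernames(first_names, surnames, style="full", delimiter="", limit=200000):
    """Rank first/last name combinations by approximate joint frequency.

    style (assumed option names): "full" -> jamessmith,
          "initial" -> jsmith (first initial + surname),
          "last_initial" -> jamess (first name + last initial).
    The score is the product of the two counts, i.e. first and last names are
    treated as independent, which is the approximation the post describes.
    """
    scored = []
    for (first, fc), (last, lc) in product(first_names.items(), surnames.items()):
        if style == "full":
            name = first + delimiter + last
        elif style == "initial":
            name = first[0] + delimiter + last
        elif style == "last_initial":
            name = first + delimiter + last[0]
        else:
            raise ValueError(f"unknown style {style!r}")
        scored.append((fc * lc, name))

    # Highest joint frequency first; ties broken alphabetically so output is stable.
    scored.sort(key=lambda item: (-item[0], item[1]))

    seen, result = set(), []
    for _, name in scored:
        if name not in seen:  # initial styles collide (james/john both give jsmith)
            seen.add(name)
            result.append(name)
        if len(result) >= limit:  # the post caps output at the top 200,000 names
            break
    return result


if __name__ == "__main__":
    for username in generate_usernames(FIRST_NAMES, SURNAMES, delimiter="."):
        print(username)
```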


The Prettier JS module adds a tab to the main response window which will attempt to make the format more human-readable through the use of line feeds and indentation. This is still a work in progress, but based on a request to Google's hosted compressed jQuery library (jquery.min.js) it is definitely an improvement.

Other Co2 Modules include:
  • OAuther - based on burp-oauth (https://github.com/dnet/burp-oauth), this version of the tool has a configuration screen rather than requiring recompilation when keys/tokens/secrets are changed.
  • ASCII Payload Processor - shows up as an Intruder payload processor. It will convert payloads into ASCII decimal (don't laugh, I wrote this after encountering the need for it twice in the wild!)

Although I have several additions planned soon, I feel version 0.4 is stable enough to release into the wild and get some feedback on these initial items. So if you are a Burp user, please give Co2 a spin and let me know what works or doesn't work for you by leaving a comment or e-mailing me at the address below.

Additional information including download links is available at co2.professionallyevil.com.


Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com or visit the Secure Ideas - ProfessionallyEvil site for services provided.

6 comments:

  1. Good job man, keep it up!

  2. Thanks for the list!
    Wsdler plug-in is also a good one for assessing a Web Service

  3. Nice job my friend. Just a suggestion: ask the user to add an env var $sqlmap_path with the path to sqlmap on the system and add a button to call sqlmap (opening the cmd/terminal) using the $sqlmap_path with the parameters. This approach is much better than copying the command, opening the terminal and pasting the command to run... Just a suggestion. BTW nice plugin.

  4. This comment has been removed by a blog administrator.

  5. Thanks for the comments folks.

    Pankaj - I'm definitely looking to add some web services support to Co2 soon.

    Marcio - Good point. I had given this some thought but abandoned the idea for the first iteration because it seemed to become more complex to come up with a way to do it that is guaranteed to work across platforms. I've found pasting the command SQLMapper generates still saves a bunch of time over trying to piece it together bit by bit. Anyway - I'll circle back on this and see if I can do it in a way that works nicely across platforms.

  6. As always, rocking it! Nice work and I would like to second Marcio's suggestion.
