Burp Co2 Update v0.5 adds a Name Mangler module!

I’m excited to announce another addition to the Burp Co2 extension bundle in v0.5 of Burp Co2 (download):  The “Name Mangler”.

Ever found yourself working on a web pen test for an organization where you have gathered a list of users and suspect a username harvesting vulnerability but have not yet worked out the username format for a login form?  Is it jsmith or j-smith or smithj or james.smith or something else?  This is the scenario that the Co2 Name Mangler module aims to assist with.  Simply paste in your list of users on the left (First and Last name is required.  Middle names are optional), optionally add some domains if you want to include email address variations, select any other options and press the “Mangle Names” button.  A list of potential usernames is generated on the right than can be copied and pasted directly into Burp Intruder.

If you think of any username variants I missed I would really like to hear about it so I can get them added in.
The Co2 “About” tab has also been reworked to provide working informational links and a useful “check for updates” button, which will simply check a version file on the co2 downloads website against your version and provide a link to the download if an update is available.  There’s even a checkbox to automate this process if you so desire (it is off by default, currently checks on startup and every 24 hrs).
There’s more coming for Burp Co2, so stay tuned for the next cool module.  And as usual, if you run into trouble or have any feature or improvement ideas, let me know!



Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com, on Twitter @JGillam, or visit the Secure Ideas – ProfessionallyEvil site for services provided.

Leave a Comment

Your email address will not be published. Required fields are marked *