Cyber Security Technical Blog

5 Useful & Free Burp Suite Plugins

Written by Brett DeWall | Oct 11, 2024 5:13:37 PM

At White Oak Security, we do a variety of engagement types. Previously, we’ve written several posts on some of the tools we use, including Burp Suite. To take full advantage of the Burp Suite platform, this post will review some of the super useful BApp Store plugins that are freely available.

Best Free Burp Suite Plug-ins

The list of plugins we will cover in this post are:

  • PDF Viewer
  • Wsdler
  • ExifTool Scanner
  • Logger++
  • InQL – Introspection GraphQL Scanner Plugin

PDF Viewer Burp Suite Plugin 

PDF Viewer adds an additional tab to the HTTP message viewer to allow for the rendering of PDF files within the Response view. I tend to make use of this when I have discovered JavaScript injection within a PDF file, I can then quickly render the PDF without having to download the file and open it with a native application. 

PDF Viewer Extension Example

Here is an example of utilizing the PDF Viewer extension within the Repeater tab. Prior to using the PDF viewer, a HTTP response loading a PDF file will look like the following screenshot.

After selecting “PDF” from the drop-down menu – the PDF will be rendered within the HTTP response, like below.

Wsdler Burp Suite Plugin

Wsdler takes a WSDL request, parses out the operations that are associated with the targeted web server, and generates SOAP requests that can be sent to the SOAP endpoints. I’ve used this extension many times to quickly parse the WSDL files are start utilizing the SOAP requests Burp Suite generates.

Wsdler Extension Example

Navigate to a WSDL file. Example of a HTTP response with a WSDL file below:

Utilizing Burp Suite – right click the HTTP request, select Extensions, select, Wsdler, and then select Parse WSDL (shown below).

Burp Suite then parses the WSDL file and populates the Wsdler tab with the SOAP requests (see screenshot below).

ExifTool Scanner Burp Suite Plugin

The ExifTool Scanning reads metadata from various filetypes utilizing ExifTool. These files include JPEG, PNG, PDF, DOC, XLS, etc. Details from the metadata could include information useful to an attacker – file creation data, author (usernames), and application version utilized to create the file.

ExifTool Scanner Example

When performing a passive scan of a host, if Burp Suite comes across a filetype extension that ExifTool can scan, it will create an “Information” finding within the issues tab of the host. Here is an example result for a PDF file that was scanned.

Logger++ Burp Suite Plugin

Logger++ is a multithreaded logging extension for Burp Suite. In addition to logging requests and responses from all Burp Suite tools, the extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter.” I have run into multiple situations where clients have requested that all requests being sent to the application to be logged. This extension has a multitude of options and configurations that can be fine-tuned to your needs. Here is screenshot of the options section of the Logger++.

InQL – Introspection GraphQL Scanner Plugin

The InQL plugin is utilized to facilitate GraphQL security auditing efforts. The InQL extension can quickly discover exposed GraphQL development consoles, discover known GraphQL URL paths, quickly generate documentation for available GraphQL entities, and many other options. I don’t have an example screenshot off hand but be sure if you identify an application utilizing GraphQL – be sure to load of the InQL extension to do some further digging.

Burp Suite Plug-ins Review 

This was a quick overview of some freely available Burp Suite plugins that can assist with identification of vulnerabilities, logging output, and improving your Burp Suite experience. If you are looking for a quality security partener to help with any web application penetration testing, be sure to reach out through our White Oak Security contact page

MORE FROM WHITE OAK SECURITY 

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team…