wagiro edited this page Apr 13, 2020 · 30 revisions

BurpBounty Usage:

Config section


  • Profiles reload: Reload the profiles directory, for example after you add a new external profile to it.
  • Profiles Directory: Choose the profiles directory path.
  • Burp Collaborator: The Burp Collaborator thread now starts automatically. To interact with Burp Collaborator, put the "{BC}" token in your payloads. The token is replaced with a Burp Collaborator host, and the thread polls for interactions with that host every ten seconds.

Profiles Definition


  • Select Profile: Choose a profile to modify and save.
  • Save: Save the profile.
  • New Profile: Create a new profile.
  • Name: The name of the profile.
  • Author: You can put your Twitter nickname here.
  • Scanner: Choose the scanner type for the profile.

Request

Payload Sets



  • You can add as many payloads as you want.
  • Each payload in this section is sent at each entry point (the insertion points provided by the Burp API).
  • You can use Burp Collaborator in your payloads through the "{BC}" token, for example: ping -c 2 {BC}
  • You can link a payload to a txt file using the Load button. When the txt file is updated, the payloads are updated automatically.

Payload Options




  • Choose whether the payload replaces the original value or is appended to it.
  • If you enable the "Path Discovery" checkbox, new insertion points are added. For example, the request:
GET /dir1/dir2/file.php?param=value HTTP/1.1

generates three new insertion points:

1- GET {HERE} HTTP/1.1
2- GET /dir1{HERE} HTTP/1.1
3- GET /dir1/dir2{HERE} HTTP/1.1

Then, if you use /.git/HEAD as the payload, the three new requests are:

1- GET /.git/HEAD HTTP/1.1
2- GET /dir1/.git/HEAD HTTP/1.1
3- GET /dir1/dir2/.git/HEAD HTTP/1.1

without param=value.

Another example, the request:

GET / HTTP/1.1

generates one new insertion point:

1- GET {HERE} HTTP/1.1

Then, if you use /assets../static/app.js as the payload, the new request is:

1- GET /assets../static/app.js HTTP/1.1
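The following is an added example, not BurpBounty's own code, that reproduces the Path Discovery behaviour described above for the request line: one {HERE} template per directory prefix, query string dropped, then the payload substituted into each. The only assumption beyond the wiki text is that a path not ending in "/" names a file, so its last segment is not treated as a directory.

```python
from urllib.parse import urlsplit

# Added illustration of the "Path Discovery" insertion points; not BurpBounty's own code.
# It handles the request line only (method, target, HTTP version).


def path_discovery_points(request_line: str) -> list[str]:
    """Return one {HERE} template per directory prefix of the request path.

    The query string is dropped. Assumption: a path that does not end in "/"
    names a file, so its final segment is not used as a directory prefix.
    """
    method, target, version = request_line.split(" ", 2)
    path = urlsplit(target).path                      # "/dir1/dir2/file.php", no "?param=value"
    segments = [s for s in path.split("/") if s]
    dirs = segments if path.endswith("/") else segments[:-1]
    # "" for the root, then "/dir1", "/dir1/dir2", ...
    prefixes = ["/".join([""] + dirs[:i]) for i in range(len(dirs) + 1)]
    return [f"{method} {prefix}{{HERE}} {version}" for prefix in prefixes]


def path_discovery_requests(request_line: str, payload: str) -> list[str]:
    """Substitute the payload into every template, giving the request lines that are sent."""
    return [t.replace("{HERE}", payload) for t in path_discovery_points(request_line)]


if __name__ == "__main__":
    for line in path_discovery_requests("GET /dir1/dir2/file.php?param=value HTTP/1.1", "/.git/HEAD"):
        print(line)
```

Running it prints the same three request lines listed in the wiki; a bare "GET / HTTP/1.1" yields a single request, as in the second example.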


Match and Replace



  • Add: Add a new match and replace item.
  • Remove: Remove a match and replace item.
  • Item: Choose whether the string or regex is replaced only in the "Payload" or in the entire "Request".
  • Match: Set the string or regex to match, or leave blank to add a new header.
  • Replace: Set the string that replaces the matched value, or leave blank to remove a matched header.
  • Type: Choose between string and regex replacement.
  • Comment: You can put any description for the match and replace item.
  • Tokens: {BC} is replaced by the Burp Collaborator host.
  • Tokens: {PAYLOAD} is replaced by your payloads.
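As an added example (not BurpBounty's own code), the following applies match and replace items with the four fields above to a constructed request, including the two blank-field cases (blank Match adds a header, blank Replace removes a matching header) and the {BC} and {PAYLOAD} tokens. Assumptions: items are plain dicts keyed by the UI field names, a new header is inserted just before the blank line, and the Collaborator host is a placeholder value.

```python
import re

# Added illustration of Match and Replace items; not BurpBounty's own code.
# Assumptions: blank match appends a header before the blank line, blank replace
# drops only header lines the match hits, and the Collaborator host is a placeholder.

COLLABORATOR_HOST = "placeholder.collaborator.example"  # stands in for the real {BC} host


def _substitute_tokens(text: str, payload: str, bc_host: str) -> str:
    return text.replace("{PAYLOAD}", payload).replace("{BC}", bc_host)


def _matches(text: str, pattern: str, kind: str) -> bool:
    return re.search(pattern, text) is not None if kind == "Regex" else pattern in text


def _replace(text: str, pattern: str, replacement: str, kind: str) -> str:
    return re.sub(pattern, replacement, text) if kind == "Regex" else text.replace(pattern, replacement)


def apply_rule(request: str, payload: str, rule: dict, bc_host: str = COLLABORATOR_HOST) -> tuple[str, str]:
    """Apply one item and return the (request, payload) pair it produces."""
    match = _substitute_tokens(rule["match"], payload, bc_host)
    replacement = _substitute_tokens(rule["replace"], payload, bc_host)
    kind = rule["type"]                     # "String" or "Regex"

    if rule["item"] == "Payload":           # operate on the payload only
        return request, _replace(payload, match, replacement, kind)

    head, sep, body = request.partition("\r\n\r\n")
    if match == "":                         # blank match: add a new header line
        return head + "\r\n" + replacement + sep + body, payload
    if replacement == "":                   # blank replace: remove matching header lines
        kept = [ln for ln in head.split("\r\n") if not _matches(ln, match, kind)]
        return "\r\n".join(kept) + sep + body, payload
    return _replace(request, match, replacement, kind), payload


def apply_rules(request: str, payload: str, rules: list[dict], bc_host: str = COLLABORATOR_HOST):
    """Apply the items top to bottom, as they are ordered in the profile."""
    for rule in rules:
        request, payload = apply_rule(request, payload, rule, bc_host)
    return request, payload


# Constructed sample request (not captured from any real system).
SAMPLE_REQUEST = (
    "GET /search?q=test HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Debug: 1\r\n"
    "\r\n"
)

# Constructed items: encode spaces in the payload, add a header carrying the
# Collaborator host, drop the X-Debug header, and place the payload in the query.
RULES = [
    {"item": "Payload", "match": " ", "replace": "%20", "type": "String"},
    {"item": "Request", "match": "", "replace": "X-Forwarded-Host: {BC}", "type": "String"},
    {"item": "Request", "match": r"^X-Debug:", "replace": "", "type": "Regex"},
    {"item": "Request", "match": "q=test", "replace": "q={PAYLOAD}", "type": "String"},
]

if __name__ == "__main__":
    req, pl = apply_rules(SAMPLE_REQUEST, "hello world", RULES)
    print(req)
    print("payload:", pl)
```

Because items run in order, the payload item is listed first so that {PAYLOAD} in the later request item already carries the encoded form.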


Payload Encoding



  • You can chain multiple encoders. For example, to encode the string alert(1) several times (the encoders are applied in the order listed):

    1. Plain text: alert(1)

    2. HTML-encode all characters: &#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;

    3. URL-encode all characters: %26%23%78%36%31%3b%26%23%78%36%63%3b%26%23%78%36%35%3b%26%23%78%37%32%3b%26%23%78%37%34%3b%26%23%78%32%38%3b%26%23%78%33%31%3b%26%23%78%32%39%3b

    4. Base64-encode: JTI2JTIzJTc4JTM2JTMxJTNiJTI2JTIzJTc4JTM2JTYzJTNiJTI2JTIzJTc4JTM2JTM1JTNiJTI2JTIzJTc4JTM3JTMyJTNiJTI2JTIzJTc4JTM3JTM0JTNiJTI2JTIzJTc4JTMyJTM4JTNiJTI2JTIzJTc4JTMzJTMxJTNiJTI2JTIzJTc4JTMyJTM5JTNi

  • If you choose the "URL-Encode these characters" option, you can list the characters you want to URL-encode.
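The encoder chain above, as an added example that is not BurpBounty's own code. The encoder names are the ones in the wiki; their exact behaviour here (hexadecimal HTML entities, lowercase percent-encoding of every byte, standard Base64) is inferred from the sample output, which this chain reproduces byte for byte. The "URL-Encode these characters" variant is included as well.

```python
import base64

# Added illustration of the Payload Encoding chain; not BurpBounty's own code.
# Encoder behaviour is inferred from the wiki's sample output for alert(1).


def html_encode_all(text: str) -> str:
    """Encode every character as a hexadecimal numeric entity, e.g. 'a' -> '&#x61;'."""
    return "".join(f"&#x{ord(c):x};" for c in text)


def url_encode_all(text: str) -> str:
    """Percent-encode every byte of the UTF-8 form, with lowercase hex digits."""
    return "".join(f"%{b:02x}" for b in text.encode("utf-8"))


def url_encode_these(text: str, chars: str) -> str:
    """The 'URL-Encode these characters' option: encode only the listed characters."""
    return "".join(f"%{ord(c):02x}" if c in chars else c for c in text)


def base64_encode(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


ENCODERS = {
    "HTML-encode all characters": html_encode_all,
    "URL-encode all characters": url_encode_all,
    "Base64-encode": base64_encode,
}


def encode_payload(payload: str, chain: list[str]) -> list[str]:
    """Apply the encoders in the listed order; return every stage, plain text first."""
    stages = [payload]
    for name in chain:
        stages.append(ENCODERS[name](stages[-1]))
    return stages


if __name__ == "__main__":
    chain = ["HTML-encode all characters", "URL-encode all characters", "Base64-encode"]
    for i, stage in enumerate(encode_payload("alert(1)", chain), start=1):
        print(f"{i}. {stage}")
```

Each stage feeds the next, which is why the final Base64 string is a multiple of 4 characters with no padding: the URL-encoded stage is exactly 144 bytes.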


Response

Match Type



  • Simple String: search for one or more plain strings.
  • Regex: search for a regular expression.
  • Payload: search for the payloads that were sent.
  • Payload without encode: if you encode the payload but want to search for the original, unencoded payload, choose this.
  • Timeout equal or more than: you get an issue if the response takes the specified number of seconds or more.
  • Content Length difference: this option compares the content length of the original request with the content length of the payload requests. You get an issue if the content length differs by your specified number of bytes or more.
  • Variations: looks for variations between the base response and the payload responses. If the attributes you have marked vary, you get an issue.
  • Invariations: looks for invariations between the base response and the payload responses. If the attributes you have marked stay invariant, you get an issue.

Grep Sets



  • For each payload response, each string, regex or payload (depending on the match type you chose) is searched for with the specified Grep Options.

Grep Options



  • Negative match: match when the string, regex or payload is not present in the response.
  • Case sensitive: Only match if the case matches.
  • Exclude HTTP Headers: Only match if it is in the body.
  • Only in HTTP Headers: Only match if it is in the HTTP headers.
  • Content type (or negative match): you can specify one or more content types (comma-separated) in which to search for the string, regex or payload. For example: text/plain, text/html, ...
  • Response Code (or negative match): you can specify one or more HTTP response codes (comma-separated) in which to search for the string, regex or payload. For example: 300, 302, 400, ...
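As an added example (not BurpBounty's own code), here is a matcher that applies the Simple String, Regex and Content Length difference match types together with the Grep Options above to constructed HTTP responses. It assumes a raw response string and keyword arguments named after the UI controls; the content-type and response-code lists are treated as filters that decide whether the response is searched at all.

```python
import re

# Added illustration of the Response match types and Grep Options; not BurpBounty's
# own code. Options are keyword arguments named after the UI controls.


def split_response(raw: str):
    """Return (status_code, headers_dict, header_block, body) for a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, head, body


def grep_response(raw, needle, match_type="Simple String", negative=False,
                  case_sensitive=True, exclude_headers=False, only_headers=False,
                  content_types=None, response_codes=None):
    """True when this grep should raise an issue for the response."""
    status, headers, head, body = split_response(raw)

    # Content type and response code restrict which responses are searched at all.
    if content_types:
        wanted = [ct.strip() for ct in content_types.split(",")]
        if not any(ct in headers.get("content-type", "") for ct in wanted):
            return False
    if response_codes:
        if status not in {int(c) for c in response_codes.split(",")}:
            return False

    haystack = body if exclude_headers else head if only_headers else raw
    pattern = needle if match_type == "Regex" else re.escape(needle)   # "Payload" is a literal too
    flags = 0 if case_sensitive else re.IGNORECASE
    found = re.search(pattern, haystack, flags) is not None
    return found != negative          # negative match inverts the result


def content_length_differs(base_raw: str, payload_raw: str, threshold: int) -> bool:
    """'Content Length difference': body sizes differ by threshold bytes or more."""
    base_len = len(split_response(base_raw)[3].encode("utf-8"))
    new_len = len(split_response(payload_raw)[3].encode("utf-8"))
    return abs(base_len - new_len) >= threshold


# Constructed sample responses (not captured from any real system).
BASE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: nginx/1.14.0\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)
ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: nginx/1.14.0\r\n"
    "\r\n"
    "<html><body>Warning: mysql_fetch_array() expects parameter 1</body></html>"
)

if __name__ == "__main__":
    print("error string in body:", grep_response(ERROR_RESPONSE, "mysql_fetch_array", exclude_headers=True))
    print("version in headers:", grep_response(BASE_RESPONSE, r"nginx/\d+\.\d+\.\d+", match_type="Regex", only_headers=True))
    print("HSTS missing:", grep_response(BASE_RESPONSE, "Strict-Transport-Security", only_headers=True, negative=True))
    print("length differs:", content_length_differs(BASE_RESPONSE, ERROR_RESPONSE, 10))
```

The negative match with "Only in HTTP Headers" is how a passive profile flags a missing security header, and the response-code filter keeps an error-string grep from firing on pages that return it in a 200.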

Redirections



You can choose one of four options:

  • Never: Redirects are never followed.
  • On-site Only: A redirect is followed only if its domain is the same as that of the previous request.
  • In-Scope Only: A redirect is followed only if its domain is in scope.
  • Always: Redirects are always followed.

In Max Redirections you can set the maximum number of redirects to follow.
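The four redirection options and the Max Redirections limit, as an added example that is not BurpBounty's own code. It walks a constructed redirect chain and stops where the chosen policy says to. Assumptions: "site" means the hostname of the request being followed, scope is a set of hostnames, and relative Location values are resolved against the current URL.

```python
from urllib.parse import urljoin, urlsplit

# Added illustration of the Redirections options; not BurpBounty's own code.
# Assumptions: "site" is the hostname of the current request and scope is a set of hostnames.

NEVER, ON_SITE_ONLY, IN_SCOPE_ONLY, ALWAYS = "Never", "On-site Only", "In-Scope Only", "Always"


def should_follow(policy, current_url, location, scope_hosts, hops, max_redirects):
    """Decide whether the Location header returned for current_url gets followed."""
    if hops >= max_redirects:                       # Max Redirections reached
        return False
    target_host = urlsplit(urljoin(current_url, location)).hostname or ""
    if policy == NEVER:
        return False
    if policy == ALWAYS:
        return True
    if policy == ON_SITE_ONLY:
        return target_host == urlsplit(current_url).hostname
    if policy == IN_SCOPE_ONLY:
        return target_host in scope_hosts
    raise ValueError(f"unknown redirection policy: {policy}")


def follow_chain(start_url, redirects, policy, scope_hosts, max_redirects):
    """Walk a {url: Location} map and return the URLs visited, in order."""
    visited = [start_url]
    url = start_url
    while url in redirects and should_follow(policy, url, redirects[url], scope_hosts,
                                             len(visited) - 1, max_redirects):
        url = urljoin(url, redirects[url])          # relative Location resolved here
        visited.append(url)
    return visited


# Constructed redirect chain (no real hosts): login -> /auth -> SSO host -> back home.
REDIRECTS = {
    "https://app.example/login": "/auth",
    "https://app.example/auth": "https://sso.example/start",
    "https://sso.example/start": "https://app.example/home",
}

if __name__ == "__main__":
    for policy in (NEVER, ON_SITE_ONLY, IN_SCOPE_ONLY, ALWAYS):
        chain = follow_chain("https://app.example/login", REDIRECTS, policy, {"app.example", "sso.example"}, 10)
        print(f"{policy:14} -> {len(chain) - 1} redirect(s) followed")
```

The hop counter is what keeps a cyclic redirect loop from running forever, regardless of the policy chosen.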


Issue

Issue Properties


In this section you can specify the issue that is shown when the condition matches the specified options.


Obligatory fields:

  • Issue Name.
  • Severity.
  • Confidence.



  • You can insert the matched grep string or regex and the payloads into the issue details: the <grep> tag is replaced by the greps and the <payload> tag by the payloads.

Optional fields:


  • Issue Detail.
  • Issue Background.
  • Remediation Detail.
  • Remediation Background.

Tags

  • In this section you can specify tags to organize your profiles by project, vulnerability type, framework, etc.

Set Tags



  • New Tag: Create a new tag.
  • Remove: Remove a tag from the current profile.
  • Add: Add a tag to the current profile.

Profiles Manager


In this section you can manage the profiles: filter by tag, and enable, disable or remove one or more of them.

The profiles are separated by scanner type: Active profiles, Passive Response profiles and Passive Request profiles.


Tags Manager


In this section you can specify the global tags used to organize your profiles by project, vulnerability type, framework, etc.

  • New: Create a new global tag.
  • Remove: Remove the tag from tags.txt.
  • Delete tag for all profiles: Delete the selected tag from all profiles.

Examples of vulnerabilities that you can find

The vulnerabilities identified by the included profiles, which you can customize, are:


Active Scan:

  • XSS reflected and Stored
  • SQL Injection error based
  • Blind SQL injection
  • Blind SQL injection time-based
  • XXE
  • Blind XXE
  • SSRF
  • CRLF
  • Information disclosure
  • Nginx off-by-slash vulnerability - From Orange Tsai
  • Command injection
  • Web cache poisoning
  • Blind command injection
  • Open Redirect
  • Local File Inclusion
  • Remote File Inclusion
  • Path Traversal
  • LDAP Injection
  • XML Injection
  • SSI Injection
  • XPath Injection
  • etc

Passive Response Scan

  • Security Headers
  • Cookies attributes
  • Endpoint extraction
  • Software versions
  • Error strings
  • In general any string or regular expression in the response.

Passive Request Scan

  • Interesting params and values
  • In general any string or regular expression in the request.