Burp Suite is a powerful tool used by security professionals and hackers to test the security of web applications. It contains a variety of features that allow you to find vulnerabilities in web apps and APIs, and in turn, exploit them.
While Burp Suite comes with a number of built-in tools, there are also many extensions available that extend its functionality. In this post, I'll show you seven essential Burp extensions every API hacker should consider using.
The first extension you should consider is Logger++. This extension was written by NCC Group and is designed as a replacement for the Proxy history tab with added functionality.
Requests and responses from all Burp Suite tools can be logged in real-time. The extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter. It also includes a powerful built-in grep tool to let you dig deeper into your logs.
To enable logs to be used in other systems, the table can also be uploaded to Elasticsearch or exported to CSV.
If during your recon you find API documentation for a target that follows Swagger / OpenAPI standards, you can leverage the OpenAPI Parser extension. It is designed to make it easy to parse swagger documentation and create baseline requests directly in Burp Suite.
What’s nice about this extension is that once it parses the API documentation, directly from the OpenAPI Parser tab you can right-click on any endpoint you want to attack and send it to your favorite Burp tools like Repeater or Intruder.
Ever notice that some API endpoints have optional parameters that can change how results are pulled back or modified? Many times, these parameters aren’t documented. From record set sizes to query filters, knowing the typical parameters developers use can help uncover interesting opportunities to trigger business logic flaws.
Finding these parameters can be a pain.
Param Miner is a Burp Suite extension that allows you to quickly and easily extract parameter values from requests and responses. It does this by scanning all the requests and responses in your proxy history and extracting all the parameter values it can find.
The extension then presents these values in an easy-to-read table. The data collected includes every parameter name along with its value, type, and position, and you can filter the results by type or position.
This makes it a valuable tool for quickly identifying potential hidden parameters that can alter the behavior of an API endpoint. You can also export the results to CSV for further analysis, or feed them into Intruder as a wordlist for fuzzing.
Autorize is an extension aimed at helping API hackers to detect authorization vulnerabilities, one of the more time-consuming tasks during API security testing.
I've discussed how to use Autorize to find potential authentication and authorization issues in API endpoints in the past. Basically, you give the extension the cookies of a low-privileged user and navigate the web application as a high-privileged user. The extension automatically repeats every request with the session of the low-privileged user and compares the responses to detect authorization vulnerabilities. As it tracks each request, it shows which API endpoints were called without authorization being enforced, color-coded for easy review.
It is also possible to repeat every request without any cookies in order to detect authentication vulnerabilities in addition to authorization ones. This is great to explore administrative API endpoints that have no authorization checks at all.
Easy to bag those BOLA/IDOR vulns without having to do too much work!
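To make the replay-and-compare idea above concrete, here is an added example (my own code, not Autorize's) that performs the same check: each request is sent as the high-privileged user, replayed with the low-privileged session and with no session at all, and the responses are compared. The target is a constructed in-memory API whose object endpoint deliberately lacks an ownership check, so the check should flag it while the admin endpoint passes.

```python
import json

# Constructed stand-in for a target API. Records have owners; session ids map to (user, role).
RECORDS = {"1": {"owner": "alice", "email": "alice@example.com"},
           "2": {"owner": "bob", "email": "bob@example.com"}}
SESSIONS = {"sess-admin": ("alice", "admin"), "sess-user": ("bob", "user")}

def fake_api(method, path, cookie):
    """Return (status, body) like a real server; cookie is a session id or None."""
    if cookie not in SESSIONS:
        return 401, ""
    user, role = SESSIONS[cookie]
    if path.startswith("/api/users/"):
        rec = RECORDS.get(path.rsplit("/", 1)[1])
        # Any authenticated user can read any record: the BOLA/IDOR the check should catch.
        return (200, json.dumps(rec)) if rec else (404, "")
    if path == "/api/admin/config":
        return (200, '{"debug": false}') if role == "admin" else (403, "")
    return 404, ""

def classify(high, replayed):
    """Autorize-style verdict: compare the replayed response with the privileged one."""
    if replayed == high:
        return "Bypassed!"          # identical status and body: no access control applied
    if replayed[0] in (401, 403):
        return "Enforced!"          # server explicitly refused the lower-privilege caller
    return "Is enforced???"         # differs, but not a clear refusal: review manually

def check_request(send, path, high_cookie, low_cookie, method="GET"):
    """Replay one request as the low-privileged user and unauthenticated."""
    high = send(method, path, high_cookie)
    return {"low_priv": classify(high, send(method, path, low_cookie)),
            "unauthenticated": classify(high, send(method, path, None))}

if __name__ == "__main__":
    for path in ("/api/users/1", "/api/admin/config"):
        print(path, check_request(fake_api, path, "sess-admin", "sess-user"))
```

Swapping `fake_api` for a function that sends real HTTP requests turns this into a basic Autorize-style harness; "Bypassed!" rows are the endpoints to report.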
JSON Web Token Attacker (JOSEPH)
JOSEPH is an extension that allows you to intercept and tamper with JSON Web Tokens (JWTs) as they are passed between the client and server. JWTs are becoming more and more popular as a way to secure API calls, so it’s important to be able to understand and manipulate them.
The extension provides an easy-to-use interface for editing the contents of a JWT, as well as for adding or removing signature and encryption keys. This makes it possible to test for various vulnerabilities, such as token replay attacks and signature forgery.
JOSEPH is a great tool for understanding how JWTs work and for testing for API security vulnerabilities. A complementary extension to also include is JSON Web Tokens. It lets you decode and manipulate JSON Web Tokens on the fly, check their validity, and automate common attacks.
Content Type Converter
The Burp Suite Content Type Converter extension is a handy tool that allows you to quickly and easily convert content between JSON and XML. This can be useful when you need to view or edit content in a different format, or when you need to use a specific format for input or output.
For hacking APIs, this is useful for discovering vulnerabilities that can only be found by changing the content type of a request. For example, if an API endpoint expects data in JSON format, we can convert the body to XML to see whether the application accepts XML as well. If it does, we can then look for vulnerabilities like XXE injection that would never arise in the context of the original JSON endpoint. It might also be possible to find vulnerabilities behind web application firewalls (WAFs) or other filters that assume the incoming data is in a specific format, while the application itself tolerates data in other formats.
This extension is a must-have for any API hacker working with JSON and XML content.
Attack Surface Detector
The Attack Surface Detector extension is a powerful tool that helps you to identify and understand the attack surface of your web apps and APIs under test. The extension scans all requests and responses, as well as the cookies and session data, to build a comprehensive map of all potential attack surfaces. It then color-codes each surface according to its risk level, making it easy to identify high-risk areas.
The Attack Surface Detector is an essential tool for any API hacker who wants to understand the full extent of the security risks posed by the web app in scope. The extension performs static code analysis to identify endpoints by parsing routes and identifying parameters (for supported languages and frameworks). This data is made available in Burp Suite to help improve testing coverage.
You can check out the official OWASP project page here. I find the project fascinating because it was funded through a research grant sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD).
API security is a critical concern for businesses and developers alike. In order to ensure that our APIs are secure, we need the right tools and extensions at our disposal. The extensions covered in this article provide everything from content type conversion to attack surface mapping, making them essential for any API hacker.
So don’t go into your next API assessment without them!
Want more helpful resources about API hacking? Then check out my Ultimate Guide to API Hacking Resources.