# This Feature in Burp Suite Low-Key Changes Everything

## Metadata

- **Channel:** NahamSec
- **YouTube:** https://www.youtube.com/watch?v=cy-crkgLPvI

## Contents

### [0:00](https://www.youtube.com/watch?v=cy-crkgLPvI) Segment 1 (00:00 - 05:00)

Burp introduced their Burp Suite actions a little while ago, and I've been poking around their public actions library on GitHub and, look, they are cool. They're very clever and there is some fun stuff in there, but honestly nothing really jumps out to me as a bug bounty hunter, and nothing has made me go, "Yeah, I'm slapping this thing into my daily workflow immediately." So, I finally had to sit down and ask myself the real question: what problem do I actually want to solve with custom actions to make this video? And what would make my life a whole lot easier inside of Burp Suite instead of just adding more toys that I can click on? If you're not familiar with Burp actions, think of them like tiny little helpers that are programmable inside of Burp. You can just create them however you want, and then they can do things like modify requests, run external scripts, automate repetitive tasks, or trigger whatever logic you want based on what you're intercepting. So basically, it's Burp giving you a build-your-own feature without having to write a full extension, right? So, that's just what you can do with it. For this video, I figured we can take two different angles. First, something that actually helped me find vulnerabilities, something that can surface signals or poke at the target in a way I normally have to do manually. Second, I wanted to kind of take a moment and come up with something that makes me more efficient. That's stuff that trims down the friction and speeds up the back and forth that I have between Burp Suite and my terminal while I'm hacking on a target. And don't worry, everything that I show you throughout this video will also be going into my GitHub, so you can grab them and you can use the code for free. But, full disclosure, I did vibe code these and they work. So, I'm just going to share them with you, but I have to give you that heads up before we get into this video.
So, in order to be able to get our custom actions to work, we need to import them. And to do that, all you have to do is go to your Extensions, go to your Bambda library here, and you can already see that I have my copy-to-SQLMap in here. All I can do is just import an exported file, or I can just go to New and start one from a template, or just do a blank one like I have one right here, and I've created this for this example. But what we have to do really quick before I show you the code is make sure that we set this in the right place, or otherwise it won't compile. So this is a custom action that would only work in Repeater. Otherwise, if you wanted to do something along the lines of creating something for the filters, match and replace, and things like that, you would have to go through these and set them up and make sure that you are actually using these Montoya APIs with the following objects. So, for this one, we are doing a custom action and we're going to put it in Repeater. And all this code does, as you can see, I've also broken up for you in a pretty easy way to understand it. We're just fetching the request and response. We need to have it to see where the reflection happens. Then, we're looking for reflection points and context. So whether a value that we're putting in any of our requests is going to show up in a script tag, a block tag or anything like that, or any attributes. So what this code does is, first, it's going to fetch the response and request that we have. We need that to kind of analyze it. Then we're giving it the context of where to look for the text. So we're defining things like script. We're matching for things like attributes, equal signs, and things like that. And then at the bottom, in the third section, we're actually doing a detection to see: is this value actually appearing in the response body? Count the total times and then detect the context of the first hit.
And then, of course, we're going to report it in our report formatting, showing it to us, which I'll show you in just a bit. And then, of course, at the end we're going to put that in our clipboard so we can copy the results and run it. So now that we have everything set up, again, this will be on my GitHub. You can analyze it and learn from it if you want. But to save us time, I'm going to just quickly save this. And we're going to call this the reflector detector. I don't know if that's a good name for it, but we'll leave it at that. You can see it's been immediately imported into here, and I can go to my Repeater where I have all of my requests. And all these requests that you see are different labs that I'm using from my bug bounty course right here. You don't have to purchase it. You can enjoy it with this video for free. But if you want to do it, there'll be a link down below in the comment section. But what I'm doing here is pretty much sending these requests. And once it is set, I can see the response, and I can go into here and load my reflector detector. So it is in there now. You can see it's ready. And each time I want to test this out, all I have to do is press play right here. And you can see it says "analysis copied to clipboard". If I just paste the results in here, you can see that the value test123 has been shown one time inside of an HTML attribute, and it tells you where it is. So I can see that it is in an input right there. So it's inside of an attribute, as we expected. The same thing: we can go to our next example. I'm going to run the same exact thing. I'm going to click this. It's going to paste it for us. We can take it into our report, notes app, whatever it is. We can see in this one it's a reflected parameter. It is an HTML attribute again, value, and it is right here, and it's saying, hey, the value for name test123 has one hit. So if this was multiple, it would also do that for us as well.
And then the third one is within a script, I think, right here, where we have a name being shown in the script tag. If I run this same thing, we can see that it's saying, hey, there was one inside of a script block. This may seem really simple, especially for a lab like this that is just super simplistic and is only one point of entry. But imagine you're testing 20 different variables and it's a massive page that is just showing everything that you put in those different parameters within a URL or

### [5:00](https://www.youtube.com/watch?v=cy-crkgLPvI&t=300s) Segment 2 (05:00 - 10:00)

anything that you have on the page that you want to track, every single one of them. And I think you can do that easily in the response by opening up your dev tools and doing Ctrl+F and looking for it. But this just makes it a whole lot easier to just browse everything through that page and look at all the different and easy reflection points that we can use to exploit. Me being someone that looks for XSS a lot in my pentests and my bug bounty, and also analyzes where my user input goes a lot of the time, this was the reason why I built this. But also for entertainment purposes, it makes it a whole lot easier to demonstrate the power that Burp Suite has, especially for people that are like me in the web realm that want to do just quick tasks that make them efficient while doing their bug hunting. All right, that was just one of them. That was just us taking this and looking at it in the context of a bug bounty hunter and how do I just find vulnerabilities, right? Like, help me be efficient, help me analyze a response for this specific task, for example, the XSS that I'm doing. Obviously, you can take this code and edit it however you want. But then the other approach is, I catch myself a lot of times just copying the entire request from Burp Suite and saving it into a file, and then I feed it to tools like SQLMap, or maybe I feed it into an AI wrapper that I want to analyze it with AI, or even better, I want to maybe just feed it to my fuzzer, for example, and fuzz for different things, right? So, if you want to do that, you can. You can select this whole thing, copy it, go into your terminal, open up a file, and just paste it in there and do it, right? But I want to make it super easy, where I could just arbitrarily take this and feed it into a different tool. So, what I'm going to do in this example is I'm going to quickly show you this extension that I've created for my copy-to-SQLMap.
This is just going to use my user home directory, and I've given it where SQLMap belongs, or where it is. And then it's going to just run `python3 sqlmap.py`, and then it's giving it the `-r` request and `--random-agent`. Obviously, if the `-r` is something else that we wanted to do, we could do that as well. But you can just see this could easily be replaced with whatever command that we want, as long as we know where the binary file for it is. So, if you want to feed this to a Go binary like your ffuf, you can also do that in here as well. But the reason why I do this is for something like SQL injections that I want to use SQLMap to just do the detection for me, perhaps in a lot of ways. This is a whole lot easier. And let me show you what that looks like. So for this example now we have another lab, and this one is just, we're going to assume there's an SQL injection here, and we want to see if we can just convert this directly to using this with our command line or our terminal. So we're going to send this request again and it's going to do this. The response really doesn't matter in this case because, again, we're not doing anything with the response. We just want something that would rip this entire request and can just put it into another tool. So, I can just go into here and load our copy-to-SQLMap, which is what's going to do the command for us. And if I press play right here, it looks like there is an error that got sent to here. Actually, no, it is fine. It says there's no error. It's actually writing that file for us onto our machine and giving us a command. So if I go into my terminal and I paste this, you can see that it is doing the entire `python3` on my machine right here to SQLMap, doing `--random-agent` and then giving the `-r` for the request. And this is where the request is saved. So there are two things here that are really important. One is we are saving this request to a file.
So we can even skip doing the tooling and just have something that saves a request to a file if we really need that. And the second thing, it is just creating the command for us. So I don't have to type this in every single time that I want to run SQLMap. If I do this right away right here, it's going to just start doing its thing with SQLMap, and it's going to just see if it can find a vulnerability within this, and it just saves me a ton of time by doing this. The other thing that's really important here is this is just one example. I don't usually just use SQLMap for a lot of things. Like I mentioned, I have fuzzers that I use. Maybe I want to feed something to a wayback URL and see if that subdomain has something in it, or maybe I don't just use this and feed it to Param Miner and all these different tools that I use. So, it's really important for us to be able to have these different methods so that we can just be efficient and just have Burp Suite write these different command line tools or outputs for us, and we can just push one button, take that output, put it into our terminal and run it. And as you can see right now, it is just doing this and it's saying, "Yep, I am getting the ID parameter that looks to be vulnerable to an SQL injection." Obviously, this is a lab that I've created for CTFs to show you that it's vulnerable. But I want to kind of show you what the output looks like when you run something like this and how much time you save instead of doing all the, you know, clicks of copying the request, putting it somewhere, deleting it, and so on. And these are all just temporary files that we can use. And one more thing I want to show you quickly, this is just, again, an example of something really simple, and I want to kind of do this live. I didn't prep for this, but I think it would be cool for us to do this live for the video example: if I want to just send this to maybe my fuzzer. So I can just do a fuzz like this.
Make that request to be a ffuf one. Go into here, and if I know where ffuf is set up on my machine, it's probably somewhere in my Go bin, and ffuf. Go into my terminal really quick and just do an ls on go bin.

### [10:00](https://www.youtube.com/watch?v=cy-crkgLPvI&t=600s) Segment 3 (10:00 - 11:00)

Make sure ffuf is in there. Yep, there we go. So, we can just put that in there and then go all the way down here and change the entire command and make it like this. So, we are running our tool right there and we're just giving it the `-r` just to see if this works really quickly. We're going to test it. I'm going to go to terminal, run it, and let's see what went wrong with it really quickly. It looks like we do have ffuf in there. Let's see what went wrong really quickly. There is no `-u`. It could be `-request`. So, we've got to go back into ours and fix it really quick. So, the syntax is what matters. I just want to show you a live example of other things that I would do. And let's see if this works. Now, go back to our terminal. Remove everything. Still doesn't want to. And we have to also give it a wordlist. So, if I have a wordlist here somewhere, I'm just going to make one really quickly that just says test, article.php. It won't care about this. I just want to show you the syntax that I would use here if I were to just run this. And we can just do the same thing as test.txt. Again, these are all hard-coded; it should be a variable somewhere up here. Just to kind of show you the gist of this, you can see that it's going to run it for us and send all these requests immediately. Here's my challenge for you. If you're watching this video and you're going, "This seems really simple. What else can I do?" Think of all the different tools that you can create. Maybe you can find somewhere creative to do this also, honestly. Or drop me a comment and say, "Hey, I want to see different custom actions using X, Y, and Z. Maybe we can make a part two of this." This is something that I've just started playing around with, and I love the semi-automated approach that we're giving to bug bounty hunting and looking for vulnerabilities. And I think it just makes us hackers a lot more efficient. So, let me know in the comments what you think.
Do you want more content like this? As always, do me a favor. If you haven't already, hit that subscribe button, become a homie, and help us get to 200,000 homies. All right, that's it. I'll see you all in next week's video. Peace.

---
*Source: https://ekstraktznaniy.ru/video/38614*