BurpSuite

  • 400+ open source Burp plugins, 400+ posts and videos.
  • Chinese version

Directory

Resource Collection


Tools

  • [1197Star][1m] snoopysecurity/awesome-burp-extensions A curated list of amazingly awesome Burp Extensions
  • [1167Star][9d] [Py] bugcrowd/hunt A collection of extensions for Burp and ZAP
  • [108Star][2m] [Java] jgillam/burp-co2 A collection of enhancements for Portswigger's popular Burp Suite web penetration testing tool.
  • [87Star][11m] [Py] laconicwolf/burp-extensions A collection of scripts to extend Burp Suite
  • [67Star][12d] [Py] lich4/personal_script 010Editor/BurpSuite/Frida/IDA tools and scripts collection
    • 010Editor 010Editor scripts
    • ParamChecker Burp plugin
    • Frida Frida Scripts
    • IDA IDA Scripts
    • IDA-read_unicode.py When there are Chinese Unicode characters in a program, due to Python's shortcomings IDA cannot recognize them correctly; that is what my script does
    • IDA-add_xref_for_macho When you deal with a Mach-O file in IDA, you'll find that it's not easy to find an Objective-C class member function's callers and callees (because it uses msgSend instead of a direct calling convention), so we need to make some connection between the selector names and the member function pointers; that is what my script does
    • IDA-add_info_for_androidgdb When you debug Android with IDA and gdbserver, you'll find that the module list and segments are empty, while we can read the info from /proc/[pid]/,
    • IDA-trace_instruction This script traces the instruction stream in one run
    • IDA-detect_ollvm This script detects OLLVM and fixes it to some extent; applies to Android and iOS
    • IDA-add_block_for_macho This script is used to analyse the block structures present in a Mach-O file, currently targeting NSConcreteStackBlock/NSConcreteGlobalBlock; it also contains some useful tricks
  • [23Star][4y] [Java] ernw/burpsuite-extensions A collection of Burp Suite extensions
  • [16Star][9d] [Batchfile] mr-xn/burpsuite-collections burpsuite-pro burpsuite-extender burpsuite cracked-version hackbar hacktools fuzzing fuzz-testing burp-plugin burp-extensions bapp-store brute-force-attacks brute-force-passwords waf sqlmap jar

Post

Burp Component


Collaborator

Tools

Post


Intruder

Tools

  • [2081Star][1y] [BitBake] 1n3/intruderpayloads A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.

Post


Repeater

Tools

  • [66Star][19d] [Java] coreyd97/stepper A natural evolution of Burp Suite's Repeater tool
  • [52Star][29d] [Java] portswigger/stepper A natural evolution of Burp Suite's Repeater tool
  • [36Star][1m] [Kotlin] typeerror/bookmarks A Burp Suite Extension to take back your repeater tabs
  • [6Star][6y] [Perl] allfro/browserrepeater BurpSuite extension for Repeater tool that renders responses in a real browser.

Post


Extender

Tools

  • [192Star][2y] [Java] p3gleg/pwnback Burp Extender plugin that generates a sitemap of a website using Wayback Machine
  • [143Star][1y] [Java] tomsteele/burpbuddy burpbuddy exposes Burp Suite's Extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM
  • [59Star][5y] [Ruby] tduehr/buby A JRuby implementation of the BurpExtender interface for PortSwigger Burp Suite.
  • [33Star][2y] [Java] dnet/burp-oauth OAuth plugin for Burp Suite Extender
  • [28Star][2y] [Java] bit4woo/gui_burp_extender_para_encrypter Burp_Extender_para_encrypter
  • [19Star][1y] [Java] nccgroup/wcfdser-ngng A Burp Extender plugin, that will make binary soap objects readable and modifiable.
  • [15Star][4m] [Java] twelvesec/jdser-dcomp A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
  • [10Star][2y] [Py] sahildhar/burpextenderpractise Burp Extender practice
  • [6Star][2y] [Java] secureskytechnology/burpextender-proxyhistory-webui Burp Extender: Proxy History viewer in a Web UI
  • [4Star][2y] [Java] pentestpartners/fista A Burp Extender plugin allowing decoding of fastinfoset encoded communications.
  • [3Star][6y] [Java] directdefense/noncetracker A Burp extender module that tracks and updates nonce values per a specific application action.

Post


Macros

Tools

Post


Extractor


Spider

Platform


Web

WAF

Tools

  • [421Star][10m] [Java] nccgroup/burpsuitehttpsmuggler A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
  • [269Star][3y] [Java] codewatchorg/bypasswaf Add headers to all Burp requests to bypass some WAF products
  • [8Star][7m] [Py] bao7uo/waf-cookie-fetcher WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.

Post

HTTP/HTTPS

Tools

  • [403Star][5m] [Java] nccgroup/autorepeater Automated HTTP Request Repeating With Burp Suite
  • [396Star][21d] [Java] portswigger/http-request-smuggler An extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks
  • [391Star][11d] [Kotlin] portswigger/turbo-intruder a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
  • [240Star][2m] [Py] m4ll0k/burpsuite-secret_finder Burp Suite extension to discover apikeys/accesstokens and sensitive data from HTTP response.
  • [128Star][15d] [Py] redhuntlabs/burpsuite-asset_discover Burp Suite extension to discover assets from HTTP response.
  • [103Star][2y] [Java] gosecure/csp-auditor Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
  • [69Star][12d] [Java] c0ny1/httpheadmodifer A Burp Suite plugin for quickly modifying HTTP packet headers
  • [54Star][6m] [Py] gh0stkey/jsonandhttpp Burp Suite plugin to convert the JSON text in a response body into HTTP request parameters.
  • [51Star][2y] [Java] netspi/burpextractor A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
  • [33Star][12m] twelvesec/bearerauthtoken This Burp Suite extender provides a solution for testing enterprise applications that include security authorization tokens in every HTTP request. Furthermore, it provides a better approach to the problem of Burp Suite automated scanning failures when authorization tokens exist.
  • [30Star][7m] [Java] bit4woo/burp-api-drops The basic flow of handling HTTP requests and responses with the Burp Suite API
  • [29Star][2m] [Java] ibey0nd/nstproxy A Burp Suite plugin that stores HTTP requests in a database
  • [13Star][5y] [Py] enablesecurity/identity-crisis A Burp Suite extension that checks if a particular URL responds differently to various User-Agent headers
  • [11Star][3y] [Ruby] crashgrindrips/burp-dump A Burp plugin to dump HTTP(S) requests/responses to a file system
  • [8Star][2y] [Py] andresriancho/burp-proxy-search Burp suite HTTP history advanced search
  • [8Star][7y] [Java] cyberisltd/post2json Burp Suite Extension to convert a POST request to JSON message, moving any .NET request verification token to HTTP headers if present
  • [8Star][3y] [Java] eonlight/burpextenderheaderchecks A Burp Suite Extension that adds Header Checks and other helper functionalities
  • [6Star][2y] [Java] stackcrash/burpheaders Burp extension for checking optional headers
  • [6Star][2m] [Java] iamaldi/rapid Rapid is a Burp extension that enables you to save HTTP requests/responses to a file in a user-friendly text format much faster.
  • [5Star][3y] [Py] floyd-fuh/burp-collect500 Burp plugin that collects all HTTP 500 messages
  • [3Star][2y] [Py] externalist/aes-encrypt-decrypt-burp-extender-plugin-example A POC burp extender plugin to seamlessly decrypt/encrypt encrypted HTTP network traffic.

Post

XSS

Tools

  • [308Star][1y] [Java] elkokc/reflector Burp plugin able to find reflected XSS on page in real-time while browsing on site
  • [306Star][3y] [Java] nvisium/xssvalidator This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
  • [166Star][4m] [Py] wish-i-was/femida Automated blind-xss search for Burp Suite
  • [102Star][1y] [Java] mystech7/burp-hunter XSS Hunter Burp Plugin
  • [48Star][11d] [Py] bitthebyte/bitblinder Burp extension helps in finding blind xss vulnerabilities
  • [34Star][3y] [Py] attackercan/burp-xss-sql-plugin Burp plugin which I used for years which helped me to find several bugbounty-worthy XSSes, OpenRedirects and SQLi.
  • [34Star][2m] [JS] psych0tr1a/elscripto XSS exploit kit/Blind XSS framework/BurpSuite extension
  • [29Star][3y] [Java] portswigger/xss-validator This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
  • [24Star][23d] [Py] jiangsir404/xss-sql-fuzz Burp Suite plugin that, with one click, automatically adds XSS/SQL payloads to all GET/POST parameters (filtering out special parameters) for fuzzing
  • [23Star][3m] [Py] hpd0ger/supertags A Burp Suite plugin for detecting hidden XSS
  • [2Star][3m] [Java] conanjun/xssblindinjector Burp plugin implementing automated blind XSS injection and XSS logging

Post

CSRF

Tools

  • [12Star][2y] [Java] ah8r/csrf CSRF Scanner Extension for Burp Suite Pro

Post

REST

Tools

Post

JWT

Tools

Post


Windows

Post


Linux

Post


Apple

Post


Android

Tools

  • [282Star][3y] [Java] mateuszk87/badintent Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
  • [12Star][21d] [JS] shahidcodes/android-nougat-ssl-intercept It decompiles the target APK and adds a security exception to accept all certificates, thus making it able to work with Burp/Charles and other tools

Post


AWS

Tools

Vulnerability


Tools


Post

Scan


Tools


Post

Fuzz


Tools


Post

SQL


Tools


Post

Logging


Tools

Payload


Tools


Post

Develop&&Debug


Tools


Post

Brute Force


Tools


Post

Captcha


Tools


Post

Encode/Decode


Tools


Post

Authenticate/Login


Tools

  • [350Star][20d] [Py] securityinnovation/authmatrix AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
  • [295Star][1m] [Py] quitten/autorize Automatic authorization enforcement detection extension for Burp Suite written in Jython, in order to ease the work of application security people and allow them to perform automatic authorization tests
  • [74Star][6m] [Java] nccgroup/berserko Burp Suite extension to perform Kerberos authentication
  • [40Star][7y] [Java] wuntee/burpauthzplugin Burp plugin to test for authorization flaws
  • [9Star][1y] [Java] sampsonc/authheaderupdater Burp extension to specify the token value for the Authentication header while scanning.
  • [0Star][2y] [Java] insighti/burpamx AMX Authorization Burp Suite Extension

Post

Brida


Tools


Post

Proxy


Tools

  • [919Star][3y] [Java] summitt/burp-non-http-extension Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
  • [354Star][2y] [Shell] koenbuyens/kalirouter intercepting kali router
  • [318Star][1m] [Java] ilmila/j2eescan a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
  • [253Star][2y] [Java] portswigger/collaborator-everywhere A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
  • [230Star][1y] [Py] audibleblink/doxycannon A poorman's proxycannon and botnet, using docker, ovpn files, and a dante socks5 proxy
  • [151Star][7m] [Py] kacperszurek/burp_wp Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy. WPScan like plugin for Burp.
  • [89Star][8m] [Java] rub-nds/burpssoextension An extension for BurpSuite that highlights SSO messages in Burp's proxy window.
  • [73Star][10d] [Py] jiangsir404/pbscan A proxy-based passive scanning system built on headless Burp Suite
  • [71Star][4m] [Java] static-flow/burpsuite-team-extension This Burpsuite plugin allows multiple web app testers to share their proxy history with each other in real time. Requests that come through your Burpsuite instance will be replicated in the history of the other testers and vice versa!
  • [49Star][2y] [Py] mrschyte/socksmon Monitor arbitrary TCP traffic using your HTTP interception proxy of choice
  • [27Star][2y] [Py] mrts/burp-suite-http-proxy-history-converter Python script that converts Burp Suite HTTP proxy history files to CSV or HTML
  • [26Star][8m] [Java] static-flow/directoryimporter A Burpsuite plugin built to enable you to import your directory brute-forcing results into Burp for easy viewing later. This is an alternative to proxying brute-forcing tools through Burp to catch the results.
  • [13Star][1y] [Java] retanoj/burpmultiproxy Burp Suite proxy-switching plugin
  • [11Star][4y] [Py] vincd/burpproxypacextension Example Burp extension allowing the use of PAC proxy configuration files
  • [5Star][3y] [Java] mrts/burp-suite-http-proxy-history-viewer Burp Suite HTTP proxy history viewer
  • [5Star][3y] [Java] netspi/jsws JavaScript Web Service Proxy Burp Plugin
  • [3Star][2y] [Kotlin] pajswigger/filter-options Burp extension to filter OPTIONS requests from proxy history
  • [2Star][1y] [Java] coastalhacking/burp-pac Burp Proxy Auto-config Extension

Post

Domain


Tools

  • [383Star][1m] [Java] bit4woo/domain_hunter A Burp Suite Extender that tries to find sub-domains, similar domains and related domains of an organization, not only a single domain!
  • [147Star][8m] [Py] codingo/minesweeper A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).
  • [133Star][4m] [Py] prodigysml/dr.-watson a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information!
  • [17Star][4m] [Java] phefley/burp-javascript-security-extension A Burp Suite extension which performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.

Post

Tools


Recent Add


Documentation

Post


Recent Add

Contribute

Contents auto-exported by our system; please raise an issue if you have any questions.