Burp extension overview

.NET Beautifier: Masks verbose parameter details in .NET requests.

Active Scan++: Extends Burp's active and passive scanning capabilities.

Add & Track Custom Issues: Create custom issues in Burp Scanner results, using predefined issue templates.

Add Custom Header: Add or update custom HTTP headers from session handling rules. Useful for JWT.

Additional CSRF Checks: Performs additional checks for CSRF vulnerabilities in a semi-automated manner.

Additional Scanner Checks: Provides some additional passive Scanner checks.

AES Payloads: Allows encryption and decryption of AES payloads in Burp Intruder and Scanner.

Attack Surface Detector: Uses static analysis to identify web app endpoints by parsing routes and identifying parameters.

AuthMatrix: Provides a simple way to test authorization in web applications and web services.

Authz: Helps test for authorization vulnerabilities.

Auto Repeater: Automatically repeats requests, with replacement rules and response diffing.

Autorize: Automatically detects authorization enforcement.

AWS Security Checks: Additional Scanner checks for AWS (Amazon Web Services) security issues; requires applying for an Amazon security service key.

Backslash Powered Scanner: Finds unknown classes of injection vulnerabilities.

Batch Scan Report Generator: Generates multiple scan reports by host with just a few clicks.

Blazer: Generates and fuzzes custom AMF messages.

Bradamsa: Generates Intruder payloads using the Radamsa test case generator.

Brida, Burp to Frida bridge: A bridge between Burp Suite and Frida to help test Android applications.

Browser Repeater: Automatically renders Repeater responses in Firefox.

Buby: Adds Ruby scripting capabilities to Burp.

Burp Chat: Enables collaborative usage of Burp using XMPP/Jabber.

Burp CSJ: Integrates Crawljax, Selenium and JUnit into Burp.

BurpelFish: Adds Google Translate to Burp's context menu.

Burp-hash: Identifies previously submitted inputs appearing in hashed form.

BurpSmartBuster: Looks for files, directories and file extensions based on current requests received by Burp Suite.

Bypass WAF: Adds headers useful for bypassing some WAF devices.

Carbonator: Provides a command-line interface to drive spidering and scanning.

Cloud Storage Tester: Tests Amazon S3, Google Storage and Azure Storage for common misconfiguration issues.

CMS Scanner: Scans for common vulnerabilities in popular CMSs.

CO2: Adds various capabilities including SQL Mapper, User Generator and Prettier JS.

Code Dx: Uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.

Collaborator Everywhere: Augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.

Command Injection Attacker: Customizable payload generator to detect and exploit command injection flaws during blind testing.

Commentator: Generates comments for selected requests based on regular expressions.

Content Type Converter: Converts JSON to XML, XML to JSON, body parameters to JSON, and body parameters to XML.

Copy as Node Request: Copies the selected requests as Node.JS request code.

Copy as PowerShell Requests: Copies the selected request(s) as PowerShell invocation(s).

Copy As Python-Requests: Copies selected request(s) as Python-Requests invocations.

Cryptojacking Mine Sweeper: Detects script includes from over 14,000 known cryptojacking domains.

CSP Auditor: Displays CSP headers for responses, and passively reports CSP weaknesses.

CSP-Bypass: Passively scans for CSP headers that contain known bypasses or other potential weaknesses.

CSRF Scanner: Passively scans for CSRF vulnerabilities.

CSRF Token Tracker: Provides a sync function for CSRF token parameters.

CSurfer: Hides and automatically handles anti-CSRF token defenses.

Custom Logger: Adds a new tab to log all requests and responses.

Custom Parameter Handler: Provides a simple way to automatically modify any part of an HTTP message.

Custom Send To: Adds a customizable "Send to..." menu to the context menu.

CustomDeserializer: Speeds up manual testing of web applications by performing custom deserialization.

CVSS Calculator: Calculates CVSS v2 and v3 scores of vulnerabilities.

Decoder Improved: A replacement for Burp Decoder with tabs, an improved hex editor, and extensibility.

Decompressor: View and modify compressed HTTP messages without changing the content-encoding.

Detect Dynamic JS: Passively checks for differing content in JavaScript files and aids in finding user/session data.

Directory Importer: Imports results from directory brute-forcing tools including GoBuster and DirSearch.

Distribute Damage: Evenly distributes scanner load across targets.

Dradis Framework: Sends Scanner issues to the Dradis collaboration and reporting framework.

ElasticBurp: Stores requests/responses in an ElasticSearch index.

Error Message Checks: Passively detects detailed server error messages.

EsPReSSO: Processes and recognizes single sign-on protocols.

ExifTool Scanner: Reads metadata from various file types (JPEG, PNG, PDF, DOC, and much more) using ExifTool.

ExtendedMacro: Provides a similar but extended version of the Burp Suite macro feature.

Faraday: Integrates Burp with the Faraday Integrated Penetration-Test Environment.

Fast Infoset Tester: Allows Burp to test applications that use Fast Infoset XML encoding.

File Upload Traverser: Checks whether file uploads are vulnerable to path traversal.

Flow: Provides a request history view for all Burp tools.

Freddy, Deserialization Bug Finder: Helps detect and exploit deserialization vulnerabilities in Java and .NET.

Git Bridge: Lets Burp users store Burp data and collaborate via git.

Google Authenticator: Generates Google Authenticator OTPs in session handling rules.

Google Hack: Lets you run Google Hacking queries and add results to Burp's site map.

GWT Insertion Points: Automatically identifies insertion points for GWT (Google Web Toolkit) requests.

Hackvertor: Converts data using a tag-based configuration to apply various encoding and escaping operations.

Handy Collaborator: Assists with using Collaborator during manual testing.

Headers Analyzer: Reports security issues in HTTP headers.

Headless Burp: Allows Burp Scanner to be automated, using Spider or an existing Site Map.

HeartBleed: Checks whether a server is vulnerable to the Heartbleed bug.

HTML5 Auditor: Scans for usage of risky HTML5 features.

HTTP Mock: Provides mock responses that can be configured, based on real ones.

HTTPoxy Scanner: Scans for the HTTPoxy vulnerability.

Identity Crisis: Checks if a particular URL responds differently to various User-Agent headers.

Image Location & Privacy Scanner: Passively scans JPEG/PNG/TIFF files for embedded GPS, IPTC, and camera-proprietary location and privacy exposures.

Image Metadata: Extracts metadata from image files.

Image Size Issues: Detects potential denial of service attacks in image retrieval functions.

Intruder File Payload Generator: Allows use of file contents and filenames as Intruder payloads.

Intruder Time Payloads: Lets you include the current epoch time in Intruder payloads.

Issue Poster: Posts discovered Scanner issues to an external web service.

J2EEScan: Adds scan checks focused on Java environments and technologies.

Java Deserialization Scanner: Performs active and passive scans to detect Java deserialization vulnerabilities.

Java Serial Killer: Performs Java deserialization attacks using the ysoserial payload generator tool.

Java Serialized Payloads: Generates Java serialized payloads to execute OS commands.

JCryption Handler: Analyzes web applications that use JCryption.

JSON Beautifier: Beautifies JSON content in the HTTP message viewer.

JSON Decoder: Displays JSON messages in decoded form.

JSON Web Token Attacker: JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper.

JSON Web Tokens: Enables Burp to decode and manipulate JSON Web Tokens.

JSWS Parser: Parses JSWS responses and generates JSON requests for all supported methods.

JVM Property Editor: Allows viewing and editing of JVM system properties.

Kerberos Authentication: Adds support for performing Kerberos authentication.

Lair: Sends Burp Scanner issues directly to a remote Lair project.

Length Extension Attacks: Performs hash length extension attacks on weak signature mechanisms.

LightBulb WAF Auditing Framework: An open source Python framework for auditing WAFs and filters.

Log Requests to SQLite: Logs every request made by Burp to an SQLite database.

Log Viewer: Lets you view log files generated by Burp in a graphical environment.

Logger++: Logs requests and responses for all Burp tools in a sortable table.

Manual Scan Issues: Allows users to manually create custom issues within the Burp Scanner results.

Match/Replace Session Action: Provides a match and replace function as a Session Handling Rule.

MessagePack: Allows conversion of MessagePack messages to/from JSON format.

Meth0dMan: Generates custom Intruder payloads based on the site map.

MindMap Exporter: Aids with documentation of OWASP Testing Guide V4 tests.

Multi Session Replay: Allows replay of requests in multiple sessions, to identify authorization vulnerabilities.

Multi-Browser Highlighting: Highlights the Proxy history to differentiate requests made by different browsers.

Nessus Loader: Parses Nessus output to detect web servers and adds them to the Site Map.

NGINX Alias Traversal: Detects NGINX alias traversal due to misconfiguration.

NMAP Parser: Parses Nmap output files and adds common web ports to Burp's target scope.

Notes: Lets you take notes and manage external documents from within Burp.

NTLM Challenge Decoder: Decodes NTLM SSP headers and extracts domain/host information.

Office Open XML Editor: Lets you edit Office Open XML files directly in Burp; useful for exploiting XXE.

OpenAPI Parser: OpenAPI parser fully compliant with the OpenAPI 2.0/3.0 Specifications (OAS). Supports both JSON and YAML formats.

Param Miner: Identifies hidden, unlinked parameters. Particularly useful for finding web cache poisoning vulnerabilities.

Paramalyzer: Improves efficiency of manual parameter analysis for web penetration tests.

ParrotNG: Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).

Payload Parser: Generates payload lists based on a set of characters that are sanitized.

Pcap Importer: Imports and passively scans Pcap files.

PDF Metadata: Provides an additional passive Scanner check for metadata in PDF files.

PDF Viewer: Allows viewing of PDF files directly within Burp.

PeopleSoft Token Extractor: Helps test PeopleSoft SSO tokens.

PHP Object Injection Check: Finds PHP object injection vulnerabilities.

Postman Integration: Integrates with the Postman tool by generating a collection file.

Protobuf Decoder: Decodes and beautifies protobuf responses.

Proxy Action Rules: Automatically forwards, intercepts and drops requests based on rules.

Proxy Auto Config: Automatically configures Burp upstream proxies to match desktop proxy settings.

PsychoPATH: A customizable payload generator suitable for detecting a variety of file path vulnerabilities.

Python Scripter: Allows execution of a custom Python script on each HTTP request and response.

Qualys WAS: Provides a way to easily push Burp Scanner findings to the Qualys Web Application Scanning (WAS) module.

Random IP Address Header: Automatically generates fake source IP address headers to evade WAF filters.

Reflected File Download Checker: Checks for reflected file downloads.

Reflected Parameters: Monitors traffic and looks for parameter values that are reflected in the response.

Reissue Request Scripter: Generates scripts to reissue selected requests.

Replicator: Helps developers replicate findings discovered in pen tests.

Report To Elastic Search: Reports issues discovered by Burp to an ElasticSearch database.

Request Highlighter: Automatically highlights different HTTP requests based on header content.

Request Minimizer: Minimizes requests by removing ad cookies, cachebusters, etc.

Request Randomizer: Places a random value into a specified location within requests.

Request Timer: Captures response times for requests made by all Burp tools.

Response Clusterer: Clusters similar responses together.

Retire.js: Integrates with the Retire.js repository to find vulnerable JavaScript libraries.

Reverse Proxy Detector: Detects reverse proxy servers.

Same Origin Method Execution: Detects same-origin method execution vulnerabilities.

SAML Editor: Adds a tab to Burp's message editor for decoding/encoding SAML messages.

SAML Encoder / Decoder: Adds a tab to Burp's main UI for decoding/encoding SAML messages.

SAML Raider: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.

SAMLReQuest: Enables you to view, decode, and modify SAML requests and responses.

Scan Check Builder: Extends the Burp active and passive scanner by creating custom scan checks with an intuitive graphical interface.

Scan manual insertion point: Does an active scan of just the insertion point defined by a selection in the UI.

Sentinel: Performs custom scanning for vulnerabilities in web applications.

Session Auth: Identifies authentication privilege escalation vulnerabilities.

Session Timeout Test: Determines server session timeout intervals.

Session Tracking Checks: Checks for the presence of known session tracking sites.

Similar Request Excluder: Improves efficiency by automatically marking similar requests as 'out-of-scope'.

Site Map Extractor: Extracts key data from the Site Map and allows export to CSV.

Site Map Fetcher: Fetches the responses of unrequested items in the site map.

Software Version Reporter: Passively reports server software version numbers.

Software Vulnerability Scanner: Software vulnerability scanner based on the Vulners.com audit API.

SpyDir: Enumerates application endpoints via a local source code repository.

SQLiPy Sqlmap Integration: Initiates SQLMap scans directly from within Burp.

SSL Scanner: Scans for SSL vulnerabilities using techniques from testssl.sh and a2sv.

Taborator: Improved Collaborator client in its own tab.

Target Redirector: Redirects requests to a new target, to cope with moved apps.

ThreadFix: Provides an interface to the ThreadFix vulnerability management platform.

Token Extractor: Extracts tokens from responses and uses them in future requests.

Token Incrementor: Increments a token in each request. Useful for parameters like username that must be unique.

TokenJar: Manages tokens and updates request parameters with current values.

Turbo Intruder: Sends large numbers of HTTP requests and analyzes the results.

Upload Scanner: Tests file uploads with payloads embedded in metadata for various file formats.

UUID Detector: Passively reports UUIDs/GUIDs observed within HTTP requests.

WAF Cookie Fetcher: Fetches JavaScript cookies into the Burp cookie jar; useful to handle WAFs.

WAFDetect: Passively detects web application firewalls from HTTP responses.

Wayback Machine: Generates a sitemap using the Wayback Machine.

WCF Deserializer: Allows Burp to view and modify binary SOAP objects.

Web Cache Deception Scanner: Detects web cache misconfigurations with Burp.

WebInspect Connector: Integrates Burp with HP WebInspect.

WebSphere Portlet State Decoder: Displays information about IBM WebSphere Portlet state.

What-The-WAF: Extends Intruder to aid in testing Web Application Firewalls.

Wordlist Extractor: Scrapes all unique words and numbers for use with password cracking.

WordPress Scanner: Finds known vulnerabilities in WordPress plugins and themes using the WPScan database.

WSDL Wizard: Scans a target server for WSDL files.

Wsdler: Parses WSDL files and generates SOAP requests to the enumerated endpoints.

XChromeLogger Decoder: Adds a new HTTP message editor tab to display X-ChromeLogger-Data in decoded form.

XSS Validator: Sends responses to a locally-running XSS-Detector server.

Yara: Integrates the Yara scanner into Burp Suite.

