• Search by APIs
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

Project: BurpSuite-Team-Extension (GitHub Link)

• BurpSuite-Team-Extension-master
  • .github
    • ISSUE_TEMPLATE
      • feature_request.md
      • bug_report.md
  • src
    • teamextension
      • Cookie.java
      • CommentFrame.java
      • RequestCommentSerializer.java
      • ScopeChangeListener.java
      • RequestCommentModel.java
      • RequestComment.java
      • SharedValues.java
      • SharedLinksModel.java
      • ScanIssue.java
      • ScannerListener.java
      • ShareRequest.java
      • CustomURLServer.java
      • MessageEditorController.java
      • BurpTCMessage.java
      • ExtensionStateListener.java
      • HttpRequestResponse.java
      • RoomMembersListModel.java
      • BurpClient.java
      • MessageType.java
      • DateDeserializer.java
      • HttpService.java
      • ProxyListener.java
      • ServerListModel.java
      • ManualRequestSenderContextMenu.java
      • Room.java
      • BurpTeamPanel.java
    • burp
      • IMessageEditorController.java
      • BurpExtender.java
      • IBurpCollaboratorClientContext.java
      • IParameter.java
      • IIntruderAttack.java
      • IMenuItemHandler.java
      • IContextMenuInvocation.java
      • IProxyListener.java
      • ITempFile.java
      • IMessageEditorTab.java
      • IInterceptedProxyMessage.java
      • IScannerListener.java
      • IExtensionStateListener.java
      • IScannerCheck.java
      • IIntruderPayloadProcessor.java
      • IMessageEditorTabFactory.java
      • IBurpExtender.java
      • IScanIssue.java
      • .DS_Store
      • IScopeChangeListener.java
      • IHttpRequestResponse.java
      • IExtensionHelpers.java
      • IHttpListener.java
      • IRequestInfo.java
      • IHttpRequestResponsePersisted.java
      • IIntruderPayloadGenerator.java
      • IResponseInfo.java
      • IScannerInsertionPointProvider.java
      • ITextEditor.java
      • IContextMenuFactory.java
      • IBurpExtenderCallbacks.java
      • IIntruderPayloadGeneratorFactory.java
      • ISessionHandlingAction.java
      • ICookie.java
      • IScannerInsertionPoint.java
      • ITab.java
      • IResponseVariations.java
      • IMessageEditor.java
      • IBurpCollaboratorInteraction.java
      • IScanQueueItem.java
      • IResponseKeywords.java
      • IHttpService.java
      • IHttpRequestResponseWithMarkers.java
    • src.iml
  • images
  • pom.xml
  • .gitmodules
  • LICENSE
  • README.md
  • .idea
    • libraries
      • R_User_Library.xml
    • BurpSuite-Team-Extention.iml
    • statistic.xml
    • sonarlint-state.xml
    • compiler.xml
    • inspectionProfiles
      • Project_Default.xml
    • uiDesigner.xml
    • misc.xml
    • kotlinc.xml
    • sonarlint.xml
    • vcs.xml
  • target
    • classes
      • teamextension
        • BurpTeamPanel$4.class
        • ManualRequestSenderContextMenu$1.class
        • RequestCommentModel$1.class
        • MessageEditorController.class
        • HttpService.class
        • ManualRequestSenderContextMenu.class
        • BurpTeamPanel$3.class
        • BurpTeamPanel$8.class
        • CustomURLServer.class
        • ExtensionStateListener.class
        • BurpTeamPanel$1.class
        • CommentFrame$1.class
        • Cookie.class
        • ScanIssue.class
        • MessageType.class
        • CommentFrame.class
        • DateDeserializer.class
        • CommentFrame$2.class
        • BurpTeamPanel$6.class
        • ScopeChangeListener.class
        • HttpRequestResponse.class
        • BurpTeamPanel$1$1.class
        • BurpTCMessage.class
        • CommentPanel.class
        • BurpClient$3.class
        • SharedValues$1.class
        • BurpTeamPanel$2.class
        • BurpClient$2.class
        • ManualRequestSenderContextMenu$2.class
        • BurpClient.class
        • ScannerListener.class
        • BurpClient$1.class
        • ProxyListener.class
        • RequestCommentModel.class
        • RequestComment.class
        • CommentsPanel.class
        • BurpTeamPanel$7.class
        • BurpTeamPanel$5.class
        • ServerListModel.class
        • SharedValues.class
        • BurpTeamPanel.class
        • SharedLinksModel.class
      • burp
        • IContextMenuInvocation.class
        • ITempFile.class
        • IIntruderPayloadGeneratorFactory.class
        • IIntruderPayloadGenerator.class
        • IScannerCheck.class
        • IBurpExtenderCallbacks.class
        • IScannerInsertionPointProvider.class
        • ITextEditor.class
        • ISessionHandlingAction.class
        • IMenuItemHandler.class
        • IProxyListener.class
        • IHttpListener.class
        • IMessageEditor.class
        • IRequestInfo.class
        • IBurpExtender.class
        • IHttpService.class
        • IScanQueueItem.class
        • IResponseVariations.class
        • IScanIssue.class
        • BurpExtender.class
        • IHttpRequestResponsePersisted.class
        • IMessageEditorTab.class
        • IHttpRequestResponseWithMarkers.class
        • ICookie.class
        • IResponseInfo.class
        • IScopeChangeListener.class
        • IIntruderPayloadProcessor.class
        • IMessageEditorController.class
        • IScannerInsertionPoint.class
        • IIntruderAttack.class
        • IBurpCollaboratorInteraction.class
        • IInterceptedProxyMessage.class
        • IBurpCollaboratorClientContext.class
        • IContextMenuFactory.class
        • IExtensionStateListener.class
        • IScannerListener.class
        • ITab.class
        • IResponseKeywords.class
        • IHttpRequestResponse.class
        • IParameter.class
        • IExtensionHelpers.class
        • IMessageEditorTabFactory.class
    • archive-tmp
      • BurpSuiteCollaborationClient.jar
    • maven-archiver
      • pom.properties

BurpSuite-Team-Extension

This Burpsuite plugin allows for multiple testers to share live/historical proxy requests, scope and repeater/intruder payloads with each other in real time allowing for truly collaborative web app testing. When connected to the Team Sever and in a Team Room all requests coming through your Burp client are shared with the other testers in the room and vice-versa!

Request from clients to target propegated to other clients

Response from target to clients propegated to other clients

Features

• Real time request/response pairs shared between all clients

• Mutual TLS Encryption of all traffic between client and server

• Seperate Team Rooms to allow multiple teams on 1 server

• Mute individual team members or whole room

• Pause sending traffic to room

• Sync scope between all clients in a room

• Share Repeater/Intruder payloads with individual team members or whole room

• Share specific request/response pairs with individual team members or whole room

• Generate shareable links to Burp Suite Requests that can be shared outside of Burp Suite

• Add comments to Burp Suite requests that are v iewable by other teammates

• Automatic sharing of discovered Cookies

• Automatic sharing of discovered Passive/Active scan findings

• Configure sharing of all requests or just in scope ones

• Configure sharing/receiving Cookies

• Configure sharing/receiving Issues

• Save connection settings

How it works

There are two parts that make this collaborative web app testing possible. 1st is obviously a Burpsuite Plugin that uses the APIs to capture request/response pairs and ferry them to the server and receive other clients traffic. It is the main UI that users see when using this tool. 2nd is a lightweight server written in GO which manages the connections between the clients and the rooms.

How to start the Server

go get github.com/AonCyberLabs/BurpSuiteTeamServer/cmd/BurpSuiteTeamServer
cd ~/go/src/github.com/AonCyberLabs/BurpSuiteTeamServer/
go get ./...
go install ./...
~/go/bin/BurpSuiteTeamServer -h

Output:

Usage of BurpSuiteTeamServer:
  -host string
        host for TLS cert. Defaults to localhost (default "localhost")
  -port string
        http service address (default "9999")
  -serverPassword string
        password for the server

How to install the Burpsuite plugin

The jar file is prebuilt for you within the build/jar folder. To use the prebuilt jar:

1. Start Burpsuite
2. Navigate to the Extender tab
3. Click add and select the jar file from the git repository
4. New Burpsuite tab titled "Burp TC" should appear

How to use Burp Team Server Features

Server Actions

These actions can be taken by a client that has connected to a server

Connect to server

1. Navigate to the "Burp TC" tab
2. Enter a chosen username, the server IP address, port and server password (if required)
3. Navigate to the "Configuration" tab within the "Burp TC" tab
4. Using the "Select Certificate" file selection button, pick the server certificate generated when the server started
5. Using the "Select Certificate Key" file selection button, pick the server certificate key generated when the server started

6. Click the "Connect" button

   Disconnect from server

7. Click the "Disconnect" button

   Create a new room

8. Click the "New Room" button
9. Enter a room name
10. If desired, enter a room password

11. Click "Ok"

    Join a room

12. The middle right panel will show current server rooms or "No rooms currently" if none exist
13. Right click on the desired room and click "Join"

14. If a password is required a prompt will show, enter the room password

    Room Actions

    These actions can be taken by a client that has connected to a server and joined a room

    Leave a room

15. Click the "Leave Room" button

    Pause sending data to server

16. Click the "Pause" button

    Unpause sending data to server

17. Click the "Unpause" button

    Mute individual team member

18. The middle right panel will show current room members

19. Right click on the desired room and click "Mute"

    Unmute individual team member

20. The middle right panel will show current room members

21. Right click on the desired room and click "Unmute"

    Mute all team members

22. Click the "Mute All" button

    Unmute all team members

23. Click the "Unmute All" button

    Set room scope

    (This can only be done by the client that starts the room)

24. Use the Target tab to set the Burpsuite scope as desired

25. Within the "Burp TC" tab click the "Set Room Scope" button

    Get room scope

26. Click the "Get Room Scope" button

    Tool Actions

    These actions apply to Burpsuite tools outside of the "Burp TC" tab

    Share a Repeater payload with whole Team

27. Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"

28. Select "To Group"

    Share a Repeater payload with Team member

29. Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"
30. Mouse over "To Teammate"

31. Select the name of the desired team member

    Share an Intruder payload with whole Team

32. Within the Intruder tap navigate to the "Positions" tab
33. Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"

34. Select "To Group"

    Share an Intruder payload with Team member

35. Within the Intruder tap navigate to the "Positions" tab
36. Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"
37. Mouse over "To Teammate"

38. Select the name of the desired team member

    Share a Proxy Request with whole Team

39. Within the Target tap navigate to the "Site map" tab
40. Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"

41. Select "To Group"

    Share a Proxy Request with Team member

42. Within the Target tap navigate to the "Site map" tab
43. Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"
44. Mouse over "To Teammate"
45. Select the name of the desired team member

Custom Actions

Generate shareable links as a URL

1. Right click inside a repeater tab and select "create link"
2. Navigate to the "Shared Links" tab within the "Burp TC" extension tab

3. Right click on the link you would like to share and select "Get link"

   Generate shareable links as a HTML link

4. Right click inside a repeater tab and select "create Link"
5. Navigate to the "Shared Links" tab within the "Burp TC" extension tab

6. Right click on the link you would like to share and select "Get HTML Link"

   Remove generated link

7. Right click inside a repeater tab and select "create link"
8. Navigate to the "Shared Links" tab within the "Burp TC" extension tab

9. Right click on the link you would like to share and select "Remove link"

   Start commenting on request

10. Right click on a Proxy history line or a request inside the Site Map
11. Select "Comments"

12. The comment UI will appear, enter your comment in the bottom textfield and hit enter

    View comments on request

13. Navigate to the "Comments" tab within the "Burp TC" extension tab

14. Double click on any threads listed in the list of comments to open the Comment UI and begin commenting

    Set server certificate

15. Navigate to the "Configuration" tab within the "Burp TC" extension tab
16. Click the "Select Cetificate" button

17. Using the file picker, select the "BurpServer.pem" file generated by the server

    Set server certificate key

18. Navigate to the "Configuration" tab within the "Burp TC" extension tab
19. Click the "Select Cetificate Key" button

20. Using the file picker, select the "BurpServer.key" file generated by the server

    Configure sharing only in-scope requests

21. Navigate to the "Configuration" tab within the "Burp TC" extension tab

22. Uncheck the "Share all requests" check-box

    Configure sending discovered issues

23. Navigate to the "Configuration" tab within the "Burp TC" extension tab

24. Uncheck the "Share issues" check-box

    Configure sending discovered cookies

25. Navigate to the "Configuration" tab within the "Burp TC" extension tab

26. Uncheck the "Share cookies" check-box

    Configure receiving discovered issues

27. Navigate to the "Configuration" tab within the "Burp TC" extension tab

28. Uncheck the "Receive shared issues" check-box

    Configure receiving discovered cookies

29. Navigate to the "Configuration" tab within the "Burp TC" extension tab
30. Uncheck the "Receive shared cookies" check-box