Introduction

The Community edition of Burp Suite supports several extensions, although the choice is more limited than in the Professional edition. Some of the Professional edition extensions can be extremely useful for bug bounty hunters and pentesters alike, but the Community edition certainly has some useful extensions as well.

Add custom headers

Sometimes our targets require us to add custom headers. This useful extension allows us to do that easily.

Autorize

This amazing extension allows us to easily test for broken access control (BAC) and insecure direct object references (IDOR). We have a separate chapter on this extension.

Bypass WAF

This extension adds headers to all Burp requests to bypass some WAF products. The following headers are automatically added to all requests:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Headless mode

This extension allows you to run Burp Suite's Spider and Scanner tools in headless mode via the command-line. It can: