HUNT: HUNT Burp Suite Extension
HUNT is a Burp Suite extension to:
- Identify common parameters vulnerable to certain vulnerability classes.
- Organize testing methodologies inside of Burp Suite.
This extension does not test these parameters but rather alerts on them
so that a bug hunter can test them manually (thoroughly). For each class
of vulnerability, Bugcrowd has identified common parameters or
functions associated with that vulnerability class. We also provide
curated resources in the issue description to do thorough manual testing
of these vulnerability classes.
This extension also allows testers to send requests and responses to a
Burp tab called “HUNT Methodology”. This tab contains a tree on the left
side that is a visual representation of your testing methodology. By
sending requests/responses here, testers can organize their work or attest
to having done manual testing in that section of the application or to
having completed a certain methodology step.
Getting Started with HUNT
- First ensure you have the latest standalone Jython JAR set up under “Extender” -> “Options”.
- Add HUNT via “Extender” -> “Extensions”.
- HUNT Scanner will begin to run across traffic that flows through the proxy. It is triggered on:
  - First request of an active scan
  - Proxy requests
  - Any time “Do a passive scan” is selected from the context menu
  - On every active scan response
  - On Repeater responses
  - On Intruder responses
  - On Sequencer responses
  - On Spider responses
HUNT Scanner Vulnerability Classes
- SQL Injection
- Local/Remote File Inclusion & Path Traversal
- Server Side Request Forgery & Open Redirect
- OS Command Injection
- Insecure Direct Object Reference
- Server Side Template Injection
- Logic & Debug Parameters
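The alert-only behaviour described above (flag a parameter by name, leave the testing to a human) across the vulnerability classes listed, as an added stand-alone example that is not HUNT's own code: the per-class name lists, the `tokens`/`classify`/`scan_request` helpers and the sample request are all constructed for illustration, and a real Burp check would read parameters from `IRequestInfo.getParameters()` instead of parsing the URL itself.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative per-class name lists (constructed for this example; HUNT
# ships its own curated lists, which are not reproduced here).
PARAM_CLASSES = {
    "SQL Injection": {"id", "query", "sort", "order", "where", "table"},
    "LFI/RFI & Path Traversal": {"file", "path", "dir", "include", "page"},
    "SSRF & Open Redirect": {"url", "redirect", "next", "dest", "callback"},
    "OS Command Injection": {"cmd", "exec", "command", "ping"},
    "Insecure Direct Object Reference": {"id", "user", "account", "doc"},
    "Server Side Template Injection": {"template", "view", "preview", "name"},
    "Logic & Debug Parameters": {"debug", "test", "admin", "enable"},
}

def tokens(name):
    """Split a parameter name such as redirect_url, user[id] or fileName
    into lower-case words so compound names still match a list entry."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name)
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", spaced) if t}

def extract_params(url, body=""):
    """Parameter names from the query string and a form-encoded body.
    (Inside Burp the check would take IRequestInfo.getParameters().)"""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return names

def classify(params):
    """Map each vulnerability class to the parameters whose name tokens
    appear in its list. This only flags candidates for manual review;
    nothing is sent to the target."""
    hits = {}
    for p in sorted(params):
        for cls, words in PARAM_CLASSES.items():
            if words & tokens(p):
                hits.setdefault(cls, []).append(p)
    return hits

def scan_request(url, body=""):
    return classify(extract_params(url, body))

if __name__ == "__main__":
    # Constructed sample request; note fileName lands in two classes,
    # which is why the alerts need a human to confirm or discard them.
    for cls, ps in sorted(scan_request(
            "https://example.test/report?id=7&sort=asc&debug=1",
            "redirect_url=%2Fhome&fileName=a.txt").items()):
        print(f"[HUNT-style alert] {cls}: {', '.join(ps)}")
```

A name like `id` matching both the SQL Injection and IDOR lists is expected: the output is a to-do list for manual testing, not a finding.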
Authors
- JP Villanueva
- Jason Haddix
- Ryan Black
- Fatih Egbatan
- Vishal Shah