This extension contains various modules for enhancing Burp's capabilities.
Warning: take care scanning untrusted sites. The SQLMapper component has had command injection flaws in the past.
The extension has its own configuration tab with sub-tabs for each Co2 module.
Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
Co2 includes the following modules:
SQLMapper, a sqlmap helper.
Simply right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper.
The SQLMapper screen will appear pre-populated with the URL, POST data (if applicable) and Cookies (if applicable) from the request.
You can then set any other options you need and then copy/paste the SQLMap Command to sqlmap on your command line.
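The warning above matters because the pasted command is built from values the scanned site can influence (URL, POST data, cookies). The following is an added example, not Co2's code and not a reconstruction of its past flaws: it assumes the risk arises when such values are interpolated into a shell command string, and compares double-quote concatenation with per-argument quoting. The function names and sample values are hypothetical; `-u`, `--data` and `--cookie` are sqlmap options.

```python
import shlex

# Constructed request fields, as a proxy might capture them. The cookie value
# is chosen by the (untrusted) site and contains shell metacharacters.
URL = "http://target.example/item.php?id=1&cat=2"
DATA = "name=a&comment=it's"
COOKIE = 'sid=abc"; echo INJECTED; "'


def intended_argv(url, data=None, cookie=None):
    """Argument vector the tester means sqlmap to receive."""
    argv = ["sqlmap", "-u", url]
    if data:
        argv += ["--data", data]
    if cookie:
        argv += ["--cookie", cookie]
    return argv


def naive_command(url, data=None, cookie=None):
    """Weak pattern: wrap values in double quotes and concatenate."""
    parts = [f'sqlmap -u "{url}"']
    if data:
        parts.append(f'--data "{data}"')
    if cookie:
        parts.append(f'--cookie "{cookie}"')
    return " ".join(parts)


def quoted_command(url, data=None, cookie=None):
    """Hardened pattern: shlex.quote every argument (POSIX shells only)."""
    return " ".join(shlex.quote(a) for a in intended_argv(url, data, cookie))


def survives_paste(command, url, data=None, cookie=None):
    """True if a POSIX-style parse yields exactly the intended arguments.

    shlex.split only tokenizes; nothing is executed.
    """
    try:
        return shlex.split(command) == intended_argv(url, data, cookie)
    except ValueError:  # unbalanced quotes
        return False


if __name__ == "__main__":
    for build in (naive_command, quoted_command):
        cmd = build(URL, DATA, COOKIE)
        print(build.__name__, survives_paste(cmd, URL, DATA, COOKIE), cmd)
```

The round-trip check catches quote breakouts only; it does not model expansions such as `$(...)` inside double quotes, which single-quoting via `shlex.quote` also neutralizes.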
User Generator -
For this one I collected publicly available census data from http://www.census.gov/genealogy/www/data/2000surnames/ (for surnames)
and popular baby names from the Social Security website (http://www.ssa.gov/OACT/babynames/) to make a username generator based on this statistical data.
The interface allows you to tinker with the data sets a little bit, specify if you want full names, initials, a delimiter between first and last names, etc.
The tool will approximate which name combinations are the most common and sort the list accordingly.
The result set is currently limited to the top 200,000 names to avoid performance issues.
Name Mangler -
Given some names and domains it will mangle them to generate a list of potential usernames that can be dropped into
Intruder to test for valid logins.
Based on Digininja's command-line CeWL script for extracting a wordlist from HTML files, this version works with a list of responses
directly inside of Burp.
Masher - Given a seed list of words and a password specification this tool will generate a fuzzy list of possible
passwords. Masher will start by combining words from the provided list, then append and replace characters to build
BasicAuther - Given a list of usernames and a list of passwords it will output proper BasicAuth strings
that can then be dropped into Intruder.
20 July 2017
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
You can view the source code for this BApp by visiting our GitHub page.