1. Support Center
  2. BApp Store
  3. CO2
Professional Community


This extension contains various modules for enhancing Burp's capabiities.

Warning: take care scanning untrusted sites. The SQLMapper component has had command injection flaws in the past.

The extension has its own configuration tab with sub-tabs for each Co2 module. Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.

O2 includes the following modules:

  • SQLMapper, a sqlmap helper. Simply right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper. The SQLMapper screen will appear pre-populated with the URL, POST data (if applicable) and Cookies (if applicable) from the request. You can then set any other options you need and then copy/paste the SQLMap Command to sqlmap on your command line.
  • User Generator - For this one I collected publicly available census data from http://www.census.gov/genealogy/www/data/2000surnames/ (for surnames) and popular baby names from the social security website (http://www.ssa.gov/OACT/babynames/) to make a username generator based on this statistical data. The interface allows you to tinker with the data sets a little bit, specify if you want full names, initials, a delimiter between first and last names, etc. The tool will approximate which name combinations are the most common and sort the list accordingly. The result set is currently limited to the top 200,000 names to avoid performance issues.
  • Name Mangler - Given some names and domains it will mangle them to generate a list of potential usernames that can be dropped into Intruder to test for valid logins.
  • CeWLer - Based on Digininja's command-line CeWL script for extracting a wordlist from HTML files, this version works with a list of responses directly inside of Burp.
  • Masher - Given a seed list of words and a password specification this tool will generate a fuzzy list of possible passwords. Masher will start with combining words from the provided list, then append and replace characters to build new passwords.
  • BasicAuther - Given a list of usernames and a list of passwords it will output proper BasicAuth strings that can then be dropped into Intruder.
Author Jason Gillam
Version 1.1.12
Last updated 20 July 2017

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore