malerisch.net

I have received many questions on how to properly handle authentication when using BurpCSJ , so here is a short tutorial on how to properly manage authentication. If you are looking for how to use this Burp extension, here is a basic tutorial  as well. In this post, we are going to use BurpCSJ against the Altoro bank (vulnerable web application made on purpose), which is available online here: http://demo.testfire.net/ First, start clean (the reasons will be clear at the end of this tutorial): - Start Burp; - Start browser and configure proxy settings to work with Burp; - Browse to target site: http://demo.testfire.net/ - Perform login: user: jsmith - password: Demo1234 - Check Burp cookie jar (under options/sessions), this should be populated with some cookies: - Configure BurpCSJ (Crawljax tab) and make sure that "Use Manual Proxy" is ticked and it is pointing to Burp and that the "Use cookie jar" option is ticked as well: - Start/Launch Bur

As part of my research and talk titled " Augmented Reality in your web proxy " presented during the HackPra AllStars program / OWASP AppSec EU 2013   security conference in Hamburg, I decided to release a new Burp Pro extension which integrates  Crawljax , Selenium and JUnit . I decided to take this approach to increase application spidering coverage (especially for Ajax web apps), speed up complex test-cases and take advantage of the Burp Extender API . Downloads BurpCSJ extension JAR - download (all dependencies included) BurpCSJ source code - github "Augmented Reality in your web proxy" - presentation (slideshare) Getting started Download BurpCSJ ; Load BurpCSJ extension jar via the Extender tab; Choose the URL item from any Burp tab (e.g. target, proxy history, repeater);  Right click on the URL item; Choose menu item "Send URL to Crawljax"; Crawljax will automatically start crawling the URL that you choose. Tutorials

This is a simple tutorial to get you started with BurpCSJ and Crawljax. Installation is easy - just download the BurpCSJ and import it in Burp via the extender tab, as shown below: Extender -> Add -> Choose File Once the extension is loaded, two new tabs will appear on the right side: Start crawling To start crawling, grab an URL item from any Burp tab (e.g. proxy history), right-click on the item and choose "Send to URL to Crawljax", as shown below: After this, Crawljax session will start based on settings configured via the Crawljax tab. It is always recommended to choose a web root URL item for Crawljax e.g. http://yoursite.xxx/ instead of a specific page or folder. This is typically the URL that you have configured under Target/Scope in Burp. Crawling with a different browser Under the Crawljax tab, it possible to configure the path to the browser drivers, proxy settings and other options for Crawljax. If you need to use a d