BurpSuite-Team-Extension
This Burpsuite plugin allows for multiple testers to share live/historical proxy requests, scope and repeater/intruder payloads with each other in real time allowing for truly collaborative web app testing. When connected to the Team Sever and in a Team Room all requests coming through your Burp client are shared with the other testers in the room and vice-versa!
Request from clients to target propegated to other clients
Response from target to clients propegated to other clients
Features
Real time request/response pairs shared between all clients
Mutual TLS Encryption of all traffic between client and server
Seperate Team Rooms to allow multiple teams on 1 server
Mute individual team members or whole room
Pause sending traffic to room
Sync scope between all clients in a room
Share Repeater/Intruder payloads with individual team members or whole room
Share specific request/response pairs with individual team members or whole room
Generate shareable links to Burp Suite Requests that can be shared outside of Burp Suite
Automatic sharing of discovered Cookies
Automatic sharing of discovered Passive/Active scan findings
Configure sharing of all requests or just in scope ones
Configure sharing/receiving Cookies
Configure sharing/receiving Issues
Save connection settings
How it works
There are two parts that make this collaborative web app testing possible. 1st is obviously a Burpsuite Plugin that uses the APIs to capture request/response pairs and ferry them to the server and receive other clients traffic. It is the main UI that users see when using this tool. 2nd is a lightweight server written in GO which manages the connections between the clients and the rooms.
How to start the Server
You can download the prebuilt Linux binary from the github Release
Or you can build it manually like so:
go get github.com/Static-Flow/BurpSuiteTeamServer/cmd/BurpSuiteTeamServer
cd ~/go/src/github.com/Static-Flow/BurpSuiteTeamServer/
go get ./...
go install ./...
~/go/bin/BurpSuiteTeamServer -h
How to install the Burpsuite plugin
The jar file is prebuilt for you within the build/jar folder. To use the prebuilt jar:
- Start Burpsuite
- Navigate to the Extender tab
- Click add and select the jar file from the git repository
- New Burpsuite tab titled "Burp TC" should appear
How to use Burp Team Server Features
Server Actions
These actions can be taken by a client that has connected to a server
Connect to server
- Navigate to the "Burp TC" tab
- Enter a chosen username, the server IP address, port and server password (if required)
- Navigate to the "Configuration" tab within the "Burp TC" tab
- Using the "Select Certificate" file selection button, pick the server certificate generated when the server started
- Using the "Select Certificate Key" file selection button, pick the server certificate key generated when the server started
Click the "Connect" button
Disconnect from server
Click the "Disconnect" button
Create a new room
- Click the "New Room" button
- Enter a room name
- If desired, enter a room password
Click "Ok"
Join a room
- The middle right panel will show current server rooms or "No rooms currently" if none exist
- Right click on the desired room and click "Join"
If a password is required a prompt will show, enter the room password
Room Actions
These actions can be taken by a client that has connected to a server and joined a room
Leave a room
Click the "Leave Room" button
Pause sending data to server
Click the "Pause" button
Unpause sending data to server
Click the "Unpause" button
Mute individual team member
- The middle right panel will show current room members
Right click on the desired room and click "Mute"
Unmute individual team member
- The middle right panel will show current room members
Right click on the desired room and click "Unmute"
Mute all team members
Click the "Mute All" button
Unmute all team members
Click the "Unmute All" button
Set room scope
(This can only be done by the client that starts the room)
- Use the Target tab to set the Burpsuite scope as desired
Within the "Burp TC" tab click the "Set Room Scope" button
Get room scope
Click the "Get Room Scope" button
Tool Actions
These actions apply to Burpsuite tools outside of the "Burp TC" tab
Share a Repeater payload with whole Team
- Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"
Select "To Group"
Share a Repeater payload with Team member
- Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"
- Mouse over "To Teammate"
Select the name of the desired team member
Share an Intruder payload with whole Team
- Within the Intruder tap navigate to the "Positions" tab
- Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"
Select "To Group"
Share an Intruder payload with Team member
- Within the Intruder tap navigate to the "Positions" tab
- Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"
- Mouse over "To Teammate"
Select the name of the desired team member
Share a Proxy Request with whole Team
- Within the Target tap navigate to the "Site map" tab
- Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"
Select "To Group"
Share a Proxy Request with Team member
- Within the Target tap navigate to the "Site map" tab
- Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"
- Mouse over "To Teammate"
- Select the name of the desired team member
Custom Actions
Set server certificate
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Click the "Select Cetificate" button
Using the file picker, select the "BurpServer.pem" file generated by the server
Set server certificate key
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Click the "Select Cetificate Key" button
Using the file picker, select the "BurpServer.key" file generated by the server
Generate shareable links as a URL
- Right click inside a repeater tab and select "create link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
Right click on the link you would like to share and select "Get link"
Generate shareable links as a HTML link
- Right click inside a repeater tab and select "create Link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
Right click on the link you would like to share and select "Get HTML Link"
Remove generated link
- Right click inside a repeater tab and select "create link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
Right click on the link you would like to share and select "Remove link"
Configure sharing only in-scope requests
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
Uncheck the "Share all requests" check-box
Configure sending discovered issues
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
Uncheck the "Share issues" check-box
Configure sending discovered cookies
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
Uncheck the "Share cookies" check-box
Configure receiving discovered issues
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
Uncheck the "Receive shared issues" check-box
Configure receiving discovered cookies
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Receive shared cookies" check-box