Whenever performing any security assessment, identifying the Attack Surface is one of the first and foremost tasks. As they say, you can’t secure what is not known to you.
As mentioned in one of our previous tool releases, for web application pentests we always use our BurpSuite Extension – Asset Discover to identify whether there are any other related assets that should be part of the scope. Another prominent technique that has helped us uncover critical security issues in our pentests and bug hunting journeys is looking at the history of the identified/target assets, for which one of the tools that we use is waybackurls by Tom Hudson.
During an assessment recently, we realized that this is something we need to do each time, so why not automate this and make it a part of the process? Hence, we created a BurpSuite Extension which could quickly track the history of the assets in scope, and we came up with ‘Asset History’. The idea of the extension is to have a quick and easy way to track historic details of an asset in the Burp interface without the need to run another command or invoke another interface.
Extension Name: Asset History
Download Link: https://github.com/redhuntlabs/BurpSuite-Asset_Discover
Scanner Mode: Passive
Many times this will help uncover URLs/parameters which you might not discover while crawling the application, because the website no longer links to these pages directly even though the pages are still active (e.g. limited-time promotional code, online contest pages, etc.). Probing these hidden pages (and sometimes interesting dynamic parameters like &url=, &file=, etc.) uncovers serious security issues at times, as these are neither caught by security scanners nor identified by the teams performing such assessments.
How does it work?
The extension acts as a passive scanner which extracts the domain(s) that are in scope, identifies their historic URLs from WayBackMachine (http://web.archive.org/) and lists them under the issues section. The URLs can be easily copied from there and tested further for security issues.
The extension aims to add more such sources as well as asset types, to be a one-stop shop for all things related to the history of assets.
Please note that no crawling is done during the assessment. It uses the already crawled / historic URLs from WayBackMachine.
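The lookup described above, as an added example that is not the extension's own code: it builds a Wayback Machine CDX query for an in-scope domain, parses the JSON response, and flags archived URLs that carry parameters such as url= or file=. The use of the CDX endpoint, the function names and the sample response are assumptions made for illustration, and the code targets Python 3 rather than Burp's Jython runtime.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"  # Wayback Machine CDX API
# Assumption: parameter names worth a manual look; the post names url= and file=.
INTERESTING_PARAMS = {"url", "file"}

def cdx_query_url(domain):
    """Build the CDX query that lists archived URLs under a domain (hypothetical helper)."""
    params = {"url": domain + "/*", "output": "json",
              "fl": "original", "collapse": "urlkey"}
    return CDX_ENDPOINT + "?" + urlencode(params)

def parse_cdx_json(body):
    """Return the 'original' column of a CDX JSON response, de-duplicated, in order."""
    rows = json.loads(body) if body.strip() else []
    if not rows:
        return []  # an empty archive answers with no rows at all
    idx = rows[0].index("original")  # first row is the column header
    return list(dict.fromkeys(row[idx] for row in rows[1:]))

def triage(urls, scope_host):
    """Keep in-scope URLs and note which carry parameters worth reviewing."""
    findings = []
    for u in urls:
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        if host != scope_host and not host.endswith("." + scope_host):
            continue  # archived results can include hosts outside the scope
        params = set(parse_qs(parts.query, keep_blank_values=True))
        findings.append((u, sorted(params & INTERESTING_PARAMS)))
    return findings

# Constructed sample response (not real archive data).
SAMPLE = json.dumps([
    ["original"],
    ["http://shop.example.com/promo/summer-contest"],
    ["http://shop.example.com/download?file=brochure.pdf"],
    ["http://shop.example.com/out?url=http://partner.example.org/&id=7"],
    ["http://shop.example.com/promo/summer-contest"],
    ["http://cdn.example.net/lib.js"],
])

if __name__ == "__main__":
    for url, flagged in triage(parse_cdx_json(SAMPLE), "example.com"):
        print(url, "-> review:", ", ".join(flagged) if flagged else "-")
```

In live use the body passed to parse_cdx_json would be the response fetched from cdx_query_url(domain); the scope check matters because archive results can contain hosts that were never part of the engagement.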
To use the extension, start the BurpSuite application and set up a Python environment by providing the jython.jar file in the Options tab under Extender.
Now perform the following steps:
- Download the extension.
- In the ‘Extensions’ tab under Extender, select Add.
- Change the extension type to Python.
- Provide the path of the file Asset_History.py, as shown in the figure below.
Once imported, the extension will be listed in the Burp Extensions (under the Extensions tab).
Now that the setup is complete, let’s pick a target application and add the URL to the scope. While you do manual testing or browse through the website, the extension will use the passive scanner to make a request to WayBackMachine (web.archive.org), identify historic URLs and list them under the Issues section.
The issues reported will appear as ‘Asset History: URL’ with a nested list of identified historic URLs. Voila!
For this first release we have added only WayBackMachine, however, there are a few future development ideas that we plan to add, such as:
- Adding AlienVault Open Threat Exchange
- Adding Domain History
- Adding IP History
- Handle Errors/Exceptions
- Remove False Positives etc.