This Burp Suite plugin allows for two or more Burp Suite users to share web traffic, findings and specific requests in real time. Users can share cookies, active and passive findings, repeater payloads, and generic burp traffic to enable collaboration on application security engagements without ever leaving Burp. The extension and its required server can be found here: https://github.com/AonCyberLabs/BurpSuite-Team-Extension
As a part of my job performing application security tests for clients, I often have to work with other testers when the scope is too large for one person to handle in an acceptable time. These co-testers are often not in close physical proximity, which means to collaborate with them I generally either use a chat service or call them on the phone. It was after a particularly taxing week of testing, which required constant messaging back and forth, that I decided to look for a better solution. A weekend of searching later, still without a solution, I decided to take the initiative and build it myself. Thus was born the Burp Suite Team Collaborator Plugin!
Current Collaboration Abilities in Burp Suite
None. Okay I kid, there’s one, but you aren’t going to like it. Say you want to get me caught up on a project that’s already a week underway, how would you send me all those historical requests? The answer is Burp Suite’s project export functionality which exports the whole project at the time you click export and saves it for storage. This certainly works but comes with a downside. The files are massive! For projects over a few days they can be on the order of gigabytes. That rules out email and eats into a significant chunk of chat applications storage quotas which leaves you with just enterprise file sharing platforms. These should require 2 factor logins for both you and I, along with sharing a download link. That’s all just one way! Imagine then if I spider another host in the scope and want you to have that. Time to re-export and share it back to you over that same process. This gap in collaboration support is what my plugin aims to address.
Introducing the Burp Suite Team Collaborator Plugin
The Burp Suite Team Collaborator is a two-piece client/server extension for Burp Suite that allows two or more testers to share their Burp traffic, payloads, and other associated metadata with each other in real time. Using this plugin, teams of testers around the globe can collaborate while staying within Burp Suite! The server, written in Golang, is in charge of ferrying messages between all clients and keeping track of state. The client, which the testers use to share information between each other, is the actual Burp Suite plugin and is written in Java. With that overview out of the way, let’s look at what the server and client can do to help facilitate collaboration!
Using the Plugin
Getting started with the plugin is fairly straightforward. First follow the instructions found here: https://github.com/AonCyberLabs/BurpSuite-Team-Extension/#how-to-start-the-server to get the server running. Once the server is running, follow these instructions to install the Burp Extension which acts as the client: https://github.com/AonCyberLabs/BurpSuite-Team-Extension/#how-to-install-the-burpsuite-plugin. Now that the server and client are running it’s time to connect the two together.
Connecting to a Server
Connecting to a server is very simple. First pick a unique name for yourself that will identify you to others on the server. Then enter the IP/hostname of the server and the port that it is running on. The last step is to copy the server generated password that was created at startup and paste it into the Collaborator Plugin Password field. Once all the connection info has been supplied, click “Connect” to join the server.
Creating or Joining a Room
Once you’ve joined a server, the list to the right of the connection panel will contain any rooms currently running on the server. If this list is empty, you will need to create a room to join by clicking the “New Room” button and entering a room name. If the list does contain room names, simply join one by right clicking on its name and clicking “Join”.
The server is the hub where all clients connect to begin sharing Burp Suite data between each other. It is responsible for handling the client sockets and keeping track of client’s state such as who they have muted. While not as feature-rich as the client, its features enable a more robust and secure collaboration experience.
Encryption between clients and the server is currently handled using a single shared secret with AES128 in CFB mode. This is a quick and simple implementation not intended to be relied upon in a production environment. At this time, we recommend running all clients and the server on the same trusted network. TLS support is planned for a future release.
Each server instance can support multiple rooms which can contain multiple users. This allows one server to host multiple projects simultaneously, each with their own scopes, issues, and members.
Now that the server features have been covered, let’s look at some of the features present within the plugin. We’ll look at sharing live traffic as it comes through Burp, sharing custom built repeater payloads both to those in the server with you and those outside it, sharing the contents of your cookie jar, sharing Burp discovered issues as they happen live, as well as the ability to mute other server members and pause sending your own traffic.
Sharing Live Proxy Traffic
This is the main feature and forms the bedrock of what this tool is for. When two or more testers join a room together, they can begin sharing request/response pairs that come through the Burp Suite Proxy to all other clients in real time.
Sharing Repeater Payloads
Along with sharing generic Proxy traffic between all other clients, users can manually share custom built repeater payloads with other room members or generate shareable links for use in blog posts or sending through chat applications.
Sharing with other room members
To share a repeater payload with another member, right-click within the repeater window, select “Share Repeater Payload” then select either “To Group” to share it with all room members or select the room member’s name to send it directly to them.
Sharing with External Clients
To share a custom repeater payload with another Burp Suite user who has the Team Collaborator Plugin installed but isn’t on your server, right-click within the repeater window, select “Create Link”, navigate to the “Burp TC” tab, right-click on the new URL in the bottom left table, select “Get Link” and send the generated link to whomever you wish to view it. If you wish to embed the generated link within a blog post or other HTML document, select “Get HTML Link” to generate a link wrapped in html link tags. To use these generated links, ensure you have the Team Collaborator Plugin installed then paste the link into any browser set to forward traffic through Burp. The newly imported Repeater payload will appear within the Repeater tab.
Sharing Cookie Jar Contents
This feature enables cookies added to a client’s Cookie Jar to be automatically shared between all other clients which allows quick server-wide usage of discovered accounts.
Sharing Discovered Issues
Like Proxy traffic and Cookie Jar contents, any issues discovered by Burp Suite, whether passive or active, are shared between all clients to ensure no duplicate work is performed scanning the same endpoint twice as well as ensuring a common view of issues discovered is shared by all clients.
Muting Team Members and Pausing Your Traffic
While all this collaboration is great, sometimes you may want to put it on hold without leaving the server. The Burp Suite Team Collaborator allows you to mute individual team members or the whole server to temporarily stop receiving their traffic. Is there something you are working on you don’t want shared with the whole server? Simply click the Pause button and none of your Burp Suite traffic will be sent.
While this tool is already packed full of features, there still exists room for improvement and additional features. Over the next few months, more features will be rolled out that hopefully add to the existing collaboration features. Below are a few of the features in the works:
- Sharing websocket traffic (when Burp Suite allows API access to Websockets)
- Comments on requests (to allow sharing information on a request directly in Burp Suite)
- Rebuild net code with Websockets (for a simpler communication stack)
- Create a server dashboard (to see all issues found across all clients and all projects)
- Encryption per room (to ensure one room cannot see another rooms traffic)
- Mutual TLS authentication between client & server
- Selective sharing (to cut down on bandwidth, users can pick what they send/receive)
- Configurable server listen IP and port (to not tie it to 0.0.0.0:8989)
- Allow room owners to remove members (to remove unwanted or dead clients)
- Manual project sync (allow clients to request project data from server)
- User suggestions I haven’t thought of