This Burp Suite plugin allows two or more Burp Suite users to share web traffic, findings and specific requests in real time. Users can share cookies, active and passive findings, Repeater payloads, and generic Burp traffic to enable collaboration on application security engagements without ever leaving Burp. The extension and its required server can be found here: https://github.com/AonCyberLabs/BurpSuite-Team-Extension
As a part of my job performing application security tests for clients, I often have to work with other testers when the scope is too large for one person to handle in an acceptable time. These co-testers are often not in close physical proximity, which means to collaborate with them I generally either use a chat service or call them on the phone. It was after a particularly taxing week of testing, which required constant messaging back and forth, that I decided to look for a better solution. A weekend of searching later, still without a solution, I decided to take the initiative and build it myself. Thus was born the Burp Suite Team Collaborator Plugin!
None. Okay, I kid, there is one, but you aren't going to like it. Say you want to get me caught up on a project that is already a week underway: how would you send me all those historical requests? The answer is Burp Suite's project export functionality, which saves the whole project as it exists at the moment you click export. This certainly works, but it comes with a downside: the files are massive. For projects more than a few days old they can be on the order of gigabytes. That rules out email and eats into a significant chunk of chat applications' storage quotas, which leaves you with just enterprise file-sharing platforms. These should require two-factor logins for both you and me, along with sharing a download link. And that is all just one way! Imagine then that I spider another host in the scope and want you to have that: time to re-export and share it back to you over that same process. This gap in collaboration support is what my plugin aims to address.
The Burp Suite Team Collaborator is a two-piece client/server extension for Burp Suite that allows two or more testers to share their Burp traffic, payloads, and other associated metadata with each other in real time. Using this plugin, teams of testers around the globe can collaborate while staying within Burp Suite! The server, written in Golang, is in charge of ferrying messages between all clients and keeping track of state. The client, which the testers use to share information between each other, is the actual Burp Suite plugin and is written in Java. With that overview out of the way, let’s look at what the server and client can do to help facilitate collaboration!
Getting started with the plugin is fairly straightforward. First follow the instructions found here: https://github.com/AonCyberLabs/BurpSuite-Team-Extension/#how-to-start-the-server to get the server running. Once the server is running, follow these instructions to install the Burp extension which acts as the client: https://github.com/AonCyberLabs/BurpSuite-Team-Extension/#how-to-install-the-burpsuite-plugin. Now that the server and client are running, it's time to connect the two together.
Connecting to a server is very simple. First pick a unique name for yourself that will identify you to others on the server. Then enter the IP/hostname of the server and the port that it is running on. The last step is to copy the server-generated password that was created at startup and paste it into the Collaborator Plugin Password field. Once all the connection info has been supplied, click "Connect" to join the server.
Once you've joined a server, the list to the right of the connection panel will contain any rooms currently running on the server. If this list is empty, you will need to create a room to join by clicking the "New Room" button and entering a room name. If the list does contain room names, simply join one by right-clicking on its name and clicking "Join".
The server is the hub where all clients connect to begin sharing Burp Suite data with each other. It is responsible for handling the client sockets and keeping track of each client's state, such as who they have muted. While not as feature-rich as the client, its features enable a more robust and secure collaboration experience.
Encryption between clients and the server is currently handled using a single shared secret with AES-128 in CFB mode. This is a quick and simple implementation that is not intended to be relied upon in a production environment. At this time, we recommend running all clients and the server on the same trusted network. TLS support is planned for a future release.
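To make the "not for production" caveat concrete, here is an added example (not the project's own code) that implements the shared-key AES-128-CFB scheme the post describes beside an authenticated alternative, AES-128-GCM. It assumes an IV-prepended framing, since the real server's wire format is not described here; the point it shows is that a CFB receiver cannot tell a tampered message from a genuine one, while the GCM receiver rejects any modified byte.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func mustRand(b []byte) []byte {
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do in a demo
	}
	return b
}

// SealCFB is the post's scheme: AES-CFB with a random IV prepended and no integrity tag (assumed framing).
func SealCFB(block cipher.Block, pt []byte) []byte {
	out := make([]byte, aes.BlockSize+len(pt))
	mustRand(out[:aes.BlockSize])
	cipher.NewCFBEncrypter(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], pt)
	return out
}

// OpenCFB never rejects a message: a flipped ciphertext byte comes out as a flipped
// plaintext byte (and garbles the following block), so on-the-wire tampering is invisible.
func OpenCFB(block cipher.Block, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize {
		return nil, errors.New("message shorter than IV")
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:])
	return pt, nil
}

// SealGCM/OpenGCM are the authenticated alternative: the GCM tag makes OpenGCM
// return an error for any modified byte instead of returning corrupted plaintext.
func SealGCM(aead cipher.AEAD, pt []byte) []byte {
	nonce := mustRand(make([]byte, aead.NonceSize()))
	return aead.Seal(nonce, nonce, pt, nil)
}

func OpenGCM(aead cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}
```

Build the `cipher.Block` with `aes.NewCipher` from the 16-byte shared secret and the `cipher.AEAD` with `cipher.NewGCM` on that block; the same key object drives both schemes.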
Each server instance can support multiple rooms which can contain multiple users. This allows one server to host multiple projects simultaneously, each with their own scopes, issues, and members.
Now that the server features have been covered, let's look at some of the features present within the plugin. We'll look at sharing live traffic as it comes through Burp, sharing custom-built Repeater payloads both to those on the server with you and to those outside it, sharing the contents of your cookie jar, sharing Burp-discovered issues as they happen live, as well as the ability to mute other server members and pause sending your own traffic.
This is the main feature and forms the bedrock of what this tool is for. When two or more testers join a room together, they can begin sharing request/response pairs that come through the Burp Suite Proxy to all other clients in real time.
Along with sharing generic Proxy traffic between all other clients, users can manually share custom built repeater payloads with other room members or generate shareable links for use in blog posts or sending through chat applications.
To share a repeater payload with another member, right-click within the repeater window, select “Share Repeater Payload” then select either “To Group” to share it with all room members or select the room member’s name to send it directly to them.
To share a custom Repeater payload with another Burp Suite user who has the Team Collaborator Plugin installed but isn't on your server, right-click within the Repeater window, select "Create Link", navigate to the "Burp TC" tab, right-click on the new URL in the bottom-left table, select "Get Link" and send the generated link to whomever you wish to view it. If you wish to embed the generated link within a blog post or other HTML document, select "Get HTML Link" to generate a link wrapped in HTML anchor tags. To use these generated links, ensure you have the Team Collaborator Plugin installed, then paste the link into any browser set to forward traffic through Burp. The newly imported Repeater payload will appear within the Repeater tab.
This feature enables cookies added to a client’s Cookie Jar to be automatically shared between all other clients which allows quick server-wide usage of discovered accounts.
Like Proxy traffic and Cookie Jar contents, any issues discovered by Burp Suite, whether passive or active, are shared between all clients. This ensures no duplicate work is performed scanning the same endpoint twice and gives all clients a common view of the issues discovered.
While all this collaboration is great, sometimes you may want to put it on hold without leaving the server. The Burp Suite Team Collaborator allows you to mute individual team members or the whole server to temporarily stop receiving their traffic. Is there something you are working on you don’t want shared with the whole server? Simply click the Pause button and none of your Burp Suite traffic will be sent.
While this tool is already packed full of features, there still exists room for improvement and additional features. Over the next few months, more features will be rolled out that hopefully add to the existing collaboration features. Below are a few of the features in the works: