Burp Suite is one of the most popular tools for security assessment and testing of web applications. It can run both manual and automated scans and consists of several tools: a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender. Of these, the intruder and the scanner are the most commonly used tools, and both can perform automated attacks on web applications.
Both of these tools (intruder and scanner) use a default set of attack vectors (Fig. 1) to test for and detect vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS) and many more.
These vectors are limited in number for almost all injection-based attacks; as shown in Fig. 2, the payload count for XSS is 20. Additional payloads can be added using the “Load…” option under Intruder -> Payloads (Fig. 3), but these additional payloads cannot be used by the Scanner tab for automated scans, and they need to be loaded again every time Burp Suite is reopened.
Permanently adding these payloads to the Burp Suite default list makes the tester's work easier and the testing more efficient. It is suggested that the testing team keep a common repository of attack vectors that is shared among all team members and updated on a regular basis, since new attack vectors appear daily.
Step 1:- Open the BurpSuite.jar file using 7-Zip File Manager or any other file archive tool. The BurpSuite.jar file contains folders and files as shown below.
Step 2:- Open the Burp -> PayloadStrings folder. The PayloadStrings folder contains multiple payload files as shown below.
Step 3:- Open the payload file to which you want to add attack vectors. For this scenario we are updating the Fuzzing – XSS.pay file.
Step 4:- Add the new attack vectors (one per line).
Step 5:- Save the file and update the archive.
Step 6:- Now reopen BurpSuite.jar, go to Intruder -> Payloads -> Add from List and select “Fuzzing-XSS”. Check the default payload count, which should now include the added vectors. This default list will also be used every time we use the Scanner tab for automated scanning.
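
Steps 1 to 5 can also be scripted so that a shared team list is merged the same way on every machine. The following is an added example, not part of the original article or of Burp Suite: it writes an updated copy of the archive and leaves the original JAR untouched as a backup. The entry path in `ENTRY`, the function names and the placeholder lines are assumptions made for illustration.

```python
import io
import zipfile

# Assumed entry name: the page gives the folder as "Burp -> PayloadStrings" and
# the file as "Fuzzing – XSS.pay"; confirm the exact spelling in your archive.
ENTRY = "burp/PayloadStrings/Fuzzing - XSS.pay"


def merge_payloads(jar_in, jar_out, entry, new_lines):
    """Write a copy of jar_in to jar_out with unseen lines appended to entry.

    jar_in is only read, so it doubles as the backup. Assumes the payload
    file is UTF-8 text. Returns (count_before, count_after).
    """
    with zipfile.ZipFile(jar_in) as src:
        if entry not in src.namelist():
            pay = [n for n in src.namelist() if n.endswith(".pay")]
            raise KeyError(f"{entry!r} not found; .pay entries present: {pay}")
        existing = src.read(entry).decode("utf-8").splitlines()
        merged, seen = list(existing), set(existing)
        for line in new_lines:
            line = line.rstrip("\r\n")
            if line and line not in seen:  # skip blank lines and duplicates
                seen.add(line)
                merged.append(line)
        # A ZIP entry cannot be edited in place, so every entry is copied over.
        with zipfile.ZipFile(jar_out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                data = src.read(info.filename)
                if info.filename == entry:
                    data = ("\n".join(merged) + "\n").encode("utf-8")
                dst.writestr(info, data)
    return len(existing), len(merged)


def demo():
    """Run the merge on a constructed in-memory archive with placeholder lines."""
    jar_in, jar_out = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar_in, "w") as z:
        z.writestr(ENTRY, "placeholder-a\nplaceholder-b\n")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    team_list = ["placeholder-b", "placeholder-c", "", "placeholder-d\n"]
    before, after = merge_payloads(jar_in, jar_out, ENTRY, team_list)
    with zipfile.ZipFile(jar_out) as z:
        return before, after, z.read(ENTRY).decode("utf-8").splitlines()


if __name__ == "__main__":
    print(demo())
```

The returned counts correspond to the payload count checked in Step 6, so a mismatch between them and what Burp Suite shows indicates the wrong entry or archive was updated.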