sting8k / BurpSuite_403Bypasser

Burpsuite Extension to bypass 403 restricted directory

Extension loaded in BurpSuite but not working #6

Open cybernova opened 3 years ago

cybernova commented 3 years ago

Hi,

I've loaded the extension in BurpSuite with no errors, but when requesting a resource with a 403 response, I don't see any other requests in the Proxy HTTP History.

Am I doing something wrong?

Thanks

sting8k commented 3 years ago

You're doing fine. Normally, requests from any extension will not be logged to HTTP History. You can check Extender -> Output of any extension for more info.

cybernova commented 3 years ago

I don't see any output in the Extender -> Output section of the extension either.

sting8k commented 3 years ago

> I don't see any output in the Extender -> Output section of the extension either.

Did you choose the extension whose output you want to check? Then you can refresh the 403 page and recheck the Output tab.

cybernova commented 3 years ago

Yes, I've done many times what you describe but still not working. No output and no error.

[image: burp1]

I'm using BurpSuite v2020.9.1 on Kali Linux

MMquant commented 3 years ago

@cybernova could you install Flow plugin and check the Burp outgoing traffic? (IMPORTANT: Flow plugin must be last item in "Burp extensions" list)

cybernova commented 3 years ago

@MMquant Ok, I tried but I don't see any useful output in Flow plugin tab. I've refreshed the 403 page, intercepted by the proxy but nothing.

[image: burp2]

MMquant commented 3 years ago

@cybernova could you

cybernova commented 3 years ago

@MMquant Sorry I didn't see the Flow tab, I was focusing on the Extender.

1) [image: burp3]

2) [image: burp4]

You can see the 403 resource requested.

sting8k commented 3 years ago

@cybernova I see, try to add “Live audit from proxy”. Guide: https://portswigger.net/burp/documentation/desktop/scanning/live-scans

cybernova commented 3 years ago

@sting8k Live audit can be enabled only with the Pro version which I don't have.

sting8k commented 3 years ago

@cybernova Try this: Right-click on any 403 request, Send to Passive scan. I am not sure if it is available on community version.

cybernova commented 3 years ago

@sting8k Nope, all the scan activities are not available for the Community version. So you guys tested the extension on the Pro version?

sting8k commented 3 years ago

@cybernova Yeah, I am using Pro version. I think you can use another tool like: https://github.com/lobuhi/byp4xx

cybernova commented 3 years ago

@sting8k Yes, I use that tool now. Thank you anyway

fordrink commented 3 years ago

I can't install it, how to fix?

[images: 2020-12-06_02-34, 2020-12-06_02-38]

cybernova commented 3 years ago

@zinminphyo0 you have to use not the Jython-installer.jar but the Jython-standalone.jar version

fordrink commented 3 years ago

It's working, thank you so much @cybernova