Site icon API Security Blog

GAP-Burp-Extension – Burp Extension To Find Potential Endpoints, Parameters, And Generate A Custom Target Wordlist

This is an evolution of the original getAllParams extension for Burp. Not only does it find more potential parameters for you to investigate, but it also finds potential links to try these parameters on, and produces a target specific wordlist to use for fuzzing. The full Help documentation can be found here or from the Help icon on the GAP tab. TL;DR Installation Visit Jython Offical Site, and download the latest stand alone JAR file, e.g. jython-standalone-2.7.3.jar. Open Burp, go to Extensions -> Extension Settings -> Python Environment, set the Location of Jython standalone JAR file and Folder for loading modules to the directory where the Jython JAR file was saved. On a command line, go to the directory where the jar file is and run java -jar jython-standalone-2.7.3.jar -m ensurepip. Download the GAP.py and requirements.txt from this project and place in the same directory. Install Jython modules by running java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt. Go to the Extensions -> Installed and click Add under Burp Extensions. Select Extension type of Python and select the GAP.py file. Using Just select a target in your Burp scope (or multiple targets), or even just one subfolder or endpoint, and choose extension GAP: Or you can right click a request or response in any other context and select GAP from the Extensions menu. Then go to the GAP tab to see the results: IMPORTANT Notes If you don't need one of the modes, then un-check it as…Read More

Exit mobile version