PortSwigger/param-miner PortSwigger/param-miner

  • Stars
    star
    1,001
  • Rank 44,365 (Top 0.9 %)
  • Language
    Java
  • License
    Other
  • Created almost 6 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
PortSwigger/param-miner
github

PortSwigger

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

param-miner

This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

It combines advanced diffing logic from Backslash Powered Scanner with a binary search technique to guess up to 65,000 param names per request. Param names come from a carefully curated built in wordlist, and it also harvests additional words from all in-scope traffic.

To use it, right click on a request in Burp and click "Guess (cookies|headers|params)". If you're using Burp Suite Pro, identified parameters will be reported as scanner issues. If not, you can find them listed under Extender->Extensions->Param Miner->Output

You can also launch guessing attacks on multiple selected requests at the same time - this will use a thread pool so you can safely use it on thousands of requests if you want. Alternatively, you can enable auto-mining of all in scope traffic. Please note that this tool is designed to be highly scalable but may require tuning to avoid performance issues.

For further information, please refer to the whitepapers:

2020: https://portswigger.net/research/web-cache-entanglement

2018: https://portswigger.net/research/practical-web-cache-poisoning

The code can be found at https://github.com/portswigger/param-miner

If you'd like to rate limit your attack, use the Distribute Damage extension.

Contributions and feature requests are welcome.

Web Cache Entanglement update

Here's a video of the new features being used to find a fat GET cache poisoning vulnerability in a demo site using Rack::Cache

Param Miner demo video

Another video targeting a real site is coming soon - I'm just waiting on the target to patch.

Changelog

1.21 2020-09-02

  • Non-default settings are now highlighted, and can be reset to default
  • Various bugfixes

1.20 2020-08-05

  • Major update for Web Cache Entanglement

1.07 2018-12-06

  • Fix config window size for small screens (thanks @misoxxx)

1.06 2018-10-10

  • Support custom wordlists
  • Support fuzz-based detection
  • Numerous bug fixes and quality of life tweaks

1.03 2018-08-09

  • First public release

Installation

This extension requires Burp Suite 2021.9 or later. To install it, simply use the BApps tab in Burp.

Development

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/param-miner-all.jar

More Repositories

1

turbo-intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Kotlin
1,112
star
2

http-request-smuggler

Java
934
star
3

backslash-powered-scanner

Finds unknown classes of injection vulnerabilities
Java
606
star
4

collaborator-everywhere

A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
Java
395
star
5

xss-cheatsheet-data

This repository contains all the XSS cheatsheet data to allow contributions from the community.
380
star
6

hackability

Probe a rendering engine for vulnerabilities and other features
JavaScript
362
star
7

BChecks

BChecks collection for Burp Suite Professional
320
star
8

dastardly-github-action

Runs a scan using Dastardly by Burp Suite against a target site and creates a JUnit XML report for the scan on completion.
Dockerfile
126
star
9

pentest-mapper

A Burp Suite Extension for Application Penetration Testing to map flows and vulnerabilities
Python
98
star
10

authz

Java
96
star
11

portable-data-exfiltration

This repo contains all the injections mentioned in my talk and enumerators.
JavaScript
87
star
12

distribute-damage

Evenly distributes scanner load across targets
Java
76
star
13

httpoxy-scanner

A Burp Suite extension that checks for the HTTPoxy vulnerability.
Java
76
star
14

replicator

Burp extension to help developers replicate findings from pen tests
Java
64
star
15

burp-extensions-montoya-api

Burp Extensions Api
Java
64
star
16

burp-extender-api

Burp Wiener API (Legacy)
Java
54
star
17

python-scripter

Sourced from gist: https://gist.github.com/mwielgoszewski/7026954
Python
50
star
18

css-exfiltration

HTML
43
star
19

serialization-examples

Java
33
star
20

aws-security-checks

AWS Security Checks
Python
31
star
21

example-hello-world

Java
31
star
22

server-side-prototype-pollution

Java
22
star
23

wordlist-extractor

Java
21
star
24

burp-extensions-montoya-api-examples

Examples for using the Montoya API with Burp Suite
Java
20
star
25

example-intruder-payloads

Java
19
star
26

example-scanner-checks

Java
18
star
27

reflected-parameters

Java
18
star
28

nice-script

A JavaScript sandbox using proxies
JavaScript
17
star
29

custom-logger

Java
16
star
30

example-custom-editor-tab

Java
15
star
31

example-event-listeners

Java
15
star
32

bseept

Burp Suite Enterprise Edition Power Tools
Python
13
star
33

kerberos-authentication

Burp Suite extension to perform Kerberos authentication
Java
12
star
34

3d-css-tutorial

HTML
12
star
35

example-custom-scan-insertion-points

Java
12
star
36

proxy-action-rules

Python
10
star
37

token-extractor

A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
Java
7
star
38

enterprise-reference-stack-for-aws

Smarty
7
star
39

viewstate-editor

Burp extension to add a view state tab to the message editor
Java
6
star
40

random-ip-address-header

Java
5
star
41

html5-auditor

Java
5
star
42

certsquirt

A golang PKI in less than 1000 lines of code.
Go
3
star
43

cstc

CSTC is a Burp Suite extension that allows request/response modification using a GUI analogous to CyberChef
Java
3
star
44

example-custom-session-tokens

Java
2
star
45

example-custom-logger

Java
2
star
46

manual-scan-issues

Java
2
star
47

websphere-portlet-state-decoder

Python
1
star
48

burp-jenkins-integration

Enterprise integration with Jenkins
Java
1
star
49

open-day

1
star
50

enterprise-helm-charts

Helm charts for BSEE Kubernetes installation.
Smarty
1
star