
HUNT Suite Proxy Extensions


What is HUNT Suite?

HUNT Parameter Scanner - Vulnerability Classes

TODO

Authors

Contributors

HUNT Suite for Burp Suite Pro/Free

HUNT Parameter Scanner (hunt_scanner.py)


This extension does not test parameters itself; instead it alerts on them so that a bug hunter can test them manually. For each class of vulnerability, Bugcrowd has identified common parameters or functions associated with that vulnerability class. We also provide curated resources in the issue description for thorough manual testing of these vulnerability classes.
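To make the matching logic concrete, here is an added, stand-alone Python 3 example (not HUNT's own code and not a Burp extension) that does what the paragraph describes: it pulls parameter names out of a raw HTTP request and reports which vulnerability classes they are associated with. The class-to-parameter mapping and the sample request are constructed for illustration and are not HUNT's curated lists.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed, illustrative mapping of vulnerability class -> parameter names.
# HUNT ships its own curated lists; these are placeholders for the example only.
PARAM_CLASSES = {
    "SQL Injection": {"id", "query", "order", "sort"},
    "Local/Remote File Inclusion": {"file", "path", "page", "template"},
    "Server-Side Request Forgery": {"url", "uri", "dest", "callback"},
    "Insecure Direct Object Reference": {"id", "user", "account"},
}


def extract_param_names(raw_request):
    """Return the parameter names found in the query string and, for
    form-encoded requests, in the body. Names keep their original case."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ", 2)
    names = {k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    if "application/x-www-form-urlencoded" in head.lower() and body:
        names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return names


def classify(raw_request):
    """Map each vulnerability class to the (lower-cased, sorted) parameter
    names that matched it. Like HUNT, this only flags; it sends no payloads."""
    names = {n.lower() for n in extract_param_names(raw_request)}
    findings = {}
    for vuln_class, watched in PARAM_CLASSES.items():
        hits = sorted(names & watched)
        if hits:
            findings[vuln_class] = hits
    return findings


# Constructed sample request: parameters in both the query string and the body.
SAMPLE_REQUEST = (
    "POST /report?page=summary&ID=42 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "url=https://intranet.example/status&sort=asc"
)

if __name__ == "__main__":
    for vuln_class, params in classify(SAMPLE_REQUEST).items():
        print("[HUNT-style alert] %s: %s" % (vuln_class, ", ".join(params)))
```

A single parameter name can belong to several classes (here `id` is flagged for both SQL injection and IDOR), which is why each alert should be read as a prompt for manual testing rather than a confirmed finding.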

HUNT Testing Methodology (hunt_methodology.py)


This extension allows testers to send requests and responses to a Burp Suite tab called "HUNT Methodology". This tab contains a tree on the left side that is a visual representation of your testing methodology. By sending requests/responses here, testers can organize their work or attest to having done manual testing in that section of the application, or to having completed a certain methodology step.

Installing HUNT Suite for Burp Suite Pro/Free

Getting Started

  1. Download the latest standalone Jython jar.
  2. Navigate to Extender -> Options and add the Jython jar there.
  3. Navigate to Extender -> Extensions and add the extension.
  4. The HUNT Parameter Scanner will begin to run across traffic that flows through the proxy.

Setting Scope

Setting your testing scope is an important step, as the passive scanner is incredibly noisy. Instead of polluting the Scanner window, the HUNT Parameter Scanner creates its own window with its own findings.

  1. Navigate to Target -> Scope and define your in-scope targets.
  2. Navigate to Scanner -> Live scanning.

Important Notes

HUNT Parameter Scanner leverages the passive scanning API within Burp. Here are the conditions under which passive scan checks are run:

Passive scans are not run on the following:

HUNT Scanner for OWASP ZAP (Alpha - Contributed by Ricardo Lobo @_sbzo)

The HUNT scanner is included in the community scripts for ZAP Proxy.

  1. Find the "Manage Addons" icon and ensure you have Python Scripting and Community Scripts installed.
  2. Ensure the "Show All Tabs" icon is clicked.
  3. Click the Tools menu and navigate to the Options section. Select Passive Scanner, check the box "Scan messages only in scope", and then click OK.
  4. Click into the Scripts tab (next to the Sites tab).
  5. Hunt.py should appear under passive rules.
  6. Right-click the script under passive rules, enable it and save it.
  7. Browse sites and receive alerts for the sites included in contexts!

License

Licensed under the Apache 2.0 License.