anof-cyber / pentest-mapper Goto Github PK

A Burp Suite Extension for pentester and bug bounty hunters an to maintain checklist, map flows, write test cases and track vulnerabilities

Home Page: https://anof-cyber.github.io/Pentest-Mapper/

License: Apache License 2.0

Python 97.04% HTML 2.96%

burp burp-extensions burp-plugin burpsuite burpsuite-extender burpsuite-tools appsec bugbounty infosec pentesting

pentest-mapper's Introduction

Pentest Mapper

Pentest Mapper is a Burp Suite extension that integrates the Burp Suite request logging with a custom application testing checklist. The extension provides a straightforward flow for application penetration testing. The extension includes functionalities to allow users to map the flow of the application for pentesting to better analyse the application and its vulnerabilities. The API calls from each flow can be connected with the function or flow name. The extension allows users to map or connect each flow or API to vulnerability with the custom checklist.

Installation

Extension is available on Burp Suite BApp Store

Documentation

https://anof-cyber.github.io/Pentest-Mapper/

Features Summary

1. Checklist

Allows to load the custom checklist

2. API Mapper

Allow to keep track of each API call, Flow and Test Cases for each API calls.

3. Vulnerability

Allows to keep track of vulnerabilities, Map each paramter and API call to vulnerability from the Checklist and severity

4. Config

Allow to set Auto save the project or extension data and auto load the checklist. Also import and export all data with one click

Features

1. Checklist

The checklist allows users to create or upload the custom checklist to map each API call to the vulnerability from the custom uploaded checklist.

2. API Mapper

The API Mapper tab allows logging the HTTP request from the poxy or repeater tab and mapping the request with the flow and sorting the request based on the flow. Also, the tab allows users to write the comment or test cases for each API call logged into the extension. The tab allows mapping each API with the vulnerability from the checklist.

3. Vulnerabilities

The tab stores the URL and parameters and allows users to map the selected API to the vulnerabilities.

4. Config

The config tab allow you to set time for auto save after specific time peried and select the output location. You can also set the auto load the checklist file and Import and export data with one click. You can also turn on off the Auto Save and Auto Logging request from proxy for scope domain

Sending Request

TBD

~~Single Click Import and Export~~
~~Auto Save the project Data~~
~~Auto Logging Scope APIs and requests with Optional mode~~
~~Seach option for all 3 tables to manage long table~~
~~Solving long checklist selection from vulnerability~~
~~Updating checklist file automatically~~
~~Map Vulnerabilities with Severity~~
Custom and Default CVSS score generation
Multiple row selection for API Mapper
~~Turn on off auto save from config~~
~~Optimization of code~~
~~Allowing individual request to mark as completed~~
~~Allowing Request and Response for Vulnerability~~

pentest-mapper's People

Contributors

Stargazers

Watchers

Forkers

portswigger allabouthack thegetch yekutielyehuda sdsan21 ktiyaav yogikortisa mkdirlove md-lost mounishperiasamy soumikhasan696 jamoski3112 orinocoz tonykhoriaty victoryxing126 chriss-0x01

pentest-mapper's Issues

Sending from API Mapper to Repeater doesn't work.

Describe the bug
Sending request from API Mapper to Repeater doesn't work.

To Reproduce
Steps to reproduce the behavior:

Add item to API mapper.
Right click on it and choose Send request to repeater.
Item is not added to repeater.
In case it was added correctly try to clear all request from repeater and repeat steps. I think it triggers the problem.

Expected behavior
Request is added to repeater.

Desktop (please complete the following information):

OS: Apple M1 Pro 13.4.1

Additional context
Visible error in extension logs:
Traceback (most recent call last): File "/Users/<my_user>/.BurpSuite/bapps/af490ae7e79546fa81a28d8d0b90874e/PentestMapper.py", line 931, in sendRepeaterItem self.callbacks.sendToRepeater(hostname,port, True, request, func) TypeError: sendToRepeater(): 2nd arg can't be coerced to int

[BUG] Sorting based on columns in API Mapper tab results in the Post Body no longer matching what's shown in the Request box

In the below you can see the GET request is selected (line 2) yet in the Request section the PUT body from line 1 is shown

[FR] - Might be nice to store the baseline response for each item on the API Mapper tab also.

That way its not lost when you send to repeater and have to go looking for it from the original source (before you sent it to the extension).

Great extension by the way.

Deleting multiple API entries doesn't work as expected

Describe the bug
When deleting entries by multi-selecting with SHIFT when you delete 6 entries only 3 are deleted. Doing so for the remaining 3 only deletes two entries and so on.

Expected behaviour
A delete should delete all the records selected.

Screenshots
Index out of range errors also experienced

Desktop:
Window 10 latest.
Burp v2022.8.2.
Burps own Java

Additional context
Not sure how to resolve this one otherwise would raise a PR myself. Looks like an issue with how the data is being structured.

Can't sorting row number more than nine on API Mapper as well as Save TestCases not save on the right row number

Describe the bug
If there is more than nine row on the API Mapper, I can't sorting the row number (minimum/maximum) as well as when Save TestCases it's not saved on the right row number.