This one is for you web penetration testers! This new Burp extension is designed to help with efficiency when you are testing a complex application full of parameters or a series of applications and just do not have enough time to thoroughly analyze each one. It analyzes all the parameters in your in-scope traffic and presents them in a table. But that’s just the start! In addition to generating some basic statistics, it will intelligently attempt to determine the format of each parameter based on the values seen in the traffic. Correlator will automatically and recursively base64 and URL decode, check for known hash lengths (e.g. MD5, SHA1, etc…), make note of familiar formats (e.g. 123-45-6789), decode BigIP cookies, and more! It will also check to see if the value shows up in the response (i.e. was it reflected), and even whether the URL decoded version was.
It is a lot easier to explain how this works with a demonstration, so I made a video:
I’m very hopeful that this extension will make large-scale manual web penetration testing more palatable and significantly more efficient. But I need help! Please check it out and give me all your feedback so I can make it even better.
Look for the Correlator (beta) download link on http://burpco2.com.
Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com, on Twitter @JGillam, or visit the Secure Ideas – ProfessionallyEvil site for services provided.