This Burp Suite plugin lets multiple testers share live and historical proxy requests, scope, and Repeater/Intruder payloads with each other in real time, allowing for truly collaborative web app testing. When connected to the Team Server and in a Team Room, all requests coming through your Burp client are shared with the other testers in the room and vice versa!
- Real time request/response pairs shared between all clients
- Mutual TLS Encryption of all traffic between client and server
- Separate Team Rooms to allow multiple teams on 1 server
- Mute individual team members or whole room
- Pause sending traffic to room
- Sync scope between all clients in a room
- Share Repeater/Intruder payloads with individual team members or whole room
- Share specific request/response pairs with individual team members or whole room
- Generate shareable links to Burp Suite Requests that can be shared outside of Burp Suite
- Add comments to Burp Suite requests that are viewable by other teammates
- Automatic sharing of discovered Cookies
- Automatic sharing of discovered Passive/Active scan findings
- Configure sharing of all requests or just in scope ones
- Configure sharing/receiving Cookies
- Configure sharing/receiving Issues
- Save connection settings
Two parts make this collaborative web app testing possible. The first is a Burp Suite plugin that uses the extension APIs to capture request/response pairs, ferry them to the server, and receive other clients' traffic. It is the main UI that users see when using this tool. The second is a lightweight server written in Go, which manages the connections between the clients and the rooms.
```
go get github.com/Static-Flow/BurpSuiteTeamServer/cmd/BurpSuiteTeamServer
cd ~/go/src/github.com/Static-Flow/BurpSuiteTeamServer/
go get ./...
go install ./...
~/go/bin/BurpSuiteTeamServer -h
```

Output:

```
Usage of BurpSuiteTeamServer:
  -host string
        host for TLS cert. Defaults to localhost (default "localhost")
  -port string
        http service address (default "9999")
  -serverPassword string
        password for the server
```
The jar file is prebuilt for you within the build/jar folder. To use the prebuilt jar:
- Start Burpsuite
- Navigate to the Extender tab
- Click add and select the jar file from the git repository
- A new Burp Suite tab titled "Burp TC" should appear
These actions can be taken by a client that has connected to a server
- Navigate to the "Burp TC" tab
- Enter a chosen username, the server IP address, port and server password (if required)
- Navigate to the "Configuration" tab within the "Burp TC" tab
- Using the "Select Certificate" file selection button, pick the server certificate generated when the server started
- Using the "Select Certificate Key" file selection button, pick the server certificate key generated when the server started
- Click the "Connect" button
- Click the "Disconnect" button
- Click the "New Room" button
- Enter a room name
- If desired, enter a room password
- Click "Ok"
- The middle right panel will show current server rooms or "No rooms currently" if none exist
- Right click on the desired room and click "Join"
- If a password is required a prompt will show, enter the room password
These actions can be taken by a client that has connected to a server and joined a room
- Click the "Leave Room" button
- Click the "Pause" button
- Click the "Unpause" button
- The middle right panel will show current room members
- Right click on the desired room and click "Mute"
- The middle right panel will show current room members
- Right click on the desired room and click "Unmute"
- Click the "Mute All" button
- Click the "Unmute All" button
(This can only be done by the client that starts the room)
- Use the Target tab to set the Burpsuite scope as desired
- Within the "Burp TC" tab click the "Set Room Scope" button
- Click the "Get Room Scope" button
These actions apply to Burpsuite tools outside of the "Burp TC" tab
- Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"
- Select "To Group"
- Within the Repeater tab right click within the Request editor and mouse over "Share Repeater Payload"
- Mouse over "To Teammate"
- Select the name of the desired team member
- Within the Intruder tab navigate to the "Positions" tab
- Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"
- Select "To Group"
- Within the Intruder tab navigate to the "Positions" tab
- Within the "Positions" tab right click within the Request editor and mouse over "Share Intruder Payload"
- Mouse over "To Teammate"
- Select the name of the desired team member
- Within the Target tab navigate to the "Site map" tab
- Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"
- Select "To Group"
- Within the Target tab navigate to the "Site map" tab
- Within the "Site map" tab right click on the entry you would like to share and mouse over "Share Request"
- Mouse over "To Teammate"
- Select the name of the desired team member
- Right click inside a repeater tab and select "create link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
- Right click on the link you would like to share and select "Get link"
- Right click inside a repeater tab and select "create Link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
- Right click on the link you would like to share and select "Get HTML Link"
- Right click inside a repeater tab and select "create link"
- Navigate to the "Shared Links" tab within the "Burp TC" extension tab
- Right click on the link you would like to share and select "Remove link"
- Right click on a Proxy history line or a request inside the Site Map
- Select "Comments"
- The comment UI will appear, enter your comment in the bottom textfield and hit enter
- Navigate to the "Comments" tab within the "Burp TC" extension tab
- Double click on any threads listed in the list of comments to open the Comment UI and begin commenting
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Click the "Select Certificate" button
- Using the file picker, select the "BurpServer.pem" file generated by the server
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Click the "Select Certificate Key" button
- Using the file picker, select the "BurpServer.key" file generated by the server
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Share all requests" check-box
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Share issues" check-box
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Share cookies" check-box
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Receive shared issues" check-box
- Navigate to the "Configuration" tab within the "Burp TC" extension tab
- Uncheck the "Receive shared cookies" check-box