Burp CO2 – A Collection Of Enhancements for Burp Suite

Burp CO2 an extension for the popular web proxy / web application testing tool called Burp Suite.

The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.


  • Free and open source
  • Works on both Free and Pro versions of Burp (except where Free version limits functionality, e.g. Intruder rate limits)
  • Lightweight with respect to memory and CPU utilization
  • Avoid third party library dependencies
  • Help available (online help, examples, etc…)

Suite Modules:

  • SQLMapper – It provides an interface to the popular SQLMap tool for discovering and exploiting SQL Injection flaws. SQLMapper improves the efficiency of using SQLMap during a web penetration test.
  • User Generator – This module uses name statistics to generate names or usernames. First name statistics are based on date ranges of common baby names. Last name statistics are based on census data.
  • Name Mangler – Given a short list of first and last names, the name mangler will put them together in different orders and with different separation characters to generate a potential list of usernames.
  • CeWLer – This tool is based on the popular CeWL – Custom Word List generator, by DigiNinja. Rather than re-crawling the site, this module pulls words from existing Burp history.
  • Masher – Given a list of dictionary words and a password specification, Masher will begin generating potential passwords that can be used with Burp Intruder. This is a useful tool for generating a custom password dictionary for login forms that do not have effective lockout mechanisms.
  • BasicAuther – Given a set of usernames and password this tool will generate a list of encoded payloads that can be submitted directly into the BASIC auth position of a request in Intruder.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: