Burp CO2 an extension for the popular web proxy / web application testing tool called Burp Suite.
The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.
- Free and open source
- Works on both Free and Pro versions of Burp (except where Free version limits functionality, e.g. Intruder rate limits)
- Lightweight with respect to memory and CPU utilization
- Avoid third party library dependencies
- Help available (online help, examples, etc…)
- SQLMapper – It provides an interface to the popular SQLMap tool for discovering and exploiting SQL Injection flaws. SQLMapper improves the efficiency of using SQLMap during a web penetration test.
- User Generator – This module uses name statistics to generate names or usernames. First name statistics are based on date ranges of common baby names. Last name statistics are based on census data.
- Name Mangler – Given a short list of first and last names, the name mangler will put them together in different orders and with different separation characters to generate a potential list of usernames.
- CeWLer – This tool is based on the popular CeWL – Custom Word List generator, by DigiNinja. Rather than re-crawling the site, this module pulls words from existing Burp history.
- Masher – Given a list of dictionary words and a password specification, Masher will begin generating potential passwords that can be used with Burp Intruder. This is a useful tool for generating a custom password dictionary for login forms that do not have effective lockout mechanisms.
- BasicAuther – Given a set of usernames and password this tool will generate a list of encoded payloads that can be submitted directly into the BASIC auth position of a request in Intruder.