Burp Extension for BFAC (Advanced Backup-File Artifacts Testing for Web-Applications).
Backup files are too often overlooked by web application auditors. With the objective of democratizing the backup file tests and integrating these tests into the most used tool for web auditors, SEC-IT auditors worked on the integration of the BFAC checks as a BurpSuite plugin.
BFAC is an automated tool that checks for backup artifacts that may disclose the web-application's source code. The artifacts can also lead to leakage of sensitive information, such as passwords, directory structure, etc. This a tool provided by @mazen160.
BurpSuite is a well known pentesting tool used in web application assessment.
The pluggin is written in Java for better integration with BurpSuite Extender API.
Download BFAC.jar on your computer. Then import the jar file as a Burp plugin :
- Open Burp
- Click on the "Extender" tab
- Click on the "Add" button
- Set extension type to Java and load BFAC.jar by clicking on "Select file..."
Once loaded, you should see a "BFAC" tab :
BFAC Burp Extension is designed to look for backup files from the Burpsuite sitemap. Therefore, it is better to run BFAC Burp extension when the sitemap is full enough. Sitemap fulfillment will not be covered here, however it can be accomplish using active scanners.
Once your sitemap is full, you have 2 options.
BFAC original tool may provide interesting options that are not provided by this extension. That why you can extract interesting URLs from the sitemap using the "Extract URL".
Then, you only have to provide the extracted URLs to the BFAC tool :
If you do not have BFAC on your computer or want to gain time, you can just click on "Run BFAC" to run a Java implementation of BFAC :
Burp Scanner already provides a backup file feature for the Burp Suite Enterprise and Burp Suite Professional (see #006000d8_backup-file).
- Performing a backup file check only will require more manual configuration on Burp scanner.
- Burp scanner will not cover multiple backup file formats (see Benchmark).
Note : This plugin has been considered by its author and PortSwigger as an alternative of the Burp scanner feature, that's why you won't find the extension on BApp store.
If you want to contribute or modify the existing plugin, you may need to build an edited JAR. In order to accomplish that task, you may have a look at PortSwigger website : Writing your first Burp Suite extension.
To build the jar, create new Java project under your Java IDE (i.e. Eclipse). Create new package named burp. Import "burp interface files" in this package. Theses files can be found in Burp tool : Extender tab > APIs > Save interfaces files (at the bottom left of the pane). Then import Java classes provided in the src folder, into the burp package. You can now modify the plugin as needed, and generate a JAR plugin (on Eclipse: File > Export > Java > JAR file > Select project and click on Finish).
The Site-map-extractor BurpSuite plugin written by @swright573 has been a great source of inspiration and helped us to better understand BurpSuite Extender API from a "sitemap" point of view.
Made by Alex G. (@zeecka_), pentester at SEC-IT.