Burp CO2 is an extension for Burp Suite, the popular web proxy and web application testing tool available from PortSwigger. You must install Burp Suite before installing the Burp CO2 extension! The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.
The SQLMapper module provides an interface to the popular SQLMap tool for discovering and exploiting SQL Injection flaws. SQLMapper improves the efficiency of using SQLMap during a web penetration test.
This module uses name statistics to generate names or usernames. First name statistics are based on date ranges of common baby names. Last name statistics are based on census data.
Given a short list of first and last names, the name mangler will put them together in different orders and with different separation characters to generate a potential list of usernames.
This tool is based on the popular CeWL - Custom Word List generator, by DigiNinja. Rather than re-crawling the site, this module pulls words from existing Burp history.
Given a list of dictionary words and a password specification, Masher will begin generating potential passwords that can be used with Burp Intruder. This is a useful tool for generating a custom password dictionary for login forms that do not have effective lockout mechanisms.
Given a set of usernames and passwords, this tool will generate a list of encoded payloads that can be submitted directly into the BASIC auth position of a request in Intruder.
With a background in software development, the author of Burp CO2 (Jason Gillam) has designed each tool in the suite to work efficiently and in harmony with Burp Suite. The objectives of all CO2 modules include: