Generates wordlists from the Burp sitemap.
Everyone in offensive cyber security (pentesting/bug bounty) uses the same wordlists (SecLists, WFuzz, Assetnode, etc.). Creating your own custom wordlists is necessary to differentiate yourself from hordes of automated scanners. This Burp extension extracts various kinds of data (path, parameter keys, parameter values, subdomains, etc.) from the Burp sitemap and stores this in respective wordlist files. These wordlists can then be used for directory/dns/parameter brute-forcing.
-
Currently, the following types of data are collected:
- Paths
- Subdomains
- Parameter keys
- Parameter values
- Parameter key-value pairs (query)
-
Data is only collected from the following parameter types. Parameters from cookies, multipart forms, and XML attributes are ignored.
- URL
- Body
- JSON
- XML
-
Only in-scope data is collected.
-
Only unique entries are stored (per project).
-
Either select the entire sitemap, only process the selected endpoints.
Inside Burp, go to Extender, select Add, set 'Extension type' to Python, and select the extension file.
Go to the 'Target' tab and right-click the sitemap.
Output can be seen by visiting the extension tab.
The wordlists are written to: <extension dir>/wordlists/<Burp project name>.
After creating different wordlists, they can be aggregated:
cat wordlists/*/paths.txt | sort | uniq
cat wordlists/*/keys.txt | sort | uniq
cat wordlists/*/values.txt | sort | uniq
cat wordlists/*/queries.txt | sort | uniq
cat wordlists/*/subdomains.txt | sort | uniq
At one point, an option for this may be added to the extension.
The generated wordlists can contain sensitive data such as usernames, password, and tokens. Review the wordlist before launching it against other systems.