From Craig in Tester’s Chat, 2024-02

Since they added the handy dandy system impact meter thingy, I’ve started loading and unloading extensions based on what I’m doing. This is basically what I have loaded based on activity:

Manual enumeration and automated content discovery: Retired.js, JS Miner, JS Link Finder, Reflected Parameters, Log4Shell Everywhere, Software Version Reporter, Error Message Checks, Collaborator Everywhere (careful with this one; I’ve had it cause issues with authentication flows).

Scanning/fuzzing: Active Scan++, Software Vulnerability Scanner, Additional Scanner Checks, Backslash Powered Scanner, Command Injection Attacker, Error Message Checks, J2EEScan (if applicable), Freddy Deserialization Bug Finder (if applicable), Java Deserialization Scanner (if applicable).

Autorize for checking access control.

Upload Scanner for file uploads.

Various JWT extensions when they’re in play.

GraphQL Raider if that’s in play.

Turbo Intruder if I want to go fast with content brute forcing or API enumeration stuff.

I typically prefer using IP Ricochet over IPRotate. It’s external to Burp and frankly easier to use: just connect and go.