Skip to content

gand3lf/semgrepper

Repository files navigation

▶️ Semgrepper

The current project provides a Burp Suite extension to allow users to include Semgrep results to extend the checks in use by the passive scanner. By visiting repositories that collect Semgrep rules, it is possible to verify the large number of rules related to the front-end environment written by the community, such as: https://github.com/returntocorp/semgrep-rules/tree/develop/javascript.

By using this plugin, Burp Suite users can include the Semgrep rules YAML files and define the scope of the analysis, as shown in the following screenshot:

semgrepper2

Main features

This is what Semgrepper implements:
   ✔️ multiple tabs to use different Semgrep rules with different scopes
   ✔️ select files or directories containing Semgrep rules in YAML format
   ✔️ define a scope by specifing what can be or not be present in the response header/body
   ✔️ deactivate the checks without unloading the plugin

Prerequisites

The plugin needs that Semgrep CLI is installed in your machine.
Please, follow these instructions to install Semgrep:

  • For Ubuntu, Windows through Windows Subsystem for Linux (WSL), Linux, macOS

    python3 -m pip install semgrep

  • For macOS

    brew install semgrep

Tutorial

  1. Add the Semgrepper extension to Burp Suite.
  2. From the section "Rules Files", select the Semgrep rules you want to use. rulesfiles
  3. From the section "Scope", it is possible to configure some constraints to apply or not a rule to a specific response.
    scope
  4. Enable the rules by toggling the button "Current Semgrepper is off/on".
    semgrepperbutton
  5. Passively scan the target host.

Special thanks

Current status

License Compatibility
GNU v3 Python 3