ReconAggregator #312

@gr4ytips

Description

@gr4ytips

Extension URL

https://github.com/gr4ytips/ReconAggregator

Version number

1.0.0

Select additional compatible products and features

  • Community
  • DAST
  • Burp AI

Author display name

Shafeeque Olassery Kunnikkal

Contact details (optional)

skunnikkal@gmail.com

Discord username (optional)

No response

I confirm that the following is true:

Extension overview

Bug bounty recon finds endless URLs. Testing is the hard part!

Web archives provide a gold mine of historical data and forgotten attack surfaces: Old endpoints and old parameters keep showing up long after UI changes. Sometimes they still work and lead to auth issues, injection bugs, or hidden routes.

EnhancedRecon + ReconAggregator turn archive recon into a focused Burp Suite testing queue:

Automate OSINT: pull endpoints from Wayback, CommonCrawl, URLScan, and OTX.

Keep source info: track where every URL came from so you can prioritize high-signal data.

Find gaps: see recon-only endpoints inside Burp that you have not tested yet.

Track drift: detect new routes and old routes returning between runs.

Target payloads: find parameter hotspots so you can focus fuzzing where it matters.

Key features

Discovery ≠ Coverage. Recon Automation + ReconAggregator is an end-to-end, coverage-first reconnaissance pipeline and Burp Suite extension. It converts multi-source OSINT and archive-driven recon into a Burp-native truth layer, allowing security practitioners to measure coverage closure, track provenance, and turn diffs into testable work queues.

The Problem Solved

Discovery does not guarantee testing: Massive endpoint lists generated by passive recon often never get exercised in Burp Suite.

Coverage gaps are invisible: It is difficult to see which endpoints exist only in recon data vs. which paths were only found dynamically during testing.

Changing attack surfaces: Deployments introduce new routes, legacy APIs persist in the background, and environments (Prod vs. UAT) drift out of sync.

System Components

1. Automation Pipeline (Phases 0–3)

A guardrailed, repeatable Bash/Python pipeline that safely scales from seed to offline intelligence.

Phase 0 (Scope Governance): Strict enforcement of exact-host allowlists, suffix bounds, and denylists to build a safe IP/Domain inventory.

Phase 1 (Passive OSINT): Archive mining (Wayback, CommonCrawl) and passive intelligence gathering (OTX, URLScan, CT, PDNS) without touching live infrastructure.

Phase 2 (Harvest & Analysis): Controlled DOM rendering, source-map recovery, static analysis (UCA, Retire.js, TruffleHog), and parameter mining.

Phase 3 (Offline Intelligence & Truth): Endpoint clustering, parameter hotspot analysis, metadata forensics, and an optional HTTP truth validation layer.
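An added example of the Phase 0 scope decision described above (exact-host allowlist, suffix bound, denylist), written here as illustration rather than taken from the EnhancedRecon scripts. It assumes the three lists correspond to allowed_exact_hosts.txt, allowed_suffixes.txt and out_of_scope_hosts.txt from the Quick Start, that the denylist always wins, and that suffixes match only at a label boundary; the hosts are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the three scope files the pipeline reads:
# allowed_exact_hosts.txt, allowed_suffixes.txt, out_of_scope_hosts.txt.
ALLOWED_EXACT = {"app.example.com", "api.example.com"}
ALLOWED_SUFFIXES = {".dev.example.com"}
OUT_OF_SCOPE = {"api.example.com", "vpn.dev.example.com"}


def host_of(candidate: str) -> str:
    """Lowercase hostname of a URL or bare host, without scheme,
    userinfo, port, path or trailing dot."""
    if "://" not in candidate:
        candidate = "//" + candidate          # lets urlsplit parse a bare host
    return (urlsplit(candidate).hostname or "").rstrip(".").lower()


def in_scope(candidate: str, exact=ALLOWED_EXACT, suffixes=ALLOWED_SUFFIXES,
             denied=OUT_OF_SCOPE) -> bool:
    """Scope decision (assumed ordering): denylist wins, then exact allow,
    then suffix bound anchored at a label boundary, so 'evil-dev.example.com'
    never matches '.dev.example.com'. Bare IPs never pass a host allowlist."""
    host = host_of(candidate)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in denied or any(host.endswith("." + d) for d in denied):
        return False                          # denied host or a subdomain of it
    if host in exact:
        return True
    for suffix in suffixes:
        suffix = suffix if suffix.startswith(".") else "." + suffix
        if host == suffix[1:] or host.endswith(suffix):
            return True
    return False


def build_inventory(candidates) -> list:
    """Deduplicated, sorted host inventory from raw recon candidates."""
    return sorted({host_of(c) for c in candidates if in_scope(c)})
```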
2. ReconAggregator (Burp Suite Extension)

A Montoya API extension that ingests the artifacts generated by the pipeline (and other tools) and normalizes them into a per-project SQLite database.

Coverage Measurement: Compares ingested recon data against Burp's Proxy history/Sitemap to highlight untested endpoints.

Orphans & Diffs: Visualizes recon-only accessible routes and compares run-to-run tree diffs to flag surface area regressions.

Parameter Intelligence: Highlights high-value untested parameters.

Full Provenance: Maintains an unbroken chain of evidence from the initial OSINT source down to the final accessibility proof.
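An added example of the coverage measurement, orphan and run-to-run diff logic described above, written as a stand-alone illustration rather than taken from the ReconAggregator extension. It assumes endpoints are matched on lowercase host plus path (trailing slash ignored) and that provenance is carried as a source label per recon URL; the recon entries and proxy history are constructed sample data.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample inputs: Phase 1 style (url, source) pairs and the URLs
# Burp's Proxy history would have recorded during manual testing.
RECON = [
    ("https://app.example.com/api/v1/users?id=1", "wayback"),
    ("https://app.example.com/api/v1/users?role=admin", "commoncrawl"),
    ("https://app.example.com/legacy/export.php?file=report", "wayback"),
    ("https://app.example.com/login", "urlscan"),
]
PROXY_HISTORY = [
    "https://app.example.com/login",
    "https://app.example.com/api/v1/users/?id=7",
    "https://app.example.com/dashboard",
]

def endpoint_key(url: str) -> tuple:
    """Matching identity: lowercase host plus path without trailing slash."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return (parts.hostname or "").lower(), path.rstrip("/") or "/"

def param_names(url: str) -> set:
    return {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}

def coverage(recon, observed):
    """(untested recon endpoints with sources, dynamic-only endpoints,
    recon-known parameters never sent on endpoints that were tested)."""
    known = {}
    for url, source in recon:
        entry = known.setdefault(endpoint_key(url), {"sources": set(), "params": set()})
        entry["sources"].add(source)                 # provenance travels with the key
        entry["params"] |= param_names(url)
    seen = {}
    for url in observed:
        seen.setdefault(endpoint_key(url), set()).update(param_names(url))
    untested = {k: v for k, v in known.items() if k not in seen}
    dynamic_only = set(seen) - set(known)
    untested_params = {k: v["params"] - seen[k] for k, v in known.items()
                       if k in seen and v["params"] - seen[k]}
    return untested, dynamic_only, untested_params

def run_diff(history):
    """Diff over endpoint sets, oldest first: new, gone, and returned routes."""
    current, previous = set(history[-1]), set(history[-2])
    earlier = set().union(*history[:-2])             # everything seen before `previous`
    appeared = current - previous
    return {"new": appeared - earlier, "gone": previous - current,
            "returned": appeared & earlier}
```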

Usage instructions

Building the Burp Extension

ReconAggregator requires Java 17 and Burp Suite (Montoya API 2025.8+).

cd ReconAggregator
./gradlew clean build

Open Burp Suite.

Go to Extensions → Installed → Add.
Select Extension Type: Java and choose the compiled .jar located in ReconAggregator/build/libs/.

Setting up the Automation Pipeline

The pipeline scripts are located in the EnhancedRecon directory.

cd EnhancedRecon

# Install dependencies for all phases

./phase0_install.sh
./phase1_install.sh
./phase2_install.sh
./phase3_install.sh

Quick Start

  1. Define Scope
    Edit allowed_exact_hosts.txt, allowed_suffixes.txt, and out_of_scope_hosts.txt in the pipeline root.

  2. Run Pipeline
    ./run_phase0.sh
    ./run_phase1_passive.sh
    ./run_phase2.sh
    ./run_phase3.sh

  3. Ingest into Burp Suite

Open the ReconAggregator tab in Burp.

Go to the Settings sub-tab and set your Phase 1 and Phase 2 Root directories to point to your output folders (e.g., passive_enum_phase1/phase1_iter_1/).

Click Run Full Backfill in the Import tab.

Explore the Coverage, Compare, and Orphans tabs to prioritize your manual testing queues.

Labels: DAST (this extension is compatible with Burp Suite DAST), Professional (this extension is compatible with Burp Suite Professional).
