Boost Web Privilege Testing with the XiaYue Burp Suite Plugin
XiaYue is a Burp Suite extension that automates detection of vertical and horizontal privilege escalation by replaying each captured request at several permission levels and comparing the responses. It adds smart deduplication, advanced filtering, parameter replacement, a visual results table, persistent configuration and performance optimizations. The author also shares a personal story about their child starting school.
Background
The company has a zero-tolerance policy for privilege-escalation bugs, and the high bounties it pays for finding them motivate intensive testing.
Burp Suite Tool
Burp Suite is a powerful web application security testing platform that intercepts, inspects, and modifies web traffic.
“XiaYue” Plugin Introduction
XiaYue (XiaYue_Pro) is a Burp Suite extension that automatically detects privilege escalation vulnerabilities by comparing responses across three permission levels. GitHub: https://github.com/winezer0/XiaYue_Pro
Usage Effect
The plugin shows the response lengths of the original (high-privilege) request, the low-privilege replay and the unauthenticated replay side by side. When a replay returns a response of the same length as the original, the endpoint probably did not enforce access control, so the row is flagged. Both vertical checks (admin versus ordinary user) and horizontal checks (one user versus another) are supported. Length equality is only a heuristic: a flagged row is a candidate that still has to be confirmed by reading the actual response.
Core Highlight Features
1. Intelligent Privilege Detection
Multi‑permission comparison : every request is automatically replayed with the original credentials, with low‑privilege credentials and with no credentials, and the three responses are compared.
Smart deduplication : each request is hashed (MD5) over its URL, method and parameter names, so the same endpoint called with different parameter values is tested only once.
Response length analysis : response lengths are compared automatically; a replay whose length matches the original points to a missing access-control check.
2. Advanced Filtering System
HTTP method filter : batch filter specific methods such as OPTIONS, HEAD.
Endpoint path filter : precise path filtering with wildcard support.
Whitelist mechanism : flexible whitelist of in‑scope domains, so only the target's hosts are replayed.
Static resource filter : automatically skips images, CSS, JS, etc.
3. Parameter Replacement Engine
Smart parameter replacement : dynamic replacement for GET and POST parameters.
Multiple format support : compatible with form‑urlencoded, JSON, and other bodies.
Batch rule configuration : multiple rules, one per line, each in the form parameterName=newValue (参数名=新值).
4. Visual Data Presentation
Real‑time data table : clear tables with clickable rows for detailed packets.
Smart sorting : sort by ID, method, URL, response length, etc.
Result markers : ✔ means the replayed response has the same length as the original (possible privilege issue); ==> shows the exact length difference.
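To make the detection logic of sections 1, 3 and 4 concrete, here is a stand-alone Python simulation. It is an added example, not XiaYue's own code (the real plugin is a Java Burp extension): it builds the MD5 deduplication key from method, path and parameter names, applies parameterName=newValue replacement rules to query, JSON and form bodies, strips cookie/token headers for unauthenticated mode, replays each request at the three levels and marks rows with ✔ or ==> by response length. The target application, its session cookies, the order data and the sample requests are all constructed for the demo; `fake_app` stands in for the server so the script runs offline.

```python
import hashlib
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico", ".woff")  # static-resource filter
SKIP_METHODS = {"OPTIONS", "HEAD"}                                       # HTTP-method filter
AUTH_HEADERS = ("cookie", "authorization")                               # dropped in unauthenticated mode

# Constructed stand-in for the target application (not a real service).
SESSIONS = {"sid=admin-session": "admin", "sid=user-session": "user"}
ORDERS = {"1001": {"owner": "admin", "total": 999.0}, "2002": {"owner": "user", "total": 10.0}}

def _params(url, body):
    """Merge query-string and body (JSON object or form-urlencoded) parameters."""
    p = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    try:
        p.update(json.loads(body) if body else {})
    except ValueError:
        p.update(parse_qsl(body, keep_blank_values=True))
    return p

def fake_app(method, url, headers, body):
    """Returns (status, body). /api/admin/users is missing its authorization check."""
    path, params = urlsplit(url).path, _params(url, body)
    role = SESSIONS.get(headers.get("Cookie", ""))
    if path == "/api/admin/users":                  # BUG: no role check at all
        return 200, json.dumps({"users": ["alice", "bob", "carol"]})
    if path == "/api/admin/config":                 # correct: admin only
        if role != "admin":
            return 403, json.dumps({"error": "forbidden"})
        return 200, json.dumps({"debug": True, "smtp_password": "hunter2"})
    if path == "/api/order":                        # correct: object-level check by owner
        order = ORDERS.get(str(params.get("id", "")))
        if role is None:
            return 401, json.dumps({"error": "unauthenticated"})
        if order is None or order["owner"] != role:
            return 403, json.dumps({"error": "not your order"})
        return 200, json.dumps(order)
    return 404, json.dumps({"error": "not found"})

def dedup_key(method, url, body):
    # MD5 over method, path and sorted parameter NAMES (values ignored): ?page=1 and ?page=2 collapse into one test.
    names = ",".join(sorted(_params(url, body)))
    return hashlib.md5("|".join([method.upper(), urlsplit(url).path, names]).encode()).hexdigest()

def strip_auth(headers):  # unauthenticated mode: remove cookie/token headers
    return {k: v for k, v in headers.items() if k.lower() not in AUTH_HEADERS}

def apply_param_rules(url, body, rules):
    """Apply 'name=newValue' rules to query, JSON-object and form-urlencoded parameters."""
    parts = urlsplit(url)
    q = [(k, rules.get(k, v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_url = parts._replace(query=urlencode(q)).geturl()
    try:
        data = json.loads(body)
    except ValueError:                              # not JSON (or empty): treat as a form body
        form = [(k, rules.get(k, v)) for k, v in parse_qsl(body, keep_blank_values=True)]
        return new_url, urlencode(form)
    if isinstance(data, dict):
        data = {k: rules.get(k, v) for k, v in data.items()}   # rule values are strings
    return new_url, json.dumps(data)

def compare(send, method, url, headers, body, low_cookie, rules):
    """Replay one request as original, low-privilege and unauthenticated and mark the result."""
    _, orig = send(method, url, headers, body)
    low_url, low_body = apply_param_rules(url, body, rules)
    _, low = send(method, low_url, dict(strip_auth(headers), Cookie=low_cookie), low_body)
    _, none = send(method, url, strip_auth(headers), body)
    # ✔ = same length as the original (possible privilege issue); ==> = exact difference
    mark = lambda n: "✔" if n == len(orig) else "==> %+d" % (n - len(orig))
    return {"method": method, "url": url, "orig_len": len(orig), "low_len": len(low),
            "none_len": len(none), "vertical": mark(len(low)), "unauth": mark(len(none))}

def run(requests, low_cookie, rules=None, send=fake_app):
    """Filter, deduplicate and compare a list of captured high-privilege requests."""
    seen, rows, rules = set(), [], rules or {}
    for method, url, headers, body in requests:
        if method.upper() in SKIP_METHODS or urlsplit(url).path.lower().endswith(STATIC_EXT):
            continue
        key = dedup_key(method, url, body)
        if key not in seen:
            seen.add(key)
            rows.append(compare(send, method, url, headers, body, low_cookie, rules))
    return rows

# Constructed sample traffic captured from the high-privilege (admin) session.
ADMIN = {"Cookie": "sid=admin-session", "Accept": "application/json"}
SAMPLE_REQUESTS = [
    ("GET", "https://app.example/api/admin/users?page=1", ADMIN, ""),
    ("GET", "https://app.example/api/admin/users?page=2", ADMIN, ""),   # dropped by dedup
    ("GET", "https://app.example/api/admin/config", ADMIN, ""),
    ("POST", "https://app.example/api/order", ADMIN, '{"id": "1001"}'),
    ("GET", "https://app.example/static/app.js", ADMIN, ""),             # static filter
    ("OPTIONS", "https://app.example/api/admin/config", ADMIN, ""),      # method filter
]

if __name__ == "__main__":   # rule id=2002 replays the order request with the low user's own id
    for r in run(SAMPLE_REQUESTS, "sid=user-session", {"id": "2002"}):
        print(r["method"], r["url"], r["orig_len"], r["low_len"], r["none_len"], r["vertical"], r["unauth"])
```

Run as is, the table has three rows: the unprotected /api/admin/users endpoint is marked ✔ for both the low-privilege and the unauthenticated replay, /api/admin/config shows a negative ==> difference because the 403 body is shorter, and /api/order shows a small difference because the replacement rule swapped in the low-privilege user's own order. That last case is the reminder from the summary in practice: a short length difference can hide a real finding or a harmless one, so marked rows are candidates to read, not verdicts.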
5. Authentication Management
Low‑privilege authentication : configure cookies, tokens, etc.
Unauthenticated mode : remove authentication fields to test unauthenticated access.
Universal cookie : generic cookie configuration for various scenarios.
Right‑click extraction : quick extraction of auth info from requests.
6. Persistent Configuration
Auto‑save : configurations saved locally.
Restart recovery : restores settings after Burp Suite restart.
Quick setup : right‑click dialog for fast configuration.
Config migration : import/export of configuration files.
7. Performance Optimizations
Smart caching : pre‑split filter arrays to avoid redundant string ops.
Asynchronous processing : non‑blocking request handling.
Memory management : automatic cleanup of old data.
Debug optimization : reduced redundant logging.
The plugin is intended for authorized security testing only; illegal use is prohibited.
How to Use the XiaYue Plugin
Download the release JAR (v2.3) and import it into Burp Suite.
Set the low‑privilege credentials: log in with a low‑privilege account, copy its cookie from the browser, and paste it into the plugin's low‑privilege area (or use the right‑click extraction on a captured request).
Enable unauthenticated mode so that each request is also replayed with its cookie and token headers removed.
Browse the application through Burp's proxy while logged in as the high‑privilege account. Each proxied request is replayed at the lower privilege levels and appears in the plugin's request list; rows marked ✔ are candidates for privilege issues and should be checked by hand.
Summary
Problem: Manual privilege testing is time‑consuming and error‑prone, and does not meet a zero‑tolerance standard.
Solution: XiaYue replays every request at three permission levels in parallel and compares response lengths, adding deduplication, filtering and parameter replacement across seven modules, all integrated into Burp Suite.
Implementation: Download the v2.3 JAR → import it → configure the low‑privilege credentials → enable unauthenticated mode → browse as the high‑privilege account, focusing on the marked high‑risk requests.
Benefit: The author reports a more than tenfold improvement in detection efficiency; the false‑positive rate is kept manageable with whitelists and filters, and persistent configuration allows reuse across sessions.
Reminder: Marked results still require manual verification; test only in authorized environments, clean up logs regularly, and back up configurations.
Wukong Talks Architecture
Explaining distributed systems and architecture through stories. Author of the "JVM Performance Tuning in Practice" column, open-source author of "Spring Cloud in Practice PassJava", and independently developed a PMP practice quiz mini-program.