
Introduction:
Penetration testers often struggle to keep track of every discovered endpoint and parameter during an assessment, leading to incomplete attack surface coverage and potential security gaps. The Pentest Coverage Tracker Burp Suite extension automatically logs all discovered endpoints and verifies which have been tested, providing real-time visibility into your assessment completeness and helping teams demonstrate due diligence.
Learning Objectives:
- Understand the importance of endpoint coverage tracking in modern web application penetration testing.
- Learn to install, configure, and use the Pentest Coverage Tracker Burp extension effectively.
- Integrate automated coverage tracking into your testing workflow and generate compliance-ready reports.
You Should Know:
1. Setting Up Burp Suite and the Pentest Coverage Tracker Extension
Before using the tracker, ensure Burp Suite is properly installed with Java support. This extension works with both Community and Professional editions.
Step‑by‑step guide:
- Install Java (required for Burp):
  - Linux (Debian/Ubuntu): `sudo apt update && sudo apt install openjdk-17-jdk -y`
  - Windows: Download from adoptium.net or use `winget install EclipseAdoptium.Temurin.17.JDK`
- Download Burp Suite from PortSwigger and install it.
- Install the Pentest Coverage Tracker extension:
  - Download the JAR file from the GitHub release page: `https://github.com/codewithvamp/Burp-Pentest-Coverage-Tracker/releases`
  - In Burp Suite, go to Extender → Extensions → Add.
  - Select Extension Type: Java, then load the downloaded JAR file.
- Verify installation: a new tab named “Coverage Tracker” should appear.
- Configure tracking options:
  - In the Coverage Tracker tab, enable “Log discovered endpoints” and “Mark as tested when request sent”.
  - Set a project name to organize multiple assessments.
What this does: The extension hooks into Burp’s proxy and scanner, automatically recording every unique URL and parameter combination. When you send any request (manually or via Intruder/Scanner), it tags that endpoint as “tested,” giving you a live coverage map.
2. Mapping the Attack Surface with Spider and Crawl
To build an initial endpoint list, use Burp’s automated crawling tools alongside the tracker.
Step‑by‑step guide:
- Launch Burp Suite and configure your browser proxy to 127.0.0.1:8080.
- Use Burp Spider (Professional) or manual crawling (Community):
  - Right-click on your target in Target → Site map → Spider this host.
  - For Community edition, manually browse the application while the proxy is active.
- Leverage passive scanning to catch endpoints from JavaScript and API responses:
  - Go to Target → Scope → add your target domain.
  - Enable Passive Scanning under Scanner → Scan details.
- Export discovered endpoints from the Coverage Tracker tab:
  - Click “Export endpoints (JSON)” – this lists all URLs, methods, and parameters.
Linux/Windows command examples for additional endpoint discovery:
```bash
# Linux: use gau (Get All URLs) to fetch known endpoints from the Wayback Machine
gau example.com | tee endpoints.txt
# Windows: use ffuf for directory brute-forcing
ffuf -u https://example.com/FUZZ -w /path/to/wordlist -o ffuf_results.json
```
Integrating with the tracker: Import these external endpoint lists via the Coverage Tracker’s “Import endpoints” button to ensure nothing is missed.
3. Tracking Endpoint Coverage During Active Testing
Once endpoints are discovered, you need to verify which parameters have been tested. The tracker automatically updates statuses.
Step‑by‑step guide:
- Send a request to Intruder for fuzzing:
  - Highlight a request containing parameters (e.g., `?id=1&user=admin`).
  - Right-click → Send to Intruder.
  - Configure payload positions and start the attack.
- Check coverage status in real time:
  - Switch to the Coverage Tracker tab. Each endpoint appears with the columns Discovered, Tested, and Last Tested Time.
  - As Intruder sends requests, the tracker marks those parameters as “Tested”.
- Manually mark an endpoint as tested if you performed a non‑Burp test:
  - Right-click on an endpoint in the tracker → Mark as tested.
- Identify untested attack surfaces:
  - Filter the tracker by Tested = No. These are high‑priority targets remaining.
Example vulnerability exploitation scenario:
Suppose you discover `/api/v1/users?role=guest` but never test the `role` parameter. An attacker could change it to `admin` – a classic IDOR. The tracker shows this endpoint as “discovered, not tested”, prompting you to insert a payload like `admin' OR '1'='1` and check for privilege escalation.
4. Advanced Parameter Testing Using Burp Intruder and Custom Payloads
Combine the coverage tracker with aggressive fuzzing to ensure every parameter is automatically tested.
Step‑by‑step guide:
- Create a custom payload wordlist for parameter injection. Save this as `injection_payloads.txt`:
  ```text
  ' OR '1'='1
  " OR "1"="1
  ; sleep 5 --
  <script>alert(1)</script>
  ../../etc/passwd
  ${77}
  ```
- Configure Intruder to test each parameter value:
  - Choose Attack type: Pitchfork or Sniper.
  - Under Payloads, load `injection_payloads.txt`.
- Automatically log tested parameters:
  - After the attack finishes, the Coverage Tracker will have marked every endpoint+parameter combination as Tested.
  - Review “Test count per endpoint” to see which received multiple payloads.
Linux command to monitor coverage in real time using `jq`:
```bash
# Export the tracker JSON, then filter out the untested endpoints
jq '.[] | select(.tested == false) | .url' coverage_export.json
```
For API security: Use the tracker to validate that every API endpoint (especially undocumented ones) receives security tests. Combine with Postman and Burp’s API scanner by importing OpenAPI/Swagger files into Burp via the OpenAPI Parser extension.
5. Generating Coverage Reports for Compliance and Team Handoff
Demonstrating thorough testing is critical for compliance (PCI DSS, ISO 27001, SOC 2). The tracker exports detailed reports.
Step‑by‑step guide:
- Generate an HTML report from the Coverage Tracker:
  - Click “Generate Report” → Choose HTML.
  - The report includes:
    - Total discovered endpoints
    - Tested vs. untested counts
    - Timestamp of last test per endpoint
    - Parameters marked as high/medium/low risk (if you add manual tags)
- Export in CSV format for integration with spreadsheets or vulnerability management tools:
  - Use “Export CSV” – import into Excel or Jira for actionable tickets.
- Create a coverage dashboard using the ELK stack or Splunk:
  - Export JSON logs continuously via the extension’s “Log to file” option.
  - Use Logstash to ingest and Kibana to visualize untested endpoints over time.
Windows PowerShell command to parse the CSV and list untested endpoints:
```powershell
Import-Csv coverage.csv | Where-Object { $_.Tested -eq 'False' } | Select-Object URL, Parameters | Out-File untested.txt
```
6. Integrating Coverage Tracking into CI/CD for Continuous Security
Modern DevOps pipelines require automated security validation. While the Burp extension is GUI‑focused, you can script its functionality for headless environments.
Step‑by‑step guide:
- Use Burp’s REST API (Professional only) to automate coverage tracking. Start Burp in headless mode (Linux):
  ```bash
  java -jar burpsuite_pro.jar --headless --project-file=coverage_project.burp
  ```
- Write a Python script that uses `burp-api` to import endpoints and compare with tested status:
  ```python
  import json
  import requests

  burp_api = "http://localhost:8080/api/v1"

  # Get discovered endpoints from a DAST scan (e.g., ZAP)
  with open("zap_output.json") as f:
      zap_endpoints = json.load(f)

  # Push each endpoint into the tracker so it is recorded as discovered
  for ep in zap_endpoints:
      r = requests.post(f"{burp_api}/coverage/import", json={"url": ep["url"]})
      r.raise_for_status()
  ```
- Integrate with GitHub Actions to fail builds if untested endpoints exceed a threshold. Export the coverage JSON, then use `jq` to count `tested==false`:
  ```yaml
  - name: Check coverage
    run: |
      UNTESTED=$(jq '[.[] | select(.tested==false)] | length' coverage.json)
      if [ "$UNTESTED" -gt 10 ]; then exit 1; fi
  ```
Cloud hardening tip: For AWS or Azure environments, combine coverage tracking with cloud security posture management (CSPM). Map discovered endpoints to cloud resources (e.g., API Gateway, Lambda) and ensure each has undergone IAM role testing and injection fuzzing.
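The export-driven workflow of sections 2 through 6 (filter untested endpoints, reconcile external discovery lists with the tracker, gate a build on a threshold) as one offline script. This is an added example, not the extension's own code; the export schema (keys `url`, `method`, `parameters`, `tested`, `last_tested`) and `SAMPLE_EXPORT` are assumptions, since the page only shows `url` and `tested` being used by `jq`.

```python
"""Analyse a Coverage Tracker JSON export offline (added example, not the
extension's own code). Assumed schema, not confirmed by the extension: a JSON
array of objects with keys url, method, parameters (list of names), tested
(bool) and last_tested (ISO timestamp or null). SAMPLE_EXPORT is constructed."""
import json
import sys
from urllib.parse import urlsplit
SAMPLE_EXPORT = json.dumps([  # constructed sample, not real assessment data
    {"url": "https://app.example/api/v1/users", "method": "GET",
     "parameters": ["role"], "tested": True, "last_tested": "2024-05-01T10:02:00Z"},
    {"url": "https://app.example/api/v1/users/1", "method": "GET",
     "parameters": [], "tested": False, "last_tested": None},
    {"url": "https://app.example/update_user", "method": "POST",
     "parameters": ["name", "email"], "tested": False, "last_tested": None},
])

def load_export(text):
    """Parse the export, keeping only entries that carry the fields we rely on."""
    return [e for e in json.loads(text) if all(k in e for k in ("url", "tested"))]

def untested(entries):
    """Same selection as jq '.[] | select(.tested == false) | .url'."""
    return [e["url"] for e in entries if e["tested"] is False]

def summary(entries):
    """Counts behind the tracker's Tested/untested columns, plus a percentage."""
    total = len(entries)
    done = sum(1 for e in entries if e["tested"])
    pct = round(100.0 * done / total, 1) if total else 0.0
    return {"discovered": total, "tested": done, "untested": total - done, "percent": pct}

def missing_from_tracker(entries, external_urls):
    """URLs from an external tool (gau, ffuf) the tracker never logged, compared on
    scheme+host+path so differing query strings are not reported as misses."""
    def key(u):
        p = urlsplit(u)
        return (p.scheme, p.netloc, p.path.rstrip("/"))
    known = {key(e["url"]) for e in entries}
    return sorted({u for u in external_urls if key(u) not in known})

def gate(entries, max_untested):
    """CI-style gate like the GitHub Actions step: True when within the threshold."""
    return summary(entries)["untested"] <= max_untested

if __name__ == "__main__":
    data = load_export(SAMPLE_EXPORT)
    print(summary(data))
    print("untested:", untested(data))
    sys.exit(0 if gate(data, max_untested=10) else 1)
```

Point `load_export` at a real export and feed `missing_from_tracker` the lines of `endpoints.txt` from gau to get the list of URLs still to import.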
7. Mitigating OWASP API Security Risks Using Coverage Data
The top OWASP API risks (broken object level authorization, excessive data exposure, mass assignment) often hide in untested endpoints. Use tracker output to systematically mitigate them.
Step‑by‑step guide:
- Identify endpoints with untested parameters from the tracker CSV.
- For each untested endpoint, run an automated exploit test:
  - For BOLA: Send requests with sequential IDs (`/users/1`, `/users/2`). The tracker will log both.
  - For mass assignment: Include unexpected parameters (`/update_user` with `is_admin=true`).
- Use a command‑line fuzzer like `ffuf` on untested endpoints discovered by the tracker:
  ```bash
  # Extract all untested endpoints from the tracker JSON (after export)
  jq -r '.[] | select(.tested==false) | .url' coverage.json > untested_urls.txt
  # Run ffuf on each URL with parameter fuzzing; ffuf substitutes the FUZZ keyword,
  # so put it in the value of the parameter under test (id is only an example)
  ffuf -u '<url>?id=FUZZ' -w injection_payloads.txt -fc 404
  ```
- Remediation guidance: For each untested endpoint that shows a vulnerability, produce a mitigation step:
  - Implement proper authorization checks.
  - Use allowlists for parameter names.
  - Rate‑limit and log anomalous parameter usage.
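The mass assignment case above (`/update_user` with `is_admin=true`) and the three remediation points, as an added example that is not from the page or the extension: a handler that copies every submitted parameter onto the record, beside one with an authorization check, a parameter allowlist, and logging of rejected parameter names for the rate-limiting feed. The record layout and field names are assumptions for illustration.

```python
"""Mass assignment on /update_user: vulnerable handler beside a hardened one.
Added example; store layout and field names are assumed, not from any project."""
from copy import deepcopy

ALLOWED_FIELDS = {"name", "email"}   # allowlist of parameters a user may set

def update_user_vulnerable(store, target_id, payload):
    """Copies every submitted parameter onto the record, so is_admin=true lands."""
    store[target_id].update(payload)
    return store[target_id]

class Forbidden(Exception):
    pass

def update_user_hardened(store, actor_id, target_id, payload, audit_log):
    """Authorization check, parameter allowlist, and logging of rejected keys."""
    actor = store[actor_id]
    if actor_id != target_id and not actor.get("is_admin"):
        audit_log.append({"actor": actor_id, "event": "unauthorized_update",
                          "target": target_id})
        raise Forbidden("not owner or admin")
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        # Anomalous parameter usage is logged; a rate limiter can key on this event.
        audit_log.append({"actor": actor_id, "event": "unexpected_params",
                          "params": sorted(unexpected)})
    record = store[target_id]
    record.update({k: v for k, v in payload.items() if k in ALLOWED_FIELDS})
    return record

def demo():
    """Run the constructed is_admin=true payload through both handlers."""
    store = {1: {"name": "guest", "email": "g@example.test", "is_admin": False},
             2: {"name": "admin", "email": "a@example.test", "is_admin": True}}
    attack = {"name": "guest", "is_admin": True}  # constructed mass-assignment payload
    vuln = update_user_vulnerable(deepcopy(store), 1, attack)["is_admin"]
    log = []
    hard = update_user_hardened(store, 1, 1, attack, log)["is_admin"]
    return vuln, hard, log
```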
What Undercode Say:
- Key Takeaway 1: Automated coverage tracking eliminates human memory lapses, ensuring every discovered endpoint receives security testing – a critical step often omitted in time‑pressed assessments.
- Key Takeaway 2: Integrating the Pentest Coverage Tracker into CI/CD pipelines bridges the gap between DAST tools and manual penetration testing, providing continuous visibility of attack surface coverage.
The modern application landscape – with microservices, GraphQL, and REST APIs – presents hundreds of endpoints per release. Manual tracking leads to dangerous blind spots. The Pentest Coverage Tracker turns an ethical hacker’s chaotic checklist into a structured, verifiable, and reportable process. By adopting this tool, teams can move from “I think I tested everything” to “I know exactly what is untested and why.” Furthermore, combining coverage data with automated fuzzing (via Intruder, ffuf, or custom scripts) creates a powerful feedback loop: discover → test → mark → report → remediate. For red teams, this extension provides defensible evidence of scope completion; for blue teams, it highlights which parts of the application remain unvalidated. As attack surfaces grow exponentially, coverage tracking will become as fundamental as the proxy itself.
Prediction: Within two years, endpoint coverage tracking will be a built‑in feature of all major penetration testing frameworks (Burp, ZAP, Caido). Extensions like Pentest Coverage Tracker will evolve into AI‑driven modules that not only log endpoints but also prioritize untested ones based on risk (e.g., exposure of PII, authentication bypass potential). Compliance standards (PCI 4.0, ISO 27001:2025) will likely mandate automated coverage reporting for any external penetration test, turning “coverage completeness” into a contractual requirement. Additionally, we expect to see integration with LLMs that generate custom payloads specifically for untested parameter types, further reducing the manual burden while increasing test depth. The future of ethical hacking is not just about finding bugs – it’s about proving, beyond doubt, that you didn’t miss any.
Reported By: Pethu Cybersecurity – Hackers Feeds