Memory Considerations

The Attack Surface plugin loads all available response/request objects into memory to operate on them. As such, there is a potential for memory errors. Depending on the size of your web site, you should consider adding an appropriate amount of heap. For 32-bit JVMs, use as much as you can allocate. For 64-bit JVMs, start off by allocating 1-2 Gigabytes and add more if necessary.

Burp Installation

Let's first take a look at how to install the Burp version of the plugin. At the time of writing, the plugin is not accessible through the Burp App Store (BApp Store). However, it likely will be available there in the future, so it is worth mentioning how you might install via this route too. Assuming you have Burp up and running, click on the Extender tab to reveal this screen:

To access the Burp App Store, click the BApp Store tab. On the left you'll see a table of available plugins and on the right there is a description of each. If you select the .NET Beautifier app from the table and scroll the right pane to the bottom, you'll see the following screen:

The right pane has an Install button to install the plugin. In the future, you will be able to do this with the Attack Surface plugin. Until then, select the Extensions sub-tab and click the Add button to see this dialog:

Assuming you have already downloaded the Attack Surface plugin, click the Select file... button under Extension Details and select the plugin. Then click the Next button. Click the Close button in the remaining dialog. You should now see an Attack Surface tab on the far right of the top level tabs:

Now click the Attack Surface tab:

ZAP Installation

Let's now do the equivalent installation with ZAP. Once again, the Attack Surface plugin is not in the ZAP plugin Market Place, but likely be in the near future. If you are using a recent version of ZAP, you can click the Manage Add-ons button in the ZAP tool bar to get to this dialog:

Next, select the Market Place tab:

If Attack Surface was in the Market Place, you could install it by selecting the corresponding check box in the right-hand column and then clicking the Install Selected button.

Until it is available in the Market Place, you can install it manually by copying the downloaded Attack Surface plugin file to the plugin subdirectory where ever you installed ZAP. Once a plugin is installed you can manage it through the Installed tab of the Manage Add-ons dialog (accessible through the Manage Add-ons toolbar button).

Once Attack Surface is installed, you can access it through the Tools->Attack Surface menu:

Unlike Burp, Attack Surface will appear in its own window: