Today scip AG releases a new extension for the de facto standard web application audit tool Burp Suite. The extension was written by Veit Hailperin and is titled DetectDynamicJS. It compares JavaScript files to determine if they were dynamically generated. There are various reasons why JavaScript content is dynamically generated. Occasionally the generated JavaScript does not only contain code, but also sensitive data such as usernames and session information. Sebastian Lekies, Ben Stock, Martin Wentzel and Martin Johns describe the dangers that arise from dynamically generated JavaScript in their paper The Unexpected Dangers of Dynamic JavaScript. This extension is intended to facilitate the hunt for vulnerabilities by providing publicly available code that automates the first two steps outlined in the paper. This extension is licensed under GNU Public License and is available for free.

Usage

The extension can be loaded through the Extender tab. To trigger the extension start a passive scan of JavaScript files. To get actually helpful results, an authenticated user should first identify as many existing JavaScript files as possible. This process can be assisted by the use of Burp Spider. Afterwards all JavaScript files should be accessed again, but this time without being authenticated. Having collected the JavaScript files as authenticated and unauthenticated it is now time to run the passive scanner on all JavaScript files. If differing content was discovered, the finding is reported as issue in the Target tab.

The Response tabs will feature the different files and display the differences.

Note: It is worth scanning files that have the same file size, because the difference can also be the same length.

After successful identification of differences and elimination of false positives (e.g. advertisement banners), the real work starts and the test can be concluded manually.

Update 2016/01/12, 9.15am

The extension is now available in the official BApp Store.

About the Author

Veit Hailperin has been working in information security since 2010. His research focuses on network and application layer security and the protection of privacy. He presents his findings at conferences.

Links

• http://portswigger.net/burp
• https://github.com/luh2/DetectDynamicJS
• https://www.kittenpics.org/wp-content/uploads/2015/05/script-leakage.pdf