Release of Burp Extension DetectDynamicJS

by Veit Hailperin

Today scip AG releases a new extension for Burp Suite, the de facto standard web application audit tool. The extension, written by Veit Hailperin, is titled DetectDynamicJS. It compares JavaScript files to determine whether they were dynamically generated. JavaScript content is dynamically generated for various reasons. Occasionally the generated JavaScript contains not only code but also sensitive data such as usernames and session information. Sebastian Lekies, Ben Stock, Martin Wentzel and Martin Johns describe the dangers that arise from dynamically generated JavaScript in their paper The Unexpected Dangers of Dynamic JavaScript. This extension is intended to facilitate the hunt for vulnerabilities by providing publicly available code that automates the first two steps outlined in the paper. It is licensed under the GNU Public License and is available for free.

Usage

The extension can be loaded through the Extender tab. To trigger the extension, start a passive scan of JavaScript files. To get helpful results, an authenticated user should first identify as many existing JavaScript files as possible; Burp Spider can assist with this. Afterwards, all JavaScript files should be requested again, this time without being authenticated. Once the JavaScript files have been collected both authenticated and unauthenticated, run the passive scanner on all of them. If differing content is discovered, the finding is reported as an issue in the Target tab.

Screenshot of the Extension

The Response tabs will feature the different files and display the differences.

Differences Between Files Are Highlighted

Note: It is worth scanning files that have the same file size as well, because the differing content can have the same length.

After successful identification of differences and elimination of false positives (e.g. advertisement banners), the real work starts and the test can be concluded manually.
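
The comparison described under Usage, including the same-size case from the note, sketched as an added example; it is not the extension's own code. The sample script bodies are constructed, and the second authenticated fetch used to set aside per-request noise such as ad slots is an assumption that goes beyond what the page describes.

```python
from difflib import SequenceMatcher

# Constructed sample bodies for one script URL (not captured traffic).
AUTH = '''var cfg = {lang: "en"};
var user = "alice";
var adSlot = "a81";
function init() { render(cfg); }'''
AUTH_REPEAT = AUTH.replace('"a81"', '"c07"')   # same session, fetched again
UNAUTH = AUTH.replace('"alice"', '"guest"').replace('"a81"', '"f33"')  # no cookies


def differing_lines(base, other):
    """Indices of lines in `base` that are changed or missing in `other`."""
    a, b = base.splitlines(), other.splitlines()
    changed = set()
    for tag, i1, i2, _, _ in SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag != "equal":
            changed.update(range(i1, i2))  # pure inserts add no index of `base`
    return changed


def classify(auth, auth_repeat, unauth):
    """Compare authenticated and unauthenticated copies of one script."""
    lines = auth.splitlines()
    noise = differing_lines(auth, auth_repeat)           # changes on every request
    by_session = differing_lines(auth, unauth) - noise   # changes with auth state
    return {
        "dynamic": auth != unauth,
        "same_length": len(auth) == len(unauth),
        "session_dependent": [lines[i] for i in sorted(by_session)],
        "noise": [lines[i] for i in sorted(noise)],
    }


if __name__ == "__main__":
    for key, value in classify(AUTH, AUTH_REPEAT, UNAUTH).items():
        print(f"{key}: {value}")
```

The lines listed under `session_dependent` are the candidates for manual review; a length comparison alone would have skipped this file.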

Update 2016/01/12, 9.15am

The extension is now available in the official BApp Store.

About the Author

Veit Hailperin

Veit Hailperin has been working in information security since 2010. His research focuses on network and application layer security and the protection of privacy. He presents his findings at conferences.
