I want a "Red Teaming"
Michael Schneider
Today scip AG releases a new extension for the de facto standard web application audit tool Burp Suite. The extension was written by Veit Hailperin and is titled DetectDynamicJS. It compares JavaScript files to determine if they were dynamically generated. There are various reasons why JavaScript content is dynamically generated. Occasionally the generated JavaScript does not only contain code, but also sensitive data such as usernames and session information. Sebastian Lekies, Ben Stock, Martin Wentzel and Martin Johns describe the dangers that arise from dynamically generated JavaScript in their paper The Unexpected Dangers of Dynamic JavaScript. This extension is intended to facilitate the hunt for vulnerabilities by providing publicly available code that automates the first two steps outlined in the paper. This extension is licensed under GNU Public License and is available for free.
The extension can be loaded through the Extender tab. To trigger the extension start a passive scan of JavaScript files. To get actually helpful results, an authenticated user should first identify as many existing JavaScript files as possible. This process can be assisted by the use of Burp Spider. Afterwards all JavaScript files should be accessed again, but this time without being authenticated. Having collected the JavaScript files as authenticated and unauthenticated it is now time to run the passive scanner on all JavaScript files. If differing content was discovered, the finding is reported as issue in the Target tab.
The Response tabs will feature the different files and display the differences.
Note: It is worth scanning files that have the same file size, because the difference can also be the same length.
After successful identification of differences and elimination of false positives (e.g. advertisement banners), the real work starts and the test can be concluded manually.
The extension is now available in the official BApp Store.
We are going to monitor the digital underground for you!
Michael Schneider
Marisa Tschopp
Michèle Trebo
Andrea Covello
Our experts will get in contact with you!