1. Support Center
  2. BApp Store
  3. JavaScript Security

JavaScript Security


  • Linux OS
  • Ensure that Chrome/Chromium installed in a standard location
  • Obtain the appropriate chromedriver for your OS and version of Chrome (see: http://chromedriver.chromium.org/downloads/version-selection). Note the file location.

Adds passive checks to the Burp scanner. The following is a list of items it will look for:

  • Cross-Domain Script Includes (DOM)
  • JavaScript Missing Subresource Integrity Attributes
  • CORS Headers Do Not Require Subresource Integrity
  • Malicious/Vulnerable JavaScript Includes
  • Subresource Integrity Failed Validation
  • Cross-Domain Script Includes where DNS Resolution Fails

It does this by looking at the HTML received and loads the DOM via a headless Chromium instance using Selenium.


A "JavaScript Security" tab will appear in your burp session which allows you to configure two things:

  • The path to the chromedriver binary you want to use. This defaults to the bundled version appropriate for your operating system. Setting a chromedriver here will override the default.
  • The delay before evaluating the DOM (in seconds). As all of the JavaScript is gathered and run, the DOM may change over time. For advanced pages or slow connections, you might want to bump this up, but passive scans will take longer. The default, which I've had luck with, is 10 seconds.
  • It is possible to load indicators of compromise (IOCs) as JSON files through the GUI tab. Examples are provided in the intel folder.


    When you run passive checks, the checks installed will run. Any output or errors will appear on the Extender/Extensions tab under "JavaScript Security -- SRI and Threat Intel".

Author Peter Hefley
Version 1.1
Last updated 10 September 2019

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore