Research Academy
My account Customers About Blog Careers Legal Contact Resellers
  1. Support Center
  2. BApp Store
  3. Detect Dynamic JS

Professional

Detect Dynamic JS

Download BApp

This extension compares JavaScript files with each other to detect dynamically generated content and content that is only accessible when the user is authenticated. This occasionally contains not only code but also data with user or session information. User/session information can then be checked for potential leakage. This extension is supposed to help hunting for exploitable situations.


To trigger the extension, simply launch a passive scan of your JavaScript files that you have requested as authenticated user. Despite being a passive scan, the extension will generate one or sometimes two request per script without cookies to get the non-authenticated version of the script.

If the same script is found to contain differing content, the extension will report an issue in the Target tab.


Requires Jython 2.7 and difflib.

More information about Dynamically Generated JavaScript and hunting for related bugs can be found on the project page: https://github.com/luh2/DetectDynamicJS

Author

 Author

Veit Hailperin

Version

 Version

0.10

Rating

 Rating

Popularity

 Popularity

Last updated

 Last updated

17 December 2018

Estimated system impact

 Estimated system impact

Overall impact: Low

Memory
Low
CPU
Low
General
Low
Scanner
Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore

Note:

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.