Image Location and Privacy Scanner

This extension passively scans HTTP responses for embedded images and attempts to identify whether any contain GPS location metadata or potentially sensitive personal information. It is useful for spotting privacy issues in image uploads, such as photos unintentionally disclosing a user's location or other identifying details.

More information on this topic, including a white paper based on a real-world site audit given as a presentation at the New Jersey chapter of the OWASP organization, can be found at https://www.veggiespam.com/ils.

Features

• Scans images in HTTP responses for embedded metadata
• Detects GPS coordinates in EXIF data
• Flags personal metadata such as author name, device information, or timestamps
• Adds issues to Burp Scanner when sensitive metadata is found
• Provides a clear summary of detected metadata in the scan issue detail

Usage

Once the extension is loaded, it automatically scans HTTP responses containing images and raises issues for images with embedded metadata.

Note: By default, Burp hides images. This has the side effect of also hiding any alerts detected by this plug-in. So, you will need to enable "Show Images" in the Target tab filter before you begin your testing. Then, in the "Target → Issues" pane, you will see the privacy exposure alerts raised.

1. Send requests containing image responses to Burp Scanner.
2. The extension will analyze the image data for EXIF metadata.
3. If location or personal metadata is detected, a scan issue will be raised.
4. Review the issue details to examine the specific metadata that triggered the alert.