Professional

Image Location and Privacy Scanner

This extension passively scans HTTP responses for embedded images and attempts to identify whether any contain GPS location metadata or potentially sensitive personal information. It is useful for spotting privacy issues in image uploads, such as photos unintentionally disclosing a user's location or other identifying details.

More information on this topic, including a white paper based on a real-world site audit given as a presentation at the New Jersey chapter of the OWASP organization, can be found at https://www.veggiespam.com/ils.

Features

  • Scans images in HTTP responses for embedded metadata
  • Detects GPS coordinates in EXIF data
  • Flags personal metadata such as author name, device information, or timestamps
  • Adds issues to Burp Scanner when sensitive metadata is found
  • Provides a clear summary of detected metadata in the scan issue detail

Usage

Once the extension is loaded, it automatically scans HTTP responses containing images and raises issues for images with embedded metadata.

Note: By default, Burp hides images. This has the side effect of also hiding any alerts detected by this plug-in. So, you will need to enable "Show Images" in the Target tab filter before you begin your testing. Then, in the "Target → Issues" pane, you will see the privacy exposure alerts raised.

  1. Send requests containing image responses to Burp Scanner.
  2. The extension will analyze the image data for EXIF metadata.
  3. If location or personal metadata is detected, a scan issue will be raised.
  4. Review the issue details to examine the specific metadata that triggered the alert.

Author

Author

Jay Ball @veggiespam www.veggiespam.com

Version

Version

1.2

Rating

Rating

Popularity

Popularity

Last updated

Last updated

13 June 2025

Estimated system impact

Estimated system impact

Overall impact: Low

Memory
Low
CPU
Low
General
Low
Scanner
Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore

Note:

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.