Burp Suite extension to scan for sensitive strings in HTTP messages

• SensitiveDiscoverer
  • Introduction
    • Features
    • Screenshots
    • About the used regexes
  • Installation
    • Using the BApp Store
    • Manual install
  • Usage
    • Importing Lists
  • How to compile from source code
    • Using Maven from CLI
  • About us
  • References

Burp Suite is a useful tool used to do web application security testing. While Burp Suite provides a lot of functionalities, it does not offer the opportunity to scan for particular pattern or file extensions inside HTTP messages. Checking every message by hand can be a very tedious process.

SensitiveDiscoverer is a Burp Suite extension that solves this problem. With this extension you can automatically search sensitive strings in HTTP messages.

It uses a list of Regular Expressions and File Extensions to match for in each message. The plugin is available with a pre-defined set of Regular Expression and File Extensions, but you can also add your custom lists.

• Multithreaded scan of messages
• Pre-defined set of regex
• Many filters to skip irrelevant messages
• Customizable regexes lists
• Import/Export regexes with CSV files

Main page with the results of the scan:

Options tab to configure filters and scanner options:

We aim to provide a default set of regexes that can be used in as many cases as possible without numerous false positives.

As the source, many regexes are written by us, and any other should have the appropriate mention in the References section.

Each Proxy list row is divided into sections to improve the matching results and reduce the scan times. As of now, there are five sections:

• Request
  • Request URL
  • Request Headers
  • Request Body
• Response
  • Response Headers
  • Response Body

The extension works with two lists of regexes. One list is for general regexes, which only matches within the Response sections; The other is for filename extensions and only matches the Request URL.

The extension is available in the BApp Store inside Burp's Extender tab

To install the SensitiveDiscoverer extension manually:

1. Download newest SensitiveDiscoverer from the Release page.
2. Go to Extender -> Extension. Click Add. Set Extension type to Java. Set the path of the (.jar) to the file downloaded at step 1.
3. SensitiveDiscoverer should appear inside Burp Extension list, and a new tab will appear.

The default configuration already has a list of regular expressions and file extensions.

To see the predefined list go to the Options tab. There you can choose which of them to activate, and you can also insert your own regular expressions.

These are the actions available to manage the lists:

• New: a pop-up will appear to insert a new regex or extension.
• Delete: the currently selected row will be deleted from the list.
• Clear: the list will be emptied.
• Reset: the plugin will reset to the default list.
• Open: a pop-up will appear to import a list of regex or extensions from a .csv file. For the required file format, refer to the Importing Lists section.
• Save: the current list will be saved to a .csv.
• Enable all: disable all the regexes in the current section.
• Disable all: enable all the regexes in the current section.

After customizing the lists it is now possible to start scanning for sensitive information inside HTTP messages. The plugin offers the following mode of operations:

1. Analyze HTTP History: the plugin will parse all http history generated up to that moment, matching all active patterns.

Using the "Open" and "Save" buttons it's possible to import custom lists, and save the current list to a file.

The files must have the .csv extension.

Each line in the file represents an entry and should have the following format: "Description","Regex". The quotation marks and the comma are required.

Regexes must be compliant with the Java's Regexes Style. If in doubt, use regex101 with the Java 8 flavour to test regexes.

The extension was compiled with OpenJDK 17.

The BApp can be compiled with Maven by following these steps:

1. View > Tool Windows > Maven.
2. On the new right panel expand the Lifecycle folder.
3. Double-click on "Install".

The compiled extension will be in the "/target" folder.

As an alternative, run the following command:

mvn clean package

Since 2014 we have been working with our customers to shield their critical business infrastructures. We are qualified security specialists with a strong commitment to addressing our clients' needs, and keeping them secured against today's cyber threats.

Check out our site and our blog for more information.

The following is a list of sources for some regexes used in this extension. Many thanks to all!

• https://github.com/eth0izzle/shhgit
• https://github.com/streaak/keyhacks