penafieljlm / burp-tracer

Allows you to trace where inputs are reflected back to the user.


Burp Tracer

This is a simple extension for Burp Suite which takes your current site map, extracts each request parameter, and searches for responses where its value is present. This tool was developed with output validation testing (e.g. XSS) in mind.

The tool respects the scope that you indicated in the "Scope" tab of the "Target" module.

Installation

  1. Clone this repository somewhere or download tracer.py
  2. Download Jython (http://www.jython.org/downloads.html) and install it anywhere you like.
  3. In Burp Suite, go to Extender > Options > Python Environment > Select File
  4. In the browsing window, go to the install location of Jython and select jython.jar
  5. In Burp Suite, go to Extender > Extensions > Add
  6. In the Extension Type dropdown, select Python
  7. In the Extension File field, select the tracer.py file that you acquired earlier
  8. A new Tracer tab should pop up in Burp Suite

Usage

It's simple. Just click "Start" and wait for it to complete.

The output tree's hierarchy is formatted in the following order:

  • Input Website
  • Input Endpoint
  • Input Request
  • Input Parameter
  • Output Website
  • Output Endpoint
  • Output Request
  • Output Excerpts

This way, you can see the corresponding responses where each input value is rendered.

FAQs

How is this different from Reflected Parameters or the "Input Returned" result generated by the Scanner?

I honestly can't say for sure since, as of the time I wrote the tool, I had never touched either the Scanner or the Reflected Parameters extension (primarily because I'm too poor to afford Burp Suite Pro).

However, by reading the description of the Reflected Parameters extension...

"This extension monitors traffic and looks for request parameter values (longer than 3 characters) that are reflected in the response."

...I can say that the main difference is this: Reflected Parameters searches for each parameter value only in the response to the request that carried the parameter, rather than across the entire site map.

Tracer searches the entire site map. For example, say you register an account on a website by submitting the username parameter to the /register.php endpoint. Reflected Parameters would light up if the response to the POST to /register.php contains the username you entered. Tracer, on the other hand, would light up even if the response to /register.php doesn't contain the username, as long as it shows up elsewhere in the site.
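
The difference described above, as an added example (not code from tracer.py): a stand-alone Python model that extracts parameters from a constructed site map and searches every response for each value, with a flag that limits the search to the request's own response for comparison. The site map entries, function names and the `min_len` cutoff are assumptions made for illustration; no Burp API is used.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed site map: (method, url, request body, response body). Not real traffic.
SITE_MAP = [
    ("POST", "http://shop.example/register.php", "username=tracer_demo&pw=hunter22",
     "<p>Registration complete.</p>"),
    ("GET", "http://shop.example/profile.php?id=1042", "",
     "<h1>Welcome back, tracer_demo</h1>"),
    ("GET", "http://shop.example/search.php?q=blue+widgets", "",
     "<p>No results for blue widgets</p>"),
]

def parameters(url, body):
    """Yield (name, decoded value) for query-string and form-body parameters."""
    for source in (urlsplit(url).query, body):
        for name, value in parse_qsl(source, keep_blank_values=True):
            yield name, value

def excerpt(text, start, length, context=20):
    """Return the match plus a little surrounding text, like an output excerpt."""
    return text[max(0, start - context):start + length + context]

def trace(site_map, min_len=4, same_response_only=False):
    """Return findings as (input url, parameter, output url, excerpt).

    min_len is an assumed noise cutoff, not a documented Tracer setting.
    same_response_only=True models checking only the request's own response.
    """
    findings = []
    for i, (_, in_url, body, _) in enumerate(site_map):
        for name, value in parameters(in_url, body):
            if len(value) < min_len:
                continue  # very short values match almost everywhere
            for j, (_, out_url, _, response) in enumerate(site_map):
                if same_response_only and i != j:
                    continue
                pos = response.find(value)
                if pos != -1:
                    findings.append(
                        (in_url, name, out_url, excerpt(response, pos, len(value))))
    return findings

if __name__ == "__main__":
    for finding in trace(SITE_MAP):
        print(finding)
```

This sketch matches the decoded value literally, so a response that HTML-encodes or otherwise transforms the value before rendering it will not match.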

How is this different from simply searching for parameter values using Ctrl+F?

For one, you don't have to manually sift through every parameter value in your site map and run a search for each one. This tool collects those parameter values and does the searching for you at the same time.

License: GNU General Public License v3.0