BurpSuite Extension – Asset Discover
Burp Suite extension to discover assets from HTTP response using passive scanning. Refer our blog Asset Discovery using Burp Suite for more details.
The extension is now part of the BApp store and can be installed directly from the Burp Suite. https://portswigger.net/bappstore/d927f0065171485981d6eb49a860fc3e
Description
Passively parses HTTP response of the URLs in scope and identifies different type assets such as domain, subdomain, IP, S3 bucket etc. and lists them as informational issues.
How it works?
The extension acts as a passive scanner which parses the response of the pages that are in scope and constantly keep an eye for an asset. These assets are identified and classified based on RegEx patterns for different kinds of assets.
Setup
- Setup the python environment by providing the jython.jar file in the ‘Options’ tab under ‘Extender’ in Burp Suite.
- Download the extension.
- In the ‘Extensions’ tab under ‘Extender’, select ‘Add’.
- Change the extension type to ‘Python’.
- Provide the path of the file ‘Asset_Discover.py’ and click on ‘Next’.
Usage
Add a URL to the ‘Scope’ under the ‘Target’ tab. The extension will start identifying assets through passive scan.
Requirements
Code Credits
A large portion of the base code has been taken from the following sources:
Really no matter if someone doesn’t understand then its up
to other people that they will assist, so here it takes place.