Burp Suite Extension to Discover Assets



Modern web application front-ends are commonly built with JavaScript frameworks such as ReactJS, AngularJS, or NodeJS, together with HTML and CSS.


Developers often leave comments and metadata in the code for debugging purposes, and those comments and metadata sometimes contain information about critical and sensitive assets such as internal IP addresses, sensitive or confidential domains, or URLs.


If the code ships to the production environment with those comments and metadata still in place, attackers can use that information to plan more targeted, active attacks.


Hence it is very important to check the front-end code, such as HTML, JavaScript, and CSS files, for any sensitive asset information.


Manually reviewing all the front-end code is very time-consuming and often not feasible, so to automate this task we can use the Asset Discover extension for Burp Suite.


Asset Discovery Extension Overview


The Asset Discover extension automates asset discovery by reviewing every HTTP response as part of Burp's passive scanning, looking for sensitive asset information such as domains, subdomains, IP addresses, S3 buckets, and so on.
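As an added illustration (this is not the extension's own code), the following Python function performs the kind of passive response review that Asset Discover automates: it scans a constructed HTTP response body for S3 bucket hostnames, IP addresses, and domains, labels private IP addresses as internal, skips the in-scope host itself, and records whether each hit sits inside an HTML or JavaScript comment. The regular expressions, the sample response, and the hostnames are assumptions made for this example.

```python
import ipaddress
import re

# Asset classes checked in this order, so an earlier class claims a value and an
# S3 hostname is not reported again as a plain domain. Patterns are this example's.
PATTERNS = [
    ("s3_bucket", re.compile(r"\b[a-z0-9.-]{3,63}\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|internal|local)\b", re.I)),
]
# HTML comments, JS block comments and JS line comments; the lookbehind stops the
# "//" in "https://" from being taken as the start of a line comment.
COMMENT_SPANS = re.compile(r"<!--.*?-->|/\*.*?\*/|(?<!:)//[^\n]*", re.S)


def find_assets(body, in_scope_host):
    """Return [(kind, value, location)]; location is "comment" or "body"."""
    comment_spans = [m.span() for m in COMMENT_SPANS.finditer(body)]
    seen, findings = set(), []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(body):
            value = m.group(0).lower()
            if value in seen or value == in_scope_host.lower():
                continue  # already reported, or the target host itself
            label = kind
            if kind == "ipv4":
                try:
                    ip = ipaddress.ip_address(value)
                except ValueError:
                    continue  # e.g. a version number such as 1.2.3.999
                # Private ranges are the ones a developer most likely never meant to ship.
                label = "internal_ip" if ip.is_private else "public_ip"
            seen.add(value)
            in_comment = any(s <= m.start() < e for s, e in comment_spans)
            findings.append((label, value, "comment" if in_comment else "body"))
    return findings


# Constructed response body standing in for one HTTP response seen by Burp.
SAMPLE_RESPONSE = """<!-- TODO remove before release: staging is https://staging-api.example.internal -->
<html><head><meta name="build-host" content="10.20.30.40"></head><body>
<script>
// debug: static assets are served from https://acme-assets.s3.amazonaws.com/app.js
var api = "https://www.example.com/v1";
/* legacy backend 192.168.1.25:8080 */
</script></body></html>"""

if __name__ == "__main__":
    for label, value, where in find_assets(SAMPLE_RESPONSE, "www.example.com"):
        print(f"{label:12} {value:35} ({where})")
```

A Burp passive scanner extension would run the same logic inside its doPassiveScan callback on each response and raise one issue per finding.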


How to Install Asset Discovery Extension


Step 1: Open a terminal.


Step 2: Enter the following command to clone the Asset Discover extension repository:


git clone https://github.com/redhuntlabs/BurpSuite-Asset_Discover.git 



Step 3: Open Burp Suite.


Step 4: Click on the Extender tab.



Step 5: Click the Add button.



Step 6: Set the Extension type to Python, select the Asset_Discover.py file in the cloned BurpSuite-Asset_Discover folder, and click Open. (Burp runs Python extensions through Jython, so the Jython standalone JAR must be configured under Extender > Options before this step.)




Step 7: Click the Next button and then click Close.


Once the Asset Discover extension is installed, it appears in the extensions list on the Extender tab.



How to use Asset Discover Extension


Asset Discover uses Burp Suite's passive scanning to review HTTP responses and identify sensitive asset information.


Steps to run the Asset Discover extension:


Step 1: Go to the Target tab in Burp Suite.


Step 2: Select and right-click the domain that you want to scan.




Once the scan is complete, the results are listed in the Issues tab.






Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
