Burp Suite Extension to Discover Assets

Modern web application front-ends are commonly built with JavaScript frameworks such as ReactJS, AngularJS, or NodeJS, together with HTML and CSS.

Developers generally include comments and metadata in the code for debugging purposes, and those comments and metadata sometimes contain information about critical and sensitive assets such as internal IPs, sensitive or confidential domains, or URLs.

If code containing such comments and metadata is shipped to the production environment, potential attackers can use this data to perform more targeted, active attacks.

Hence it is very important to check front-end code (HTML, JavaScript, and CSS files) for any sensitive asset information.

Manually reviewing all the front-end code is very time-consuming and not feasible, so to automate this task, we can use the Asset Discover extension for Burp Suite.

Asset Discovery Extension Overview

The Asset Discovery extension automates the task of asset discovery by reviewing all HTTP responses as part of passive scanning to identify sensitive asset information such as domains, subdomains, IPs, S3 buckets, etc.

How to Install Asset Discovery Extension

Step 1: Open Terminal

Step 2: Enter the following command to clone the Asset Discover extension

git clone https://github.com/redhuntlabs/BurpSuite-Asset_Discover.git

Step 3: Open Burp Suite 

Step 4: Click on the Extender tab.

Step 5: Click on the Add Button

Step 6: Set the extension type to Python, select the Asset_Discover.py file in the BurpSuite-Asset_Discover folder, and click Open. (Burp loads Python extensions through Jython, so the Jython standalone JAR must be configured under Extender > Options before this step.)

Step 7: Click the Next Button and then click close.

Once the Asset Discover extension is installed, it appears in the Extensions list of the Extender tab.

How to use Asset Discover Extension

Asset Discover uses Burp Suite Passive Scanning to review HTTP responses to identify sensitive asset information.

Steps to run the Asset Discovery extension:

Step 1: Go to Target Tab in Burp Suite

Step 2: Select and right-click the domain that you want to scan

Once the scan is complete, the results are listed in the Issues tab.

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
