Professional Community

Look Over There

This is a Burp Suite extension to help Burp know where to look during scanning.

What is it and what is it for?

This extension was created with Single Page Applications (SPAs) in mind, to try to reduce the amount of manual testing needed, especially when the application has an API that interacts with JavaScript.

Usage

Look Over There is a simple bit of code: at its simplest, you give it a trigger URI and a target URI. When the trigger URI is observed, the extension inserts an HTTP 302 status code and a Location header pointing to the target URI. Burp will then (if it deems it necessary) follow the HTTP redirection and, in doing so, should be able to see any successful attack results.

The extension is designed to be configurable in the following ways:

  • enabled / disabled (disabled by default)
  • only inject into HTTP 200 responses (default)
  • only inject into resources within the project's scope
  • trigger and target URIs
  • HTTP POST / GET / PUT / OPTIONS methods (POST only by default)
  • debug level

As a precaution, the extension will only operate against requests made by appropriate Burp Suite tools. It won't do anything if the request is triggered by the Proxy / Spider / Sequencer (or Decoder / Comparer).
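
The rewrite described above, modelled in stand-alone Python as an added example; it is not the extension's own code and does not use the Burp API. The `Config` field names, the function name, exact-match comparison of the trigger URI, keeping the original body, and the sample URIs are assumptions, and the scope and originating-tool checks are reduced to booleans supplied by the caller.

```python
from dataclasses import dataclass

@dataclass
class Config:  # hypothetical field names mirroring the options listed above
    enabled: bool = False        # disabled by default
    only_200: bool = True        # only inject into HTTP 200 responses
    in_scope_only: bool = True   # only inject into in-scope resources
    methods: tuple = ("POST",)   # POST only by default
    trigger_uri: str = ""
    target_uri: str = ""

def rewrite_response(cfg, method, uri, response, in_scope, from_allowed_tool):
    """Return the response unchanged, or rewritten as a 302 to cfg.target_uri."""
    if not (cfg.enabled and from_allowed_tool):
        return response
    # Assumption: the trigger is compared as an exact string match.
    if method.upper() not in cfg.methods or uri != cfg.trigger_uri:
        return response
    if cfg.in_scope_only and not in_scope:
        return response
    head, sep, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)  # e.g. [b"HTTP/1.1", b"200", b"OK"]
    if len(parts) < 2 or (cfg.only_200 and parts[1] != b"200"):
        return response
    # Refuse CR/LF in the target so the Location value cannot split the headers.
    if "\r" in cfg.target_uri or "\n" in cfg.target_uri:
        raise ValueError("target URI contains CR or LF")
    lines[0] = parts[0] + b" 302 Found"
    # Drop any existing Location header so only one is sent.
    lines = [l for l in lines if not l.lower().startswith(b"location:")]
    lines.append(b"Location: " + cfg.target_uri.encode("ascii"))
    return b"\r\n".join(lines) + sep + body

# Constructed sample: an API call whose effect is only visible on another page.
SAMPLE = b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"saved":true}'
CFG = Config(enabled=True, trigger_uri="/api/comments", target_uri="/comments/view")

if __name__ == "__main__":
    print(rewrite_response(CFG, "POST", "/api/comments", SAMPLE, True, True).decode())
```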

Author

Felix Ryan

Version

1.0

Last updated

01 March 2023

Estimated system impact

Overall impact: Low

  • Memory: Low
  • CPU: Low
  • General: Low
  • Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
