search

luh2 / DetectDynamicJS

The DetectDynamicJS Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
GNU General Public License v3.0
64 stars 19 forks source link

Testing and Debugging #10

Open soffensive opened 6 years ago

soffensive commented 6 years ago

How do you test and / or debug the extension? I am currently trying to make it work and add features

luh2 commented 6 years ago

I currently test manually. Debugging with print statements. I get around quite quick. It would be nice to have a proper test setup though. Do you have something in mind, that goes well with burp extensions?

soffensive commented 6 years ago

Unfortunately, I think Java extensions would be easier to debug than Python extensions. Do you have a standard vulnerable app you use for testing? I tried Google Gruyere and found that the extension did not report the XSSI vulnerability, which is why I became curious in the first place and started digging in the extension's source code. It seems that the extension has not worked since at least July 2016 (commit 99ea4de339da0272451f2bb40b5153a97e9a8d3f)

Overall, I would suggest that before releasing a version it should be tested against a range of known vulnerabilities on a constructed web app.

luh2 commented 6 years ago

I haven't looked at proper test suits for Burp Jython extensions, but if you have something that would be working, I am open. Does Gruyere have XSSI vulnerabilities, maybe that could be an option for testing.