Applications are hemorrhaging sensitive data. In many cases, the culprit is marketing and analytics libraries that indiscriminately collect user behavior data. And sometimes, sensitive data gets leaked because of poor design or programming errors.
A few years ago, I wrote an extension called Paramalyzer for one of my favorite web pentesting tools: Burp Suite. More recently, I have added a piece of functionality I call Secrets Hunter, which was built to help search for cases where applications expose sensitive data in URLs and out-of-scope services (such as analytics services). This is included in version 2.2.1 of Paramalyzer.
In Paramalyzer, a secret can be any sensitive information, such as usernames, passwords, tokens, or session cookies. It may also include Personally Identifiable Information (PII), such as names, addresses, and phone numbers, or even industry-specific information such as Protected Health Information (PHI) or Nonpublic Personal Information (NPI). The application should keep its secrets between itself and the user (including the user's browser). Yes, there are circumstances where an application may legitimately share secrets with other systems, such as when interacting with specific API endpoints. However, those systems should then be considered part of the scope of the application; anything else that receives a secret is a leak.
I made the following video as a sort of TL/DR for those who are already familiar with Burp Suite and just want a quick 1-minute run-through:
(Video now unavailable.)
The basic workflow for using Secrets Hunter is quite simple:
When you start searching for secrets, Paramalyzer will automatically perform the following actions:
This will identify two types of issues, as follows:
The results window can help you quickly examine and verify each instance.
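To make the two issue types concrete, here is a small, stand-alone check in the spirit of Secrets Hunter. It is an added example and not Paramalyzer's own code: it assumes the tester has already collected the secret values the application handed to the browser (a session id, a token, an e-mail address) and supplies them as `KNOWN_SECRETS`, and it runs over a constructed sample of proxy traffic. It flags (1) any known secret appearing in a URL, and (2) any known secret sent, in the URL, a header, or the body, to a host outside the declared scope. The hostnames and values are made up for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed sample: secret values the tester has already seen the in-scope
# application hand to the browser. All values are made up for this example.
KNOWN_SECRETS = {
    "session_id": "9f2c1a7e4b8d4e10a3c5",
    "auth_token": "tok_Zs83mLq0p2Wx",
    "email": "alice@example.com",
}

# Hosts that are part of the application under test (hypothetical).
IN_SCOPE_HOSTS = {"app.example.com", "api.example.com"}

# Constructed sample traffic as (method, url, headers, body) tuples.
SAMPLE_REQUESTS = [
    # session id in the query string of an in-scope request
    ("GET", "https://app.example.com/account?session_id=9f2c1a7e4b8d4e10a3c5",
     {"Cookie": "session_id=9f2c1a7e4b8d4e10a3c5"}, ""),
    # analytics beacon carrying the user's e-mail (URL-encoded) in its body
    ("POST", "https://analytics.example-tracker.net/collect",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "ev=pageview&uid=alice%40example.com"),
    # token in an Authorization header to an in-scope API: expected, not a finding
    ("GET", "https://api.example.com/me",
     {"Authorization": "Bearer tok_Zs83mLq0p2Wx"}, ""),
    # static asset with nothing sensitive
    ("GET", "https://cdn.example-static.com/logo.png", {}, ""),
    # tracking pixel whose Referer repeats the secret-bearing URL from request 1
    ("GET", "https://analytics.example-tracker.net/pixel.gif?ev=view",
     {"Referer": "https://app.example.com/account?session_id=9f2c1a7e4b8d4e10a3c5"}, ""),
]


@dataclass(frozen=True)
class Finding:
    issue: str    # "secret_in_url" or "secret_to_out_of_scope"
    host: str
    secret: str   # key from KNOWN_SECRETS
    where: str    # "url", "body" or "header:<Name>"
    url: str


def host_in_scope(host, scope=IN_SCOPE_HOSTS):
    """A host is in scope if it is a scope entry or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in scope)


def locate_secrets(url, headers, body, secrets=KNOWN_SECRETS):
    """Yield (secret_name, location) for every place a known value appears.
    Percent-decoding first catches values that were URL-encoded in transit."""
    for name, value in secrets.items():
        if value in unquote(url):
            yield name, "url"
        for hname, hvalue in headers.items():
            if value in unquote(hvalue):
                yield name, f"header:{hname}"
        if value in unquote(body):
            yield name, "body"


def hunt(requests, scope=IN_SCOPE_HOSTS, secrets=KNOWN_SECRETS):
    """Flag the two leak patterns: a secret anywhere in a URL (logs, history,
    Referer), and a secret anywhere in a request that leaves the app's scope."""
    findings = []
    for _method, url, headers, body in requests:
        host = urlsplit(url).hostname or ""
        for name, where in locate_secrets(url, headers, body, secrets):
            if where == "url":
                findings.append(Finding("secret_in_url", host, name, where, url))
            if not host_in_scope(host, scope):
                findings.append(Finding("secret_to_out_of_scope", host, name, where, url))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REQUESTS):
        print(f"{f.issue:24} {f.secret:12} via {f.where:16} -> {f.host}")
```

Run as-is it reports three findings: the session id in the query string of the in-scope account page, the e-mail in the analytics POST body, and the session id leaking through the Referer header of the tracking pixel. The bearer token in the Authorization header is not reported, because it goes to an in-scope host in a header rather than a URL. Note that this matches exact values only; a real review also needs the harvesting step (pulling candidate values from cookies, tokens and response bodies in the proxy history) and manual verification of each hit, which is what the results window is for.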
That's all there is to it! Please visit the official documentation page if you are interested in a more detailed walkthrough of Paramalyzer's capabilities.
As of this blog post, PortSwigger has not yet updated the BApp Store version of Paramalyzer to v2.2.1, but you can download the JAR file from the releases tab of the Paramalyzer GitHub repo. Just make sure you first uninstall any previous versions to avoid confusion.
We will update this when it gets into the BApp Store, don't worry!
Paramalyzer is a bit of a complicated mess to develop, especially if you are unfamiliar with Java and Gradle, so I have no expectation of receiving pull requests (though they are very welcome). If you have ideas or issues with the extension, please submit them as an issue in the GitHub repository.