
Headers Analyzer Burp Extension

When you are doing a penetration test, there are certain tasks that you have to repeat over and over in every single test you do. One of these tasks in a web application penetration test is checking the headers that the web server sends back to the user. These headers may contain interesting information that helps to fingerprint and identify the technologies the website uses, and there may be security-related headers that are misconfigured or missing. Although it is not difficult to identify these headers and go through them, it is always nice to automate such tasks and save precious time that can be used to test other aspects of the website.

With this idea in mind, I’ve written a Burp extension that looks for both interesting headers, and misconfigured or missing security headers. The extension was written in Python, and it integrates itself seamlessly with Burp’s passive scanner. Once installed and configured, the extension will passively scan the items in the scope and report any issue it finds in the results tab.

The following image shows the configuration options found in the new tab the extension creates. It is possible to select the headers that the extension checks, as well as to create a list of "boring headers" that will be omitted when looking for interesting headers. It is also possible to export all the results by just clicking on the export button, which copies the flagged issues to the clipboard in a report-friendly format.
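To show the kind of checks described above, here is a stand-alone Python illustration added to this post; it is not the HeadersAnalyzer code itself, and the security-header conditions, the "boring headers" list and the sample response are all constructed for the example.

```python
from typing import Callable, Dict, List

# Security headers to check, each with the condition its value must satisfy (constructed list).
SECURITY_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "unsafe-inline" not in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# "Boring" headers: present on almost every response and of no fingerprinting value.
BORING_HEADERS = {"content-type", "content-length", "date", "connection", "cache-control"}

# Constructed sample response; the Server/X-Powered-By values are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values from a raw HTTP response (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def analyze_headers(headers: Dict[str, str], boring=BORING_HEADERS) -> List[str]:
    """Flag missing or misconfigured security headers, then any non-boring extra header."""
    findings: List[str] = []
    for name, check in SECURITY_HEADERS.items():
        if name not in headers:
            findings.append(f"missing security header: {name}")
        elif not check(headers[name]):
            findings.append(f"misconfigured security header: {name}: {headers[name]}")
    for name, value in headers.items():
        if name not in SECURITY_HEADERS and name not in boring:
            findings.append(f"interesting header: {name}: {value}")
    return findings

if __name__ == "__main__":
    print("\n".join(analyze_headers(parse_headers(SAMPLE_RESPONSE))))
```

Each finding is a single line, so the list can be pasted into a report as-is, in the spirit of the extension's export button.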


The image below shows how the extension flags the occurrences of the headers in the passive scanner tab. It uses the same format used by Burp to flag the default issues.


The extension and more details about it can be found in our GitHub account at the following URL: https://github.com/Dionach/HeadersAnalyzer. Problems you run into and suggestions to improve the extension are highly appreciated! Antonio.
