When you are doing a penetration test, there are certain tasks that you have to repeat over and over in every single test you do. One of these tasks for a web application penetration test is checking the headers that the web server sends back to the user. These headers may contain interesting information that helps to fingerprint and identify the technologies the website uses, and there may be security-related headers that are misconfigured or missing. Although it is not difficult to identify these headers and go through them, it is always nice to automate such tasks and save precious time that can be used to test other aspects of the website.
With this idea in mind, I’ve written a Burp extension that looks for both interesting headers, and misconfigured or missing security headers. The extension was written in Python, and it integrates itself seamlessly with Burp’s passive scanner. Once installed and configured, the extension will passively scan the items in the scope and report any issue it finds in the results tab.
The following image shows the configuration options found in the new tab the extension creates. It is possible to select the headers that the extension checks, as well as create a list of “boring headers” that will be omitted when looking for interesting headers. It is also possible to export all the results by clicking the button. This copies the flagged issues to the clipboard in a report-friendly format.
The image below shows how the extension flags the occurrences of the headers in the passive scanner tab. It uses the same format used by Burp to flag the default issues.
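To make the three checks concrete, here is a stand-alone analyser, added as an example and not the HeadersAnalyzer extension's own code, that mirrors the logic described above outside Burp: it flags interesting (fingerprinting) headers that are not on a "boring" list, reports missing security headers, and reports security headers whose values are weak. The header lists and the sample response are constructed assumptions.

```python
# Added example, not the HeadersAnalyzer extension's own code: a stand-alone
# analyser mirroring the checks the post describes. The header lists and the
# sample response are constructed assumptions.
# Headers that reveal nothing useful for fingerprinting (constructed list).
BORING_HEADERS = {"content-type", "content-length", "date", "connection",
                  "cache-control", "vary", "transfer-encoding"}
# Security headers expected on every HTTPS response (constructed list).
SECURITY_HEADERS = ["strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy"]

def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def analyse(headers: dict) -> list:
    """Return one finding per interesting, missing or misconfigured header."""
    findings = []
    for name, value in headers.items():  # fingerprinting candidates
        if name not in BORING_HEADERS and name not in SECURITY_HEADERS:
            findings.append(f"interesting header: {name}: {value}")
    for name in SECURITY_HEADERS:
        if name not in headers:
            findings.append(f"missing security header: {name}")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"misconfigured x-frame-options: {xfo}")
    if headers.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("misconfigured x-content-type-options: expected nosniff")
    hsts = headers.get("strict-transport-security", "").lower().replace(" ", "")
    if hsts:  # require a max-age of at least one year
        age = [p[8:] for p in hsts.split(";") if p.startswith("max-age=")]
        if not age or not age[0].isdigit() or int(age[0]) < 31536000:
            findings.append(f"misconfigured strict-transport-security: {hsts}")
    return findings
# Constructed sample response, not captured from any real server.
SAMPLE = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
          "Server: Apache/2.4.7\r\nX-Powered-By: PHP/5.5.9\r\n"
          "X-Frame-Options: ALLOWALL\r\nStrict-Transport-Security: max-age=300\r\n"
          "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for finding in analyse(parse_headers(SAMPLE)):
        print(finding)
```

Running it on the constructed sample reports the Server and X-Powered-By fingerprints, the two absent security headers, the permissive X-Frame-Options value and the short HSTS max-age.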
The extension and more details about it can be found in our GitHub account at the following URL: https://github.com/Dionach/HeadersAnalyzer. Problems you run into and suggestions to improve the extension are highly appreciated! Antonio.