Releases: JGillam/burp-paramalyzer
Version 2.2.2
Version 2.2.1
- Added secrets tab for hunting secrets (i.e. looking for sensitive information leakage)
- Export feature (thanks @Rhynorater)
- Some UI cleanup
- Refined parameter type detections
V2.2.0 Beta
This release is meant to include a new feature called Secrets Hunter. This feature is intended to help discover when parameters that are intended to be secret (e.g. passwords, tokens, account numbers, usernames, etc.) are either exposed in the URL or inadvertently sent to an out-of-scope host. A common example of where this might happen is a web-analytics provider.
To use Secrets Hunter, start by running a normal Paramalyzer scan. Once that is complete, you will notice that some of the parameters are marked as secrets with a checkmark. Switch to the Secrets tab and use the Import Secrets button to copy those parameters over. Make any adjustments to your list, and press the Hunt Secrets! button. After the process completes you can analyze the results.
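The two leak conditions described above (a secret value in the URL path or query, and a secret value sent anywhere in a request to an out-of-scope host) can be expressed as a small offline check. This is an added example, not Paramalyzer's own code; the request records, secret values, scope list and the `.invalid` tracker host are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: str

@dataclass
class Finding:
    kind: str    # "secret-in-url" or "secret-to-out-of-scope"
    secret: str  # name of the secret parameter
    host: str
    url: str

def host_in_scope(host: str, scope_hosts: Set[str]) -> bool:
    """A host is in scope if it equals, or is a subdomain of, a scope entry."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in scope_hosts)

def hunt_secrets(requests: List[Request], secrets: Dict[str, str], scope_hosts: Set[str]) -> List[Finding]:
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        host = (parts.hostname or "").lower()
        in_scope = host_in_scope(host, scope_hosts)
        # Everything that goes on the wire: request URL, header values and body.
        wire = "\n".join([req.url, *req.headers.values(), req.body])
        for name, value in secrets.items():
            if value in parts.path or value in parts.query:
                findings.append(Finding("secret-in-url", name, host, req.url))
            if not in_scope and value in wire:
                findings.append(Finding("secret-to-out-of-scope", name, host, req.url))
    return findings

# Constructed sample data (hypothetical, not captured traffic).
SCOPE = {"app.example.com"}
SAMPLE_SECRETS = {"password": "hunter2", "session_token": "tok_9f3c2a"}
SAMPLE_REQUESTS = [
    Request("POST", "https://app.example.com/login", {"Host": "app.example.com"}, "user=bob&password=hunter2"),
    Request("GET", "https://app.example.com/api/me?token=tok_9f3c2a", {"Cookie": "sid=tok_9f3c2a"}, ""),
    Request("GET", "https://cdn.app.example.com/a.js", {"Referer": "https://app.example.com/"}, ""),
    Request("POST", "https://collect.analytics-tracker.invalid/event", {"Content-Type": "application/json"},
            '{"page": "/api/me?token=tok_9f3c2a"}'),
]

if __name__ == "__main__":
    for f in hunt_secrets(SAMPLE_REQUESTS, SAMPLE_SECRETS, SCOPE):
        print(f"{f.kind:24} {f.secret:14} {f.host}")
```

The password sent in a POST body to the in-scope host produces no finding; the token in the query string and the token forwarded in the analytics body each produce one.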
Version 2.1.0
This release is mostly under-the-covers improvements.
- Enumerates path elements as REST parameters (new type REST)
- Full parsing of JSON. If Paramalyzer identifies a string as JSON, it will parse it and add each key:value pair to the table. (new type JSON Part)
- Improvements to the analyzer engine for better recognition of serialized PHP.
- JSON Web Tokens should now be recognized. The payload section will be parsed as JSON (see above).
- More informative Deep Analysis tab (e.g. right-click a hash value to search for a reverse match).
Version 2.0.0
2.0 Release of Paramalyzer (Burp Extension) with Parameter and session analysis.
Version 2.0.0 beta
This release adds session analysis, which is to say that given one authenticated request, Paramalyzer will issue subsequent requests, each of which omits one cookie. The results are displayed in a table, making it quick and easy to determine which cookies are essential to maintain authentication.
Version 1.1.1
Added support for identifying PHP serialized objects.
Version 1.1.0 beta
Added some deep analysis capability. This is accessed by the pop-up menu on a value in the bottom-left window of the Analysis tab.
Currently the deep analysis is just across other parameters. It will look to see where a value shows up. For example, if a parameter is encoded in one place and decoded somewhere else, this should become evident. In addition, you can check if any parameters resolve to a target message digest value (currently supports MD5, SHA-1, SHA-256). Some checking is also done for Base62-encoded matches (sometimes used by URL shortener algorithms).
This release is marked as beta because I'm still improving the functionality and interface for the new feature, but it should still be functional.
Version 1.0.2
The primary addition to this version is support for JSON data types in two ways:
- There is some basic support for recognizing that a parameter is actually a JSON object and not just a string of printable characters. Currently this is limited to the most common form of JSON object used in input, which does not include any lists or embedded objects (this is something to improve on later, I know).
- The main table now lists JSON parameters, for which values are analyzed. Like everything else, this is just looking at input (i.e. the request).
Some of the analysis logic has been improved as well.
Version 1.0.1
This version fixes a null pointer condition that sometimes occurs in version 1.0.0 as part of the new cookie statistics tab.