Awesome

BReWSki

BReWSki (Burp Rhino Web Scanner) is a Java extension for Burp Suite that allows user to write custom scanner checks in JavaScript. BReWSki provides Burp Suite users with a Javascript interface to write custom passive, and active scan definitions for Burp quickly without having to understand the internals of the Burp API. This makes writing scanner extensions much quicker, and sharing a library of them much easier than loading many different jar files.

Requirements

Java JRE 7 (JRE 8 is rumored to work on some devices, although it is erroring out for me. This is currently a known issue with Rhino/Nashborn to Java array conversions and we will be fixing it soon). If you have JRE7 still installed, you can force it by adding the "-version:1.7" switch when launching your JAR. - OVER 3 BILLION DEVICES RUN BREWSKI
BurpSuite - If you are using Burp Free, only the passive checks are supported by BReWSki and the output is to the console.

Downloading and Installing

BReWSki will be available in Burp's BApp store, and it also can be downloaded from this repository. You only need the .jar and the definitions to use it, which are included in the zip file (BReWSki-v0.1.zip) in the dist folder.

Usage

BReWSki Example

Scanner Example

How are the results?

Currently BReWSki checks provide tentative results that require more manual analysis. Some checks should never produce a false positive, and other checks will produce a high number of false positives.

Security

Scanner definition files have the same permissions as jar files and could compromise your machine.

Development

Please use this git repository for reporting issues, feature requests and pull requests. Alternatively, you may email alex(DOT)lauerman at gmail.