burp plug-in - automatically mark sensitive information

Posted by millikan at 2020-02-28


This article was first published in the freebuf tidesec column by Nianhua, a member of the tide security team:

The target systems mentioned in this article are all test environments built on a local area network; any match with a real IP address or URL is a coincidence. The techniques, ideas and tools described here are for learning and exchange for security purposes only. Nobody may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves.

If you like it, give it a star on GitHub. Download from:

Configure Jython environment

First, download the installer from the Jython official website.

Just click Next through the installation, but remember the installation location:

After the installation succeeds, open Burp's Extender tab:

Under Extender → Options → Python Environment, select jython.jar from the installation path you noted.

Then load the extension we wrote (Extender → Extensions → Add, extension type Python).

Use of extensions

Now look at the proxy history:

If the returned packet contains ID-card information, the entry is marked in red.

If the returned packet contains a mobile number, the entry is marked in blue.

If the returned packet contains GPS position information, the entry is marked in green.

In the output window of the Burp extension, every piece of sensitive information that was matched is printed in detail so it can be looked up later.
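The following is an added example of how such an extension is put together; it is not the plugin's own source and the patterns, colour mapping and helper names are my assumptions. It is Jython 2.7 code: the `burp` package only exists inside Burp's interpreter, so the import is guarded with empty stand-ins, which lets the detection core (`find_sensitive`, `valid_id`, `pick_highlight`) run and be tested outside Burp on a constructed response body. It goes one step beyond plain regex matching by validating the ISO 7064 MOD 11-2 check character of 18-digit ID numbers and the numeric range of coordinates, which removes the most common false positives.

```python
# -*- coding: utf-8 -*-
from __future__ import print_function
import re

# Assumption: Burp Suite with a Jython 2.7 standalone JAR configured under
# Extender -> Options.  Outside Burp the import fails, so fall back to empty
# base classes and the detection logic stays importable and testable.
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# 18-digit PRC resident ID: 6-digit region, YYYYMMDD birth date, 3-digit
# sequence, then an ISO 7064 MOD 11-2 check character (0-9 or X).
ID_RE = re.compile(
    r"(?<![0-9A-Za-z])"
    r"[1-9]\d{5}(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{3}[\dXx]"
    r"(?![0-9A-Za-z])")
ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"

# Mainland mobile numbers: 11 digits starting 13..19, not part of a longer digit run.
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")

# GPS: a latitude/longitude style key followed by a decimal coordinate, e.g. "lat":39.9042
GPS_RE = re.compile(
    r'\b(lat(?:itude)?|lng|lon(?:gitude)?)\b["\']?\s*[:=]\s*["\']?(-?\d{1,3}\.\d+)',
    re.IGNORECASE)

# Highlight colour per category, in priority order: a response holding several
# categories gets the first colour and all findings go into the comment.
COLOURS = [("id", "red"), ("mobile", "blue"), ("gps", "green")]


def valid_id(number):
    """ISO 7064 MOD 11-2 check of an 18-character ID candidate."""
    total = sum(int(d) * w for d, w in zip(number[:17], ID_WEIGHTS))
    return number[17].upper() == ID_CHECK[total % 11]


def find_sensitive(text):
    """Return {"id": [...], "mobile": [...], "gps": [...]} for one response body."""
    found = {"id": [], "mobile": [], "gps": []}
    for m in ID_RE.finditer(text):
        if valid_id(m.group(0)):          # drop candidates that fail the checksum
            found["id"].append(m.group(0))
    found["mobile"] = MOBILE_RE.findall(text)
    for key, value in GPS_RE.findall(text):
        limit = 90.0 if key.lower().startswith("lat") else 180.0
        if abs(float(value)) <= limit:    # drop values outside the valid range
            found["gps"].append((key, value))
    return found


def pick_highlight(found):
    """Colour for the proxy-history entry, or None when nothing matched."""
    for cat, colour in COLOURS:
        if found[cat]:
            return colour
    return None


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Sensitive info marker (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Burp calls this for every tool; only responses are inspected.
        if messageIsRequest or messageInfo.getResponse() is None:
            return
        found = find_sensitive(self._helpers.bytesToString(messageInfo.getResponse()))
        colour = pick_highlight(found)
        if colour is None:
            return
        summary = "; ".join("%s: %s" % (k, v) for k, v in found.items() if v)
        messageInfo.setHighlight(colour)   # colours the proxy-history row
        messageInfo.setComment(summary)
        # Detailed record in the extension's Output tab for later lookup.
        url = self._helpers.analyzeRequest(messageInfo).getUrl()
        self._callbacks.printOutput("%s %s" % (url, summary))


# Constructed sample response (not real data): one valid ID, one ID with a
# wrong check digit, a mobile number and a coordinate pair.
SAMPLE_RESPONSE = ('{"name":"test","idcard":"11010519491231002X",'
                   '"phone":"13812345678","lat":39.9042,"lng":116.4074,'
                   '"fake":"110105194912310021"}')

if __name__ == "__main__":
    hits = find_sensitive(SAMPLE_RESPONSE)
    print(pick_highlight(hits), hits)
```

Running the file outside Burp prints the colour and findings for the constructed body; inside Burp the same functions drive `setHighlight` and `setComment` for every response that passes through the proxy.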

The JSON decoder function is an open-source function from GitHub, but it does not support modifying the parsed data, so I modified it and added it to my program.


If you think there is anything else that should be marked, leave a message below. If you have any suggestions or comments, please visit my personal blog.

Download address:

If you like it, give it a star.

I am a member of the tide security team. Anyone interested in information security is welcome to follow us. The tide security team (