{"id":13542392,"url":"https://github.com/PortSwigger/backslash-powered-scanner","last_synced_at":"2025-04-02T10:30:44.674Z","repository":{"id":52918766,"uuid":"72623489","full_name":"PortSwigger/backslash-powered-scanner","owner":"PortSwigger","description":"Finds unknown classes of injection vulnerabilities","archived":false,"fork":false,"pushed_at":"2025-03-25T12:37:46.000Z","size":40578,"stargazers_count":656,"open_issues_count":3,"forks_count":95,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-03-27T03:07:08.444Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PortSwigger.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-11-02T09:20:09.000Z","updated_at":"2025-03-27T02:37:44.000Z","dependencies_parsed_at":"2023-10-16T23:53:06.314Z","dependency_job_id":null,"html_url":"https://github.com/PortSwigger/backslash-powered-scanner","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PortSwigger%2Fbackslash-powered-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PortSwigger%2Fbackslash-powered-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PortSwigger%2Fbackslash-powered-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PortSwigger%2Fbackslash-powered-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/PortSwigger","download_url":"https://codeload.github.com/PortSwigger/backslash-powered-scanner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246796775,"owners_count":20835445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:06.239Z","updated_at":"2025-04-02T10:30:43.844Z","avatar_url":"https://github.com/PortSwigger.png","language":"Java","funding_links":[],"categories":["Miscellaneous","Scanners","Java","Java (504)"],"sub_categories":["Vulnerability Scanners"],"readme":"# backslash-powered-scanner\nThis extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. 
Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.\n\nFor more information, please refer to the whitepaper at http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html\n\nThe code can be found at https://github.com/portswigger/backslash-powered-scanner. Contributions and feature requests are welcome.\n\n# Changelog\n**1.21 20211015**\n - Support for detecting iterable inputs\n - Support for Burp Suite Enterprise Edition\n\n**1.10 20210407**\n - Major refactor\n - Support for bulk-scanning\n - Misc bugfixes\n \n**1.03 20190814**\n - Detect path normalization exploits based on Orange Tsai's research\n \n**1.02 20180606**\n - Add MD5/SHA-1 lax comparison to magic value attacks\n - Misc bugfixes\n \n**1.01 20180509**\n - Add 'COM1' Windows reserved filename to magic value attacks\n - Support custom magic value attacks\n - Don't attempt filepath related attacks in the request path\n \n**1.0 20180214**\n - Provide a configuration dialog\n\n**0.91 20170612**\n - Detect alternative code paths triggered by keywords like 'null', 'undefined' etc.\n \n**0.9 20170520**\n - Detect JSON Injection and escalate into RCE where possible\n - Detect Server-Side HTTP Parameter Pollution\n - Support bruteforcing backend parameter names\n - Improve evidence clarity and reduce false positives\n - Find vulnerabilities with subtler evidence\n - Detect escape sequence injection\n - Improve LFI detection\n - Misc tweaks, bugfixes and efficiency improvements\n \n**0.86 20161004**\n - First public release\n\n# Installation\nThis extension requires Burp Suite Pro 1.7.10 or later. 
To install it, simply use the BApps tab in Burp.\n\nIf you want to manually build/install it from source, you'll need to add the following JAR to your libraries: https://commons.apache.org/proper/commons-lang/download_lang.cgi\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPortSwigger%2Fbackslash-powered-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPortSwigger%2Fbackslash-powered-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPortSwigger%2Fbackslash-powered-scanner/lists"}