
"SensitiveDiscoverer": a Burp Suite extension to automate the process of scanning for sensitive strings in HTTP messages.

BRESAOLA, DAVIDE
2023/2024

Abstract

This thesis focuses on the development and enhancement of "SensitiveDiscoverer," a Burp Suite extension created to automate the detection of sensitive information in HTTP messages. As web applications continue to handle vast amounts of critical data, the need for effective tools to identify and mitigate security vulnerabilities has become increasingly urgent. Initially developed during an internship at CYS4, a leading cybersecurity company, the extension offered basic functionality for detecting sensitive data using regular expressions. However, its limited capabilities, outdated interface, and performance bottlenecks revealed significant room for improvement. In this work, the extension was extensively refined, addressing software bugs, improving its regex-based detection mechanisms, and adding new features, including better detection of sensitive data types like API keys, authentication tokens, and weak Content Security Policy (CSP) configurations. The user interface was redesigned to be more intuitive and efficient, incorporating real-time progress tracking, customizable settings, and persistent configurations. Rigorous testing validated the extension’s reliability and effectiveness, while user feedback highlighted its value in real-world cybersecurity tasks, such as penetration testing. Some challenges, like the complexity of regex patterns and processing efficiency, were also addressed during development. This project demonstrates how automated tools can evolve to meet the growing demands of web application security. By improving both its functionality and usability, this enhanced extension provides a practical and powerful resource for cybersecurity professionals. The findings also open pathways for future improvements, including better handling of duplicate detections and expanding its detection capabilities.
Files in this item:

File: Sensitive Discoverer.pdf
Access: open access
Size: 1.65 MB
Format: Adobe PDF

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14247/24885