It’s Here, Version 1.0

The official v1.0 release of the Image Location & Privacy Scanner has arrived! This plugin for the Burp Suite and OWASP ZAP security proxies passively scans images passing through the proxy for privacy exposures: GPS locations, camera serial numbers, and even facial-recognition tags embedded in the image metadata. See my presentation about this software at this link.

Version 1.0 of the Image Location & Privacy Scanner is available in the Burp BApp Store (Extender tab). Just enable or update it and images will be scanned passively. It is also included in ZAP's passive scanner rules (alpha). In either case, you can find the code on GitHub.

[Screenshot: ZAP Marketplace showing ILS v1.0]

Changes since v0.4

  • The Gradle build automatically downloads the Burp API jar, so the Burp API code no longer needs to be checked into the Git repo
  • Fixed mixed spaces-and-tabs, thanks to ZAP’s @kingthorin
  • Fixed a chance of an image causing HTML injection inside Burp: markup carried in an image's metadata could end up rendered in the issue report. I had theorized this existed (and that a non-Burp application calling ILS could suffer full-blown XSS against the infosec tester), but @pajswigger from PortSwigger actually exploited the injection using <i> tags, since Burp rejects <script> tags
  • Nicer Makefile (sigh, yes, I still use make)
  • Enhanced READMEs, FAQs, screenshots, etc.

[Screenshot: Version 1.0 in Burp]

  • ZAP now auto-scans images without the need to “un-hide” them first
  • Lots of JUnit unit tests inside ZAP; @kingthorin helped a bit
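To make the HTML-injection fix in the changelog concrete, here is an added example in Python (my illustration for this post, not ILS code, which is Java). It builds a tiny JPEG whose EXIF ImageDescription carries markup, pulls the ASCII tags out of IFD0 the way a metadata scanner would, and then renders the findings into an issue-report string twice: once by string concatenation, the pre-fix pattern, and once with html.escape(), the fix. The tag numbers and TIFF layout are the real ones from the EXIF/TIFF spec; the sample image, its metadata values, and the two report-building functions are constructed for the demo.

```python
"""Image metadata is attacker-controlled input; escape it before it hits an HTML report.
Constructed example, not code from the Image Location & Privacy Scanner."""
import html
import struct

# Real TIFF/EXIF tag numbers for three ASCII tags found in IFD0.
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings


def build_jpeg_with_exif(tags):
    """Build a minimal JPEG (SOI, APP1/Exif, EOI) whose IFD0 holds {tag_id: str} ASCII entries.
    Little-endian TIFF; values longer than 4 bytes live in a data area after the IFD."""
    entries = sorted(tags.items())
    ifd_size = 2 + 12 * len(entries) + 4          # count + entries + next-IFD pointer
    data_offset = 8 + ifd_size                     # first free byte after IFD0
    ifd = struct.pack("<H", len(entries))
    blob = b""
    for tag_id, text in entries:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                        # short values are stored inline
            ifd += struct.pack("<HHI4s", tag_id, ASCII, len(value), value.ljust(4, b"\x00"))
        else:                                      # longer ones are referenced by offset
            ifd += struct.pack("<HHII", tag_id, ASCII, len(value), data_offset + len(blob))
            blob += value
    ifd += struct.pack("<I", 0)                    # no IFD1
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif_ascii(jpeg):
    """Walk the JPEG segments to the APP1/Exif block and return IFD0's ASCII tags by name."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_tiff(body[6:])
        pos += 2 + seglen
    return {}


def _parse_tiff(tiff):
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]      # byte order from the TIFF header
    ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag_id, ftype, n, raw = struct.unpack(order + "HHI4s", tiff[off:off + 12])
        if ftype != ASCII or tag_id not in TAG_NAMES:
            continue
        if n <= 4:
            value = raw[:n]
        else:
            start = struct.unpack(order + "I", raw)[0]
            value = tiff[start:start + n]
        # The decoded string is whatever the image author put there: untrusted input.
        found[TAG_NAMES[tag_id]] = value.rstrip(b"\x00").decode("ascii", "replace")
    return found


def issue_detail_unsafe(tags):
    """Pre-fix pattern: metadata strings concatenated straight into the HTML issue detail."""
    return "".join(f"<li>{k}: {v}</li>" for k, v in sorted(tags.items()))


def issue_detail_safe(tags):
    """The fix: HTML-escape every metadata value before it reaches the report."""
    return "".join(f"<li>{html.escape(k)}: {html.escape(v)}</li>" for k, v in sorted(tags.items()))


# Constructed sample: an image whose description tag carries markup (hypothetical values).
SAMPLE_JPEG = build_jpeg_with_exif({
    0x010F: "Canon",
    0x0110: "EOS 5D",
    0x010E: "<i>metadata-controlled markup</i>",
})

if __name__ == "__main__":
    meta = parse_exif_ascii(SAMPLE_JPEG)
    print("unsafe:", issue_detail_unsafe(meta))
    print("safe:  ", issue_detail_safe(meta))
```

The same rule applies to any consumer of the scanner's output, not just Burp: a report viewer that renders the detail as HTML will execute whatever the image author planted unless the string was escaped at the point where it was turned into markup.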

Send feedback as a GitHub bug report, via a tweet, or email.