luh2

Results: 6 comments by luh2

You get a login oracle if the second request is not a scannable request. You want to lose that information? Maybe it would be good to introduce a new finding....

So please take it out, and we'll fix that in a separate commit. It's true, we can stop earlier testing, but this is mixing up things, and is still a...

You could make js files not require authentication. Fairly simple. I guess most apps prefer to just leak their login state, which doesn't make me less want to know about...

Just merged another pull request - that might solve lots of what you were trying to achieve already. https://github.com/luh2/DetectDynamicJS/pull/16

I currently test manually. Debugging with print statements. I get around quite quickly. It would be nice to have a proper test setup though. Do you have something in mind,...

I haven't looked at proper test suites for Burp Jython extensions, but if you have something that would be working, I am open. Does Gruyere have XSSI vulnerabilities, maybe that...