A Burp Suite extension that passively captures every UUID seen in HTTP traffic (URL, headers and body, in both requests and responses) and lists them in a table, so you can collect object identifiers and later test for IDOR / BOLA.
- Adds a "UUID Capture" tab to Burp.
- Enable / disable capture with one checkbox. While enabled, it grabs UUIDs from all traffic that passes through Burp (Proxy, Repeater, Scanner, etc.).
- Shows a table with: UUID, version, direction (REQ/RESP), where it was found (URL / body / header), method, host, endpoint, tool and time.
- Deduplicates automatically.
- Export CSV (full context) and Export .txt (unique UUIDs only).
- Copy unique UUIDs to the clipboard (or copy selected ones via right-click).
- Live filter, "in-scope only" and "ignore nil UUID" options.
- Burp Suite 2022.9 or newer (Community or Professional).
- Download uuid-capture.jar.
- In Burp: Extensions tab → Installed → Add.
- Extension type: Java.
- Select uuid-capture.jar → Next.
- The UUID Capture tab appears. Tick "Capture UUIDs" and browse normally.
For authorized security testing only (private bug bounty programs, engagements with explicit permission, or your own environments).
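The capture behaviour listed above (UUID, version, direction, location, deduplication, "ignore nil UUID") can be sketched outside Burp as follows. This is an added example, not the extension's own code; the function names, row fields and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Canonical 8-4-4-4-12 form; lookarounds avoid matching inside longer hex runs.
UUID_RE = re.compile(
    r"(?<![0-9a-fA-F])[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?![0-9a-fA-F])")
NIL_UUID = "00000000-0000-0000-0000-000000000000"

def uuid_version(u):
    """The version is the first hex digit of the third group."""
    return int(u[14], 16)

def capture(direction, method, url, headers, body, seen, ignore_nil=True):
    """Return rows for UUIDs not yet in `seen` (a set shared across messages)."""
    parts = urlsplit(url)
    sources = [("URL", url)]
    sources += [("header", f"{k}: {v}") for k, v in headers.items()]
    sources.append(("body", body))
    rows = []
    for where, text in sources:
        for m in UUID_RE.finditer(text):
            u = m.group(0).lower()  # normalise case so dedup is reliable
            if (ignore_nil and u == NIL_UUID) or u in seen:
                continue
            seen.add(u)
            rows.append({"uuid": u, "version": uuid_version(u),
                         "direction": direction, "where": where,
                         "method": method, "host": parts.netloc,
                         "endpoint": parts.path})
    return rows

def demo(ignore_nil=True):
    """Run one constructed request/response pair through capture()."""
    url = "https://api.example.test/v1/orders/3f2b8c1e-9d4a-4e7b-8a21-5c6d7e8f9a0b"
    seen = set()
    rows = capture("REQ", "GET", url,
                   {"X-Request-Id": "6fa459ea-ee8a-11ee-9b1c-0242ac120002"},
                   "", seen, ignore_nil)
    rows += capture("RESP", "GET", url,
                    {"X-Trace": NIL_UUID},
                    '{"id":"3F2B8C1E-9D4A-4E7B-8A21-5C6D7E8F9A0B",'
                    '"owner":"0b9e7c52-1a3d-4f60-b7c8-2d4e6f8a0c1e"}',
                    seen, ignore_nil)
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The response repeats the order UUID in upper case and carries a nil UUID in a header; both are dropped, so only the previously unseen `owner` value produces a new row.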