Use burp's JS static code analysis on code from your local system. Here's generally how the process works:
- Go static file server is started to host the specified directory
- Add file server URL to burp's scope
- Walk the directory
- For every file make a request to the file server
- Send the raw request and response to burp's passive scanner through burpbuddy
- Issues can be seen in burp
$ ./burpstaticscan -dir ./foo
2014/11/02 18:11:22 Static file server listening on http://localhost:9999, serving /foo
2014/11/02 18:11:22 Adding http://localhost:9999 to scope
2014/11/02 18:11:22 Walking directory, each file sent to burp's passive scan
2014/11/02 18:11:22 1 file sent to burp
2014/11/02 18:11:22 http://localhost:9999 removed from scope
Depends on the burpbuddy extension. Binary packages for most operating systems are available here. There are no external dependencies, just extract and run with ./burpstaticscan.
$ ./burpstaticscan -h
Usage of ./burpstaticscan:
-burpbuddy="http://localhost:8001": HTTP API URL for burpbuddy
-dir="": directory with code to scan
-host="localhost": host for the file server to listen on
-port="9999": port for the file server to listen on