A Burp Suite extension for analyzing Next.js Server Actions - server-side functions identified by hash IDs and Next-Action headers.
- Auto-detection: Captures Server Actions from proxy history or live browsing
- Function mapping: Extracts actual function names from JavaScript chunks
- Security analysis: Identifies missing auth, sensitive parameters, errors, and IDORs
- Unused action discovery: Finds actions defined but never executed (by function name)
- Testing tools: Send to Repeater/Intruder with auto-marked parameters
- Export: Save analysis with customizable options (JSON format)
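The auto-detection, function-mapping and unused-action features above, as an added Python example that is not the extension's own code: the JavaScript chunk and proxy requests are constructed samples, and the `createServerReference("<id>", ..., "<name>")` call shape is an assumption that varies by Next.js version.

```python
import re

# Constructed sample data (not from the extension): a client chunk that
# registers two Server Actions, and two captured proxy requests that
# invoke only one of them. The createServerReference(...) layout is an
# assumption; real chunks differ between Next.js versions.
SAMPLE_CHUNK = (
    'createServerReference("7f0c1f4b2a9e3d6c8b5a1e2f3d4c5b6a7e8f9a0b",'
    'callServer,void 0,findSourceMapURL,"updateProfile");'
    'createServerReference("1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",'
    'callServer,void 0,findSourceMapURL,"deleteAccount");'
)
SAMPLE_REQUESTS = [
    "POST /settings HTTP/1.1\r\nHost: app.example\r\n"
    "Next-Action: 7f0c1f4b2a9e3d6c8b5a1e2f3d4c5b6a7e8f9a0b\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n\r\n[\"alice\"]",
    "GET /settings HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

# Action IDs are long lowercase hex hashes; the function name is the last
# string argument of the call (assumed shape, see above).
ACTION_REF = re.compile(
    r'createServerReference\("([0-9a-f]{40,})"[^)]*?"([A-Za-z_$][\w$]*)"\)'
)


def map_action_names(chunk_js):
    """Function mapping: return {action_id: function_name} found in a JS chunk."""
    return dict(ACTION_REF.findall(chunk_js))


def extract_action(raw_request):
    """Auto-detection: return (action_id, body) when the request carries a
    Next-Action header, otherwise None. Header names are matched case-insensitively."""
    head, _, body = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "next-action":
            return value.strip(), body
    return None


def find_unused_actions(chunk_js, raw_requests):
    """Unused action discovery: names defined in the chunk but never invoked
    in the captured traffic, reported by function name."""
    names = map_action_names(chunk_js)
    seen = {hit[0] for hit in (extract_action(r) for r in raw_requests) if hit}
    return sorted(name for aid, name in names.items() if aid not in seen)
```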
- Download nextjs_actions.py
- Burp Suite → Extender → Extensions → Add
- Select the Python file (requires Jython 2.7+)
- Scan Proxy History - Analyzes requests and auto-discovers all actions
- Browse the app - Captures new Server Actions in real-time
- Review actions - Check the Action Discovery tab for unused actions
- Test & Export - Use Repeater/Intruder for testing
- Burp Suite Professional or Community
- Jython 2.7+ configured
- Target uses Next.js Server Actions and, ideally, has `productionBrowserSourceMaps` enabled (so function names can be recovered from the JavaScript chunks)
For authorized security testing only. Ensure permission before testing.
