Many applications will hash parameters such as ID numbers and email addresses for use in secure tokens, like session cookies. A java extension for Burp Suite, burp-hash will passively scan requests and responses looking for hashed values. Once a hashed value is found, it is compared to a table of parameters already observed in the application to find a match. The extension keeps a lookout for parameters such as usernames, email addresses, and ID numbers. It also keeps a lookout for hashes (SHA, MD5, etc). It hashes new data and compares to observed hashes. The user receives a notification if any hashes match. This automates the process of trying to guess common parameters used in the generation of hashes observed in an application.