Burp Extensions - Page 41 - Burp Suite User Forum

API function to check if URL is in scope?

I have created a custom extension that takes all requests of a certain domain from the sitemap, does some magic on the insertion points and then adds the requests with custom insertion points to the active scanner. I'm...

How is PHP Object Injection is reported by burp extension "PHP Object Injection Check"?

While scanning the XVWA (Xtreme Vulnerable Web Application) consisting the vulnerability-PHP Object Injection i.e. Insecure Deserialization, burp extension "PHP Object Injection Check" doesn't report with the same...

How to deploy an extension

Any guides out there on getting started writing extensions? I've found sample extensions and I can build them with Intellij, but I'm not familiar enough with java to create the jar file. Thanks

Replicator: Not Able to Edit 'Grep Expression' field

Hi Burp, I have installed the Replicator extension and can send requests to it. However, when creating a replicator file as a tester, I am not able to edit the 'Grep Expression' field or add/select any expression to...

Type is showing up as "Legacy Java" ??

Hi, I am just starting to learn about writing extensions for Burp and am using Eclipse/Java. I have built and run my first "Hello World" extension and am wondering why Burp is showing it as "Legacy Java" on the...

BURP WS-Security SOAP Webservices security testing

I see the raw request with junk data for one of the operation in Wsdler. I added the Send to Intruder for the request in wsdler operation and when I navigate to Intruder, I encountered an error.Can you please suggest the way...

API proxy show as edited request

Using the "processHttpMessage" method I'm able to edit a request. How can I make this changed request show up in the proxy as an edited request (just like when a request is edited with proxy intercept)?

Highlighting a tab in JTabbedPane of an extension

Hi, I am working on an extension that has its own JTabbedPane. I am trying to highlight a tab in my extension's JTabbedPane but for some reason the call to setBackgroundAt() simply does nothing. Oddly enough I am able to...

CWE field in IScanIssue

I've noticed that XML exports of scan issues now include a <vulnerabilityClassifications> field that contains CWE information: <vulnerabilityClassifications><![CDATA[<ul> <li><a...

TSL 1.2

Hi All, thats my first post on Burp forum! :) I'm here for a noble cause I guess: trying to give TSL 1.2 support to the glorious (and mistreated) Windows XP. It seems infact the only way to do that, is to configure the...

Python Extension don't load in Burp on Fedora

I've create test python extension: <pre> from burp import IBurpExtender class BurpExtender(IBurpExtender): def registerExtenderCallbacks(self, callbacks): # your extension code here ...

Regarding Burp Extensions

Hi Team Currently I am using burp for sliverlight application which is developed in .NetFrame. .I am able to see the requests call in encrypted format which were developed in SOAP. Also I am unable to repeat the calls...

Nested message editors

Are there any artificial limitations regarding message editor nesting? By registering a message editor factory that creates instances of the class with the source code below, I expect it to act as as "proxy" and the...

Extension which scans a predined list of urls

Is there a current extension which will take a predefined list of URL's and scan them? I was writing my own extension and I was able to use sendToSpider(url) method to add my URL to the spider but I wanted to know if ...

Burp Store and burp app validation

Hi, Regarding the burp store, do you do any check regarding the content of the burp extension? How can we guarantee that there are 100% safe and no traffic will be sent to 3rd party? Appreciate your response. Thank...

Collaborator: What are the exploitability differences between DNS lookups from different headers?

Looking at the scan logs from Collaborator, I'm seeing medium severity for DNS lookups when the URL is supplied in either X-Forwarded-For or X-Wap-Profile, but red when it's caused by the Host header. I'm trying to...

Need an extension to do advanced substitution

We are using a commercial web app testing product to test a customer's massive application and we need to work around a problem in the webapp testing product. Turning the test, the product does a GET and the customer's...

IBurpExtenderCallbacks.makeHttpRequest() throws RuntimeException

If the network connection fails, callbacks.makeHttpRequest throws a RuntimeException. Any way we could get that method to declare that it throws a proper subclass of (presumably) IOException so we could check for and handle...

How to retrieve only body of response

Hello team I am making http requests to a site and how to get only body of the response. here is the code :- req = self._helpers.buildHttpMessage(headers, body) print self._helpers.bytesToString(req) resp =...

Updating a parameter inline

Hey, When updating a query parameter through the "IExtensionHelpers.updateParameter" method, the parameter is removed from the query parameters, then updated and appended to the end. Is this intended functionality and if...