Burp Suite User Forum

Create new post

BCheck Multiple Request for Run For Each definitions

DL | Last updated: Jun 11, 2024 02:36PM UTC

BCheck has this "run for each" definition which will send a request for each instance of the variable. How can I display in the advisory all the requests and responses? So far, I am only seeing one request and one response

Hannah, PortSwigger Agent | Last updated: Jun 12, 2024 09:56AM UTC

In this case, it sounds like writing an extension for your scan check would be more appropriate, as it would allow you to attach multiple request/response pairs to the raised issue. You can find an example extension for writing scan checks here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customscanchecks To help us better understand your use case, could you give us a bit more information around what test you are trying to perform and why you would like all requests and responses displayed in the issue? We may be able to raise a feature request to track this functionality for future iterations.

DL | Last updated: Jun 12, 2024 02:36PM UTC

I am trying to run a bcheck to test for authentication & authorization. But it seems like I will only be able to do this one bcheck by one bcheck or using the custom scan check extension for now T_T ``` run for each: token = "token","token2","token3" given request then: // token replacing bcheck request function ```

Hannah, PortSwigger Agent | Last updated: Jun 12, 2024 04:03PM UTC

Hi When reporting, are you using "report issue and continue"? This allows the BCheck to continue to run after having found an issue previously, which means you will iterate through all token values rather than testing one, finding an issue and stopping.

DL | Last updated: Jun 12, 2024 05:15PM UTC

sounds like a good workaround, but will still prefer multiple request / response displayed so that I can see what the requeset/responses flagged are and confirm the issue.

Hannah, PortSwigger Agent | Last updated: Jun 13, 2024 04:46PM UTC

Thanks for that information - in this case, it seems like an extension would be better suited for your use case. These need to be written in Java to use our Montoya API. However, our old Extender API is compatible with Python 2.7 if you're more comfortable with Python. You can find out more about writing extensions here: https://portswigger.net/burp/documentation/desktop/extensions/creating Please let us know how you get on!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.