Burp Suite User Forum


Burp Automation - Scanning for specific vulnerability

Zeeshan | Last updated: Jun 13, 2023 01:56AM UTC

Dear, I want to write a Burp extension in Java that will use Burp Scanner. Can we scan a request with a specific (user-defined) audit configuration in Burp Suite Professional? For example, the extension will check if there is an id parameter in the URL query string only, then I will start an audit using Burp -> Configuration Library -> User Defined -> "Only SQL Injection Config". I don't want to run an active scan that contains all scanning checks; I want to keep specific checks like SQL injection. My Burp extension will be running in the background monitoring proxy traffic, and whenever it sees an id parameter, it will trigger a SQL injection audit. I have been exploring the Burp legacy and Montoya APIs, but could not conclude how I can do this.

Hannah, PortSwigger Agent | Last updated: Jun 13, 2023 09:51AM UTC

Hi, unfortunately you cannot set a scan configuration when scanning with the Montoya or Extender API. You can trigger a crawl or audit, which will run with the default configuration. Alternatively, you can provide your own scan check that will be run in addition to Burp's checks. You can also trigger a full crawl and audit using Burp's REST API. Using this, you would be able to specify a scan configuration. We have an ongoing feature request to be able to specify a configuration for crawling and auditing. We've added your +1 to this request. If there's anything else we can help with, then please let us know.
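
As an added illustration of the "trigger an audit from the Montoya API" route described in the reply above (example code written for this page, not PortSwigger's or the original poster's), the following extension watches proxy traffic for an `id` parameter in the URL query string and appends the matching request to a running audit. The class name `IdParamAuditTrigger`, the `TRIGGER_PARAM` constant and the choice of `BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS` are assumptions for the example; a user-defined library configuration such as "Only SQL Injection Config" cannot be selected through the API, so the built-in configuration is used instead.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.params.HttpParameterType;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.proxy.http.InterceptedRequest;
import burp.api.montoya.proxy.http.ProxyRequestHandler;
import burp.api.montoya.proxy.http.ProxyRequestReceivedAction;
import burp.api.montoya.proxy.http.ProxyRequestToBeSentAction;
import burp.api.montoya.scanner.Audit;
import burp.api.montoya.scanner.AuditConfiguration;
import burp.api.montoya.scanner.BuiltInAuditConfiguration;

import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Example extension (not PortSwigger code): queue proxied requests that carry an
// "id" query parameter into one long-lived Burp Scanner audit.
public class IdParamAuditTrigger implements BurpExtension, ProxyRequestHandler {
    // Parameter name that triggers an audit; assumption for this example.
    private static final String TRIGGER_PARAM = "id";

    private MontoyaApi api;
    private Audit audit;
    // host:port/path values already handed to the scanner, so repeated browsing
    // of the same endpoint does not queue duplicate audit items.
    private final Set<String> audited = ConcurrentHashMap.newKeySet();

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("id-param audit trigger");
        // Only built-in configurations can be chosen from the API; a user-defined
        // library configuration is not selectable here.
        this.audit = api.scanner().startAudit(
                AuditConfiguration.auditConfiguration(
                        BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));
        api.proxy().registerRequestHandler(this);
    }

    @Override
    public ProxyRequestReceivedAction handleRequestReceived(InterceptedRequest request) {
        if (shouldAudit(request)) {
            audit.addRequest(request);
            api.logging().logToOutput("Queued for audit: " + request.url());
        }
        // Never alter or block the proxied request; this handler only observes.
        return ProxyRequestReceivedAction.continueWith(request);
    }

    @Override
    public ProxyRequestToBeSentAction handleRequestToBeSent(InterceptedRequest request) {
        return ProxyRequestToBeSentAction.continueWith(request);
    }

    private boolean shouldAudit(HttpRequest request) {
        // Only in-scope targets, so the scanner never fires at third-party hosts
        // that happen to pass through the proxy.
        if (!request.isInScope()) {
            return false;
        }
        // Match "id" in the URL query string only, not in the body or a cookie,
        // which is what the original question asked for.
        if (!request.hasParameter(TRIGGER_PARAM, HttpParameterType.URL)) {
            return false;
        }
        String key = request.httpService().host() + ":" + request.httpService().port()
                + request.pathWithoutQuery();
        // add() returns true only the first time this endpoint is seen.
        return audited.add(key);
    }
}
```

Build the class against the montoya-api dependency, package it as a jar and load it from Extensions > Installed; the audit then appears as a task on the Dashboard and its issues are reported there. Because the configuration is one of Burp's built-in sets, all of its active checks run against each queued request; restricting the audit to SQL injection alone needs either a custom `ScanCheck` registered with `api.scanner().registerScanCheck(...)` or the REST API route mentioned in the reply, which does accept a named scan configuration.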

Zeeshan | Last updated: Jun 14, 2023 03:14AM UTC

Dear Hannah, is there any timeline for this feature? I can see it has been in progress for almost 2 years.

Hannah, PortSwigger Agent | Last updated: Jun 14, 2023 11:03AM UTC

Hi, I'm sorry, but we cannot provide an estimate. It's not currently on our roadmap for this year, but this feature is fairly requested. You can check out our current roadmap here: https://portswigger.net/blog/burp-suite-roadmap-update-january-2023
