Burp Suite User Forum

Burp Extension guideline for scanner

thanhpt | Last updated: Sep 12, 2023 04:19AM UTC

Hi, I plan to write an extension for Burp Scanner to scan for Remote File Inclusion. Where can I find guidelines for creating an extension and integrating it into my Burp Suite for automated scanning with this extension?

Hannah, PortSwigger Agent | Last updated: Sep 12, 2023 08:49AM UTC

thanhpt | Last updated: Sep 12, 2023 11:21AM UTC

I have a list of payloads and need to load them into each request that Scanner sends. I wonder if BChecks can do that. Also, I run Burp Suite on my server for scanning only, and it can only run in headless mode, but I cannot find any documentation on how to import a BCheck into Burp Suite in headless mode.

Hannah, PortSwigger Agent | Last updated: Sep 13, 2023 09:20AM UTC

You could do this via BChecks. However, BChecks can only be imported via Burp's UI. If that's the case, then you may prefer to write an extension for Burp, to be imported as part of the User Options.

thanhpt | Last updated: Sep 14, 2023 08:53AM UTC

Does Burp Suite have any plans to implement importing BChecks in headless mode? I think BCheck is so good for defining new vulnerabilities for Burp Scanner. I love it. Does the Montoya API have any API that lets me view the Event Log?

Hannah, PortSwigger Agent | Last updated: Sep 14, 2023 09:30AM UTC

This mechanism may change in the future, but we don't have any current plans to change this.

The Montoya API does not have any functionality to access the contents of the event log. However, we do have a feature request for this, to which I have added your +1.

Burp Suite Professional is not designed to be used headlessly, as many of the different tools require user interaction. If you want to automate the scanning of sites in a headless environment, Burp Suite Enterprise Edition may be better suited for how you want to use Burp. It has a centralized server with distributed Scanning Machines, and a web interface to access the product. It also has a GraphQL API that you can use to retrieve information or make it perform actions, amongst various other features to help with automation and scanning at scale.

If it sounds like it may be useful, you can find more information and request a free trial here: https://portswigger.net/burp/enterprise
