Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Can BChecks call the specified check module?

cyvk | Last updated: Jul 13, 2023 09:27AM UTC

My idea is to dynamically call other checks through one check for further processing The first check can hit sensitive information, and then call another bchecks file for further inspection. I don’t know if you can understand this way. ============== first check ============= metadata: language: v1-beta name: "Spring_404_test_01" description: "Tests for exposed git directory" author: "cyvk" define: payload = "/ddikggckiik" given request then send request called req : method : {latest.request.method} path: `{latest.request.url.path}{payload}` if "\"status\":404" in {req.response.body} then report {api.bchecks({req})} # I want this function end if ============ api.bchecks file ================== metadata: language: v1-beta name: "api-docs Exposed" description: "Test" author: "cyvk" tags: "demo" run for each: payload = "/v2/api-docs","/v2;/api-docs;.js" given request then send request called req : appending path: {payload} if "200" is {req.response.status_code} then report issue: severity: high confidence: firm detail: "java API exposed" remediation: "close site" end if

Maia, PortSwigger Agent | Last updated: Jul 13, 2023 04:53PM UTC

Hi, thank you for your message. You won't be able to call another BCheck from within a BCheck. We are looking into adding further functionality which would allow you to add a list of payloads and expected responses which should allow you to keep everything within one BCheck. If this would meet your needs please let me know and I will +1 you to the feature request.

cyvk | Last updated: Jul 15, 2023 01:01PM UTC

I make strategies based on different responses, which may be complicated, but if Montoya Api can dynamically instantiate BChecks and perform checks, it should be able to solve my problem

cyvk | Last updated: Jul 17, 2023 06:44AM UTC

+1

Maia, PortSwigger Agent | Last updated: Jul 17, 2023 03:33PM UTC

I've added you to the feature request. The Montoya API isn't able to dynamically instantiate BChecks. It sounds like it may be better to do everything through the Montoya API instead of crossing into BChecks.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.