Burp Suite User Forum


Can't check if URL is in scope with Burps Custom Scope

Jack | Last updated: Jul 25, 2023 04:11PM UTC

I have used the burp-extender-api previously to build an extension to Burp. One of the features of this extension was to check whether a request was in scope. I had the following lines of code to do this:

    URL intercepted_url = ResponsePatternMatcher.helpers.analyzeRequest(messageInfo).getUrl();
    if (!inScopeOnly || ResponsePatternMatcher.callbacks.isInScope(intercepted_url)) {
        // .. do stuff
    }

which only performs the functionality if the request is in scope. I have noticed recently, since the changes to the scope control, that it's no longer possible to check if the request is in the scope: callbacks.isInScope(intercepted_url) always returns false, even if the intercepted URL is in scope. Is there anything I am doing wrong, or is there any alternative functionality in the burp-extender-api that will enable me to check if a URL is in scope? Thanks

Jack | Last updated: Jul 25, 2023 04:14PM UTC

Just FYI, the isInScope method is boolean isInScope(java.net.URL url); from IBurpExtenderCallbacks.

Dominyque, PortSwigger Agent | Last updated: Jul 26, 2023 12:36PM UTC

Hi Jack, I can see that you are using the legacy API. We do recommend using the Montoya API to write your extensions (https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/MontoyaApi.html). Would you be able to send us a screenshot of your scope rules as well as the URL you are passing?

Jack | Last updated: Jul 26, 2023 05:39PM UTC

Hi Dominyque, that makes sense. This is an extension I built a while back when only the legacy API was available, hence why I am using the legacy methods. I will look to change this extension to the Montoya API soon, but for now I would really like to fix this using the legacy API. Regarding additional screenshots, I can't attach them here unless there is a support email address I can use? Alternatively, I will paste the code in here.

------------------------------

Initially the call starts off from my processHttpMessage function within my main ResponsePatternMatcher class, which implements the processHttpMessage method stub from the IHttpListener interface:

    public class ResponsePatternMatcher implements IBurpExtender, ITab, IHttpListener, IMessageEditorController, IExtensionStateListener {
        // Static Burp objects
        public static IBurpExtenderCallbacks callbacks;
        public static IExtensionHelpers helpers;
        ...
        @Override
        public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
            service.execute(new MessageProcessor(toolFlag, messageIsRequest, messageInfo, gui));
        }

My processHttpMessage implementation makes a new thread, passing the IHttpRequestResponse object (messageInfo) to it as well as a gui object, which is a class that records the state of the GUI, such as whether the checkbox "inScopeOnly" has been ticked. The thread then invokes its run() function, which starts off as follows:

    public void run() {
        try {
            URL intercepted_url = ResponsePatternMatcher.helpers.analyzeRequest(messageInfo).getUrl();
            if (!inScopeOnly || ResponsePatternMatcher.callbacks.isInScope(intercepted_url)) {
                // Main functionality here that is no longer reached

The inScopeOnly boolean value is set in the thread's constructor:

    this.inScopeOnly = gui.getInScopeOnly();

------------------------------

This used to work fine and I tested it extensively when I first implemented it. But I suspect that Burp's new method of defining scope, and the option to use advanced scope control, has broken or changed the way callbacks.isInScope works. If I run this in debug mode, add https://portswigger.net/ to the scope either as a string or using advanced scope control, and set a breakpoint at the above lines to check the values of the variables at run time, I can see the following evaluations:

    intercepted_url -> URL object containing "https://portswigger.net:443/"
    ResponsePatternMatcher.callbacks.isInScope(new URL("https://portswigger.net:443/")) -> FALSE
    ResponsePatternMatcher.callbacks.isInScope(new URL("https://portswigger.net/")) -> FALSE
    ResponsePatternMatcher.callbacks.isInScope(new URL("http://portswigger.net/")) -> FALSE

I am on the following platforms:

    Compiled with: Oracle OpenJDK 17.0.8
    Tested against: Burp Suite Community Edition (2023.7.1)
    burp-extender-api (2.3)

Thanks
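Added example, not Jack's extension code and not PortSwigger's: the same in-scope gate from the post, written against the Montoya API that the PortSwigger agent recommends, so the two can be compared side by side. It registers an HttpHandler in place of the legacy IHttpListener and checks scope twice, through HttpRequest.isInScope() and through api.scope().isInScope(String), logging any disagreement to the extension output, which is the same comparison Jack did at a breakpoint. The class name ScopeGateExtension, the hard-coded inScopeOnly flag standing in for the GUI checkbox, and the log messages are assumptions for illustration; the API types and methods are taken from the Montoya javadoc linked above.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.logging.Logging;

// Montoya-API version of the legacy in-scope gate (example, not the original extension).
public class ScopeGateExtension implements BurpExtension, HttpHandler {
    private MontoyaApi api;
    private Logging log;

    // Stands in for gui.getInScopeOnly() from the post; hard-coded here (assumption).
    private volatile boolean inScopeOnly = true;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        this.log = api.logging();
        api.extension().setName("Scope gate (Montoya example)");
        // Replaces callbacks.registerHttpListener(this) from the legacy API.
        api.http().registerHttpHandler(this);
    }

    /**
     * Returns true when the request should be processed: either the gate is off,
     * or Burp's scope says the request URL is in scope.
     */
    boolean shouldProcess(HttpRequest request) {
        if (!inScopeOnly) {
            return true;
        }
        // Two lookups for the same URL: the request's own flag and the string-based Scope API.
        boolean byRequest = request.isInScope();
        boolean byScope = api.scope().isInScope(request.url());
        if (byRequest != byScope) {
            log.logToOutput("Scope lookups disagree for " + request.url()
                    + ": request.isInScope()=" + byRequest
                    + " scope().isInScope()=" + byScope);
        }
        return byRequest;
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent requestToBeSent) {
        if (shouldProcess(requestToBeSent)) {
            log.logToOutput("[in scope] " + requestToBeSent.toolSource().toolType()
                    + " " + requestToBeSent.url());
            // Main functionality for requests would go here.
        }
        // Always let the request continue unmodified.
        return RequestToBeSentAction.continueWith(requestToBeSent);
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived responseReceived) {
        // Scope is a property of the request URL, so gate on the initiating request.
        HttpRequest initiating = responseReceived.initiatingRequest();
        if (shouldProcess(initiating)) {
            // Response pattern matching, as in the original extension, would go here.
        }
        return ResponseReceivedAction.continueWith(responseReceived);
    }
}
```

Build it against the burp-extensions-montoya-api artifact and load the resulting jar from the Extensions tab. Because the Scope API takes the URL as a String, the lookup sees exactly the URL Burp attached to the request rather than a java.net.URL reconstructed from its parts, which is one of the differences from the legacy callbacks.isInScope(java.net.URL) call that the post exercises with the ":443" and "http://" variants.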

Dominyque, PortSwigger Agent | Last updated: Jul 27, 2023 07:34AM UTC

Hi Jack, thank you for pasting the code. You can send the screenshots to support@portswigger.net. From there, we will have the complete picture to do our investigation.
