Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Confusion on InsertionPoints / active scan module

fenceposterror | Last updated: Mar 18, 2016 10:02AM UTC

Hi, I'm trying to make the DetectDynamicJS extension an active scanner extension instead of a passive scanner, which it is right now, to adhere to the rule that passive scanners don't issue requests. I'm a little confused about the workings of insertion point / active scan. All the extension needs to do is issue one, or sometimes two requests, which is by the way re-issuing the first one, trying to detect if the answer changed. My impression is that the predefined insertion points won't do, because the extension removes all cookies and when I chose Cookies as insertion point, it will give me each single one. If understand correctly, the active scanner extension only gets triggered if insertion points did get chosen in the configuration of the user. And there is the conflict, because I don't want the tool to rescan for every insertion point. It's not insertion point related (to me), I guess that's where I get stuck. How can I fit the idea of sending one/two requests for a request, if the user chose "do active scan", using the insertion point idea?

PortSwigger Agent | Last updated: Mar 18, 2016 01:15PM UTC

There is a limitation in the current API for custom active scan checks, in that your scan check gets called once for each configured insertion point. It sounds like your scan check needs to run once per request, not per insertion point. At present, there isn't a way to do this using the API, but a workaround would be to remember the requests that you have already scanned, and ensure that you only perform your scan check logic once per request, not for every insertion point.

Burp User | Last updated: Mar 18, 2016 01:43PM UTC

Thank you for your quick answer! In that case I'll leave it a passive scanner module for now, because I can't ensure that the first time a request gets scanned is the version that has the at scan time valid credentials.

Burp User | Last updated: Jan 01, 2017 09:52PM UTC