Burp community forum

Confusion on InsertionPoints / active scan module

fenceposterror | Last updated: Mar 18, 2016 10:02AM UTC

Hi, I'm trying to make the DetectDynamicJS extension an active scanner extension instead of a passive scanner, which it is right now, to adhere to the rule that passive scanners don't issue requests. I'm a little confused about the workings of insertion points / active scan. All the extension needs to do is issue one, or sometimes two, requests, which is, by the way, re-issuing the first one, trying to detect if the answer changed. My impression is that the predefined insertion points won't do, because the extension removes all cookies, and when I choose Cookies as the insertion point, it will give me each single one. If I understand correctly, the active scanner extension only gets triggered if insertion points were chosen in the user's configuration. And there is the conflict, because I don't want the tool to rescan for every insertion point. It's not insertion point related (to me); I guess that's where I get stuck. How can I fit the idea of sending one/two requests for a request, if the user chose "do active scan", using the insertion point idea?

PortSwigger Agent | Last updated: Mar 18, 2016 01:15PM UTC

There is a limitation in the current API for custom active scan checks, in that your scan check gets called once for each configured insertion point. It sounds like your scan check needs to run once per request, not per insertion point. At present, there isn't a way to do this using the API, but a workaround would be to remember the requests that you have already scanned, and ensure that you only perform your scan check logic once per request, not for every insertion point.

Burp User | Last updated: Mar 18, 2016 01:43PM UTC

Thank you for your quick answer! In that case I'll leave it a passive scanner module for now, because I can't ensure that the first time a request gets scanned is the version that has the at scan time valid credentials.

Burp User | Last updated: Jan 01, 2017 09:52PM UTC

Just a +1 here for this feature of having an API for "once per request". As my active scan will do a lot of tests and a lot of requests, using the passive scan module is not a very clever idea. Also, remembering all requests is a very ugly workaround and will at one point fill up memory. Therefore a plugin I'm currently developing is abusing the IScannerInsertionPoint interface, where getInsertionPoints is called exactly once per active scanned request... ugly (e.g. percentage of scans done is stuck at 0% until my plugin is done) but works.
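The workaround from the PortSwigger reply above (remember scanned requests and run the check once per request), as an added example that is not code from this thread or from any extension it mentions; it keeps a bounded set of digests rather than whole requests. `OncePerRequestGuard`, `OncePerRequestCheck`, `run_check` and the `Fake*` stand-ins are hypothetical names, and the request is assumed to arrive as Python bytes.

```python
import hashlib
from collections import OrderedDict
class OncePerRequestGuard(object):
    """Remembers digests of scanned requests; evicts the oldest past max_entries."""
    def __init__(self, max_entries=10000):
        self._seen = OrderedDict()
        self._max = max_entries

    def first_time(self, target, request_bytes):
        # Key on target plus the full raw request (assumed to be bytes), so the
        # same request replayed with different cookies counts as a new request.
        key = hashlib.sha256(target.encode("utf-8") + b"\n" + request_bytes).digest()
        if key in self._seen:
            return False
        self._seen[key] = True
        if len(self._seen) > self._max:
            self._seen.popitem(last=False)  # oldest digest; that request may be re-checked
        return True

class OncePerRequestCheck(object):
    """Shape of an IScannerCheck: Burp calls doActiveScan once per insertion point."""
    def __init__(self, run_check, guard=None):
        self._run_check = run_check  # hypothetical callable holding the real check logic
        self._guard = guard or OncePerRequestGuard()

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        svc = baseRequestResponse.getHttpService()
        target = "%s://%s:%d" % (svc.getProtocol(), svc.getHost(), svc.getPort())
        if not self._guard.first_time(target, baseRequestResponse.getRequest()):
            return None  # this request was already handled via another insertion point
        return self._run_check(baseRequestResponse)

class FakeService(object):  # constructed stand-in for IHttpService
    def getProtocol(self): return "https"
    def getHost(self): return "app.example"
    def getPort(self): return 443
class FakeMessage(object):  # constructed stand-in for IHttpRequestResponse
    def __init__(self, request): self._request = request
    def getHttpService(self): return FakeService()
    def getRequest(self): return self._request

def demo():
    calls = []
    check = OncePerRequestCheck(lambda msg: calls.append(msg.getRequest()) or [])
    a = FakeMessage(b"GET /app.js HTTP/1.1\r\nHost: app.example\r\nCookie: sid=1\r\n\r\n")
    b = FakeMessage(b"GET /app.js HTTP/1.1\r\nHost: app.example\r\nCookie: sid=2\r\n\r\n")
    for msg in (a, a, a, b):  # three insertion points for a, one for b
        check.doActiveScan(msg, None)
    return len(calls)
```

Because the key covers the raw request bytes, a later scan of the same URL with fresh cookies is checked again instead of being skipped.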
