Burp Suite User Forum

Create a multi-task extension

Bajii0 | Last updated: Jun 26, 2023 10:07AM UTC

Hello, I would like to create a multi-task extension, checking for a lot of different things such as header presence, injection, or even broken access control. In order to do it, I think I need to separate things and I cannot find a good way to do it. For example, I don't want my extension to be testing for broken access control at the same time as checking for injection. Is there a correct way to do that? Or is it better to make a bunch of different extensions and launch them from a main extension? Should I store the request once to replay it with different tests? I'm looking forward to your answers!

PS: I'm new to Burp extension creation, so sorry in advance if I said absurd things. If you have any other user post that could be of help, I would be really grateful if you could send the link below. Thanks again for your help!

Hannah, PortSwigger Agent | Last updated: Jun 26, 2023 10:44AM UTC

Hi,

It sounds like you want to provide a number of additional scan checks to Burp. You can find an example extension written in the Montoya API to add an additional scan check to Burp here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customscanchecks

You can register multiple scan checks in one extension, in the same manner that a scan check is registered in the example extension.
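Registering more than one scan check from a single Montoya extension, shown as an added example that is not part of the thread or of PortSwigger's example repository. The class names and the two header names are assumptions chosen for illustration; each `MissingHeaderCheck` instance is a separate passive check that sends no traffic of its own.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.scanner.AuditResult;
import burp.api.montoya.scanner.ConsolidationAction;
import burp.api.montoya.scanner.ScanCheck;
import burp.api.montoya.scanner.audit.insertionpoint.AuditInsertionPoint;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;
import java.util.List;
// Class names and header names below are illustrative assumptions.
public class MultiCheckExtension implements BurpExtension {
    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Multi-check example");
        // One registration per check; the scanner invokes each check separately.
        api.scanner().registerScanCheck(new MissingHeaderCheck("Strict-Transport-Security"));
        api.scanner().registerScanCheck(new MissingHeaderCheck("Content-Security-Policy"));
    }
}

// Hypothetical passive check: reports a response that lacks one named header.
class MissingHeaderCheck implements ScanCheck {
    private final String header;
    MissingHeaderCheck(String header) { this.header = header; }
    @Override
    public AuditResult passiveAudit(HttpRequestResponse base) {
        // No response to inspect, or header present: nothing to report.
        if (base.response() == null || base.response().headers().stream()
                .anyMatch(h -> h.name().equalsIgnoreCase(header))) {
            return AuditResult.auditResult(List.of());
        }
        AuditIssue issue = AuditIssue.auditIssue(
                "Missing " + header + " header",
                "The response does not set the " + header + " header.",
                null, base.request().url(),
                AuditIssueSeverity.INFORMATION, AuditIssueConfidence.CERTAIN,
                null, null, AuditIssueSeverity.INFORMATION, base);
        return AuditResult.auditResult(List.of(issue));
    }
    @Override // Passive-only check: the active hook reports no issues.
    public AuditResult activeAudit(HttpRequestResponse base, AuditInsertionPoint point) {
        return AuditResult.auditResult(List.of());
    }
    @Override // Same issue name: drop the duplicate. Different names: keep both.
    public ConsolidationAction consolidateIssues(AuditIssue newIssue, AuditIssue existing) {
        return existing.name().equals(newIssue.name())
                ? ConsolidationAction.KEEP_EXISTING : ConsolidationAction.KEEP_BOTH;
    }
}
```

Because both checks are registered by the same extension, `consolidateIssues` compares issue names so that a missing-HSTS finding and a missing-CSP finding on the same URL are both kept.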

Bajii0 | Last updated: Jun 28, 2023 08:04AM UTC

I'll check it, thanks. Is there any similar project in Python?

Hannah, PortSwigger Agent | Last updated: Jun 28, 2023 08:50AM UTC

We'd recommend using the Montoya API as it has additional functionality over our previous Extender API. The Montoya API is only available in Java.

Our previous Extender API can be used with Java, Jython, and JRuby. Using Jython is similar to writing in Python 2. You can find an example for writing a scan check extension here: https://github.com/PortSwigger/example-scanner-checks

We've also recently released some new functionality around writing your own scan checks without creating a full extension. These are called BChecks, and are currently available on our Early Adopter channel (these should be coming to Stable soon). You can find out more information about these here: https://portswigger.net/burp/documentation/scanner/bchecks
