Burp Suite User Forum

Dynamically Applying Highlight Markers

Li | Last updated: Apr 06, 2017 08:27PM UTC

Hi, currently I am working on an extension to dynamically apply markers (user defined) to highlight certain specific areas within requests and responses. This works well if I have an "issue" with only one request-response combo. When encountering issues with multiple requests-responses, I therein stumble upon an error message which reveals that overlapping string indexes, marked for highlighting, should not be used. Which sounds fair, but indicates a limitation to where someone is allowed to place highlights. Basically, I am trying to point out that within the IHttpRequestResponseWithMarkers class interface, the get methods are limited to what you want to be highlighted but only if you want that to be replicated across all your requests and responses. Hence why I could not apply different markers within other requests or responses. The ideal scenario would be if one could apply markers based on the "id" of the response-request combo within a specific Issue. If someone has any suggestions or a different approach on tackling this particular problem, I am all ears. Thank you!

PortSwigger Agent | Last updated: Apr 07, 2017 08:02AM UTC

IHttpRequestResponseWithMarkers represents a single request/response so the markers apply to that request/response. If you report an issue with multiple request/responses, then you need the issue to return multiple IHttpRequestResponseWithMarkers objects from the issue's getHttpMessages() method. Each IHttpRequestResponseWithMarkers object should be set up with the relevant markers for that request/response.

Burp User | Last updated: Apr 07, 2017 12:26PM UTC

Hi, Dafydd! Good news! Thank you so much for your suggestion, but I already knew that. While debugging I realized I was passing the exact same temporary ArrayList to my CustomHttpRequestResponseWithMarkers object, which should have been a different one each time I looped through my requests/responses. So basically, it was a programming mistake from my end. Future perspectives: when I have completed this extension I would like to share it with the community. It's a polished version of ManAddScan extension, with added features and improvements. Best Regards.
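
The per-message marker setup discussed in the two posts above, as an added example that is not code from this thread or from any poster's extension. It assumes the legacy Burp Extender API interfaces (package `burp`) are on the classpath; the class name `PerMessageMarkers` and the "needle" strings to highlight are hypothetical.

```java
package burp;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name), written against the legacy Burp Extender API.
public class PerMessageMarkers {

    // Returns every occurrence of `needle` in `data` as {start, end} offsets.
    // A new list is allocated on each call, so no two messages ever share markers.
    static List<int[]> find(IExtensionHelpers helpers, byte[] data, String needle) {
        List<int[]> markers = new ArrayList<>();
        if (data == null || needle == null || needle.isEmpty()) {
            return markers; // e.g. a request that has no response yet
        }
        byte[] pattern = needle.getBytes(StandardCharsets.ISO_8859_1);
        int from = 0;
        while (from < data.length) {
            int start = helpers.indexOf(data, pattern, true, from, data.length);
            if (start == -1) {
                break;
            }
            markers.add(new int[] { start, start + pattern.length });
            // Resume after the match: offsets stay in sequence and never overlap,
            // which is what applyMarkers requires.
            from = start + pattern.length;
        }
        return markers;
    }

    // Builds the array an IScanIssue can return from getHttpMessages().
    // messages.get(i) is highlighted with requestNeedles.get(i) / responseNeedles.get(i) only.
    static IHttpRequestResponse[] mark(IBurpExtenderCallbacks callbacks,
                                       List<IHttpRequestResponse> messages,
                                       List<String> requestNeedles,
                                       List<String> responseNeedles) {
        IExtensionHelpers helpers = callbacks.getHelpers();
        IHttpRequestResponse[] marked = new IHttpRequestResponse[messages.size()];
        for (int i = 0; i < marked.length; i++) {
            IHttpRequestResponse message = messages.get(i);
            List<int[]> req = find(helpers, message.getRequest(), requestNeedles.get(i));
            List<int[]> resp = find(helpers, message.getResponse(), responseNeedles.get(i));
            // applyMarkers returns an IHttpRequestResponseWithMarkers for this message alone.
            marked[i] = callbacks.applyMarkers(message, req, resp);
        }
        return marked;
    }
}
```

Reusing one list across loop iterations, and appending to it, would attach earlier messages' offsets to later ones; allocating the list inside `find` avoids that.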

PortSwigger Agent | Last updated: Apr 07, 2017 02:09PM UTC

Glad you got things working.

Burp User | Last updated: Aug 15, 2017 05:58PM UTC

Here is a generic implementation that highlights a string in the request or source. https://github.com/GoSecure/csp-auditor/blob/master/csp-auditor-burp-plugin/src/main/java/burp/scanner/MockHttpRequestResponse.java Note: It will highlight the first instance only.
