Burp Suite User Forum

Login to post

Expose IScanIssue Requests with Markers

Alex | Last updated: Jul 12, 2022 07:22PM UTC

Some scan issues contain marker information in the request/response for easier identification of issue, but there is no way to access these markers through the extender API. The IScanIssue.getHttpMessages() function currently returns an IHttpRequestResponse array, but it does not contain marker information. I'd like to request adding a new function such as IScanIssue.getHttpMessagesWithMarkers() that returns a IHttpRequestResponseWithMarkers array.

Hannah, PortSwigger Agent | Last updated: Jul 13, 2022 08:52AM UTC

Hi Could you explain your use case? Markers are used in various situations, such as specifying Intruder payload positions, Scanner insertion points, and highlights in Scanner issues. These aren't modifiable by the Extender API (although you can add additional scanner insertion points), as the user configures these as part of their intruder attack or scan configuration.

Alex | Last updated: Jul 13, 2022 04:27PM UTC

I'd like to write an extension that exports scanner issues to an external program for easier collaboration between testers. This program would have the ability to assign issues to different testers, add notes/evidence, and ultimately assist in creating the vulnerability write-up. It would be very helpful to see the markers in the example requests/responses from the external program. Currently, the only way I can think of doing this would be to save an HTML report and parse the results into the program, but this has many drawbacks, especially if we want to sync results in real time.

Hannah, PortSwigger Agent | Last updated: Jul 14, 2022 09:59AM UTC

There are a few extensions on the BApp Store that integrate with 3rd party issue tracking tools. Have you had a look at how they implement this functionality? You can find the source code for all BApp Store extensions here: https://github.com/PortSwigger You could use IBurpExtenderCallbacks.getScanIssues() to retrieve all issues. From there, you could format the issue details in the manner that you like for export to your tool. If your tool has a web interface, you could push a POST request to it at various time intervals with your issue details, using IBurpExtenderCallbacks.makeHttpRequest().

Alex | Last updated: Jul 18, 2022 08:58PM UTC

Yes, I've looked at the other extensions and have achieved similar functionality. I'm not aware of any existing extensions that can view exported scan issues' requests/responses *with markers*. In other words, When I view an exported scan issue in my external program, I'd like to be able to see the relevant markers. But there doesn't seem to be a good way to access the marker data.

Hannah, PortSwigger Agent | Last updated: Jul 19, 2022 02:59PM UTC

We'll raise this for further discussion with the team and get the relevant feature request made! If there's anything else we can help with then please let us know.

Alex | Last updated: Nov 22, 2022 10:12PM UTC

Hello! I wanted to provide an update here for future reference. I decided to check back into this, and I noticed it seems to be addressed in the the new Montoya API. The AuditIssue.requestResponses() method returns a MarkedHttpRequestResponse type, which contains the information I need. https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/http/message/MarkedHttpRequestResponse.html Cheers!

Hannah, PortSwigger Agent | Last updated: Nov 23, 2022 09:49AM UTC

Glad to hear that this fits your use case! If there's anything else we can help with, then please let us know.

You need to Log in to post a reply. Or register here, for free.