Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Extension driven passive audit

Jackson | Last updated: Nov 17, 2023 07:18PM UTC

I have recently started seeing "Extension driven passive audit" automatically get created while I am testing. I checked the forums and prior release notes and didn't see any good answers to my questions. So here they are: When I look at the details of the task, it doesn't have any details whatsoever. -What created it? -What checks is it performing? I thought it might just represent all of the processing done in extensions from calling the `doPassiveAudit()` function, but that doesn't seem to be right because if I filter the issues it finds to NOT include "extensions" there is still stuff in there. -What is its scope? The UI doesn't say, even in the details. -What traffic is it inspecting? The UI doesn't say. -I already had a "Live audit from Proxy (all traffic)" that I customized to include all passive, javascript, and extension generated issues... how is the "extension driven passive audit" different from my pre-existing live audit? Many issues seems to be identified in both scan tasks. -If it's possible to create an "extension driven passive audit"... is it possible to create an "extension driven active audit"? If so, how (asking both from UI / high-level AND extension developer level perspective).

Jackson | Last updated: Nov 17, 2023 07:20PM UTC

I should have mentioned that I'm on the latest early-adopter version of Burp, but I've noticed it for the past couple of versions now.

Hannah, PortSwigger Agent | Last updated: Nov 20, 2023 01:32PM UTC

Hi Do you have any extensions loaded in your project? Typically, an extension-generated task will occur if an extension has triggered an audit. For example, using "api.scanner().startAudit()", "callbacks.doPassiveScan()" or "callbacks.doActiveScan()" (the method used would depend on whether the extension is written with the Montoya API or the legacy Extender API). The extension determines which requests are sent to these scan tasks.

Jackson | Last updated: Nov 21, 2023 11:13PM UTC

Ah ok, that's the information I needed :) Thanks And I assume the checks that are performed in the extension-driven task are those that are defined by the extension. So for example, if the extension has "callbacks.doPassiveScan()" that uses a class to do some scanning... but also calls api.scanner().registerScanCheck() with the same class to do the checking... then if my normal live task includes extension generated issues, both the normal live task and the extension-driven task will have some of the same reported issue. Sorry that isn't very good English but hopefully it made enough sense. Do I have this about right?

Hannah, PortSwigger Agent | Last updated: Nov 22, 2023 09:59AM UTC

Hi The extension-generated scan tasks will use the default configuration, with a distinction between passive and active. This default configuration includes all scan checks of the required type. You are correct that both tasks will report the same issues. However, issue consolidation should mean that you don't receive any duplicated issues in your "Target > Site map". If an extension is registering an additional scan check or scan insertion point, then this will be used by both the extension-generated task as well as the regular running tasks. Please let us know if you need any further assistance.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.