Burp Suite User Forum


GraphQL mutation for extensions

Chris | Last updated: Dec 20, 2021 03:27PM UTC

Does GraphQL support mutations of a given site to add an extension?

James, PortSwigger Agent | Last updated: Dec 21, 2021 09:12AM UTC

Hi Chris,

Thanks for getting in touch.

Yes, the Burp Enterprise GraphQL API does support this. We recently added some functionality for extensions to this, which is in the process of being updated in the documentation.

I have listed some examples below for you. You can also fetch the schema documentation if you are using a tool such as Insomnia.

1) Upload your desired extension(s) to the Burp Enterprise extension library

2) Fetch the list of extensions in the Burp Enterprise library and their corresponding ID numbers using a GraphQL query:

Query Extensions (Library)

    query extensions {
      extensions {
        name
        description
        id
        uploaded_by
        uploaded_date
        uploaded_filename
        bapp_details {
          author
          bapp_uuid
          version
        }
      }
    }

Example response of the above:

    {
      "data": {
        "extensions": [
          {
            "name": "Log4Shell Scanner",
            "description": "Enumerates hidden Log4Shell-affected hosts.",
            "id": "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f",
            "uploaded_by": "administrator",
            "uploaded_date": "2021-12-13T13:38:25.981Z",
            "uploaded_filename": "log4shell-scanner.bapp",
            "bapp_details": {
              "author": "SilentSignal",
              "bapp_uuid": "b011be53649346dd87276bca41ce8e8f",
              "version": "0.2.1"
            }
          }

The main thing we need here is the "id": "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f".

2) Optional - check which extensions, if any, are already applied to a particular site

Query GetSiteTree (with extensions field added)

    query GetSiteTree {
      site_tree {
        sites {
          id
          name
          parent_id
          extensions {
            id
          }
        }
      }
    }

Example response of the above:

    {
      "data": {
        "site_tree": {
          "sites": [
            {
              "id": "1",
              "name": "PortSwigger Labs",
              "parent_id": "0",
              "extensions": [
                {
                  "id": "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f"
                }
              ]
            }

This shows that the Log4Shell Scanner extension is already applied to my site in this case.

3) Update the extension(s) that are attached to a site, that will be used for scanning

Mutation UpdateSiteExtensions

    mutation update_site_extensions {
      update_site_extensions(input: {id: "1", extension_ids: "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f"}) {
        site {
          id
          name
          parent_id
        }
      }
    }

This would update my site with ID "1" to attach the Log4Shell Scanner extension in this case.
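The three steps in the reply above can be chained in a script that validates every ID before it is placed into the mutation text. This is an added example, not code from the post or from PortSwigger; the sample responses are constructed from the ones shown, and the function names are hypothetical. It assumes site IDs are numeric, that `extension_ids` accepts a list, and that the mutation sets the site's whole extension list, so it sends the already-attached IDs along with the new one.

```python
import uuid

# Constructed sample data shaped like the two responses in the post.
EXTENSIONS = {"data": {"extensions": [
    {"name": "Log4Shell Scanner", "id": "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f"},
    {"name": "Constructed Example", "id": "11111111-2222-4333-8444-555555555555"},
]}}
SITE_TREE = {"data": {"site_tree": {"sites": [
    {"id": "1", "name": "PortSwigger Labs", "parent_id": "0",
     "extensions": [{"id": "9c87c758-a29c-476e-b5d8-e4f4e4bbcd8f"}]},
]}}}

def extension_id_by_name(response, name):
    """Library ID for an extension name; refuse zero or ambiguous matches."""
    ids = [e["id"] for e in response["data"]["extensions"] if e["name"] == name]
    if len(ids) != 1:
        raise LookupError(f"expected one extension named {name!r}, found {len(ids)}")
    return ids[0]

def site_extension_ids(response, site_id):
    """Extension IDs currently attached to the given site."""
    for site in response["data"]["site_tree"]["sites"]:
        if site["id"] == site_id:
            return [e["id"] for e in site["extensions"]]
    raise LookupError(f"no site with id {site_id!r}")

def build_update_request(site_id, extension_ids):
    """JSON body for update_site_extensions, built only from validated IDs."""
    if not (site_id.isascii() and site_id.isdigit()):
        raise ValueError("site id must be numeric")  # assumption: IDs are integers
    # uuid.UUID raises ValueError on non-UUID input and str() re-emits the
    # canonical form, so no quote or brace can reach the query text.
    ids = ", ".join(f'"{uuid.UUID(i)}"' for i in extension_ids)
    query = ("mutation update_site_extensions { update_site_extensions(input: "
             f'{{id: "{site_id}", extension_ids: [{ids}]}}) '
             "{ site { id name parent_id } } }")
    return {"query": query}

def plan_update(site_id, name, extensions=EXTENSIONS, site_tree=SITE_TREE):
    """Request body to send, or None when the extension is already attached."""
    wanted = extension_id_by_name(extensions, name)
    current = site_extension_ids(site_tree, site_id)
    if wanted in current:
        return None
    # Assumption: the mutation sets the whole list, so keep what is attached.
    return build_update_request(site_id, current + [wanted])
```
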
