Burp Suite User Forum

How to create a bcheck that injects something into each level of an existing path

xxpay.com | Last updated: Nov 20, 2023 04:24PM UTC

Hello, I'm trying to create a bcheck that runs for each request, and then sends a request to inject something in the middle of the path (after each level of directory "/"). For example: https://test.com/xxx-ecp/api/v1/ads?language=1&platform=1.

Required request ->
https://test.com/payloads
https://test.com/xxx-ecp/payloads
https://test.com/xxx-ecp/api/payloads
https://test.com/xxx-ecp/api/v1/payloads

```
given request then
    send request called check:
        method: "GET"
        replacing path: `{regex_replace({base.request.url.path}, "[^/]*$", "")}{potential_paths}`
```

The following "/" is realized through the above fragment. How to implement directory injection for each level of directory, or general specified directory test depth. Is that all right now? Thank you!

Michelle, PortSwigger Agent | Last updated: Nov 21, 2023 02:05PM UTC

Hi,

In the latest update to BChecks (v2-beta), there is now an option that allows you to run the BCheck per path, so the check runs once for each unique path audited. To make sure I'm understanding what you want to achieve correctly, can you give me a couple of examples showing the requests you would like the BCheck to send given a specific request or path? In the example above, would you be using the BCheck to inject something just where you've used the word payloads?

xxpay.com | Last updated: Nov 22, 2023 06:25AM UTC

Hello, I need to inject payloads into all links within and outside the scope of the test, at different directory levels. For example, directory traversal is required when testing Spring information disclosure.

Michelle, PortSwigger Agent | Last updated: Nov 22, 2023 09:31AM UTC

Hi,

Can you explain what you mean by 'all links within and outside the scope of the test' please? In your scenario, are you running an audit-only scan on one specific request and then wanting the BCheck to send requests to multiple locations within the same domain? Or would you be using the BCheck in a full crawl and audit scan where the crawl would detect multiple paths?

xxpay.com | Last updated: Nov 22, 2023 12:58PM UTC

All links within and outside my test scope refer to all links within the test scope and from the agent. Now with the scan settings I set up via Live audit from Proxy (all traffic) in the library select Audit checks - BChecks only. https://test.com/frontend/prod/fe-lib/lottie/5.7.3/lottie.min.js. How to write such a link so that every directory can be injected into payloads?

Michelle, PortSwigger Agent | Last updated: Nov 23, 2023 11:27AM UTC

Thanks for the additional information. I think we now understand what you are trying to achieve. You can't currently do this with BChecks. If you could, as you then browse to other locations, such as https://test.com/frontend/prod/fe-lib/another.js, numerous duplicate requests would be sent as BChecks have no state. It would probably be best to create a Montoya-based scan check for this scenario, as this will allow you to keep a set of paths that have already been scanned, and you should find looping and path manipulation easier. You could then set a Live task just to perform checks for Extension generated issues. I hope this helps. You can find more about creating extensions here: https://portswigger.net/burp/documentation/desktop/extensions/creating
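The stateful path handling suggested in the reply above, as an added example that is not part of the original thread and not PortSwigger code: a plain Java helper that a Montoya scan check could call to get the per-directory paths it has not yet requested. The class and method names (`PathLevelExpander`, `expand`) are hypothetical, and the wiring into the Montoya API is not shown.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example: PathLevelExpander and expand() are hypothetical names, not Montoya API.
public class PathLevelExpander {
    // Directory prefixes already tested, keyed as "host|/dir/". A concurrent set is
    // used on the assumption that scan checks may be invoked from several threads.
    private final Set<String> seen = ConcurrentHashMap.newKeySet();

    /** Returns the paths still to request for this base path; empty if every level was done. */
    public List<String> expand(String host, String pathAndQuery, String payload) {
        // Drop query string and fragment, then the final segment (file or endpoint
        // name), which is what the regex_replace "[^/]*$" in the BCheck does.
        String path = pathAndQuery.split("[?#]", 2)[0];
        if (!path.startsWith("/")) {
            path = "/" + path;
        }
        String dir = path.substring(0, path.lastIndexOf('/') + 1);

        List<String> targets = new ArrayList<>();
        // Walk every '/' in the directory part: "/", "/a/", "/a/b/", ...
        for (int i = dir.indexOf('/'); i >= 0; i = dir.indexOf('/', i + 1)) {
            String prefix = dir.substring(0, i + 1);
            if (prefix.endsWith("//")) {
                continue; // empty segment, same directory as the previous prefix
            }
            // add() returns false when this host and directory were handled before,
            // so browsing to a sibling file does not repeat the shared levels.
            if (seen.add(host + "|" + prefix)) {
                targets.add(prefix + payload);
            }
        }
        return targets;
    }

    public static void main(String[] args) {
        PathLevelExpander expander = new PathLevelExpander();
        // Constructed sample inputs based on the example URL in the thread.
        System.out.println(expander.expand("test.com",
                "/xxx-ecp/api/v1/ads?language=1&platform=1", "payloads"));
        System.out.println(expander.expand("test.com", "/xxx-ecp/api/v2/ads", "payloads"));
    }
}
```

The first call yields the four paths listed in the original question; the second yields only the `/xxx-ecp/api/v2/` level, because the shared parent directories are already in the set.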
