Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

How to detect active and/or passive scanning activity is done

Hui | Last updated: Mar 17, 2016 03:50AM UTC

Hi, I need help on the Burp Extensions. I would like to generate customized issue reports once active and/or passive scanning activity is done. But how to get ScanQueueItem status or percentage in order to know if the scanning activities are done when the request is triggered by browser, not by Burp Extension itself?

PortSwigger Agent | Last updated: Mar 17, 2016 09:05AM UTC

Unfortunately there isn't currently a neat way in the API to be notified when scanning is complete. The current workaround is to retain a reference to each active scan queue item when your extension sends items for active scanning, and then periodically ask each item for its progress. Maintain a list of non-complete items, and when that list is empty you'll know that scanning is finished. There isn't an equivalent for passive scanning, but passive-only scans are typically very fast, and passive scanning is performed as part of active scanning when your extension sends an item for active scanning. If you are wanting to detect when user/browser-driven scanning is complete, the technique described above won't work since you don't get access to the scan queue items. But if the user is driving the scanning in this way, the simplest thing would be to have a button in your extension UI that the user can click when they are done scanning.

Burp User | Last updated: Mar 18, 2016 01:50AM UTC

Hi Dafydd, Really thanks for the feedback. Is there any plan to have this as a new API in future? "But if the user is driving the scanning in this way, the simplest thing would be to have a button in your extension UI that the user can click when they are done scanning." Actually there is no "human" user in our case as the browser is triggered by our Test Automation, so the above suggestion is not applicable here. Anyway, any suggestions are welcome if you have more. Thanks.

PortSwigger Agent | Last updated: Mar 18, 2016 08:55AM UTC

We do plan at some stage to offer a means of being notified via the API that scan activity is completed. This will hopefully be available within the coming year. If your test automation is driving traffic through Burp, then your extension can only really tell that the automation has finished by monitoring requests and waiting for them to stop. You could do this by registering an IHttpListener. It might be more effective to let your test automation communicate with your extension to tell it when it has completed.

Burp User | Last updated: Mar 18, 2016 09:10AM UTC

Really hope to see that API soon. And thanks for your further suggestion.

PortSwigger Agent | Last updated: Mar 18, 2016 09:11AM UTC

We don't currently have a firm ETA on this request, sorry.

Burp User | Last updated: Jan 02, 2017 01:35PM UTC

May I know if the above mentioned API is available now? or any ETA for availability. It would be extremely useful for automating the scans from end to end :)

Burp User | Last updated: Jun 20, 2017 08:49AM UTC