Burp Suite User Forum

Login to post

How to set active scanner insertion points

vino | Last updated: Aug 09, 2019 05:32PM UTC

I'm trying to set custom insertion points for the header,query param and body parameters. Currently I'm using active scan method by passing manually caluculated offsetlist. LegacyBurpExtender.getInstance().getCallbacks().doActiveScan(host,80, false, buildRequest,offSetList); Is there any method to registerinsertion point in the payload and submit active scan?

Rose, PortSwigger Agent | Last updated: Aug 12, 2019 10:06AM UTC

We have a bit of a backlog in terms of Extensions issues. Please accept our apologies, we'll get back to you as soon as we can.

Ben, PortSwigger Agent | Last updated: Aug 14, 2019 12:12PM UTC

Hi Vino, Apologies for the length of time it has taken for us to get back to you. Firstly, can you confirm the version of Burp Suite that you are trying to extend? In the latest version of the extension API, you can register an IScannerInsertionPointProvider which will automatically be invoked when Burp Scanner is auditing a request. Your implementation of IScannerInsertionPointProvider.getInsertionPoints() will determine what insertion points are generated for that specific request. The following link provides information regarding the latest extension API documentation: https://portswigger.net/burp/extender/api/ Please let us know if you need any further assistance.

Ashish | Last updated: Jul 23, 2021 11:38AM UTC

Hi, I am trying to write an extension in Java, though I am new to Java. I want to initiate a scan through this extension which can be triggered by right clicking on Target Tree and selecting menu "Actively scan this host". For this I am implementing IScannerCheck interface along with IBurpExtender in my BurpExtender class. In the registerExtenderCallbacks method, I am registering scanner check by: callbacks.registerScannerCheck(this); I am implementing the method doActiveScan for it - public List<IScanIssue> doActiveScan( final IHttpRequestResponse iHttpRequestResponse, final IScannerInsertionPoint iScannerInsertionPoint) Please tell me what should I write in this method to initiate a generic active scan as mentioned above. You wrote above to implement IScannerInsertionPointProvider.getInsertionPoints(). How to implement this method and how to use it in doActiveScan method so as to complete my extension. Thanks Ashish Kulkarni

Uthman, PortSwigger Agent | Last updated: Jul 23, 2021 12:35PM UTC

Hi Ashish, You may want to look at the implementation in an existing extension (e.g. Burp Bounty, Scan Check Builder - https://portswigger.net/bappstore/618f0b2489564607825e93eeed8b9e0a). - https://github.com/wagiro/BurpBounty/blob/600b4d8a736071e1bd918e444ca8fdfd3fc0fa30/src/BurpBountyExtension.java We also have some helpful resources on getting started, including some sample extensions with example scanner checks: - https://portswigger.net/burp/extender#SampleExtensions - https://github.com/PortSwigger/example-scanner-checks/blob/master/java/BurpExtender.java - https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension Unfortunately, we do not offer 1-1 support for writing extensions but if you notice any issues with the Extender API then please report them to us (either on the forum or by emailing support@portswigger.net).

You need to Log in to post a reply. Or register here, for free.