Burp Suite User Forum


Ignore Macro for certain scan

mohit | Last updated: Nov 23, 2023 12:30PM UTC

I am currently working on developing a Python extension for active scanning. This extension has the ability to perform various types of scans, and as long as the user has configured macros, there are no issues with the extension. However, there is a particular check in the extension that sends multiple requests, and some of these requests require the removal of the cookie or auth header from the original request. If the user has configured a macro or hardcoded the session cookie in the session handling rules, then Burp will add the session to the request even if the extension removes it from the original request and sends the request. I am looking for a way to ignore the session or macro for a specific check in the extension.

Hannah, PortSwigger Agent | Last updated: Nov 24, 2023 10:37AM UTC

Hi. To clarify, are you providing your changes as part of a scan check? If so, traffic from scan checks will still be passing through Burp's network stack after it's processed by your extension. The IHttpListener processing method is used after a request has passed through Burp's network stack. It's a bit of a workaround, but you could add some custom data to your request in the scan check phase, then use this data to identify a request passing through the IHttpListener. After identifying a request, you can remove your custom data as well as any other data that may be present.

mohit | Last updated: Dec 06, 2023 01:06PM UTC

Thank you for your input. I was curious if there is a built-in feature to ignore macros. I have a question about using IHttpListener to remove the cookie/token added by macros during active scans initiated by the extension. Instead, I am considering implementing Java's method to directly send requests (but only where I need to ignore macros, otherwise I will use Burp APIs). The only issue I am facing with this solution is how to detect if the scan is paused or cancelled by the user. Burp will pause all requests from the extension if the user pauses the scan, but only if the scanner sends requests using Burp APIs. Are there any ways to detect if the scanner is paused or cancelled so that I can pause/stop the requests sent by the extension through Java?

Hannah, PortSwigger Agent | Last updated: Dec 07, 2023 10:34AM UTC

Hi. Unfortunately, using Java's networking libraries comes with its own issues when using Burp. As requests are not passing through Burp's networking stack, the appropriate rules are not applied. This includes things like upstream proxy handling, if the user needs traffic to go through a specific proxy, and in some cases, specific headers need to be added to a user's traffic to identify requests that are originating from them while performing testing. There is no built-in way to identify if a scan has been paused or finished. It is possible to infer when a scan has finished from a lack of requests in a specific timeframe passing through the IHttpListener with a tool source of the Scanner. Please let me know how you get on.

mohit | Last updated: Dec 09, 2023 07:02AM UTC

After considering different options, I have decided to go with the first way of using IHttpListener. While there were other potential solutions, the lack of an upstream proxy proved to be a significant obstacle for me. Therefore, I have opted to use the IHttpListener method as it is a more viable and practical approach for my needs.
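The marker-header workaround suggested earlier in the thread and adopted here, as an added example that is not code from the thread or from PortSwigger: a pure-Python helper that an IHttpListener could call on each outgoing Scanner request. It assumes a marker header name (X-Ext-Strip-Session) chosen for illustration; the scan check adds that header when it builds a request that must go out without a session, and the listener strips the marker together with any Cookie/Authorization header that a macro or session handling rule re-added.

```python
# Added example, not the thread's or PortSwigger's code. The marker name below
# is an assumption. In a Jython extension, processHttpMessage(toolFlag,
# messageIsRequest, messageInfo) would pass messageInfo.getRequest() (decoded
# as a str) to strip_session_headers for outgoing Scanner requests and write
# the result back with messageInfo.setRequest(...). That glue is not run here.

MARKER_HEADER = "X-Ext-Strip-Session"          # assumed marker header name
SESSION_HEADERS = ("cookie", "authorization")  # headers the macro re-adds

def strip_session_headers(raw_request):
    """Return (modified_request, was_marked).

    raw_request is a full HTTP request as a str. If the marker header is
    present, the marker and every Cookie/Authorization header are removed;
    otherwise the request is returned unchanged so that ordinary scanner
    traffic keeps its normal session handling.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    eol = "\r\n"
    if not sep:
        # Tolerate bare-LF requests by falling back to LF separators.
        head, sep, body = raw_request.partition("\n\n")
        eol = "\n"
    lines = head.split(eol)
    request_line, headers = lines[0], lines[1:]

    def header_name(line):
        return line.split(":", 1)[0].strip().lower()

    if not any(header_name(h) == MARKER_HEADER.lower() for h in headers):
        return raw_request, False
    kept = [h for h in headers
            if header_name(h) != MARKER_HEADER.lower()
            and header_name(h) not in SESSION_HEADERS]
    return eol.join([request_line] + kept) + sep + body, True

# Constructed sample: a marked request after Burp's session handling rule has
# re-added the session cookie and token that the scan check had removed.
SAMPLE = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123\r\n"
    "Authorization: Bearer tok\r\n"
    "X-Ext-Strip-Session: 1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(strip_session_headers(SAMPLE)[0])
```

Unmarked requests pass through untouched, so the listener only affects the requests the scan check deliberately flagged.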

Hannah, PortSwigger Agent | Last updated: Dec 11, 2023 11:38AM UTC

I'm glad to hear you've decided on a solution for your extension. If there's anything else we can help with, then please let us know.
