Burp Suite User Forum

Login to post

Is there some ways to create audit with some configuration by extender?

fa1ntStar | Last updated: Aug 21, 2023 01:52PM UTC

Hello: I'm developing my extender and I want to start a audit or crawler task by extender by montoya api.I notice that there some api like burp.api.montoya.scanner.Scanner#startAudit, and I can use it creat a new audit.But I can't set the configration when I create it, i'd like to to this: startAudit(AuditConfiguration.auditConfiguration("Audit checks - extensions only")) or startAudit(AuditConfiguration.auditConfiguration("Some other configuration I saved in the configuration libray")) and I also notic that there is a rest api like can create scan task by configration name.But the scan task it created include the crawl task and audit task, I don't need the crawl task. Is there some to create a audit task with the configuration without gui interaction?

Hannah, PortSwigger Agent | Last updated: Aug 21, 2023 02:08PM UTC


Currently, it is not possible to specify a custom configuration with your audit. You can only use the defaults for active or passive scanning.

You can find an example of how to create an Audit here:
Audit audit = api.scanner().startAudit(AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));

fa1ntStar | Last updated: Aug 21, 2023 02:55PM UTC

In addition, what i what to create is live audit task

Hannah, PortSwigger Agent | Last updated: Aug 22, 2023 09:31AM UTC

An extension-generated audit task is not quite the same as a live task. However, you could register an HttpHandler or ProxyHandler that adds requests to the configured Audit as they pass through.

For example:
Audit audit = api.scanner().startAudit(AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));

api.proxy().registerRequestHandler(new ProxyRequestHandler()
    public ProxyRequestReceivedAction handleRequestReceived(InterceptedRequest interceptedRequest)
        return ProxyRequestReceivedAction.continueWith(interceptedRequest);

    public ProxyRequestToBeSentAction handleRequestToBeSent(InterceptedRequest interceptedRequest)
        return ProxyRequestToBeSentAction.continueWith(interceptedRequest);

You need to Log in to post a reply. Or register here, for free.