Burp Suite User Forum


Is there some way to create an audit with some configuration by extender?

fa1ntStar | Last updated: Aug 21, 2023 01:52PM UTC

Hello: I'm developing my extender and I want to start an audit or crawler task from the extender using the Montoya API. I notice that there are some APIs like burp.api.montoya.scanner.Scanner#startAudit, and I can use it to create a new audit. But I can't set the configuration when I create it. I'd like to do this: startAudit(AuditConfiguration.auditConfiguration("Audit checks - extensions only")) or startAudit(AuditConfiguration.auditConfiguration("Some other configuration I saved in the configuration library")). I also notice that there is a REST API like http://127.0.0.1:1337/v0.1/scan that can create a scan task by configuration name. But the scan task it creates includes the crawl task and audit task, and I don't need the crawl task. Is there some way to create an audit task with the configuration without GUI interaction?

Hannah, PortSwigger Agent | Last updated: Aug 21, 2023 02:08PM UTC

Hi.

Currently, it is not possible to specify a custom configuration with your audit. You can only use the defaults for active or passive scanning.

You can find an example of how to create an Audit here:
Audit audit = api.scanner().startAudit(AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));

fa1ntStar | Last updated: Aug 21, 2023 02:55PM UTC

In addition, what I want to create is a live audit task.

Hannah, PortSwigger Agent | Last updated: Aug 22, 2023 09:31AM UTC

An extension-generated audit task is not quite the same as a live task. However, you could register an HttpHandler or ProxyHandler that adds requests to the configured Audit as they pass through.

For example:
Audit audit = api.scanner().startAudit(AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));

api.proxy().registerRequestHandler(new ProxyRequestHandler()
{
    @Override
    public ProxyRequestReceivedAction handleRequestReceived(InterceptedRequest interceptedRequest)
    {
        return ProxyRequestReceivedAction.continueWith(interceptedRequest);
    }

    @Override
    public ProxyRequestToBeSentAction handleRequestToBeSent(InterceptedRequest interceptedRequest)
    {
        audit.addRequest(interceptedRequest);
        return ProxyRequestToBeSentAction.continueWith(interceptedRequest);
    }
});
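
The HttpHandler route mentioned in the reply above, as an added example that is not part of the original thread or PortSwigger's code: it queues only proxy-originated, in-scope requests, once each, so active checks are not sent to hosts outside the target scope and the audit does not re-queue its own traffic. The class name ScopedLiveAudit and the method-plus-URL de-duplication key are assumptions made for illustration.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.handler.*;
import burp.api.montoya.scanner.AuditConfiguration;
import burp.api.montoya.scanner.BuiltInAuditConfiguration;
import burp.api.montoya.scanner.audit.Audit;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class name; added example, not code from the thread.
public class ScopedLiveAudit implements BurpExtension, HttpHandler
{
    private MontoyaApi api;
    private Audit audit;
    // Method + URL pairs already queued, so repeated browsing does not re-audit them.
    private final Set<String> queued = ConcurrentHashMap.newKeySet();

    @Override
    public void initialize(MontoyaApi api)
    {
        this.api = api;
        audit = api.scanner().startAudit(
                AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_ACTIVE_AUDIT_CHECKS));
        api.http().registerHttpHandler(this);
        // Remove the audit task when the extension is unloaded.
        api.extension().registerUnloadingHandler(audit::delete);
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request)
    {
        // An HttpHandler sees every tool's traffic, including the scanner's own requests,
        // so accept proxy traffic only and check Burp's target scope before queuing.
        boolean fromProxy = request.toolSource().isFromTool(ToolType.PROXY);
        if (fromProxy && api.scope().isInScope(request.url())
                && queued.add(request.method() + " " + request.url()))
        {
            audit.addRequest(request);
        }
        return RequestToBeSentAction.continueWith(request);
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response)
    {
        return ResponseReceivedAction.continueWith(response);
    }
}
```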
