Burp Suite User Forum


loadConfigFromJson() is not working as expected

Bhaskar | Last updated: Aug 05, 2021 04:26AM UTC

Hi Team, I am trying to update the scanner configuration in my extender. It seems the scanner configurations are not getting updated. Initially I am reading the scanner config; it is showing as null. Then I am updating it with my custom scanner configurations. After putting them into an object, I tried reading the scanner audit speed property, and it is giving the value as expected. But after loading the complete object using "loadConfigFromJson" and trying to read the same scanner property, it is throwing an error saying that the "scanner" config is not found at all. I tried saving the config and checking; it shows no scanner properties. It looks like "loadConfigFromJson" is not working as expected. Below is my source code. Could you please check?

Code:

    import org.json.JSONObject;

    // `callbacks` is the extension's IBurpExtenderCallbacks field and `debug` is a
    // PrintWriter around callbacks.getStdout(); both are initialised elsewhere in the extension.
    public void updateScannerConfig() {
        // Read the current config and look for a "scanner" section (it comes back null).
        String jsonConfig = callbacks.saveConfigAsJson();
        JSONObject obj = new JSONObject(jsonConfig);
        JSONObject current_scan_config = obj.optJSONObject("scanner");
        if (current_scan_config == null) {
            debug.println("scanner config not found");
        }

        // Custom scanner configuration to apply.
        String string = "{\"scanner\":{\"audit_optimization\":{\"consolidate_passive_issues\":true,\"follow_redirections\":true,\"maintain_session\":true,\"scan_accuracy\":\"normal\",\"scan_speed\":\"fast\",\"skip_ineffective_checks\":true},\"error_handling\":{\"consecutive_audit_check_failures_to_skip_insertion_point\":12,\"consecutive_insertion_point_failures_to_fail_audit_item\":12,\"number_of_follow_up_passes\":1,\"pause_task_failed_audit_item_count\":10111,\"pause_task_failed_audit_item_percentage\":0},\"frequently_occurring_insertion_points\":{\"quick_scan_body_params\":true,\"quick_scan_cookies\":true,\"quick_scan_entire_body\":true,\"quick_scan_http_headers\":true,\"quick_scan_param_name\":true,\"quick_scan_url_params\":true,\"quick_scan_url_path_filename\":true,\"quick_scan_url_path_folders\":true},\"ignored_insertion_points\":{\"skip_all_tests_for_parameters\":[],\"skip_server_side_injection_for_parameters\":[{\"enabled\":true,\"expression\":\"aspsessionid.*\",\"item\":\"name\",\"match_type\":\"matches_regex\",\"parameter\":\"cookie\"},{\"enabled\":true,\"expression\":\"asp.net_sessionid\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"cookie\"},{\"enabled\":true,\"expression\":\"__eventtarget\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"body_parameter\"},{\"enabled\":true,\"expression\":\"__eventargument\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"body_parameter\"},{\"enabled\":true,\"expression\":\"__viewstate\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"body_parameter\"},{\"enabled\":true,\"expression\":\"__eventvalidation\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"body_parameter\"},{\"enabled\":true,\"expression\":\"jsessionid\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"any_parameter\"},{\"enabled\":true,\"expression\":\"cfid\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"cookie\"},{\"enabled\":true,\"expression\":\"cftoken\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"cookie\"},{\"enabled\":true,\"expression\":\"PHPSESSID\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"cookie\"},{\"enabled\":true,\"expression\":\"session_id\",\"item\":\"name\",\"match_type\":\"is\",\"parameter\":\"cookie\"}]},\"insertion_point_types\":{\"insert_body_params\":true,\"insert_cookies\":true,\"insert_entire_body\":true,\"insert_http_headers\":true,\"insert_param_name\":true,\"insert_url_params\":true,\"insert_url_path_filename\":true,\"insert_url_path_folders\":true},\"issues_reported\":{\"scan_type_intrusive_active\":true,\"scan_type_javascript_analysis\":true,\"scan_type_light_active\":true,\"scan_type_medium_active\":true,\"scan_type_passive\":true,\"select_individual_issues\":false,\"selected_issues\":[],\"store_issues_within_queue_items\":false},\"javascript_analysis\":{\"fetch_out_of_scope_resources\":true,\"max_dynamic_time_per_item\":30,\"max_static_time_per_item\":30,\"request_missing_dependencies\":true,\"use_dynamic_analysis\":true,\"use_static_analysis\":true},\"misc_insertion_point_options\":{\"max_insertion_points_per_base_request\":30,\"use_nested_insertion_points\":true},\"modifying_parameter_locations\":{\"body_to_cookie\":false,\"body_to_url\":false,\"cookie_to_body\":false,\"cookie_to_url\":false,\"url_to_body\":false,\"url_to_cookie\":false}}}";
        JSONObject new_scanner_config = new JSONObject(string);
        obj.put("scanner", new_scanner_config.getJSONObject("scanner"));

        // Before loading: reads back "fast" from the in-memory object as expected.
        debug.println(obj.getJSONObject("scanner").getJSONObject("audit_optimization").get("scan_speed"));
        callbacks.loadConfigFromJson(obj.toString());
        debug.println("updated config");

        // After loading: the saved config has no "scanner" section, so this throws.
        debug.println((new JSONObject(callbacks.saveConfigAsJson())).getJSONObject("scanner").getJSONObject("audit_optimization").get("scan_speed"));
        //debug.println(callbacks.saveConfigAsJson());
    }

Thanks, Bhaskar.

Hannah, PortSwigger Agent | Last updated: Aug 05, 2021 08:35AM UTC

Hi Bhaskar, you can't adjust scan configurations using the Extender API. IBurpExtenderCallbacks.loadConfigFromJson() is used to load project-level configurations in Burp. This is best described as the output available by going to the "Project" menu item, and then "Project options > Save project options". This method has the same actions as the "Load project options" menu item, which is available in the same place. You may be able to use a different scan configuration by launching a scan with the REST API. However, this will perform a full crawl and audit.
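To make the distinction in Hannah's reply concrete, here is an added helper (not code from the thread or from PortSwigger) that lists which top-level sections saveConfigAsJson() actually returns and then round-trips a project-level option through loadConfigFromJson(), re-reading the config afterwards to confirm Burp kept the change rather than trusting the call. The class name, the callbacks/output fields and the example dot path in the comment are assumptions; "project_options.connections" is the path form given in the Extender API javadoc for saveConfigAsJson().

```java
import burp.IBurpExtenderCallbacks;
import org.json.JSONObject;
import java.io.PrintWriter;

// Assumed helper living inside an extension; `callbacks` is handed in from
// registerExtenderCallbacks() in the real extension.
public class ProjectOptionsHelper {
    private final IBurpExtenderCallbacks callbacks;
    private final PrintWriter out;

    public ProjectOptionsHelper(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.out = new PrintWriter(callbacks.getStdout(), true);
    }

    // Lists the top-level sections Burp serialises. A "scanner" section is not
    // among them, which is why the optJSONObject("scanner") lookup returned null.
    public void listTopLevelSections() {
        JSONObject all = new JSONObject(callbacks.saveConfigAsJson());
        for (String key : all.keySet()) {
            out.println("top-level config section: " + key);
        }
    }

    // Sets one value at a dot-separated path under the project options (assumed
    // example: "project_options.connections.timeouts.normal" -> 60000) and then
    // reads the config back to verify Burp applied it. Returns true only if the
    // re-read value matches; unknown nodes are reported and nothing is loaded.
    public boolean setProjectOption(String dotPath, Object value) {
        String[] parts = dotPath.split("\\.");
        String section = parts[0];
        JSONObject root = new JSONObject(callbacks.saveConfigAsJson(section));
        JSONObject node = root;
        for (int i = 0; i < parts.length - 1; i++) {
            if (!node.has(parts[i])) {
                out.println("unknown config node: " + parts[i] + " (nothing changed)");
                return false;
            }
            node = node.getJSONObject(parts[i]);
        }
        node.put(parts[parts.length - 1], value);
        callbacks.loadConfigFromJson(root.toString());

        // Verification step: re-read the same path from Burp, not from `root`.
        JSONObject check = new JSONObject(callbacks.saveConfigAsJson(section));
        for (int i = 0; i < parts.length - 1; i++) check = check.getJSONObject(parts[i]);
        boolean kept = value.equals(check.get(parts[parts.length - 1]));
        out.println(dotPath + (kept ? " updated" : " NOT applied by Burp"));
        return kept;
    }
}
```

Run listTopLevelSections() first to see the sections that exist; setProjectOption() with a path outside those sections (such as anything under "scanner") will report an unknown node and leave the configuration untouched.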

Bhaskar | Last updated: Aug 05, 2021 11:25AM UTC

Hi Hannah, thank you for your response. Can this functionality be added to Burp in future releases? Thanks, Bhaskar.

Hannah, PortSwigger Agent | Last updated: Aug 05, 2021 01:15PM UTC

Hi Bhaskar, we have an ongoing feature request for this functionality, which we've added your +1 to! When this functionality has been implemented, we'll be able to let you know. Please let us know if you need any further assistance.
