Burp Suite User Forum


Method to Pause/Unpause Scanner

August | Last updated: May 24, 2017 07:05PM UTC

Does the API include methods for an extension to pause and unpause the scanner? I have searched the Javadocs but didn't find any. My scenario is an extension that implements ISessionHandlingAction to re-login the user when the session times out. I would like to pause the scanner while the login is happening so that it doesn't issue a bunch of requests with a stale session. Is there another way to do it? Maybe by saving the configuration, altering the scan state, and reloading it into Burp?

PortSwigger Agent | Last updated: May 25, 2017 07:57AM UTC

There isn't currently a way to do this, sorry. We do plan a general overhaul of the API at some point, and we will look into providing this capability. One way to achieve what you want in the meantime would be to register an IHttpListener so that your code gets called for all requests. Create a lock object and acquire/release the lock when processing relevant requests. Then when your session recovery kicks in, acquire the same lock until the session is restored. This will effectively block other request threads while your custom session handler does its work.
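A sketch of the lock approach described in the reply above, added here as an example and not PortSwigger's or the original poster's code. It uses the legacy Extender API interfaces; `relogin()` is a hypothetical hook for the site-specific login, and a read/write lock is one possible choice of lock object.

```java
package burp;

import java.util.concurrent.locks.ReentrantReadWriteLock;

public class BurpExtender implements IBurpExtender, IHttpListener, ISessionHandlingAction {
    // Fair mode so a waiting re-login (writer) is not starved by Scanner threads (readers).
    private final ReentrantReadWriteLock gate = new ReentrantReadWriteLock(true);
    private volatile long lastLogin = 0; // wall-clock ms of the last completed re-login

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Scanner gate during re-login");
        callbacks.registerHttpListener(this);
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only outgoing Scanner requests wait; requests the extension itself
        // sends during login carry a different tool flag and pass through.
        if (!messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER) return;
        gate.readLock().lock();   // blocks while performAction holds the write lock
        gate.readLock().unlock(); // released at once: the lock is a gate, not a mutex
    }

    @Override
    public String getActionName() { return "Re-login (blocks Scanner requests)"; }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        long noticed = System.currentTimeMillis();
        gate.writeLock().lock(); // new Scanner requests now queue in processHttpMessage
        try {
            // Several threads usually see the stale session together; only the
            // first one through logs in, the rest find a newer lastLogin and skip.
            if (lastLogin < noticed) {
                relogin();
                lastLogin = System.currentTimeMillis();
            }
        } finally {
            gate.writeLock().unlock(); // always reopen the gate, even if login throws
        }
    }

    // Hypothetical hook (assumption): perform the site-specific login here.
    // Updating currentRequest with the new token is also site-specific and omitted.
    private void relogin() { }
}
```

Requests already on the wire when the session expires are not recalled; the gate only holds back requests that reach the listener after recovery has started.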

Burp User | Last updated: Aug 16, 2017 04:04PM UTC

+1 on a feature to programmatically start/stop the active scanner. I see this as a very useful feature when you need to use an extender to handle custom authentication routines. Should the test user account become locked out, you don't want to proceed with further scans with a locked out account as you'll likely get invalid scan results.

PortSwigger Agent | Last updated: Aug 18, 2017 10:01AM UTC

Thanks jyarema, we've recorded your request and it will be considered when the API is refactored. You may be able to get some success with this using the session handling rule "Prompt for in-browser session recovery." We'll let you know when we make progress.

PortSwigger Agent | Last updated: Oct 06, 2017 02:03PM UTC

Hi Doug, I've noted your +1. You will struggle to use Java reflection because the Burp code is obfuscated. You could theoretically use the Swing Robot class to simulate user actions, although it may not be completely reliable.

Burp User | Last updated: Feb 19, 2018 03:37PM UTC

+1 for this feature. We'd like to pause our scanner when/if the VPN goes down since we'd no longer be testing from a white-listed IP. We could write a plugin to do this if there was the capability to pause the scanner. We'll probably look into the IHttpListener suggestion in the meantime, but actual pause capability would be much cleaner. Alternatively, is there any reason we can't find the pause menu item with Java reflection?

Burp User | Last updated: Jul 01, 2019 11:24AM UTC

+1 for this feature. Would be very useful in conditions as described above by multiple people.
