Burp Suite User Forum

Login to post

Montoya API - Custom Scanner Check

Vinnie | Last updated: Oct 31, 2022 12:18PM UTC

Hi! Thanks for creating a new Burp Extension API, I am testing the new Montoya API to create a plugin with a custom scanner check. For this I used the ScanCheck interface and within the activeAudit function I would have the following code: // Enter payload in insertion Point byte[] req = auditInsertionPoint.buildHttpMessageWithPayload(payload.getBytes()); // Launch the request HttpRequestResponse scanRequestResponse = montoyaApi.http().issueRequest(HttpRequest.httpRequest(req)); Does not seem to work yet as most likely doing something wrong here in these lines of code. Any guidance would be appreciated! Thank you!

Michelle, PortSwigger Agent | Last updated: Oct 31, 2022 03:23PM UTC

Thanks for your message. Can I quickly double-check, are you using Burp Suite Professional with this new scanner check extension?

Vinnie | Last updated: Oct 31, 2022 03:55PM UTC

Jep I do ;)

Hannah, PortSwigger Agent | Last updated: Nov 01, 2022 11:57AM UTC

Hi Vinnie Do you have previous experience using the old Extender API? We have a large example extension that has "translations" from the old API to the new Montoya API. You can find the example for registering a custom Scanner check here: https://github.com/PortSwigger/burp-extensions-montoya-api/blob/73369af49eac0079199b5a3a5273835036d91adf/api/src/test/java/burp/api/montoya/TestExtension.java#L900 We should have some more examples of the new Montoya API being used in some sample extensions soon.

Vinnie | Last updated: Nov 02, 2022 11:23AM UTC

Thanks! Yeah I have experience with the previous one, essentially I am migrating my previous plugin to the new API. I think the file you shared might contain some more info for me to dig in deeper to make this work. And if not I will await the new sample extensions ;) Regardless, Thanks for the help! Appreciated!

Vinnie | Last updated: Nov 02, 2022 11:35AM UTC

Update: Based on the TestExtensions file, I was able to make it work doing the following: // Enter payload in insertion Point byte[] httpMessage = auditInsertionPoint.buildHttpMessageWithPayload(payload.getBytes()); // Assemble the HTTP Request HttpRequest request = httpRequest(baseRequestResponse.httpRequest().httpService(),httpMessage); // Launch the request HttpRequestResponse scanRequestResponse = montoyaApi.http().issueRequest(request);

You need to Log in to post a reply. Or register here, for free.