Burp Suite User Forum


Montoya API Scanner Examples

Richard | Last updated: Jun 05, 2024 08:49AM UTC

Hi, I'm trying to build an extension that reads results from the BurpSuite Pro scanner using the Montoya API and I was wondering if there are any examples out there for how to handle audit issues?

Hannah, PortSwigger Agent | Last updated: Jun 05, 2024 09:24AM UTC

Hi, we have some examples on how to use the Montoya API here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples There are some examples demonstrating how to add your own custom scan checks and insertion points, but it sounds like you would like an example of how to use `montoyaApi.scanner().registerAuditIssueHandler()`? We don't currently have an example for this behavior, but we could add one if you like. Could you provide some more information around the functionality you are trying to provide with your extension, so we can make some better recommendations? If you prefer, you can drop us an email at support@portswigger.net.

Richard | Last updated: Jun 05, 2024 10:11AM UTC

Hi Hannah, thanks for this. I've had a look at the examples on GitHub, which have been quite useful for getting started. I'm basically trying to build an extension that displays audit issues in a separate tab / table and from there sends each result to an API endpoint my team have built, where they are then used to inform creation of findings as part of a pentest report. It would be really useful to see some examples of the scanner interface to achieve something like this; there's no enhancement of scan checks so to speak, but more like a generic read / copy operation on whatever is coming through the scanner. I'm assuming the scanner interface is the best to use for this scenario, or is this achievable using the HttpHandler interface? Thanks!

Hannah, PortSwigger Agent | Last updated: Jun 05, 2024 10:51AM UTC

Hi

In order to perform an action based on an issue raised by the scanner (at the point where it gets raised), you would want to register an AuditIssueHandler in your main initialize() method. I'm not sure if this handler takes issue consolidation into account, so it's possible that you may end up with duplicates.

This will also only register new issues as they come in, so you may wish to implement some import functionality for previously discovered issues - you can retrieve these from the site map using montoyaApi.siteMap().issues().

The AuditIssueHandler will receive details about issues raised, whereas an HttpHandler will only receive details about requests and responses passing through Burp.

A very basic example could look like this:
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.scanner.audit.issues.AuditIssue;

import java.util.ArrayList;
import java.util.List;

@SuppressWarnings("unused")
public class Extension implements BurpExtension
{
    @Override
    public void initialize(MontoyaApi montoyaApi)
    {
        // Holds every issue the scanner reports after the extension loads.
        // Note: the handler is invoked from scanner threads, so guard this list
        // if the UI reads it concurrently.
        List<AuditIssue> issueList = new ArrayList<>();

        // AuditIssueHandler is a functional interface taking a single AuditIssue,
        // so a method reference to List.add satisfies it.
        montoyaApi.scanner().registerAuditIssueHandler(issueList::add);

        // MyPanel is a Swing Component (not shown) that renders issueList.
        montoyaApi.userInterface().registerSuiteTab("My panel", new MyPanel(issueList));
    }
}
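An added example, not code from the thread or from PortSwigger, that fleshes out the read / copy pattern described above: it imports issues already in the site map, registers an AuditIssueHandler for new ones, de-duplicates on name, URL and severity to guard against the consolidation caveat, renders the results in a suite tab, and POSTs each new issue as JSON to a findings endpoint. The class name IssueExporter, the EXPORT_URL placeholder and the JSON field names are assumptions; the Montoya calls (scanner(), siteMap().issues(), http().sendRequest(), userInterface().registerSuiteTab()) are the public API.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.scanner.audit.issues.AuditIssue;

import javax.swing.JScrollPane;
import javax.swing.JTable;
import javax.swing.SwingUtilities;
import javax.swing.table.DefaultTableModel;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical extension: collects audit issues into a table and forwards each new one as JSON.
public class IssueExporter implements BurpExtension
{
    // Placeholder endpoint (assumption); replace with your team's findings API.
    private static final String EXPORT_URL = "https://findings.example.internal/api/issues";

    private final DefaultTableModel model =
            new DefaultTableModel(new Object[]{"Severity", "Confidence", "Name", "URL"}, 0);
    // Keys of issues already handled: Burp may surface an issue more than once before consolidation.
    private final Set<String> seen = ConcurrentHashMap.newKeySet();
    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi montoyaApi)
    {
        this.api = montoyaApi;
        api.extension().setName("Issue exporter (example)");

        // 1. Import issues the scanner raised before this extension was loaded.
        api.siteMap().issues().forEach(this::record);

        // 2. Receive every issue raised from now on.
        api.scanner().registerAuditIssueHandler(this::record);

        api.userInterface().registerSuiteTab("Issue export", new JScrollPane(new JTable(model)));
    }

    private void record(AuditIssue issue)
    {
        String key = issue.name() + "|" + issue.baseUrl() + "|" + issue.severity();
        if (!seen.add(key)) return;  // duplicate of an issue already exported

        // Swing models must only be modified on the event-dispatch thread.
        SwingUtilities.invokeLater(() -> model.addRow(new Object[]{
                issue.severity(), issue.confidence(), issue.name(), issue.baseUrl()}));

        // sendRequest is synchronous; run it off the scanner thread so auditing is not stalled.
        new Thread(() -> forward(issue), "issue-export").start();
    }

    private void forward(AuditIssue issue)
    {
        HttpRequest request = HttpRequest.httpRequestFromUrl(EXPORT_URL)
                .withMethod("POST")
                .withAddedHeader("Content-Type", "application/json")
                .withBody(toJson(issue));
        HttpRequestResponse result = api.http().sendRequest(request);
        if (result.response() == null) {
            api.logging().logToError("Export failed (no response): " + issue.name());
        } else {
            api.logging().logToOutput("Exported " + issue.name() + " -> HTTP " + result.response().statusCode());
        }
    }

    // Field names are an assumption about the receiving API's schema.
    static String toJson(AuditIssue issue)
    {
        return "{\"name\":\"" + esc(issue.name()) + "\","
             + "\"url\":\"" + esc(issue.baseUrl()) + "\","
             + "\"severity\":\"" + issue.severity() + "\","
             + "\"confidence\":\"" + issue.confidence() + "\","
             + "\"detail\":\"" + esc(issue.detail()) + "\","
             + "\"evidence_count\":" + issue.requestResponses().size() + "}";
    }

    // Minimal JSON string escaping so HTML in the issue detail cannot break the payload.
    static String esc(String s)
    {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Sending the export through api.http() rather than a raw Java HTTP client means the POST honours Burp's upstream proxy and TLS settings and appears in the Logger tab, which makes a failing export easy to diagnose. The de-duplication key is deliberately coarse; if your report needs one finding per affected parameter, include the issue's request count or first request path in the key instead.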

Richard | Last updated: Jun 05, 2024 12:34PM UTC

Thanks a lot for sharing this example, it's much appreciated!
