Burp Suite User Forum


My letter to Santa Burp Team 2017 (Extender API enhancements)

Luca | Last updated: Oct 10, 2017 11:08PM UTC

Dear Santa Burp Team,

My name is Luca and I am 37 years old. I have been a very good boy this year, and I would like the following Extender API enhancements:

1) Extend the support of IExtensionHelpers addParameter/removeParameter/updateParameter to PARAM_JSON, PARAM_XML, PARAM_XML_ATTR and PARAM_MULTIPART_ATTR.

2) Today, it's possible to add Burp Scan items via (A) doActiveScan/doPassiveScan or (B) the proxy having passive/active scan enabled. While it's already possible to fully control the scanner queue in case of (A), it is NOT possible to get the list of scan items or cancel them if they have been added using (B). I wish there were a way to obtain the full list of IScanQueueItem. Overall, I think that the scanner API lacks the ability to better control the engine/queuing mechanism and to pause/resume the overall scan.

3) loadConfigFromJson and saveConfigFromJson work at the project level. There is no user-level config save & load. For instance, it is not possible to dynamically load and unload extensions from an extension. Please give us (load|save)(Project|User)ConfigFromJson.

There are still 74 days before Christmas. A refresh of the APIs would be a great gift!

Thank you,
Luca

PortSwigger Agent | Last updated: Oct 11, 2017 08:49AM UTC

Dear Luca,

Thank you for your letter. Everyone who writes to me says they have been good, so I'll need to send one of my elves over to keep an eye on you, just to make sure.

I get an awful lot of present requests from boys and girls everywhere, and it's not always possible to keep everyone happy. Some of my elves are busy working on big improvements to my sleigh. Everyone will see the benefit when these are finished, but in the meantime it's harder for me to make all the new toys that children want.

As to your specific requests:

1. We should be able to do this before long. The current API doesn't carry over trivially to JSON/XML because their data isn't just name/value pairs. Really, you'd need to specify a path through the tree to the parameter you want to add/remove/modify. This is probably the approach that we'll take.

2. In the next few months, we're planning some fundamental changes to Burp's scanning paradigm, which will let users/extensions launch multiple independent scans with different settings. Each scan will be able to be paused/resumed/cancelled individually, and you'll be able to add new scan items to specified existing scans. All of this will eventually be exposed via the API. Regarding the ability to query and manipulate the actual scan queue, what is the use case for that, and will the need be addressed by the planned support for multiple independent scans?

3. This actually used to be possible a long time ago and led to no end of problems, with extensions trying to load extension configs on startup and ending up in a loop. We actually removed the capability as a bugfix. The better way to support the use case would be via specific APIs to add/list/remove extensions, rather than the config mechanism. Would that meet your need?

Kind regards,
Santa

Burp User | Last updated: Oct 18, 2017 01:14PM UTC

Thanks a lot Santa!

1. It makes sense, and yes - that would work!

2. A new paradigm with multiple independent scans would probably satisfy my requirements. The need for controlling the scan queue is related to the fact that if I am running Burp headless (Proxy + Active Scan), I cannot really control what's going on. Today, I need to create an IProxyListener and programmatically send all incoming requests to the scanner via doActiveScan in order to be able to monitor the progress.

3. Yes, absolutely. APIs to add/list/remove extensions would be great!

Cheers,
Luca
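The headless pattern Luca describes in point 2 (an IProxyListener that hands every in-scope proxied request to the Scanner through doActiveScan, keeping the returned IScanQueueItem handles so the extension can report progress and cancel work itself) looks like the following. This is an added example written against the legacy `burp.*` Extender API interfaces; it is not code from this thread, from Luca, or from PortSwigger. The extension name, the 30-second polling interval, and the comparison against a `"finished"` status string are assumptions of the example.

```java
package burp;

import java.io.PrintWriter;
import java.net.URL;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

// Headless-scan monitor on the legacy Burp Extender API: every in-scope request
// seen by the Proxy is submitted to the Scanner via doActiveScan, and the returned
// IScanQueueItem handles are retained so that the extension (not only the GUI)
// can report progress and cancel outstanding work.
public class BurpExtender implements IBurpExtender, IProxyListener, IExtensionStateListener {

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stdout;

    // Handles for every scan this extension submitted. Items queued by the Proxy's
    // own "passive/active scan" setting are invisible to the API, which is why the
    // Proxy-to-Scanner feeding should be turned off when using this pattern.
    private final List<IScanQueueItem> submitted = new CopyOnWriteArrayList<>();
    private final ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("Headless scan monitor (example)"); // assumed name
        callbacks.registerProxyListener(this);
        callbacks.registerExtensionStateListener(this);
        // Assumed polling interval of 30 s; progress is read from the retained handles.
        poller.scheduleAtFixedRate(this::reportProgress, 30, 30, TimeUnit.SECONDS);
    }

    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        if (!messageIsRequest) {
            return; // responses carry nothing that needs to be queued
        }
        IHttpRequestResponse item = message.getMessageInfo();
        URL url = helpers.analyzeRequest(item).getUrl();
        if (!callbacks.isInScope(url)) {
            return; // honour target scope, exactly as the built-in Proxy feeding does
        }
        IHttpService service = item.getHttpService();
        boolean useHttps = "https".equalsIgnoreCase(service.getProtocol());
        IScanQueueItem handle = callbacks.doActiveScan(
                service.getHost(), service.getPort(), useHttps, item.getRequest());
        submitted.add(handle);
        stdout.println("queued active scan for " + url);
    }

    // Summarise the state of every scan this extension owns. IScanQueueItem exposes
    // a status string, percentage complete, request/error counters and cancel().
    private void reportProgress() {
        int finished = 0;
        for (IScanQueueItem h : submitted) {
            String status = h.getStatus();
            if ("finished".equalsIgnoreCase(status)) { // assumed status string
                finished++;
            }
            stdout.println(String.format("status=%s complete=%d%% requests=%d errors=%d",
                    status, h.getPercentageComplete(), h.getNumRequests(), h.getNumErrors()));
        }
        stdout.println(finished + "/" + submitted.size() + " scans finished");
    }

    // Cancelling on unload is exactly what cannot be done for Proxy-queued items:
    // only scans submitted through the API can be enumerated and cancelled here.
    @Override
    public void extensionUnloaded() {
        poller.shutdownNow();
        for (IScanQueueItem h : submitted) {
            h.cancel();
        }
        stdout.println("cancelled " + submitted.size() + " outstanding scans");
    }
}
```

The design point is the one Luca makes: holding the IScanQueueItem handles is the only way the extension can see or stop what the scanner is doing, so the Proxy's built-in scanner feeding is disabled and all queuing goes through doActiveScan, otherwise the same request would be scanned twice and half the queue would be invisible to the extension.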
