Burp Suite User Forum


Safety of Bapp Extensions

Darrell | Last updated: Oct 21, 2020 04:43PM UTC

What does PortSwigger do in terms of reviewing submitted extensions for safety? Malware/virus scan? Code review? Static/dynamic security analysis? Or are they offered as "use at your own risk"?

Hannah, PortSwigger Agent | Last updated: Oct 22, 2020 08:19AM UTC

Before a BApp is published, we perform a review. This includes:

- Ensuring that the extension is not replicating any existing functionality or available extensions.
- A cursory code review, for any obvious flaws.
- An automated review checking for the usage of any key functions.
- Virus/malware scan.
- Manual testing of the extension.

Once that has been completed and satisfied, the extension is published. The criteria that we use to assess BApps can be found here: https://portswigger.net/blog/your-recipe-for-bapp-store-success

Additionally, if you would like to review the code or build an extension yourself, all extension source code is available on our GitHub page, having been forked from the original author's repository: https://github.com/PortSwigger

We do have the following disclaimer on the BApp Store: "Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose."

Please let me know if you have any further questions.
