Burp Suite User Forum


Scan Configuration JSON documentation?

Zac | Last updated: Nov 02, 2021 04:50PM UTC

Hi, I am evaluating Enterprise Edition and trying to find documentation for custom (JSON) scan configurations that can be either uploaded into the web app or used as part of a GraphQL API query. In the web app, if I go to "Scans >> Create a new Scan" there is a "Scan configurations" section where I can upload a custom scan configuration in JSON format (file). Similarly, on this page --> https://portswigger.net/burp/extensibility/enterprise/graphql-api/ScanConfiguration.html I see the "scan_configuration_fragment_json" field, which I assume is the same JSON that I can upload in the web app. What I am not seeing is JSON or object documentation on what a scan configuration actually looks like, i.e. what its valid fields or nested objects are.

Can someone please:

1. Point me in the direction of this documentation, so I can upload a JSON file for a custom scan; and
2. Perhaps point me to a sample snippet/example of the JSON, so I can start making sense of it!; and
3. We have a unique authentication mechanism that requires special HTTP headers with each request. I am hoping that this JSON configuration allows us to customize headers sent with each request? If not, then I'm looking for advice on how to send the custom headers with each request Burp makes. And if it does allow us to customize them, then any documentation on how to customize the headers would also be appreciated.

Thanks in advance!

Uthman, PortSwigger Agent | Last updated: Nov 03, 2021 12:01PM UTC

Zac | Last updated: Nov 03, 2021 06:31PM UTC

Thank you, this is extremely helpful. I may very well use that add-custom-headers extension of yours, or write my own (in Java). Say I upload the custom extension JAR to my Burp EE installation... is there any way to pass arguments to it dynamically? Ideally, the scan configuration JSON could contain variables that get used by the Java extension; that way I could insert a valid JWT into the HTTP request headers each time a scan kicks off. Otherwise I would have to hardcode the JWT inside the Java code, build the fat JAR, and re-upload it every time the JWT changes!

Uthman, PortSwigger Agent | Last updated: Nov 04, 2021 10:11AM UTC

Hi Zac,

You are welcome!

Unfortunately, as you mentioned, you will need to edit the source code and rebuild the JAR each time for dynamically updating headers. We have not implemented any logic in the extension for parameter parsing from a configuration file.

Feel free to clone the repo and add any improvements. A config file definitely makes more sense!

Alternatively, you may wish to check out the JSON Web Tokens extension and use this as a basis for creating your own extension.
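As an added illustration of the "config file instead of a rebuild" approach discussed above (this is not PortSwigger's add-custom-headers extension and not code from this thread): a minimal extension on Burp's legacy Extender API that re-reads the JWT from a local file on every outgoing request, so rotating the token means replacing the file rather than rebuilding and re-uploading the JAR. The file path, header name and extension name are assumptions; the file holds a live credential, so it should be readable only by the account running Burp.

```java
package burp;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical extension: adds a bearer token read from a local file to every
// outgoing request, so the JWT can be rotated without rebuilding the JAR.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final Path TOKEN_FILE = Paths.get(System.getProperty("user.home"), ".burp-token"); // assumed path
    private static final String HEADER_NAME = "Authorization";
    private IExtensionHelpers helpers;
    private IBurpExtenderCallbacks callbacks;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Token-from-file header injector (example)");
        callbacks.registerHttpListener(this);   // see every request Burp's tools send
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse msg) {
        if (!isRequest) return;                  // only rewrite outgoing requests
        String token = readToken();
        if (token == null) return;               // no usable token: leave the request alone
        IRequestInfo info = helpers.analyzeRequest(msg);
        List<String> headers = new ArrayList<>();
        for (String h : info.getHeaders()) {     // drop any stale copy of the header first
            if (!h.regionMatches(true, 0, HEADER_NAME + ":", 0, HEADER_NAME.length() + 1)) {
                headers.add(h);
            }
        }
        headers.add(HEADER_NAME + ": Bearer " + token);
        byte[] req = msg.getRequest();
        byte[] body = Arrays.copyOfRange(req, info.getBodyOffset(), req.length);
        msg.setRequest(helpers.buildHttpMessage(headers, body));
    }

    // Re-read on every request: a scan started after the file changes picks up the new JWT.
    private String readToken() {
        try {
            String t = new String(Files.readAllBytes(TOKEN_FILE), StandardCharsets.UTF_8).trim();
            return t.isEmpty() ? null : t;
        } catch (IOException e) { callbacks.printError("Cannot read " + TOKEN_FILE + ": " + e.getMessage()); return null; }
    }
}
```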
