Hi Zac,
Thank you for your message.
Better logging would definitely be helpful so I appreciate your frustration!
The issue here is that extensions do not show you the modified view of a raw request when a native scan check is performed (i.e. the request with your custom header inside it). You'll notice this if you try using your extension in Burp Pro too - only the Logger tab will show you the request with your custom header.
For custom scan checks, you will see that this can be configured. E.g. if you use the 'Burp Bounty, Scan Check Builder' extension. Or you can capture the request in the 'Flow' extension > Right-click > Add new sitemap issue to see this in action.
There are a few ways to check that the headers have been added to the requests:
- Print to stdout - this will print to your scan debug log file though so it may end up polluting it unless you find a way to organize how/when the entries are added
- Set an upstream proxy server to Burp Pro and look at the output in the Logger tab - you can do this within your Enterprise scan configuration settings
You can find information on how Enterprise handles extensions here:
In relation to your second question, yes - most of the API methods will work. The exception to this would be anything that adds a new tab, e.g. https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#addSuiteTab(burp.ITab), since that only exists in Pro. All Enterprise extensions cannot access API methods unique to Pro or that require a GUI (i.e. should not implement things like the Swing interface) because agents are run headlessly.
Your specific example will work and my colleague and I have created an extension to do this. Feel free to edit the code suitable to your requirements:
Please let me know if you have any further questions!
Best Regards,
Uthman Eqbal
Technical Product Specialist
PortSwigger
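
An added example, not the extension mentioned in the message above and not PortSwigger's code: a minimal GUI-free extension for the legacy Extender API that sets a custom header on outgoing requests and prints a capped number of confirmation lines to the extension's output. The header name and value, the extension name, and the log cap are placeholders chosen for illustration.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

public class BurpExtender implements IBurpExtender, IHttpListener {
    // Placeholder header and log cap: assumptions for this example.
    private static final String HEADER_NAME = "X-Example-Header";
    private static final String HEADER_VALUE = "example-value";
    private static final int MAX_LOG_LINES = 20;

    private final AtomicInteger logged = new AtomicInteger();
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Custom header (example)");
        callbacks.registerHttpListener(this); // no GUI calls, so it can run headlessly
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (!messageIsRequest) {
            return;
        }
        byte[] request = messageInfo.getRequest();
        IRequestInfo info = helpers.analyzeRequest(messageInfo);

        // Replace any existing copy of the header so it is never duplicated.
        String prefix = HEADER_NAME.toLowerCase() + ":";
        List<String> headers = new ArrayList<>(info.getHeaders());
        headers.removeIf(h -> h.toLowerCase().startsWith(prefix));
        headers.add(HEADER_NAME + ": " + HEADER_VALUE);

        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        messageInfo.setRequest(helpers.buildHttpMessage(headers, body));

        // Log only the first few modified requests to keep the output small.
        if (logged.incrementAndGet() <= MAX_LOG_LINES) {
            callbacks.printOutput("Added " + HEADER_NAME + " to " + info.getUrl());
        }
    }
}
```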