Burp Suite User Forum

Troubleshooting custom extensions

Zac | Last updated: Nov 12, 2021 05:25PM UTC

I am trialing the Enterprise Edition and I have written my own custom Java extension (that I package into a self-contained "fat" jar) because I need Burp to add a custom header to each and every request that it makes. Let's say this is a "Fizzbuzz" header that will have a UUID value generated by the Java extension. For example, "Fizzbuzz: ED50D3E9-CC55-46D6-B537-CD40A2FD15D1", etc.

In the web console, I log in and go to Settings >> Extensions >> Custom Extensions >> Upload extension, and then I upload my jar file. In my site scan, I configure the scan to use this custom extension and can verify (by looking at the UI) that it appears to be configured to use the extension.

I run a scan and it completes. I go to Scanned URLs and find a sample URL that was scanned. I click it and see that there was an Issue with it, so I click on the Issue and then go to the Request tab. I see:

```
GET /apicrpbsmo7j0/v1/core/folders HTTP/1.1
Host: my-bsee.example.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close
Cache-Control: max-age=0
```

Why am I not seeing my Fizzbuzz header? Did something potentially fail in the custom extension or am I just looking in the wrong screen? How can I be sure my custom extension was invoked on each request and executed properly?

More generally:

a) How can I troubleshoot this issue, or any other issues with custom extensions? Can I write to STDOUT/STDERR from inside the extension, or a log file, and view the output somewhere or somehow?

b) How does Burp interact with these custom extensions? If I implement IBurpExtender and IHttpListener, will the extension be invoked for each and every HTTP request that Burp makes as part of a scan? Or is there filtering involved somehow?

Uthman, PortSwigger Agent | Last updated: Nov 15, 2021 12:29PM UTC

Hi Zac,

Thank you for your message.

Better logging would definitely be helpful so I appreciate your frustration!

The issue here is that extensions do not show you the modified view of a raw request when a native scan check is performed (i.e. the request with your custom header inside it). You'll notice this if you try using your extension in Burp Pro too - only the Logger tab will show you the request with your custom header.

For custom scan checks, you will see that this can be configured. E.g. if you use the 'Burp Bounty, Scan Check Builder' extension. Or you can capture the request in the 'Flow' extension > Right-click > Add new sitemap issue to see this in action.

There are a few ways to check that the headers have been added to the requests:

  • Print to stdout - this will print to your scan debug log file though so it may end up polluting it unless you find a way to organize how/when the entries are added
  • Set an upstream proxy server to Burp Pro and look at the output in the Logger tab - you can do this within your Enterprise scan configuration settings

You can find information on how Enterprise handles extensions here:


In relation to your second question, yes - most of the API methods will work. The exception to this would be anything that adds a new tab, e.g. https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#addSuiteTab(burp.ITab), since that only exists in Pro. All Enterprise extensions cannot access API methods unique to Pro or that require a GUI (i.e. should not implement things like the Swing interface) because agents are run headlessly.

Your specific example will work and my colleague and I have created an extension to do this. Feel free to edit the code suitable to your requirements:


Please let me know if you have any further questions!

Best Regards,

Uthman Eqbal
Technical Product Specialist
PortSwigger
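
A minimal sketch of the kind of extension discussed in this thread, added here as an example; it is not the extension written by PortSwigger staff that the reply refers to. It uses the legacy Extender API interfaces named in the question (IBurpExtender, IHttpListener); the extension name string and the log line format are assumptions.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;

public class BurpExtender implements IBurpExtender, IHttpListener {
    // Header name taken from the question; the value is a fresh UUID per request.
    private static final String HEADER_NAME = "Fizzbuzz";

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Add Fizzbuzz header"); // assumed name
        callbacks.registerHttpListener(this);
        // Load marker: if this line never appears, the extension was not started.
        callbacks.printOutput("Fizzbuzz header extension loaded");
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (!messageIsRequest) {
            return; // responses are left untouched
        }
        byte[] request = messageInfo.getRequest();
        IRequestInfo info = helpers.analyzeRequest(messageInfo);

        // Copy the header list (element 0 is the request line) and drop any
        // existing Fizzbuzz header so the request never carries two values.
        List<String> headers = new ArrayList<>(info.getHeaders());
        String prefix = HEADER_NAME + ":";
        headers.removeIf(h -> h.regionMatches(true, 0, prefix, 0, prefix.length()));

        String value = UUID.randomUUID().toString().toUpperCase();
        headers.add(HEADER_NAME + ": " + value);

        // Rebuild the message so Content-Length stays consistent with the body.
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        messageInfo.setRequest(helpers.buildHttpMessage(headers, body));

        // One line per request; this is noisy on a full scan, so trim it once verified.
        callbacks.printOutput(callbacks.getToolName(toolFlag) + " " + info.getUrl()
                + " " + HEADER_NAME + "=" + value);
    }
}
```

Logging the generated UUID alongside the URL lets each line of extension output be matched against the request seen in the upstream Logger tab or in the target application's own access log.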
