Sample Burp Suite extension: custom scanner checks

In the custom scan insertion points example, we saw how an extension can provide custom insertion points for Burp Scanner, enabling you to run the Scanner's built-in checks against entry points within serialized data or other formats that Burp does not natively support. In this example, we'll see how an extension can further extend the Scanner's behavior by providing custom checks for passive and active scanning.

Custom scan checks are tightly integrated within Burp's scanning engine, and are invoked at the relevant stage for each base request and insertion point that the user sends for scanning. They can perform arbitrary processing, issue their own requests (when actively scanning), and report their own custom scan issues.
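To make the integration concrete, here is an added example of a scanner check extension written for this page; it is not the sample's own code. It uses the Burp Extender API (`IBurpExtender`, `IScannerCheck`, `IScanIssue`) and registers one passive check, which greps the response Burp already holds for a marker string, and one active check, which is invoked once per insertion point, submits a probe through `buildRequest()` and looks for its echo in the response. The marker string `EXAMPLE-PASSIVE-MARKER` and the probe `example-active-probe` are constructed placeholders; the sample server's actual fictitious bugs are not reproduced here.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;

public class BurpExtender implements IBurpExtender, IScannerCheck {
    // Constructed placeholders for this added example; the page's server has its
    // own fictitious bugs, which this code does not reproduce.
    private static final byte[] PASSIVE_MARKER = "EXAMPLE-PASSIVE-MARKER".getBytes();
    private static final byte[] ACTIVE_PAYLOAD = "example-active-probe".getBytes();

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Custom scanner checks (added example)");
        callbacks.registerScannerCheck(this); // Burp now calls doPassiveScan/doActiveScan
    }

    // Every occurrence of `match` in `data`, as [start, end) offset pairs Burp can highlight.
    private List<int[]> getMatches(byte[] data, byte[] match) {
        List<int[]> matches = new ArrayList<>();
        int start = 0;
        while (start < data.length) {
            start = helpers.indexOf(data, match, true, start, data.length);
            if (start == -1) break;
            matches.add(new int[] { start, start + match.length });
            start += match.length;
        }
        return matches;
    }

    // Passive check: inspects the response Burp already has; no extra traffic is sent.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        List<int[]> matches = getMatches(baseRequestResponse.getResponse(), PASSIVE_MARKER);
        if (matches.isEmpty()) return null; // null means "no issues found"
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new CustomScanIssue(baseRequestResponse.getHttpService(),
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                new IHttpRequestResponse[] { callbacks.applyMarkers(baseRequestResponse, null, matches) },
                "Example passive issue", "The response contains the marker string.", "Information"));
        return issues;
    }

    // Active check: called once per insertion point; sends one probe and checks for its echo.
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
                                         IScannerInsertionPoint insertionPoint) {
        byte[] checkRequest = insertionPoint.buildRequest(ACTIVE_PAYLOAD);
        IHttpRequestResponse checkRequestResponse =
                callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);
        List<int[]> matches = getMatches(checkRequestResponse.getResponse(), ACTIVE_PAYLOAD);
        if (matches.isEmpty()) return null;
        List<int[]> requestHighlights = new ArrayList<>();
        requestHighlights.add(insertionPoint.getPayloadOffsets(ACTIVE_PAYLOAD));
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new CustomScanIssue(baseRequestResponse.getHttpService(),
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                new IHttpRequestResponse[] { callbacks.applyMarkers(checkRequestResponse, requestHighlights, matches) },
                "Example active issue", "The probe submitted in the "
                + insertionPoint.getInsertionPointName() + " insertion point was echoed in the response.", "Low"));
        return issues;
    }

    // -1: keep only the existing issue, 0: report both, 1: keep only the new one.
    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        return existingIssue.getIssueName().equals(newIssue.getIssueName()) ? -1 : 0;
    }
}

// Minimal IScanIssue implementation; Burp renders these fields in the Issues view.
class CustomScanIssue implements IScanIssue {
    private final IHttpService httpService; private final URL url;
    private final IHttpRequestResponse[] httpMessages;
    private final String name, detail, severity;

    CustomScanIssue(IHttpService httpService, URL url, IHttpRequestResponse[] httpMessages,
                    String name, String detail, String severity) {
        this.httpService = httpService; this.url = url; this.httpMessages = httpMessages;
        this.name = name; this.detail = detail; this.severity = severity;
    }
    @Override public URL getUrl() { return url; }
    @Override public String getIssueName() { return name; }
    @Override public int getIssueType() { return 0; } // 0 is accepted for extension-generated issues
    @Override public String getSeverity() { return severity; } // "High", "Medium", "Low", "Information"
    @Override public String getConfidence() { return "Certain"; } // "Certain", "Firm", "Tentative"
    @Override public String getIssueBackground() { return null; }
    @Override public String getRemediationBackground() { return null; }
    @Override public String getIssueDetail() { return detail; }
    @Override public String getRemediationDetail() { return null; }
    @Override public IHttpRequestResponse[] getHttpMessages() { return httpMessages; }
    @Override public IHttpService getHttpService() { return httpService; }
}
```

Two points worth noting when writing real checks: `doActiveScan` runs for every insertion point of every base request, so each probe you send multiplies the scan's traffic, and `consolidateDuplicateIssues` is what stops the same finding from being reported once per insertion point; returning `-1` for issues with the same name keeps the first report and suppresses the rest.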

For the sake of this example, we've updated the demo serialized input application to contain two fictitious vulnerabilities that our extension can check for:

The sample extension demonstrates the following techniques:

If you want to run this extension, you'll need to use the included server (for ASP.NET and NodeJS), and also install the custom scan insertion points example, so that the active scan payload is inserted correctly into the serialized request.

This repository includes source code for Java, Python and Ruby. It also includes a server (for ASP.NET and NodeJS) that extends the serialization example to add some fictitious bugs so that you can test the custom scanner check and see that the issues are reported. Note: the sample server uses the JavaScript btoa() function to perform Base64-encoding on the client side. This function is not supported by Internet Explorer, but works on most other browsers.