
Method to Pause/Unpause Scanner

August May 24, 2017 07:05PM UTC

Does the API include methods for an extension to pause and unpause the scanner? I have searched the Javadocs but didn't find any.

My scenario is an extension that implements ISessionHandlingAction to re-login the user when the session times out. I would like to pause the scanner while the login is happening so that it doesn't issue a bunch of requests with a stale session.

Is there another way to do it? Maybe by saving the configuration, altering the scan state, and reloading it into Burp?


Dafydd Stuttard May 25, 2017 07:59AM UTC Support Center agent

There isn’t currently a way to do this, sorry. We do plan a general overhaul of the API at some point, and we will look into providing this capability.

One way to achieve what you want in the meantime would be to register an IHttpListener so that your code gets called for all requests. Create a lock object and acquire/release the lock when processing relevant requests. Then when your session recovery kicks in, acquire the same lock until the session is restored. This will effectively block other request threads while your custom session handler does its work.
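The lock-based workaround from the reply above, written against the legacy Burp Extender API as an added example (not code from the thread or from PortSwigger). The login request, host and credentials are hypothetical placeholders, and refreshing the cookies on requests that were held at the gate is an addition beyond what the reply describes.

```java
package burp;

import java.util.Collections;
import java.util.List;
import java.util.concurrent.locks.ReentrantLock;

public class BurpExtender implements IBurpExtender, IHttpListener, ISessionHandlingAction {
    // Hypothetical login request (assumption): replace with the target application's own.
    private static final byte[] LOGIN_REQUEST = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
        + "Content-Length: 23\r\n\r\nuser=tester&pass=secret").getBytes();
    private final ReentrantLock sessionGate = new ReentrantLock();
    private volatile List<ICookie> freshCookies = Collections.emptyList();
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Session gate (example)");
        callbacks.registerHttpListener(this);
        callbacks.registerSessionHandlingAction(this);
    }
    @Override
    public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse msg) {
        // Gate only outgoing Scanner requests; the login request below is sent as Extender traffic.
        if (!isRequest || toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER) return;
        sessionGate.lock();   // blocks here while performAction() holds the lock
        sessionGate.unlock(); // gate is open: release at once so Scanner threads stay concurrent
        applyCookies(msg);    // a request that waited still carries the stale cookie
    }
    @Override
    public String getActionName() { return "Re-login and hold Scanner requests"; }
    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        sessionGate.lock();
        try {
            byte[] resp = callbacks.makeHttpRequest(currentRequest.getHttpService(), LOGIN_REQUEST).getResponse();
            if (resp != null) freshCookies = helpers.analyzeResponse(resp).getCookies();
            applyCookies(currentRequest);
        } finally {
            sessionGate.unlock(); // always reopen the gate, even if the login fails
        }
    }
    // updateParameter only rewrites cookies that are already present in the request.
    private void applyCookies(IHttpRequestResponse msg) {
        byte[] req = msg.getRequest();
        for (ICookie c : freshCookies)
            req = helpers.updateParameter(req, helpers.buildParameter(c.getName(), c.getValue(), IParameter.PARAM_COOKIE));
        msg.setRequest(req);
    }
}
```

Several Scanner threads can detect the expired session at about the same time; they queue on the lock and each one logs in again, so add a "recently restored" check if the application limits login attempts.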


jyarema Aug 16, 2017 04:04PM UTC
+1 on a feature to programmatically start/stop the active scanner. I see this as a very useful feature when you need to use an extender to handle custom authentication routines. Should the test user account become locked out, you don't want to proceed with further scans with a locked out account as you'll likely get invalid scan results.

Paul Johnston Aug 18, 2017 10:06AM UTC Support Center agent

Thanks jyarema, we’ve recorded your request and it will be considered when the API is refactored.

You may be able to have some success with this using the session handling rule “Prompt for in-browser session recovery.”

We’ll let you know when we make progress.


Doug Logan Feb 19, 2018 03:37PM UTC
+1 for this feature. We'd like to pause our scanner when/if the VPN goes down since we'd no longer be testing from a white-listed IP.

We could write a plugin to do this if there was the capability to pause the scanner. We'll probably look into the IHTTPListener suggestion in the meantime, but actual pause capability would be much cleaner.

Alternatively, is there any reason we can't find the pause menu item with Java reflection?

Paul Johnston Mar 01, 2018 11:38AM UTC Support Center agent

Hi Doug,

I’ve noted your +1. You will struggle to use Java reflection because the Burp code is obfuscated. You could theoretically use the Swing Robot class to simulate user actions, although it may not be completely reliable.

