Burp Suite User Forum

How to affect URLs that show up in Target/Site Map

Roy | Last updated: Oct 05, 2017 08:36PM UTC

I am developing an extension to enhance the Target/Site Map filtering capabilities. Is there a way to intercept every Request coming into Burp to allow decision code that would determine if a URL will be displayed in the "Site Map" list on the Target tab? Thanks.

Burp User | Last updated: Oct 05, 2017 11:39PM UTC

Ok, so I feel like I'm getting somewhere with this, but I am not getting the behaviour I expected. Given an instance of this IProxyListener class, wired up appropriately, I expected Requests to www.foo.com to NOT show up in the Target/SiteMap, but they still do. What am I doing wrong?

```java
package burp;

public class ProxyListener implements IProxyListener {

    public ProxyListener(IBurpExtenderCallbacks callbacks) {
    }

    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        System.out.println("In ProxyListener.processProxyMessage");
        if (messageIsRequest) {
            IHttpRequestResponse reqResp = message.getMessageInfo();
            IHttpService httpService = reqResp.getHttpService();
            String host = httpService.getHost();
            System.out.println("Intercepted Request to: " + host);
            if (host.equalsIgnoreCase("www.foo.com")) {
                message.setInterceptAction(IInterceptedProxyMessage.ACTION_DONT_INTERCEPT);
                System.out.println("ACTION_DONT_INTERCEPT");
            } else {
                message.setInterceptAction(IInterceptedProxyMessage.ACTION_FOLLOW_RULES);
                System.out.println("ACTION_FOLLOW_RULES");
            }
        }
    }
}
```

Burp User | Last updated: Oct 06, 2017 12:24AM UTC

Ok, unless I am really missing something here, I don't see any way to make this work. Is there API access to the Site Map Filtering mechanisms? Maybe I could approach it that way?

PortSwigger Agent | Last updated: Oct 06, 2017 07:52AM UTC

Hi Roy, Thanks for your message. As you say, your proxy code won't affect the site map. And unfortunately, there's no easy way to control the site map filter. If you can handle some hackiness you could edit requests you're not interested in and append something like NOSHOW to the URL. Then in the site map the user could do a negative search for NOSHOW. The other possibility is to re-implement the site map entirely. You can use the IHttpListener interface, a little bit like Flow and Logger++ do. However, you will end up duplicating most of the site map code. Please let us know if you need any further assistance.

Burp User | Last updated: Oct 06, 2017 07:38PM UTC

Thanks Paul. Can I suggest PortSwigger consider exposing the Target Filtering API? It would be very powerful to allow us to create customizations which extend this functionality directly.

PortSwigger Agent | Last updated: Oct 09, 2017 07:24AM UTC

Hi Roy, That sounds a reasonable request. We've got some work planned in the medium term to improve the capability of the filter bar. When we do that we'll see if we can add an extension API too. I have another idea how you could do what you want; taking inspiration from the Multi-Browser Highlighting extension in the BApp Store. Your extension can call setHighlight on relevant requests, then the user can filter based on highlights in the site map. Please let us know if you need any further assistance.
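
The setHighlight approach suggested above, as an added example that is not part of the original thread and is not PortSwigger's or Roy's code. It uses the legacy Extender API (the `burp` package from the earlier post); the host names and the highlight colour are placeholders, and it assumes, as the reply says, that the site map can then be filtered on highlights.

```java
package burp;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example: highlight hosts of interest so the site map can be filtered on highlights.
public class BurpExtender implements IBurpExtender, IProxyListener {

    // Hypothetical hosts of interest; replace with your own configuration.
    private static final Set<String> KEEP_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "api.example.com"));
    private static final String COLOR = "cyan"; // one of Burp's named highlight colours

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Site map highlight filter (example)");
        // Tag items that were already in the site map before the extension loaded.
        for (IHttpRequestResponse item : callbacks.getSiteMap(null)) {
            tag(item);
        }
        callbacks.registerProxyListener(this);
    }

    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        if (messageIsRequest) {
            tag(message.getMessageInfo());
        }
        // The intercept action is left untouched: per the thread, it does not affect the site map.
    }

    private static void tag(IHttpRequestResponse item) {
        IHttpService service = item.getHttpService();
        if (service == null || service.getHost() == null) {
            return;
        }
        String host = service.getHost().toLowerCase(Locale.ROOT);
        // Do not overwrite a highlight the tester has already set by hand.
        if (KEEP_HOSTS.contains(host) && item.getHighlight() == null) {
            item.setHighlight(COLOR);
        }
    }
}
```

Only requests seen through the Proxy after loading, plus items already in the site map at load time, are tagged; traffic added by other tools would need an IHttpListener as well.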

Burp User | Last updated: Jul 10, 2018 04:51PM UTC

Hi Paul Johnston, I would really love to finish the extension we chatted about on this thread back in Oct. 2017. Any chance you guys are going to release some updates to the API to support this anytime soon?? thanks! - Roy Davis (Salesforce Product Security Team)

PortSwigger Agent | Last updated: Jul 10, 2018 04:58PM UTC

Hi Roy, Thanks for following up on this. Unfortunately there has been no progress on this area since we last spoke. The development team have been busy on architectural improvements. Realistically, I think it's likely to be 12 months until we look at the filter UI.

Burp User | Last updated: Aug 03, 2018 04:26PM UTC

Ok, thanks for the update Paul. As soon as your team releases the update, I will continue work on implementing a configurable persistent filter plugin. When it's ready I'll submit it to the BApp Store.
