Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

How to affect URLs that show up in Target/Site Map

Roy Davis Oct 05, 2017 08:36PM UTC

I am developing an extension to enhance the Target/Site Map filtering capabilities. Is there a way to intercept every Request coming into Burp to allow decision code that would determine if a URL will be displayed in the "Site Map" list on the Target tab?

Thanks.


Roy Davis Oct 05, 2017 11:39PM UTC
Ok, so I feel like I'm getting somewhere with this, but I am not getting the behaviour I expected. Given an instance of this IProxyListener class, wired up appropriately, I expected Requests to www.foo.com to NOT show up in the Target/SiteMap, but they still do. What am I doing wrong?


package burp;

public class ProxyListener implements IProxyListener
{
public ProxyListener(IBurpExtenderCallbacks callbacks)
{

}

@Override
public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message)
{
System.out.println("In ProxyListener.processProxyMessage");

if(messageIsRequest)
{
IHttpRequestResponse reqResp = message.getMessageInfo();
IHttpService httpService = reqResp.getHttpService();
String host = httpService.getHost();
System.out.println("Intercepted Request to: " + host );

if(host.equalsIgnoreCase("www.foo.com"))
{
message.setInterceptAction(IInterceptedProxyMessage.ACTION_DONT_INTERCEPT);
System.out.println("ACTION_DONT_INTERCEPT");
}
else
{
message.setInterceptAction(IInterceptedProxyMessage.ACTION_FOLLOW_RULES);
System.out.println("ACTION_FOLLOW_RULES");
}

}

}
}

Roy Davis Oct 06, 2017 12:24AM UTC
Ok, unless I am really missing something here, I don't see any way to make this work. Is there API access to the Site Map Filtering mechanisms? Maybe I could approach it that way?

Paul Johnston Oct 06, 2017 08:36AM UTC Support Center agent

Hi Roy,

Thanks for your message. As you say, your proxy code won’t affect the site map. And unfortunately, there’s no easy way to control the site map filter.

If you can handle some hackiness you could edit requests you’re not interested in, append something like NOSHOW to the URL. Then in site map then user could do a negative search for NOSHOW.

The other possibility is to re-implement site site map entirely. You can use the IHttpListener interface, a little bit like Flow and Logger++ do. However, you will end up duplicating most of the site map code.

Please let us know if you need any further assistance.


Roy Davis Oct 06, 2017 07:38PM UTC
Thanks Paul. Can I suggest Portswigger consider exposing the Target Filtering API? It would be very powerful to allow us to create customizations which extend this functionality directly.

Paul Johnston Oct 09, 2017 07:43AM UTC Support Center agent

Hi Roy,

That sounds a reasonable request. We’ve got some work planned in the medium term to improve the capability of the filter bar. When we do that we’ll see if we can add an extension API too.

I have another idea how you could do what you want; taking inspiration from the Multi-Browser Highlighting extension in the BApp Store. Your extension can call setHighlight on relevant requests, then the user can filter based on highlights in the site map.

Please let us know if you need any further assistance.


Roy Davis Jul 10, 2018 04:51PM UTC
Hi Paul Johnston,

I would really love to finish the extension we chatted about on this thread back in Oct. 2017. Any chance you guys are going to release some updates to the API to support this anytime soon??

thanks!

- Roy Davis (Salesforce Product Security Team)

Paul Johnston Jul 11, 2018 07:15AM UTC Support Center agent

Hi Roy,

Thanks for following up on this. Unfortunately there has been no progress on this area since we last spoke. The development team have been busy on architectural improvements.

Realistically, I think it’s likely to be 12 months until we look at the filter UI.


Roy Davis Aug 03, 2018 04:26PM UTC
Ok, thanks for the update Paul. As soon as your team releases the update, I will continue work on implementing a configurable persistent filter plugin. When it's ready I'll submit it to the Bapp Store.

Post Your public answer

Your name
Your email address
Answer