Active scanning sorting features and insertion points fine control.

Thomas Lentz Apr 24, 2018 04:58PM UTC

Hello,

With the aim of automating Burp scan in a development cycle, I wish to get the proxy history of a specific Burp project and launch an active scan on each item.

To do so I was wondering if you would make the "remove duplicates" function available in the API (the same as in the menu when launching active scan on a bulk of items)?

Secondly, is there a way to have finer control on the insertion points that active scan will select? More specifically, is there a possibility to whitelist certain parameters (cookies or else)?

Thank you,


Paul Johnston Apr 30, 2018 10:06AM UTC Support Center agent

Hi Thomas,

Thanks for getting in touch.

We’ll have a discussion about exposing the Active Scan Wizard to the extension API. This is an area that is going to change significantly in future versions of Burp, so we won’t look at the API until after that is done. In the meantime, you would need to reimplement this in your own code. The logic is not actually that complex. If you want some help, let me know.

There’s quite a lot you can do around insertion points, both manually and from an extension. In Intruder, if you define positions, you can choose “Actively scan defined insertion points” from the context menu. There’s a version of doActiveScan that provides similar control. You can also register an IScannerInsertionPointProvider, and this API provides a bit more control than simply specifying payload offsets, e.g. you can do encoding. The Scanner options let you turn on and off certain insertion points, such as “URL parameter values”, and you can control this config from an extension using callbacks.loadConfigFromJson().

Please let us know if you need any further assistance.


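The reply above points at three API routes (reimplementing "remove duplicates" yourself, the doActiveScan overload that takes insertion point offsets, and IScannerInsertionPointProvider). The extension below is an added example written for this page; it is not code from the thread or from PortSwigger. It uses the legacy burp.* Extender interfaces (IBurpExtenderCallbacks, IExtensionHelpers, IParameter, IScannerInsertionPoint) as they existed at the time of the thread. The parameter whitelist, the dedupe key and the extension name are illustrative choices, and the JSON key names passed to loadConfigFromJson are an assumption: copy them from an options export of your own Burp version before relying on them.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not the project's code): scans each unique request in the
 * proxy history, but only at whitelisted parameter values.
 */
public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider {
    // Illustrative whitelist: only these parameter names get insertion points.
    private static final Set<String> WHITELIST = new HashSet<>(Arrays.asList("id", "q", "session"));

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Whitelisted proxy-history scan (example)");

        // ASSUMED key names: Burp adds provider points on top of its built-in ones,
        // so the built-in value insertion points are switched off here to make the
        // whitelist exclusive. Confirm the keys against an export of your own options.
        callbacks.loadConfigFromJson("{\"scanner\":{\"insertion_point_options\":{"
                + "\"url_parameter_values\":false,\"body_parameter_values\":false,"
                + "\"cookie_values\":false}}}");

        // Route 2: Burp asks this provider for insertion points on every scan,
        // including scans started from the UI.
        callbacks.registerScannerInsertionPointProvider(this);

        // Route 1: automated pass over the proxy history with explicit offsets.
        scanProxyHistory();
    }

    /** Reimplements "remove duplicates": one scan per (method, host:port, path, parameter set). */
    private void scanProxyHistory() {
        Set<String> seen = new HashSet<>();
        for (IHttpRequestResponse item : callbacks.getProxyHistory()) {
            IHttpService service = item.getHttpService();
            IRequestInfo info = helpers.analyzeRequest(item);
            URL url = info.getUrl();
            if (!callbacks.isInScope(url)) continue;

            // Sorted "type:name" entries so ?a=1&b=2 and ?b=9&a=0 collapse to one key.
            Set<String> names = new TreeSet<>();
            for (IParameter p : info.getParameters()) names.add(p.getType() + ":" + p.getName());
            String key = info.getMethod() + " " + service.getHost() + ":" + service.getPort()
                    + url.getPath() + " " + names;
            if (!seen.add(key)) continue;

            List<int[]> offsets = whitelistedOffsets(item.getRequest());
            if (offsets.isEmpty()) continue;
            callbacks.doActiveScan(service.getHost(), service.getPort(),
                    "https".equalsIgnoreCase(service.getProtocol()), item.getRequest(), offsets);
            callbacks.printOutput("Queued " + key + " with " + offsets.size() + " insertion point(s)");
        }
    }

    /** [valueStart, valueEnd) offsets of every whitelisted parameter value in the raw request. */
    private List<int[]> whitelistedOffsets(byte[] request) {
        List<int[]> offsets = new ArrayList<>();
        for (IParameter p : helpers.analyzeRequest(request).getParameters()) {
            if (WHITELIST.contains(p.getName())) {
                offsets.add(new int[] { p.getValueStart(), p.getValueEnd() });
            }
        }
        return offsets;
    }

    /** Route 2: the same whitelist exposed through the provider interface. */
    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        List<IScannerInsertionPoint> points = new ArrayList<>();
        byte[] request = base.getRequest();
        for (int[] o : whitelistedOffsets(request)) {
            // A custom IScannerInsertionPoint implementation could encode payloads here instead.
            points.add(helpers.makeScannerInsertionPoint("whitelist", request, o[0], o[1]));
        }
        return points;
    }
}
```

Pick one route per scan: a request queued with explicit offsets while the provider is also registered can have the same value tested twice. The dedupe key deliberately ignores parameter values, matching what the wizard's "remove duplicates" option is for; if two requests differ only in a path segment that is really an identifier, they will still be scanned separately.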