Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Burp scanner insertion point custom encoding

I | Last updated: Jan 25, 2019 10:32PM UTC

I'm trying to create an extension for scanner to specify multiple insertion points and also do some custom encoding on the payload from scanner. I'm attempting to use the following example along with the documentation to achieve this: https://github.com/PortSwigger/example-custom-scan-insertion-points/blob/master/java/BurpExtender.java I don't exactly want to change the positions, I just want to get the payload string either in plaintext or base64 so that I could do some custom encoding and replace the parameter with the new value. Also, if I define these multiple custom insertion points will the scanner still insert into other areas? Am I using the right API to achieve this, and does anyone have any better examples to demonstrate this type of extension?

PortSwigger Agent | Last updated: Jan 28, 2019 09:16AM UTC

Yes, IScannerInsertionPointProvider is the best available interface to implement for this purpose. There isn't an interface like IScannerInsertionPointEncoder that exactly suits your needs. So if you wanted to, as an example ROT13 encode all payloads in form parameters, you'd need to code an IScannerInsertionPointProvider that detected all the form parameters and returned IScannerInsertionPoint. Then in IScannerInsertionPoint.buildRequest you'd need to encode the payload and place it in the request. You could use IExtensionHelpers.updateParameter to help with that. Scanner uses extension provided insertion points in addition to built-in ones. You can turn particular built-in parameters off and on in the scan configuration.

Burp User | Last updated: Jan 29, 2019 05:17AM UTC

Hi, so I did do this using the example in the link above, I made a loop to add a few parameters to insertionPoints Array and changed the buildRequest to just encrypt the payload argument. The InsertionPoint function is practically blank because I wanted to change the whole value and not a part of it. However, this does not seem to actually encrypt the payload, also the original value is still present. Any ideas on the issue? My buildRequest function looks like this: @Override public byte[] buildRequest(byte[] payload) { // build the raw data using the specified payload String input = encrypt(payload); // update the request with the new parameter value return helpers.updateParameter(baseRequest, helpers.buildParameter("data", input, IParameter.PARAM_BODY)); } Also any idea on how I can change the arguments for buildParameter for other insertion points?

PortSwigger Agent | Last updated: Jan 29, 2019 09:29AM UTC

What I suggest you do is print out more debug output. Print out baseRequest, payload, input and the updated request. Are you using Logger++ to monitor the traffic Scanner is sending? For parameters like HTTP headers you'd have to do somewhat more work, either using IRequestInfo, or processing the byte arrays.

Burp User | Last updated: Jan 29, 2019 07:35PM UTC

I was just printing to the console and issuing alerts but no messages from any of the methods other then before registering the provider. I've also been using an upstream proxy to verify if the payloads were encrypted which they were not. And the requests are just HTTP URL and BODY parameters.

PortSwigger Agent | Last updated: Jan 30, 2019 10:38AM UTC

To help you any further I would need to see the full source code to your extension. Email it to support@portswigger.net

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.