Auditing not calling doActiveScan(...) method via Extensibility API
I am currently trying to learn the Burp Extensibility API using this example (in Java): https://github.com/PortSwigger/example-scanner-checks and I am getting stuck with something.
With the latest beta version of Burp, v2b18, is there a way to automatically spider+audit the server.js, that will display the vulnerability "Pipe Injection"?
When I perform an audit I see that doPassiveScan was called, but I cannot get doActiveScan to be called. However, I can get doActiveScan to be called if I manually proxy a form submission request via Burp, and then scan manually.
Any suggestions will be welcomed.
In your case, I suggest you explicitly start a scan of server.js by right-clicking on it (in the Site Map or Proxy History) and launching a scan.
This should result in doActiveScan being called on your extension. If it doesn’t, just drop us a line and we’ll investigate other potential causes.
Thanks for your reply.
I can only get the vulnerability to show when I proxy the request manually and do some more manual stuff, i.e.
I open http://localhost:8000 and submit a random input as form data e.g.
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept-Encoding: gzip, deflate
And then I go to Target -> Site map, right-click on the form submission "data=aW5.......3d", click Scan -> Select "Audit selected items" w/ "Create new task". Then I can only get the vulnerability to show up as an issue. If I were to select "Crawl and audit" instead of "Audit selected items" the issue will not show up.
Is this intended functionality? If so, is there a custom crawl or audit configuration that I can set that will return the issue when I select "Crawl and audit"?
Thanks for your feedback! We couldn’t reproduce this behaviour locally; it sounds like your crawl+audit task has a missing item in its scan queue that the audit scan has. It would be great if you could send us a screenshot of the scan queue for both crawl+audit and audit tasks. Also, just to clarify, are you expecting the data insertion point to show the vulnerable behaviour when the scan check sends a pipe character?
I created a YouTube video to show what I'm doing (hopefully) more clearly;
Ideally, I'd like the action at ~29 seconds in to discover the vulnerability (pipe character), without having to manually proxy requests through my browser.
Hello back there from the Burp Desktop team!
Run it with the following command:
$ node server.js