Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Making a request after every Scanner response, depending on the response contents.

Adrian Feb 02, 2017 01:32AM UTC

I'm not sure whether this is possible via a mixture of macros / an extension, but here's my problem.

I'm trying to scan a request that creates an entry in a database, and the request includes the name of the new entry. The problem is, when running the request through the scanner, it will use the same name each time, and after the first request will result in an error message like "an entry with this name already exists".

The solution I'm trying to create is this:

1) After each Scanner request returns a response, check the response and extract the ID of the newly created entry.
2) Send a subsequent request that deletes the entry with the extracted ID.
3) Move on to the next Scanner request.

I thought I could do it with session handling rules, but apparently the option to invoke a Burp extension only works prior to the request being sent.

Is there any way of doing this with Scanner request / responses? I realize I could use the IHttpListener but I believe that runs concurrently with the Scanner, and I need the request to delete the entry to run after each Scanner request and before the next one starts.

Dafydd Stuttard Feb 02, 2017 12:12PM UTC Support Center agent

You could do this with an IHttpListener. Monitor for responses received by the Scanner tool (for the relevant request URL, if necessary). When you observe a response containing an ID, issue another request to delete the item with that ID. Burp has already received the first response, and you can safely issue the second request in the same thread.

A possible alternative would be to use a session handling rule that applies to Scanner requests made containing the relevant parameter for the name of the new entry. Your extension can register a custom session handling action that is invoked by the session rule, and which simply updates the relevant parameter with a random value.

Post Your public answer

Your name
Your email address