Getting Started with Burp Suite
Burp Suite Documentation
Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.
| Burp Suite Professional and Community editions | Burp Suite Enterprise Edition |
| Burp Scanner | Burp Collaborator |
| Burp Infiltrator | Full Documentation Contents |
Burp Extender
Burp Extender lets you extend the functionality of Burp Suite in numerous ways.
Extensions can be written in Java, Python or Ruby.
| API documentation | Writing your first Burp Suite extension |
| Sample extensions | View community discussions about Extensibility |
Problem with burp extension to automate security checks of single sign-on
Hello,
I'm currently trying to develop (jython) extension to automate some work with single sign-on protocols (like oauth, saml etc.). The main idea how it would work is:
- Check requests if it's an sso request
- Determine which one it is
- Perform some passive checks
- Perform active checks which would lead to start a new chain of authorization with protocol and perform some attacks (f.e. XSW for SAML).
As for passive checks I do not have a problems with them (using baseRequestResponse at the doPassiveScan function mostly), I can't really think of the hooks (looking at documentation) that I can use to perform the active checks that will work as in my idea.
I will be glad if you will show me the way a bit in that case
Regards,
Tom
Hi Tom,
That sounds like an interesting extension. There are some SSO extensions in the BApp Store already; it would be interesting to consult them.
I expect you’ve already discovered the IScannerCheck interface and that you can override doActiveScan. You should perform your active checks within that method. You can use callbacks.makeHttpRequest to issue a request, which will go through Burp’s network stack, including session handling rules. If there any specific issue you’re having doing that?