Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Burp scanner insertion point custom encoding

I Jan 25, 2019 10:32PM UTC

I'm trying to create an extension for scanner to specify multiple insertion points and also do some custom encoding on the payload from scanner. I'm attempting to use the following example along with the documentation to achieve this:

https://github.com/PortSwigger/example-custom-scan-insertion-points/blob/master/java/BurpExtender.java

I don't exactly want to change the positions, I just want to get the payload string either in plaintext or base64 so that I could do some custom encoding and replace the parameter with the new value.

Also, if I define these multiple custom insertion points will the scanner still insert into other areas?

Am I using the right API to achieve this, and does anyone have any better examples to demonstrate this type of extension?


Paul Johnston Jan 28, 2019 09:22AM UTC Support Center agent

Yes, IScannerInsertionPointProvider is the best available interface to implement for this purpose. There isn’t an interface like IScannerInsertionPointEncoder that exactly suits your needs.

So if you wanted to, as an example ROT13 encode all payloads in form parameters, you’d need to code an IScannerInsertionPointProvider that detected all the form parameters and returned IScannerInsertionPoint. Then in IScannerInsertionPoint.buildRequest you’d need to encode the payload and place it in the request. You could use IExtensionHelpers.updateParameter to help with that.

Scanner uses extension provided insertion points in addition to built-in ones. You can turn particular built-in parameters off and on in the scan configuration.


I Jan 29, 2019 05:17AM UTC
Hi, so I did do this using the example in the link above, I made a loop to add a few parameters to insertionPoints Array and changed the buildRequest to just encrypt the payload argument. The InsertionPoint function is practically blank because I wanted to change the whole value and not a part of it. However, this does not seem to actually encrypt the payload, also the original value is still present. Any ideas on the issue?

My buildRequest function looks like this:
@Override
public byte[] buildRequest(byte[] payload)
{
// build the raw data using the specified payload
String input = encrypt(payload);

// update the request with the new parameter value
return helpers.updateParameter(baseRequest, helpers.buildParameter("data", input, IParameter.PARAM_BODY));
}

Also any idea on how I can change the arguments for buildParameter for other insertion points?


Paul Johnston Jan 29, 2019 09:37AM UTC Support Center agent

What I suggest you do is print out more debug output. Print out baseRequest, payload, input and the updated request. Are you using Logger++ to monitor the traffic Scanner is sending?

For parameters like HTTP headers you’d have to do somewhat more work, either using IRequestInfo, or processing the byte arrays.


I Jan 29, 2019 07:35PM UTC
I was just printing to the console and issuing alerts but no messages from any of the methods other then before registering the provider. I've also been using an upstream proxy to verify if the payloads were encrypted which they were not.
And the requests are just HTTP URL and BODY parameters.

Paul Johnston Jan 30, 2019 02:48PM UTC Support Center agent

To help you any further I would need to see the full source code to your extension. Email it to support@portswigger.net


Post Your public answer

Your name
Your email address
Answer