Burp scanner insertion point custom encoding
I'm trying to create an extension for scanner to specify multiple insertion points and also do some custom encoding on the payload from scanner. I'm attempting to use the following example along with the documentation to achieve this:
I don't exactly want to change the positions, I just want to get the payload string either in plaintext or base64 so that I could do some custom encoding and replace the parameter with the new value.
Also, if I define these multiple custom insertion points will the scanner still insert into other areas?
Am I using the right API to achieve this, and does anyone have any better examples to demonstrate this type of extension?
Yes, IScannerInsertionPointProvider is the best available interface to implement for this purpose. There isn’t an interface like IScannerInsertionPointEncoder that exactly suits your needs.
So if you wanted to, as an example ROT13 encode all payloads in form parameters, you’d need to code an IScannerInsertionPointProvider that detected all the form parameters and returned IScannerInsertionPoint. Then in IScannerInsertionPoint.buildRequest you’d need to encode the payload and place it in the request. You could use IExtensionHelpers.updateParameter to help with that.
Scanner uses extension provided insertion points in addition to built-in ones. You can turn particular built-in parameters off and on in the scan configuration.
My buildRequest function looks like this:
public byte buildRequest(byte payload)
// build the raw data using the specified payload
String input = encrypt(payload);
// update the request with the new parameter value
return helpers.updateParameter(baseRequest, helpers.buildParameter("data", input, IParameter.PARAM_BODY));
Also any idea on how I can change the arguments for buildParameter for other insertion points?
What I suggest you do is print out more debug output. Print out baseRequest, payload, input and the updated request. Are you using Logger++ to monitor the traffic Scanner is sending?
For parameters like HTTP headers you’d have to do somewhat more work, either using IRequestInfo, or processing the byte arrays.
And the requests are just HTTP URL and BODY parameters.
To help you any further I would need to see the full source code to your extension. Email it to email@example.com