Burp 2.0 extension-only audit
I have a local page that I use to test for LFI attacks. When I used to run an active scan against this page in Burp 1.7.37, I got the attack detected by different extensions, e.g. J2EEScan.
I tried to scan the same page in Burp 2.20beta with the extension-only audit. However, I got no results, and on checking the logs I don't see any of the extension packets, only maybe Active Scan++ but no J2EEScan or Scan Check Builder packets.
I used the jar file for Burp 2.20beta. Would you have an idea why such an issue took place and if there is a way to get extension-only audit to work with the above-mentioned extensions?
When you select the extension via Extender > Extensions, do you see anything in the Errors tab?
Omar – I just checked with Burp 2.0.20 on macOS and J2EEScan was correctly generating requests in an extension-only audit. I was able to view the requests in Logger++.
Are you on a different platform? Are you able to see J2EEScan requests in Logger++?
I know that the extension is loaded and is working properly, as I can see some of the passive checks already in the target section. My problem is with the active scanning in the beta version.
Omar, sorry for the delay in getting back to you. Burp extensions are developed by third-party developers. We’d recommend contacting the authors with this issue:
I'm the maintainer of J2EEScan. If you still have problems with the stable Burp 2.x, please let me know, using GitHub.
Enrico, thanks for getting back to this customer. We really appreciate it.