Burp Extensions

Make a new post

  • Burp Extension

    I am trying to create a burp extension which scans for particular text in the response. Now I want this text to be dynamically defined by the user. How do I do that ? As in consider search functionality as extension which monitors all your responses and search for the keywords you want it to search . Whats tha best approach here ?

    1 Agent Answer    0 Community Answer
    May 09, 2016 10:07AM UTC
  • Manual Scan Issues Extension exception with Burp 1.7

    java.lang.NullPointerException at burp.BurpExtender.createMenuItems(BurpExtender.java:76) at burp.nbd.a(Unknown Source) at burp.bmc.a(Unknown Source) at burp.ofc.a(Unknown Source) at burp.ofc.a(Unknown Source) at burp.v7.a(Unknown Source) at burp.v7.mouseReleased(Unknown Source) at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source) at java.awt.Component.processMouseEv...

    1 Agent Answer    0 Community Answer
    Apr 25, 2016 08:40PM UTC
  • Modify Response depending on request

    Hi I need to write a python extension to modify responses depending on what the actual request was. Responses coming from server may be the same for different requests (like 400 Forbidden). I am using the IProxyListener interface, but I see that it handles requests and responses separately, ie(message is request OR message is not request) How can I adjust my response based on the what the ...

    1 Agent Answer    0 Community Answer
    Apr 07, 2016 01:54PM UTC
  • extension - Burp-hash

    I've been using the Burp-hash extension but its starting to be unreliable. Is anyone else getting a lot of false Issues reported with the Burp-hash extension? I get the following often and its not even valid within itself. Issue detail The REQUEST contains a SHA-384 hashed value that matches an observed parameter. Observed hash: 933dc2a4011e4e919771d764300888ad70d70357000000004...

    1 Agent Answer    0 Community Answer
    Apr 06, 2016 10:46PM UTC
  • wsdler and Basic Authentication

    I am using WSDLER against a web service which uses basic authentication. Even with 'Platform Authentication' enabled (Options>Connections) and the correct host/type/username/password set, attempting to parse the WSDL results in a "Can't parse WSDL" error. If I download the verbose version of wsdler (see https://blog.netspi.com/hacking-web-services-with-burp/) the stack ...

    1 Agent Answer    0 Community Answer
    Apr 05, 2016 07:00PM UTC
  • Request/response timing

    Hi, I've been playing with java api to try and extract timing info for intruder sessions. Using the custom logger as a base I'm putting the request url and current time into a map, then when a response is received looking up the url in the map, getting the time and subtracting it from the current time. Is this a reliable way of approaching it? It seems to produce reasonable results.

    1 Agent Answer    0 Community Answer
    Mar 22, 2016 04:37PM UTC
  • Highlighting in extension-generated IScanIssue instances

    Built-in scanner issues can apply highlight to both requests and responses, however I don't see any API to do so in IScanIssue instances generated by extensions. The method getHttpMessages() returns an array of IHttpRequestResponse instances, but that only has a get/setHighlight() used for color highlighting, not the positional highlights used by built-in scan issues. Am I missing something? ...

    1 Agent Answer    1 Community Answer
    Mar 18, 2016 01:05PM UTC
  • Confusion on InsertionPoints / active scan module

    Hi, I'm trying to make the DetectDynamicJS extension an active scanner extension instead of a passive scanner, which it is right now, to adhere to the rule that passive scanners don't issue requests. I'm a little confused about the workings of insertion point / active scan. All the extension needs to do is issue one, or sometimes two requests, which is by the way re-issuing t...

    1 Agent Answer    2 Community Answers
    Mar 18, 2016 10:02AM UTC
  • How to detect active and/or passive scanning activity is done

    Hi, I need help on the Burp Extensions. I would like to generate customized issue reports once active and/or passive scanning activity is done. But how to get ScanQueueItem status or percentage in order to know if the scanning activities are done when the request is triggered by browser, not by Burp Extension itself?

    3 Agent Answers    4 Community Answers
    Mar 17, 2016 03:50AM UTC
  • Burp Extension API - list available proxy interfaces

    I am writing a Burp plugin that helps with proxying devices that do not have configurable proxy settings. To do this, I have the extension intercept DNS queries and respond with an IP address that points to an already running Burp proxy listener. Right now, I have to manually type the address of my Burp proxy. However, it would be convenient to simply have a drop-down of my currently active Burp p...

    2 Agent Answers    1 Community Answer
    Mar 11, 2016 07:39PM UTC