Burp scanner: how to add support for csrf tokens
I'm having an issue with the Burp Scanner: when anti-CSRF tokens are present, it seems the scanner cannot handle them and it fails to perform active/passive scans. Would it be possible through Burp Extension capabilities to add a feature so Burp checks each request, extracts the CSRF token, and adds it to the submission request? Thanks,
3 Agent Answers | 2 Community Answers | Sep 23, 2016 12:23PM UTC
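As an added example (not code from the original post, and not PortSwigger's), here is how a JRuby extension could do what the question asks through the Extender API's session handling action: a session handling rule runs a macro that fetches the page carrying the form, and the registered action pulls the token out of the macro response and writes it into the request Burp is about to send. Burp's built-in session handling rules and macros can do the same without an extension. Assumptions: the token is rendered as a hidden input named `csrf_token` and submitted as a body parameter of the same name (both names are hypothetical), and the outgoing request already carries a stale copy of that parameter. The token extraction is plain Ruby and runs outside Burp; the Burp glue only loads under JRuby.

```ruby
# Added example, not from the original post. Refreshes an anti-CSRF token from a
# macro response before each request that a session handling rule covers.
# Assumption: token is <input type="hidden" name="csrf_token" value="..."> and is
# submitted as a body parameter named csrf_token.

TOKEN_PARAM = 'csrf_token' # hypothetical parameter name

# Pull the hidden input's value out of an HTML page. Handles both attribute
# orders (name before value and value before name); returns nil if absent.
def extract_csrf_token(html, name = TOKEN_PARAM)
  n = Regexp.escape(name)
  m = html.match(/<input[^>]*\bname=["']#{n}["'][^>]*\bvalue=["']([^"']+)["']/i) ||
      html.match(/<input[^>]*\bvalue=["']([^"']+)["'][^>]*\bname=["']#{n}["']/i)
  m && m[1]
end

if defined?(JRUBY_VERSION)
  require 'java'
  java_import 'burp.IBurpExtender'
  java_import 'burp.ISessionHandlingAction'
  java_import 'burp.IParameter'

  # Burp instantiates the class named BurpExtender when the extension loads.
  class BurpExtender
    include IBurpExtender
    include ISessionHandlingAction

    def registerExtenderCallbacks(callbacks)
      @callbacks = callbacks
      @helpers = callbacks.getHelpers
      callbacks.setExtensionName('CSRF token refresher (example)')
      # Makes this action selectable in Project options > Sessions > rule actions.
      callbacks.registerSessionHandlingAction(self)
    end

    def getActionName
      'Refresh anti-CSRF token from macro response'
    end

    # currentRequest: the request Burp is about to send (Scanner, Repeater, ...).
    # macroItems: the requests/responses of the macro the rule ran first; the
    # last one is assumed to be the page carrying the form.
    def performAction(currentRequest, macroItems)
      return if macroItems.nil? || macroItems.length == 0
      page = macroItems[macroItems.length - 1]
      return if page.getResponse.nil?
      token = extract_csrf_token(@helpers.bytesToString(page.getResponse))
      return if token.nil?
      param = @helpers.buildParameter(TOKEN_PARAM, token, IParameter::PARAM_BODY)
      # updateParameter rewrites the existing body parameter and fixes Content-Length.
      currentRequest.setRequest(@helpers.updateParameter(currentRequest.getRequest, param))
    end
  end
end
```

To use it, load the file under the JRuby interpreter in Extender, create a macro that requests the form page, then add a session handling rule whose action is "Run a macro" followed by "Invoke a Burp extension" pointing at this action, scoped to the tools and URLs that need the fresh token.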
applyMarker in Ruby - java Class Cast Exception
I am using Ruby to develop an extender that does a passive scan for a particular string in the response. Everything is working fine apart from applyMarkers. When the applyMarkers method is called I receive the error below. Any idea how to fix this? How do I cast? What is [I in Java?
Error: java.lang.RuntimeException: java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to [I
Thanks
1 Agent Answer | 1 Community Answer | Sep 21, 2016 06:58PM UTC
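As an added example that is neither the poster's code nor PortSwigger's: `[I` is the JVM's type descriptor for `int[]`. applyMarkers takes its marker lists as `List<int[]>`; a Ruby array of Ruby arrays gets past the outer check because RubyArray implements java.util.List, but each inner `[start, end]` pair is still a RubyArray and fails the cast to `int[]`. Converting each pair with `to_java(:int)` fixes it. The skeleton below does that inside a passive scanner check; the offset finder is plain Ruby so it runs outside Burp, while the Burp classes load only under JRuby. The searched string `secret` and the issue wording are assumptions.

```ruby
# Added example, not from the original post. Passive check that finds every
# occurrence of NEEDLE in a response and reports an issue with the matches
# highlighted, converting marker pairs to Java int[] as applyMarkers requires.

NEEDLE = 'secret' # hypothetical string to look for

# Returns [[start, end], ...] byte offsets (end exclusive, as Burp expects) of
# every non-overlapping occurrence of needle in body.
def find_markers(body, needle)
  markers = []
  pos = 0
  while (i = body.index(needle, pos))
    markers << [i, i + needle.length]
    pos = i + needle.length
  end
  markers
end

if defined?(JRUBY_VERSION)
  require 'java'
  java_import 'burp.IBurpExtender'
  java_import 'burp.IScannerCheck'
  java_import 'burp.IScanIssue'
  java_import 'burp.IHttpRequestResponse'

  # Minimal IScanIssue carrying the marked message.
  class StringIssue
    include IScanIssue
    def initialize(service, url, messages, detail)
      @service, @url, @messages, @detail = service, url, messages, detail
    end
    def getUrl; @url; end
    def getIssueName; 'Sensitive string in response (example)'; end
    def getIssueType; 0x08000000; end # "extension generated issue" type
    def getSeverity; 'Information'; end
    def getConfidence; 'Certain'; end
    def getIssueBackground; nil; end
    def getRemediationBackground; nil; end
    def getIssueDetail; @detail; end
    def getRemediationDetail; nil; end
    def getHttpMessages; @messages; end
    def getHttpService; @service; end
  end

  class BurpExtender
    include IBurpExtender
    include IScannerCheck

    def registerExtenderCallbacks(callbacks)
      @callbacks = callbacks
      @helpers = callbacks.getHelpers
      callbacks.setExtensionName('String marker check (example)')
      callbacks.registerScannerCheck(self)
    end

    def doPassiveScan(base)
      return nil if base.getResponse.nil?
      # bytesToString decodes as ISO-8859-1, so string indices equal byte offsets.
      body = @helpers.bytesToString(base.getResponse)
      pairs = find_markers(body, NEEDLE)
      return nil if pairs.empty?
      # Each pair must be a Java int[] ("[I"); a bare Ruby Array is a RubyArray.
      markers = pairs.map { |s, e| [s, e].to_java(:int) }
      marked = @callbacks.applyMarkers(base, nil, markers) # nil: no request markers
      url = @helpers.analyzeRequest(base).getUrl
      detail = "The response contains '#{NEEDLE}' #{pairs.length} time(s)."
      [StringIssue.new(base.getHttpService, url, [marked].to_java(IHttpRequestResponse), detail)]
    end

    def doActiveScan(base, insertion_point); nil; end
    def consolidateDuplicateIssues(existing, new_issue); 0; end
  end
end
```

The same `to_java(:int)` conversion applies to request markers (the second argument) when you highlight parts of the request instead.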
Hi, I am creating a Burp extension which uses the makeHttpRequest functionality to send some requests, but I would like to assign a maximum timeout to these requests, since some of them may never get a response. How could I do this? Cheers, Daniel
1 Agent Answer | 0 Community Answers | Sep 20, 2016 03:26PM UTC
Potentially misconfigured headers from extension "Header Analyzer"
The "Header Analyzer" extension reports the following issue: Potentially misconfigured headers: Header name: x-xss-protection. Header value: 1; mode=block. My response contains this header: X-XSS-Protection: 1; mode=block. As far as I know, that is a correct header? Can anyone explain why this extension says it is "potentially misconfigured"? Thanks
1 Agent Answer | 0 Community Answers | Sep 13, 2016 09:31PM UTC
Why Burp asks to activate license when starting by cmd.exe
Hi all, I ran into a problem with Burp. I developed a Java extension to launch Burp from cmd.exe. I wrote a .bat file and call it via Java Runtime. It asks me to activate the license again. If I open the .bat file directly, it won't ask for activation. But if I open the .bat file via a Java Runtime object like this: Runtime runtime = Runtime.getRuntime(); runtime.exec("cmd /k start...
2 Agent Answers | 1 Community Answer | Sep 08, 2016 02:04AM UTC
Forcing Burp to open w/ scanner unpaused?
Is it possible to force Burp to open in a state in which scans are forcibly unpaused? I'm working on a project where we call doActiveScans() on a single entry from getProxyHistory(), and upon clicking on the "Scanner" tab, the scans in the queue are marked as "waiting".
1 Agent Answer | 0 Community Answers | Sep 06, 2016 08:42PM UTC
Loading external jars from extensions
Hello, I am building a Burp extension and I would like to incorporate external JARs, for example the gson library, to store some settings in a file. For the life of me I can't figure out how to get this configured correctly in Eclipse, even though I see some extensions in the BApp Store actually do this. I have created a folder called lib in my Eclipse project folder and included the ext...
2 Agent Answers | 2 Community Answers | Aug 29, 2016 06:48AM UTC
How to enable SQLiPy on Burp
I have added SQLiPy to Burp and I can see the tab too; however, I am not sure what to enter in the proxy and port fields to start it. Even when I tried adding my PC's proxy, nothing happens when I click on Start scanning.
1 Agent Answer | 0 Community Answers | Aug 24, 2016 08:17AM UTC
Stop scanning from API call
Hi, is there any API to stop scanning and start scanning? I want to stop scanning when the session is invalidated and resume on a proper session. How can I achieve this? Regards, Sid
1 Agent Answer | 0 Community Answers | Aug 24, 2016 07:10AM UTC
Spider treating active scan URLs with injected parameter queries as new urls to spider.
I built an extension that successfully spiders the application, but I have a problem: when active scanning starts in earnest, it eventually starts adding injected URLs into the scanning scope, thus duplicating the amount of work that needs to be done. I cannot find a configuration option to turn off the behavior of identifying a URL with query params as a unique URL. I know that OWASP's ZA...
1 Agent Answer | 0 Community Answers | Aug 16, 2016 04:08PM UTC