Thursday, December 20, 2012

Sample Burp Suite extension: custom scanner checks

In the previous example, we saw how an extension could be used to provide custom insertion points for use by Burp Scanner, enabling you to run the Scanner's built-in checks against entry points within serialized data or other formats that Burp does not natively support. In this example, we'll see how an extension can be used to further extend the Scanner's behavior, by providing custom checks for passive and active scanning.

Custom scan checks are tightly integrated within Burp's scanning engine, and are invoked at the relevant stage for each base request and insertion point that the user sends for scanning. They can perform arbitrary processing, issue their own requests (when actively scanning), and report their own custom scan issues.

For the sake of this example, we've updated the demo serialized input application to contain two fictitious vulnerabilities that our extension can check for:
  • An information leakage vulnerability where a content management system is copying sensitive data into some application responses.
  • An input vulnerability where submitting the pipe character results in a distinctive error message, indicating an exploitable condition.
The sample extension demonstrates the following techniques:
  • Registering a custom scanner check.
  • Performing passive and active scanning when initiated by the user.
  • Using the Burp-provided IScannerInsertionPoint to construct requests for active scanning using specified payloads, without needing to understand how the insertion point works.
  • Using a Burp helper method to search responses for relevant match strings.
  • Highlighting relevant portions of requests and responses, in line with Burp's natively-generated scan issues.
  • Synchronously reporting custom scan issues in response to the relevant checks.
  • Guiding Burp on when to consolidate duplicated issues at the same URL (e.g., when the user has scanned the same item multiple times).
If you want to run this extension, you'll need to use the updated ASP.NET page, and also install the previous custom scan insertion points example, so that the active scan payload is inserted correctly into the serialized request.

Download the custom scanner checks extension. The download includes Java source code and the compiled JAR file. It also includes an ASP.NET page that extends the serialization example to add some fictitious bugs so that you can test the custom scanner check and see that the issues are reported. Note: the sample ASP.NET page uses the JavaScript btoa() function to perform Base64-encoding on the client side. This function is not supported by Internet Explorer, but works on most other browsers.
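The following is an added example of the check described above, not the code in the download: it registers a single IScannerCheck, looks for the leaked CMS marker passively, delivers the pipe payload actively through the Burp-supplied IScannerInsertionPoint, highlights the matched portions of both messages, and tells Burp to consolidate duplicate issues at the same URL. The CustomScanIssue class (a plain IScanIssue implementation with the constructor used in report()) and the two match strings are assumptions.

```java
package burp;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Added example, not the downloadable sample. CustomScanIssue is an assumed IScanIssue implementation; match strings are constructed.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private static final byte[] LEAK_MARKER = "[CMS-CONFIDENTIAL]".getBytes();             // constructed
    private static final byte[] INJECT_PAYLOAD = "|".getBytes();
    private static final byte[] INJECT_ERROR = "pipe character is not allowed".getBytes(); // constructed
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.registerScannerCheck(this);   // one registration covers both passive and active checks
    }
    // Every [start, end) offset of 'match' in 'data': used both for detection and for highlighting.
    private List<int[]> getMatches(byte[] data, byte[] match) {
        List<int[]> matches = new ArrayList<>();
        for (int s = helpers.indexOf(data, match, true, 0, data.length); s != -1;
             s = helpers.indexOf(data, match, true, s + match.length, data.length))
            matches.add(new int[] { s, s + match.length });
        return matches;
    }
    private List<IScanIssue> report(IHttpRequestResponse base, IHttpRequestResponse msg, List<int[]> reqMarkers,
            List<int[]> respMarkers, String name, String detail, String severity) {
        IHttpRequestResponse marked = callbacks.applyMarkers(msg, reqMarkers, respMarkers);   // shown as highlights
        return Collections.singletonList(new CustomScanIssue(base.getHttpService(),
                helpers.analyzeRequest(base).getUrl(), new IHttpRequestResponse[] { marked }, name, detail, severity));
    }
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        List<int[]> matches = getMatches(base.getResponse(), LEAK_MARKER);   // passive: no request is sent
        if (matches.isEmpty()) return null;
        return report(base, base, null, matches, "CMS data leakage", "Response contains the CMS marker.", "Information");
    }
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint ip) {
        byte[] req = ip.buildRequest(INJECT_PAYLOAD);   // the insertion point handles encoding and serialization
        IHttpRequestResponse resp = callbacks.makeHttpRequest(base.getHttpService(), req);
        List<int[]> matches = getMatches(resp.getResponse(), INJECT_ERROR);
        if (matches.isEmpty()) return null;
        int[] offsets = ip.getPayloadOffsets(INJECT_PAYLOAD);   // null when the payload no longer appears verbatim
        List<int[]> reqMarkers = offsets == null ? null : Collections.singletonList(offsets);
        return report(base, resp, reqMarkers, matches, "Pipe injection", "Pipe character triggered the error.", "High");
    }
    // Same issue name at the same URL (e.g. the item was scanned twice): keep the existing issue only.
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        return existing.getIssueName().equals(fresh.getIssueName()) ? -1 : 0;
    }
}
```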


Anonymous said...

Any chance we can see an example of a python extension for a custom scanner check based on a string/regex? Definitely looking forward to utilising the new extender framework.


AllState Victum said...

No Java source file in D/L :
Download the custom scanner checks extension. The download includes Java source code


PortSwigger said...

Yes, the source code is in the download - see

Anonymous said...

I'm trying to make this extension work but even though it loads in the Extender tab without errors, I cannot see any new functionality in the GUI.

Any idea what the problem could be?

PortSwigger said...

The extension doesn't add any new functionality to the GUI. It adds new logic to Burp's Scanner.

The download includes an ASP.NET page that you can use to test the extension against and see what it does.

Anonymous said...

Thanks for the reply. I thought you would be able to customise the payloads used by the Active Scanner. That is what I was looking to do.

PortSwigger said...

Yes, you can do exactly that. You can create a scan check that sends whatever payloads you want. If you look at the source code to that sample extension, you'll see it sends its own requests, and uses the insertion point provided by the scanner to build the needed requests.