Generating Customised Intruder Attacks from an Extension
Hi, I'm trying to create a burp extension which generates customised intruder attacks. I'm aware that I can create attacks with some level of control...
Is it possible to retrieve the path of the currently open project?
I would like to retrieve the path of the currently open Burp Project to reference some resource on the filesystem relative to the project directory. I am unable to find a suitable API to do this in the...
Burp Extension + UpStream Proxy SLOWWWW
Hi all, I created a burp extension that decrypts AES traffic. The infrastructure I am testing is in such way that all requests' payloads are being encrypted with AES. In order to work around this, I am...
WebSocket API
I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly? I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide...
Burp Enterprise Edition/Pro Edition can be integrated with Microsoft Team...
Hi Burp Team, Currently we are evaluating the trial version of Burp Enterprise edition tool for security testing in our organization. The requirement is to integrate Burp Enterprise Edition/Pro Edition...
when I install a python extender(burpsmartbuster), it points out that "failed...
I have already installed the jython.jar file (2.7, the file has been selected in options) and python (but I have two versions of python and both of them are system variables). The error message is here:...
Extender Not Displaying Plugins / Can't Refresh
I am behind a corporate proxy environment using Ubuntu. Using the corporate proxy settings I am able to use Firefox to view websites as expected so Burpsuite should be able to display the BApp Store...
Burp 2.0 extension-only audit
I have a local page that I use to test for LFI attacks, when I used to run active scan against this page in Burp 1.7.37, I get the attack detected by different extensions, e.g. J2EEScan. I tried to...
Scan Summary Report into Jenkins
I am currently running scans using burp enterprise from Jenkins. The scan completes and a report is available on burp enterprise server. But how do I get this report to be displayed in Jenkins?
IMessageEditorTab check Tool
I'm trying to create a simple jython extension to run a regex against the HTTP response and extract key fields into a new IMessageEditorTab. Is there any way in IMessageEditorTab.isEnabled or...
Python extension import package error
Hello, I've run into an application that AES encrypts the body of HTTP requests and responses, I am writing an extension to decrypt and encrypt the payloads. I am writing the extension in Python and I...
Testing environment
Hi, I'm developing an extension and by this time got annoyed of development process where I need to restart extension to see the changes applied. Is there any way I could set up a testing environment...
Persist IBurpCollaboratorClientContext
Hi, is there a way to persist IBurpCollaboratorClientContext object? When I reload my extension and get IBurpCollaboratorClientContext with callbacks.createBurpCollaboratorClientContext method it still...
Carbonator scans not accurate
I just downloaded Carbonator extender through bapp and have use the command ./burpscan.sh http 127.0.0.1 80 /DVWA/vulnerabilities/ This launched burp UI and I checked that the scan does not detect SQL...
buildParameter not working
I built the HttpRequest using buildHttpMessage method and trying to add Cookie and Body param using LegacyBurpExtender.getInstance().getHelpers().buildParameter and addParameter and updateParameter...
How to set active scanner insertion points
I'm trying to set custom insertion points for the header, query param and body parameters. Currently I'm using active scan method by passing manually calculated offsetlist....
Failed to load Python interpreter from Jython JAR file
Hello Dear, I am facing an error. I am not able to add my extension in Burp. I am getting the follow error: java.lang.Exception: Failed to load Python interpreter from Jython JAR file at...
Error "Request was dropped by the user" in Custom tab while using Burp extender
Hi, I am new to building burp plugin, I have implemented a message editor, but when I toggle the interceptor on and off, I get an error in the text editor itself: Error: "le>Burp Suite Professional...
Serializing IScanIssues
Hello Support Team, So I have created an implementation of IScanIssue but I am getting errors when trying to JSON encode the class like this: "java.lang.IllegalArgumentException:...
Accessing marker indexes from Intruder Payload
Hello Support, I am trying to grab the indexes from a user created Intruder payload but it doesn't seem like it is possible within the APIs. If I already have markers I can apply them to a...
How to integrate Scan Check Builder integration with Burp Extension API
How to integrate Scan Check Builder integration with Burp Extension API? I'm able to submit active scans by selecting profile manually through tool. But I want to integrate Scan Check builder with Burp...
Packaging Burp Extensions
How are we supposed to package extensions that require both Java and Jython? I've an extension which uses 2 python projects and those 2 use python modules like six. How should I package it for...
Burp Extensions Distribution
Hello, Can you please help with the question at https://support.portswigger.net/customer/en/portal/questions/17629848-packaging-burp-extensions?new=17629848? Not sure if it's not answered as there is a...
how can I add the resulting of this a burp plugin to the sitemap?
Hi I made a burp plugin to convert get to post and post to get and it is working when I am scanning the web app but how can I add the resulting of this plugin to the sitemap? this is my burp plugin:...
Bapps folder and non BApp store extensions
Hey guys, I have a question on how Burp installs extensions from BApp store vs local extensions. It looks like for ones installed from the store, Burp stores them under the bapps folder. However for...
trigger an active scanning programmatically
Dear burp team, From an extension I would like to firstly do a passive scanning. Once the application was scanned then I would like programmatically for each (passive) request to do an active scanning....
Packing/Unpacking custom POST data format for Active Scans
I'm trying to write an extension to test a mobile API endpoint that uses a homebrew message level encryption format. Basically there is a pre-shared AES key between the mobile app and the server, and...
Making a custom extender interface
Hi to all! I'm currently creating a burp extension and I was wondering if there was any way to make an interface for it (Not just print things into the extender console). I read something about some...
Can I Dynamically Proxy a Https Request in Burp Extension?
I am writing a random ip proxy extension to handle the problem of blocking ip when exceeding target's request rate limit. But I found the setHttpService doesn't work when the request is https. What can I do...
CO2 extension
Hello, may I know whether it is free to install the co2 extension in burp suite professional? thanks
Headless burp authenticated scans
How can I perform an authenticated scan using headless burp?
Add Custom Headers stopped to work.
Hi Guys! Any changes in Add Custom Headers extension? It stopped to work on Linux/Windows/1.7 and 2.X Burp versions. (:
Trouble integrating requests python library and jython
I'm currently building a burp extension using Jython. At one point I basically get URLs from the proxy Tab and make an additional request with that url+someEndpoint with the Python Requests library. The...
Old version of AutoRepeater in the BApp store
Hello, extension AutoRepeater is available in the BApp store as version 1.0 from April, 4th 2018. The latest commit from the original repository https://github.com/nccgroup/AutoRepeater was on July...
Burp Suite Automation
Hi All We are trying to automate to test various vulnerabilities like xpath injection,sql injection, Cross-site scripting etc. We have referred the following link...
Send to decoder programmatically from extensions
There are methods in IBurpExtenderCallbacks for sending data to - repeater, - intruder, - comparer, and - spider. Why isn't there one for decoder? When writing a custom message editor with a custom...
Scan Configuration
I am building an extension that calls doActiveScan and doPassiveScan. Is there a way to specify the scanner configuration. Currently tasks are created and there is a default scanner configuration used...
Burp Extension for Intruder Payload with multiple payload lists
Hi, I am working on creating a extension for burp suite where a user can choose from a list of payload lists [one list for angular payloads, one list for react payload] according to the framework of...
XML tab "Reparse" Programmatically
Hi, I would like to know how the "Reparse" button in the request/response "XML" tab reformats XML documents programmatically via Java. Specifically, I am wondering what library(s) are used for this. I...
Extensions are not loading with Burp defaults
Hi Team, I always use Burp defaults option for configurations while opening/creating projects. I have a few extensions installed such as Retire.js, TokenJar, Active Scan++, etc. What my issue is that...
Extension load error code
os win 7 java.lang.ExceptionInInitializerError at org.python.util.PythonInterpreter.(PythonInterpreter.java:100) at org.python.util.PythonInterpreter.(PythonInterpreter.java:94) at...
Pause scanner from extension
Is there any API to pause the scanner from an extension? For example, let's say you are scanning an API with a rate limiter, and your extension can detect that you are getting close to the limit, can...
Get All URLs from a Website
Hello, I am currently writing a burp Extension. I need to get all URLs from the Website before the active Scan. How can I do this? Thanks
Failed to update Bapp List
Hi, My burp store list fails to be updated. I am using my employer's proxy settings and it may create some conflicts OR block some traffic. Do you have any work around this problem? Do you know how I...
Outdated extensions and open pull requests
Hello, some extensions (like "Add Custom Header") don't have their latest version available in the BAppStore, and that lasts for a few months (and I hate having to maintain private versions) First, I...
Custom Extension for Whitelisting
Burp Suite Pro v1.7.23 Is it possible to skip a certain link/URL for specific checks (e.g. CSRF, SQL Injection) during a scan, while remaining them ticked in Scanner Options? So for better...
Jython - ImportError: No module named expatreader
Hi, I would like to use defusedxml package. I am using Jython 2.7.1 standalone and I created virtual python env where I installed defusedxml. I set up in Burp extender "folder for loading modules" to -...
Can't Add a Extension to be Executed by session handling rule for checking...
Hi, First off just wanted to say that you guys have been doing a great job with Burp, it pretty much covers 85 - 95% of my daily web app pentesting needs with the core functionalities. So my problem is...
Additional Scanner Checks - Does it report HTTP 404 & 403 pages?
Hi, I am wondering if the Burp Extension - Additional Scanner Checks reports missing HTTP headers for HTTP 404 & 403 pages?