Sunday, 22 April 2012

Basics of Burp Extender (Part 2)

In the first part of Basics of Burp Extender, we created a sample Burp extender that drops all HTTP requests to "". There we implemented the processProxyMessage method of the IBurpExtender interface.

In this part, we will implement the processHttpMessage and registerExtenderCallbacks methods of the IBurpExtender interface. The end goal of this sample is: "Intercept the HTTP message, check whether its URL is in the target scope, add it to the target scope if it is not, and passively scan the response."

/*
 * A simple burp extender to intercept the request,
 * add it to the target scope and scan passively.
 */
package burp;

import java.net.URL;

public class BurpExtender {
     public IBurpExtenderCallbacks mycallbacks;

     // This method is invoked whenever any of Burp's tools (toolName identifies which one) makes an HTTP request
     // or receives a response; processProxyMessage from part 1 is the Proxy-only special case of it.
     public void processHttpMessage(java.lang.String toolName,
                                    boolean messageIsRequest,
                                    IHttpRequestResponse messageInfo) {
          // Calls into IBurpExtenderCallbacks must be wrapped in a try/catch block, as its methods throw java.lang.Exception
          try {
               URL url = messageInfo.getUrl(); // Get the URL of the intercepted request
               if (!mycallbacks.isInScope(url)) { // Check whether it is in scope or not
                    mycallbacks.includeInScope(url); // Add the target URL to scope
               }
               // Passively scan the target URL. A passive scan needs the response, so only
               // do it once the response has arrived (messageIsRequest == false).
               if (!messageIsRequest) {
                    mycallbacks.doPassiveScan(messageInfo.getHost(), messageInfo.getPort(),
                              "https".equalsIgnoreCase(messageInfo.getProtocol()),
                              messageInfo.getRequest(), messageInfo.getResponse());
               }
          } catch (Exception e) {
               e.printStackTrace(); // Report the failure rather than swallowing it silently
          }
     }

     /* This method is invoked at startup. It is needed if you are calling any method of the IBurpExtenderCallbacks interface.
        In this example, we use three such methods: isInScope, includeInScope and doPassiveScan. */
     public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
          mycallbacks = callbacks;
     }
}

This was a rather simple example. Note what it does as written: every URL seen by any Burp tool is added to the target scope and every response is passively scanned, so third-party hosts your browser happens to touch would be pulled into scope too. In practice you would restrict it by toolName or by an allow-list of hosts. In the next part we will implement the newScanIssue method of the IBurpExtender interface and a few other things (I am not sure what other things yet ;-) )
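The following hardened variant is an added example, not code from the original post. It applies the restriction just mentioned: it only acts on messages from the Proxy tool, only adds hosts from a constructed allow-list to the target scope, and hands each URL to the passive scanner once, when its response arrives. It assumes the same legacy Burp Extender API used above (IBurpExtenderCallbacks.isInScope, includeInScope and doPassiveScan, and the IHttpRequestResponse getters) and that Burp reports the Proxy tool with toolName "proxy"; the allow-listed hosts example.com and www.example.com are placeholders.

```java
package burp;

import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/*
 * Hardened variant (added example, not the original post's code):
 * scope only allow-listed hosts seen by the Proxy tool, and passively
 * scan each URL once, when its response arrives.
 * Assumes the legacy IBurpExtender / IBurpExtenderCallbacks API.
 */
public class BurpExtender {
    private IBurpExtenderCallbacks mycallbacks;

    // Constructed allow-list (placeholder hosts): only these may be added to scope.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("example.com", "www.example.com"));

    // URLs already handed to the passive scanner, so each one is scanned only once.
    // Burp may call processHttpMessage from several threads, hence the synchronized set.
    private final Set<String> scanned = Collections.synchronizedSet(new HashSet<String>());

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        mycallbacks = callbacks;
    }

    public void processHttpMessage(String toolName,
                                   boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only react to traffic the browser sends through the Proxy tool
        // (assumes Burp names it "proxy"); ignore Spider, Scanner, Repeater, etc.
        if (!"proxy".equalsIgnoreCase(toolName)) {
            return;
        }
        // A passive scan needs the response, so wait for it.
        if (messageIsRequest) {
            return;
        }
        try {
            URL url = messageInfo.getUrl();
            String host = url.getHost().toLowerCase();
            if (!ALLOWED_HOSTS.contains(host)) {
                return; // never pull a third-party host into scope
            }
            if (!mycallbacks.isInScope(url)) {
                mycallbacks.includeInScope(url);
            }
            // Set.add returns false if the URL was already present, i.e. already scanned.
            if (scanned.add(url.toString())) {
                mycallbacks.doPassiveScan(messageInfo.getHost(), messageInfo.getPort(),
                        "https".equalsIgnoreCase(messageInfo.getProtocol()),
                        messageInfo.getRequest(), messageInfo.getResponse());
            }
        } catch (Exception e) {
            e.printStackTrace(); // the legacy callbacks declare throws Exception
        }
    }
}
```

Keying the de-duplication on the full URL string means two requests that differ only in query parameters are both scanned, which is usually what you want for passive checks; key on path alone if that produces too much noise.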
