public interface ScanCheck
Extensions can implement this interface and then call
Scanner.registerScanCheck(ScanCheck)to register a custom Scanner check. When performing an audit, Burp will ask the check to perform an active or passive audit on the base request, and report any audit issues that are identified.
Method SummaryModifier and TypeMethodDescriptionThe Scanner invokes this method for each insertion point that is actively audited.The Scanner invokes this method when the custom Scan check has reported multiple issues for the same URL path.The Scanner invokes this method for each base request / response that is passively audited.
(HttpRequestResponse baseRequestResponse, AuditInsertionPoint auditInsertionPoint)The Scanner invokes this method for each insertion point that is actively audited. Extensions may issue HTTP requests as required to carry out an active audit, and should use the
AuditInsertionPointobject provided to build requests for particular payloads. Note: Scan checks should submit raw non-encoded payloads to insertion points, and the insertion point has responsibility for performing any data encoding that is necessary given the nature and location of the insertion point.
baseRequestResponse- The base
HttpRequestResponsethat should be actively audited.
AuditInsertionPointobject that can be queried to obtain details of the insertion point being tested, and can be used to build requests for particular payloads.
AuditResultobject with a list of
AuditIssueobjects, or an empty
AuditResultobject if no issues are identified.
passiveAuditThe Scanner invokes this method for each base request / response that is passively audited. Note: Extensions should only analyze the HTTP messages provided during a passive audit, and should not make any new HTTP requests of their own.
consolidateIssuesThe Scanner invokes this method when the custom Scan check has reported multiple issues for the same URL path. This can arise either because there are multiple distinct vulnerabilities, or because the same (or a similar) request has been scanned more than once. The custom check should determine whether the issues are duplicates. In most cases, where a check uses distinct issue names or descriptions for distinct issues, the consolidation process will simply be a matter of comparing these features for the two issues.