{"id":161180,"date":"2025-12-10T09:02:32","date_gmt":"2025-12-10T09:02:32","guid":{"rendered":"https:\/\/hnsecurity.it\/?p=161180"},"modified":"2025-12-10T09:02:32","modified_gmt":"2025-12-10T09:02:32","slug":"extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9\/","title":{"rendered":"Extending Burp Suite for fun and profit \u2013 The Montoya way \u2013 Part 9"},"content":{"rendered":"
    \n
  1. Setting up the environment + Hello World<\/a><\/li>\n
  2. Inspecting and tampering HTTP requests and responses<\/a><\/li>\n
  3. Inspecting and tampering WebSocket messages<\/a><\/li>\n
  4. Creating new tabs for processing HTTP requests and responses<\/a><\/li>\n
  5. Adding new functionalities to the context menu (accessible by right-clicking)<\/a><\/li>\n
  6. Adding new checks to Burp Suite Active and Passive Scanner<\/a><\/li>\n
  7. Using the Collaborator in Burp Suite plugins<\/a><\/li>\n
  8. BChecks – A quick way to extend Burp Suite Active and Passive Scanner<\/a><\/li>\n
  9. Custom scan checks – An improved quick way to extend Burp Suite Active and Passive Scanner<\/strong><\/li>\n
  10. … and much more!<\/li>\n<\/ol>\n

     <\/p>\n

    Hi there!<\/p>\n

    In the past three articles, we have seen how to extend Burp’s Active and Passive scanner<\/strong>, how to use the Collaborator<\/strong> and how to use BChecks<\/strong>, a recent feature that allows to add checks to the Active and Passive Scanner without developing dedicated extensions.<\/p>\n

    BChecks are a very quick way to extend Burp Scanner but they can be used only for a small subset of checks. As we saw in Part 8<\/a>, none of the checks implemented for the active scanner in Part 6<\/a> and Part 7<\/a> could be defined using BChecks. In the case of Part 6<\/a>, this is because BChecks currently do not allow to obtain the response time, and in the case of Part 7<\/a>, it is not possible to perform operations on byte arrays, which are necessary for constructing the payloads used in that particular extension.<\/p>\n

    Now, since version 2025.9.5 of Burp Suite, we can also extend Burp Suite Scanner without a dedicated extension with a Java-like language<\/strong>, in a similar way of what we do with Bambda<\/strong> filters present in many Burp Suite tools. This new functionality has been grouped with BChecks under the new “Custom scan checks” extension tab. <\/strong>With this new powerful option, we can create a custom scan check with almost all the functionalities we have in a standalone extension. Obviously, for complex scenarios, a full-blown external extension may be the best (or the only viable) option, but if our check is not too complex and does not require external libraries, custom scan checks are a great option (actually, in the Extender settings we can point Burp to a folder where it will look for Java libraries; I don’t think we can call them from custom scan checks, but to be honest I haven’t tried yet).<\/p>\n

    Custom scan checks can be created, enabled\/disabled, imported\/exported, deleted, etc. in the Extensions tab of Burp Suite, in the “Custom scan check” tab. This tab has replaced the old “BChecks” tab, because now you can create both Java-like scan checks and YAML-like BChecks.<\/p>\n

    \"\"<\/p>\n

    The development environment is the same we saw in the BChecks article<\/a>. We have a full development environment that can be used to develop, test, and try the custom scan checks. We have tools to develop the code<\/strong>, check if syntax is correct,<\/strong> test on sample requests\/responses<\/strong>, a dedicated Logger, Issue activity, and Event log tabs. <\/strong>Refer to Part 8<\/a>\u00a0for a full description of the development environment.<\/p>\n

    \"\"<\/p>\n

    We can create the following types of Java-like custom scan checks:<\/p>\n