PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

[FEATURE] Add support to send requests to different hosts #177

Open slicingmelon opened 5 months ago

slicingmelon commented 5 months ago

What is the problem you are trying to solve?

Add support to send requests to different target URLs. This could be done by adding support to set the target host on the request that is going to be sent.

How are you currently being hindered by this problem?

So given the following bchecks code:

metadata:
    language: v2-beta
    name: "cool name here"
    description: "cool description"
    author: "pedro"
    tags: "cooltag"

given path then
    send request called check:
        method: "POST"
        path: "/my_awesome_endpoint"
        replacing headers:
            "Host": "myawesomehost",
            "Content-Type": "application/x-www-form-urlencoded"
        replacing body:
            `data={base64_encode({base.response.body})}`

    if {check.response.status_code} is "200" then
        report issue and continue:
            severity: high
            confidence: tentative
            detail: "bla bla detail"
            remediation: "delete"
    end if

So even though I am setting the Host header, the request is still being sent to the original hostname, with my custom Host header set. It would be great if we could send requests to different hosts, to be able to develop more complex bchecks templates.

Thank you!
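The behaviour described in the report, illustrated with an added Python script that is not part of the issue thread or the BChecks project: two local HTTP servers stand in for the scan target and for the "other" host, and the client sends the same POST (path, body and Host header modelled on the BCheck above, with constructed sample values) to each. The recorded log shows that the destination is fixed by the connection, while the replaced Host header travels along unchanged.

```python
"""Show that replacing the Host header does not change where a request is sent."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _make_handler(log, name):
    """Build a handler that records (server name, Host header, path, body)."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length)
            log.append((name, self.headers.get("Host"), self.path, body))
            self.send_response(200)
            self.end_headers()

        def log_message(self, *args):  # keep the console quiet
            pass
    return Handler


def start_server(log, name):
    """Start a throwaway HTTP server on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(log, name))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_check(port, host_header, base_body):
    """Mimic the BCheck: POST data=base64(base body) with a replaced Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    body = "data=" + base64.b64encode(base_body).decode()
    conn.request("POST", "/my_awesome_endpoint", body=body, headers={
        "Host": host_header,  # header only; the TCP destination is (127.0.0.1, port)
        "Content-Type": "application/x-www-form-urlencoded"})
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    log = []
    original = start_server(log, "original")  # the host being scanned
    other = start_server(log, "other")        # the host the BCheck tried to reach
    sample_base = b"<html>constructed base response</html>"
    send_check(original.server_port, "myawesomehost", sample_base)  # lands on "original"
    send_check(other.server_port, "myawesomehost", sample_base)     # only a new connection target reaches "other"
    original.shutdown()
    other.shutdown()
    return [(who, host, path) for who, host, path, _ in log]
```

Only the second call reaches the other server, because the connection target changed; the Host header alone had no effect on routing.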

Hannah-PortSwigger commented 4 months ago

Hi

Could you provide some more information on why you would like to send requests to different hosts at the point of the scan check?

Once you get to this point in the Scanner, the scope of the item you are scanning is quite narrow. Generally speaking, you shouldn't be making requests to different targets at this point.

slicingmelon commented 4 months ago

Hello,

One scenario would be in a microservices-based environment, you might need to send a request to a different host to fetch a token, and then use it in a subsequent request. Another example, I would like to communicate with a different host/API, to confirm the validity of a potential secret leaked in the response.

Hannah-PortSwigger commented 4 months ago

Hi

Thanks for that information.

Your BCheck should not be handling authentication. Instead, this should be done on a wider level. For example, by providing application logins as part of your scan configuration or using session handling rules.

Confirming the validity of a secret may be better suited to manual confirmation or performed separately from a scan. If you prefer, you could write an extension for this functionality instead. If you'd like to find out more about writing extensions, you can check out our documentation here.