PortSwigger / burp-extensions-montoya-api

Burp Extensions Api

HttpHandler.handleRequestToBeSent while Auditing and Crawling #63

Closed 423locked closed 1 year ago

423locked commented 1 year ago

Hi! I'm attempting to intercept HTTP requests from the audit and crawl tools via HttpHandler.handleRequestToBeSent, but the handlers do not seem to be called.

I register the HTTP handler in burpExtender with api.http().registerHttpHandler(new MyHttpHandler(api));

None of the logs inside the handlers worked, sadly. Only the log telling that the handler was actually set has worked. Could you please point out what the possible problem is?

Hannah-PortSwigger commented 1 year ago

Hi

To clarify, you receive the output "i'm here" from your extension?

It looks like you're trying to add an additional header to your outgoing HTTP request.

You would need to do this in the following way:

@Override
public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent requestToBeSent)
{
    HttpRequest newRequest = requestToBeSent.withAddedHeader("Name", "Value");

    return RequestToBeSentAction.continueWith(newRequest);
}

423locked commented 1 year ago

Hey, thanks for the correction of withAddedHeader, but the problem is that the extension actually does not output the "im here" log message, and thus the whole requestToBeSent handler does not run.

Hannah-PortSwigger commented 1 year ago

Just to verify, you find that the "I'm here" message does not get called, even when traffic is passing through Burp (for example, sending a request in Repeater). The methods in the HttpHandler won't trigger unless there is traffic for them to act upon.

Are you able to provide a link to your code, or share some further examples, please?

Have you checked out any of our example extensions? You can find these here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples

The example extensions are a good starting point on which to build more complex extensions. Some useful ones for you would probably be the following:

423locked commented 1 year ago

> Just to verify, you find that the "I'm here" message does not get called, even when traffic is passing through Burp (for example, sending a request in Repeater).

I've just tested it - sent traffic in Repeater, but the extension did not output anything.

Thanks for the links, I've already looked through the example extensions though.

Hannah-PortSwigger commented 1 year ago

Could you drop us a link to your repo, so we can take a look at it? Alternatively, if you'd prefer to share your code via email, you can get in contact with us at support@portswigger.net.

Please be aware that our business hours are Monday to Friday 9am to 5pm UK time, so we won't be able to get back to you till after the weekend.

423locked commented 1 year ago

I can either make the handlers work and generate the report without waiting (it would be empty), or wait for the audit to finish, but the handlers won't work.
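
For reference, a minimal Montoya extension that registers an HttpHandler and logs which Burp tool produced each request, so it is visible in the extension output whether Repeater, audit or crawl traffic reaches the handler. This is an added example, not code from this thread or from PortSwigger; the class names, the extension name and the `X-Example-Tag` header are hypothetical, and it assumes audit traffic is reported as `ToolType.SCANNER`.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.handler.*;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.logging.Logging;

// Hypothetical entry point class; Burp instantiates it when the extension loads.
public class HandlerTraceExtension implements BurpExtension {
    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Handler trace (example)");
        // Keep the registration in initialize() so it stays active for the
        // lifetime of the extension, not only for one task.
        api.http().registerHttpHandler(new TraceHandler(api.logging()));
        api.logging().logToOutput("HTTP handler registered");
    }

    static class TraceHandler implements HttpHandler {
        private final Logging log;

        TraceHandler(Logging log) {
            this.log = log;
        }

        @Override
        public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent req) {
            // Log the originating tool for every request the handler sees.
            ToolType tool = req.toolSource().toolType();
            log.logToOutput("request  #" + req.messageId() + " [" + tool.toolName() + "] "
                    + req.method() + " " + req.url());
            // Assumption: audit requests are attributed to ToolType.SCANNER.
            if (req.toolSource().isFromTool(ToolType.SCANNER)) {
                // Requests are immutable: withAddedHeader returns a modified copy.
                HttpRequest tagged = req.withAddedHeader("X-Example-Tag", "scanner");
                return RequestToBeSentAction.continueWith(tagged);
            }
            return RequestToBeSentAction.continueWith(req);
        }

        @Override
        public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived resp) {
            log.logToOutput("response #" + resp.messageId() + " ["
                    + resp.toolSource().toolType().toolName() + "] " + resp.statusCode());
            return ResponseReceivedAction.continueWith(resp);
        }
    }
}
```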