Professional

Adding custom scan checks

• Last updated: March 21, 2024

• Read time: 3 Minutes

You can create and import custom scan checks using BChecks. Burp Scanner runs these checks in addition to its built-in scanning routine, helping you to target your scans and make your testing workflow as efficient as possible.

BChecks are listed in a table in the Extensions > BChecks tab. Click on any BCheck in the table to preview the definition.

The table contains the following columns:

• Enabled - Whether the BCheck is enabled. When you enable a BCheck, by default Burp Scanner will use it when you next perform an audit. Note that you can't enable BChecks that contain errors. These are identified by a warning icon .
• Name - The name of the BCheck.
• Author - The name of BCheck creator.
• Tags - Any tags that are applied to the BCheck.

Managing BChecks

You can perform the following actions on your BChecks:

• To enable or disable a BCheck, use the checkbox in the Enabled column.
• To create a new BCheck, click New. For more information, see Creating BChecks.
• To import BChecks from a folder or text file, click Import and select the relevant file. Files that you want to import should be in plain text format with the .bcheck extension.
• To export BChecks, click Export . For more information, see Exporting BChecks.
• To edit a BCheck definition, double-click the BCheck.
• To remove BChecks, select the BChecks that you want to delete, then click .
• To copy BChecks, select the BChecks that you want to copy, then click .
• To search in the BChecks table, click Search.
• To search within the BCheck definition, select the BCheck, then use the search bar below the definition preview. For more information on the quick search function, see Text editor - Quick search.

Testing BChecks

You can test your BChecks using the BS Code editor's built-in test function. When you run a test, Burp Scanner runs the BCheck on a group of pre-selected HTTP messages and reports the results.

Alternatively, you can test multiple BChecks at once by running a scan with the Audit checks - BChecks only built-in scan configuration selected. This scan uses your enabled checks only.

Troubleshooting BChecks

If you're creating or editing a BCheck, you can use the BS Code Logger to help you to troubleshoot any unexpected behaviors:

1. Go to Extensions > BChecks and select a BCheck.

2. Click Edit. The BS Code window opens.

3. To send a message from anywhere in Burp to the BChecks editor, right-click the message and select Send to BChecks editor.

4. In the BS Code window, select the Logger tab and click Run test.

5. Select a message to see the request and response.

Requests generated by BChecks may be modified by session handling rules or extensions. If the message doesn't look as you expected, try disabling session handling rules or extensions, and run the test again.

Managing BChecks for a specific scan

You can prevent Burp from using BChecks when scanning. To do this:

1. Open an audit scan configuration and expand the Issues reported section.
2. Select Select individual issues.
3. Deselect BCheck generated issue.

You can also specify whether Burp should run BChecks for passive scans, active scans, or both. To do this:

1. Open an audit scan configuration and expand the Issues reported section.
2. Select Select individual issues.
3. Right-click BCheck generated issue, then select Edit detection methods.
4. Select Passive checks and Active checks as required.