Adding custom scan checks
Last updated: October 29, 2024
You can create and import custom scan checks using BChecks. Burp Scanner runs these checks in addition to its built-in scanning routine, helping you to target your scans and make your testing workflow as efficient as possible.
BChecks are listed in a table in the Extensions > BChecks tab. Click on any BCheck in the table to preview the definition.
The table contains the following columns:
- Enabled - Whether the BCheck is enabled. When you enable a BCheck, by default Burp Scanner will use it the next time you perform an audit. Note that you can't enable BChecks that contain errors; these are marked with a warning icon.
- Name - The name of the BCheck.
- Author - The name of the BCheck creator.
- Tags - Any tags that are applied to the BCheck.
Note
The Name, Author, and Tags columns are automatically populated from the BCheck definition. To modify these, edit the BCheck definition directly. For more information on editing BChecks definitions, see BCheck definition reference and BChecks worked examples.
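As an added illustration (not a BCheck shipped by PortSwigger or taken from this page), a minimal passive definition shows where the Name, Author, and Tags column values come from: the check reports any response that lacks a Strict-Transport-Security header, and the header name, author, tags, and issue text are placeholders chosen for the example.

```bcheck
metadata:
    language: v1-beta
    name: "Missing Strict-Transport-Security header"
    description: "Illustrative example added for this page; not a PortSwigger-provided check. Reports responses served without an HSTS header."
    author: "Example Author"
    tags: "headers", "passive", "example"

given response then
    if not({latest.response.headers} matches "Strict-Transport-Security") then
        report issue:
            severity: low
            confidence: certain
            detail: "The response does not set a Strict-Transport-Security header."
            remediation: "Send a Strict-Transport-Security header with an appropriate max-age on all HTTPS responses."
    end if
```

Saved as a plain-text file with the .bcheck extension and imported, this definition appears in the table as "Missing Strict-Transport-Security header" by "Example Author" with the tags headers, passive, and example; because it uses `given response then` it runs as a passive check.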
Managing BChecks
You can perform the following actions on your BChecks:
- To enable or disable a BCheck, use the checkbox in the Enabled column.
- To create a new BCheck, click New. For more information, see Creating BChecks.
- To import BChecks from a folder or text file, click Import and select the relevant file. Files that you want to import should be in plain text format with the .bcheck extension.
- To export BChecks, click Export. For more information, see Exporting BChecks.
- To edit a BCheck definition, double-click the BCheck.
- To remove BChecks, select the BChecks that you want to delete, then click the delete icon.
- To copy BChecks, select the BChecks that you want to copy, then click the copy icon.
- To search in the BChecks table, click Search.
- To search within the BCheck definition, select the BCheck, then use the search bar below the definition preview. For more information on the quick search function, see Text editor - Quick search.
Note
You can also import and export BChecks as part of a project file. For more information, see Project files.
Testing BChecks
You can test your BChecks using the BS Code editor's built-in test function. When you run a test, Burp Scanner runs the BCheck on a group of pre-selected HTTP messages and reports the results.
Alternatively, you can test multiple BChecks at once by running a scan with the Audit checks - BChecks only built-in scan configuration selected. This scan uses your enabled checks only.
More information
Troubleshooting BChecks
If you're creating or editing a BCheck, you can use the BS Code Logger to help you troubleshoot any unexpected behavior:
- Go to Extensions > BChecks and select a BCheck.
- Click Edit. The BS Code window opens.
- To send a message from anywhere in Burp to the BChecks editor, right-click the message and select Send to BChecks editor.
- In the BS Code window, select the Logger tab and click Run test.
- Select a message to see the request and response.
Requests generated by BChecks may be modified by session handling rules or extensions. If the message doesn't look as you expected, try disabling session handling rules or extensions, and run the test again.
Managing BChecks for a specific scan
You can prevent Burp from using BChecks when scanning. To do this:
- Open an audit scan configuration and expand the Issues reported section.
- Select the Select individual issues option.
- Deselect BCheck generated issue.
You can also specify whether Burp should run BChecks for passive scans, active scans, or both. To do this:
- Open an audit scan configuration and expand the Issues reported section.
- Select the Select individual issues option.
- Right-click BCheck generated issue, then select Edit detection methods.
- Select Passive checks and Active checks as required.
Related pages
- Using custom scan configurations in Burp Suite Professional - For information on how to create a new audit scan configuration.
- Audit options - Issues reported.