Adding custom scan checks
You can create and import custom scan checks using BChecks. Burp Scanner runs these checks in addition to its built-in scanning routine, helping you to target your scans and make your testing workflow as efficient as possible.
BChecks are listed in a table in the Extensions > BChecks tab. Click on any BCheck in the table to preview the definition.
The table contains the following columns:
-
Enabled - Whether the BCheck is enabled. When you enable a BCheck, by default Burp Scanner will use it when you next perform an audit. Note that you can't enable BChecks that contain errors. These are identified by a warning icon .
-
Name - The name of the BCheck.
-
Author - The name of BCheck creator.
-
Tags - Any tags that are applied to the BCheck.
Note
The Name, Author, and Tags columns are automatically populated from the BCheck definition. To modify these, edit the BCheck definition directly. For more information on editing BChecks definitions, see BCheck definition reference and BChecks worked examples.
Managing BChecks
You can perform the following actions on your BChecks:
-
To enable or disable a BCheck, use the checkbox in the Enabled column.
-
To create a new BCheck, click New. For more information, see Creating BChecks.
-
To import BChecks from a folder or text file, click Import and select the relevant file. Files that you want to import should be in plain text format with the
.bcheck extension.
-
To edit a BCheck definition, double-click the BCheck.
-
To remove BChecks, select the BChecks that you want to delete, then click .
-
To copy BChecks, select the BChecks that you want to copy, then click .
-
To search in the BChecks table, click Search.
-
To search within the BCheck definition, select the BCheck, then use the search bar below the definition preview. For more information on the quick search function, see Text editor - Quick search.
Note
You can also import and export BChecks as part of a project file. For more information, see Project files.
Testing BChecks
To test and debug your BChecks, you can configure Burp Scanner to only use BChecks when scanning. To do this, run a scan with the Audit checks - BChecks only built-in scan configuration.
Alternatively, you can create your own custom configuration that uses only BChecks. To do this:
-
Open an audit scan configuration and expand the Issues reported section.
-
Select Select individual issues.
-
Deselect all issues, except for BCheck generated issue.
Managing BChecks for a specific scan
You can prevent Burp from using BChecks when scanning. To do this:
-
Open an audit scan configuration and expand the Issues reported section.
-
Select Select individual issues.
-
Deselect BCheck generated issue.
You can also specify whether Burp should run BChecks for passive scans, active scans, or both. To do this:
-
Open an audit scan configuration and expand the Issues reported section.
-
Select Select individual issues.
-
Right-click BCheck generated issue, then select Edit detection methods.
-
Select Passive checks and Active checks as required.