Streamlining Security Assessments with BChecks

All of us security professionals use Burp Suite every day, whether as red teamers or blue teamers. Over time in the industry, we have all run into scenarios where we want to remember specific test cases for particular categories of issue. We take notes, jot down how to test and what to test, or sometimes wing it and rely on memory.

For the small (and sometimes big) things we might miss because of tight deadlines or memory lapses, BChecks offer an automated solution.

Enter BChecks: a scriptable and extensible security testing framework built into Burp Suite Professional, similar in spirit to how Nuclei allows customised vulnerability detection. These scripts let you tailor security tests to your specific needs, enabling targeted and effective vulnerability assessments.

Why Use BChecks?

  1. Automate Test Cases: Create BChecks to automate test cases that you've saved in your notes or want to remember for specific categories.

  2. Cover Edge Cases: Write BChecks for even the simplest things that you might miss during testing, like checking response headers or analyzing background JavaScript files.

  3. Efficient Resource Utilization: BChecks are lightweight and can run continuously as you accumulate requests in your proxy history, unlike memory-intensive extensions.

  4. Targeted Testing: For a particular request, you can write extensive BChecks to test all payloads and cases, similar to how Intruder functions.

  5. Iterative Refinement: Refine your BChecks by testing them on dummy requests until they report issues as intended.

How to use BChecks

  1. Navigating to BChecks:

    • Launch Burp Suite Professional and open the 'Extensions' tab. The fourth sub-tab, labeled 'BChecks', is where custom checks are managed.

  2. Creating or Importing BChecks:

    • Click 'New > Blank' to start writing a BCheck script from scratch. If you prefer a head start, download the BChecks repository, select 'Import', and choose the files you wish to load.

  3. Validating and Saving Your Scripts:

    • With your script ready, click 'Validate' to check its syntax. A green 'Errors: 0' is your cue to proceed. Click 'Save' to store the script.

  4. Seamless Background Operations:

    • With Burp Suite's Proxy active, browse the application as usual. BChecks run in the background, and any issues they detect are logged under the 'Target > Site Map' tab, marked as "Issue was generated by a BCheck", ready for review.

Creating a basic BCheck Script:

  • Define the Metadata: Start by defining basic information about your check.

    metadata:
        language: v1-beta
        name: "Insecure Login Check"
        description: "Detects if login pages are served over HTTP"
        author: "Your Name"

  • Set Up the Trigger Condition: Specify the trigger that runs the check once for each host. The logic you want to implement and the resulting actions go inside this block.

    given host then

  • Send a request and check the response: Send a request to the login page and check whether it was served over HTTP. If it was, report an issue.

    send request called login_page_check:
        method: "GET"
        path: "/login"

    if {login_page_check.response.url.protocol} is "http" then
        report issue:
            severity: medium
            confidence: certain
            detail: "Login page served over insecure HTTP."
            remediation: "Switch to HTTPS to secure the login page."
    end if

This script is a basic example, but it illustrates creating a BCheck – from defining the metadata to scripting the logic and reporting issues.

Following similar steps, you can develop a wide range of custom BChecks to enhance your security testing with Burp Suite Professional.

For more working examples demonstrating various use cases, visit Portswigger’s Worked Examples.

Writing Effective BChecks

Creating effective BChecks is a blend of technical expertise and strategic thinking. Here are some tips to get you started:

  1. Define Your Objective: Clearly understand the vulnerability or issue you want to target with your BCheck script.

  2. Keep It Simple: Start with simple checks and gradually build complexity. Avoid overcomplicating scripts from the outset.

  3. Test and Refine: Regularly test and refine your scripts to ensure they are effective and do not produce false positives.

  4. Stay Updated: Keep abreast of the latest security trends and update your scripts accordingly.

  5. Leverage Community Resources: Explore the BChecks GitHub repository for examples and inspiration from fellow security professionals.

A basic BCheck Example

A simple BCheck script that detects whether a website's login page is served over insecure HTTP:

metadata:
  language: v2-beta
  name: "Insecure Login Check"
  description: "Detects if login pages are served over HTTP"
  author: "Kaustubh"

given host then
  send request called login_page_check:
    method: "GET"
    path: "/login"

  if {login_page_check.response.url.protocol} is "http" then
    report issue and continue:
      severity: medium
      confidence: certain
      detail: "Login page served over insecure HTTP."
      remediation: "Switch to HTTPS to secure the login page."
  end if

This script showcases the basic structure of a BCheck, from defining metadata to scripting the logic and reporting issues.

Beyond the basics, BChecks allow for more intricate testing scenarios, such as:

  • Header Analysis: Report an issue if the response contains any headers that give information about the server software.

  • Regex for Data Patterns: Detect email addresses in responses.

  • Custom Requests: Check for exposed admin panels.

  • Detect blind XSS vulnerabilities.

  • Encode sensitive data before transmission using the built-in helper functions.

  • Possible API docs path detection.
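The "Header Analysis" scenario above, written out as a complete passive BCheck. This is an added example, not a script from the article or from PortSwigger's repository; the check name, tags, regex and issue text are the example's own choices, and it uses the v2-beta language like the login example above.

```bcheck
metadata:
    language: v2-beta
    name: "Server software disclosure"
    description: "Flags responses whose Server or X-Powered-By header exposes a product name and version"
    author: "added example"
    tags: "information-disclosure", "headers"

# A 'given response' check is passive: it inspects responses Burp already has
# and sends no requests of its own, so it is cheap to leave running.
given response then
    # (?i) makes the match case-insensitive; (?m) lets ^ anchor at the start of
    # each header line. Matches e.g. "Server: Apache/2.4" or "X-Powered-By: PHP/8.1".
    if {latest.response.headers} matches "(?im)^(server|x-powered-by): *[a-z-]+/[0-9]" then
        # 'and continue' keeps the check running for later responses instead of stopping at the first hit
        report issue and continue:
            severity: low
            confidence: firm
            detail: `A response header reveals the server software and version. Headers seen: {latest.response.headers}`
            remediation: "Remove or generalise the Server and X-Powered-By headers at the web server or reverse proxy."
    end if
```

Validate the script in the BChecks tab before saving; because it only matches headers that include a slash followed by a digit, a bare "Server: nginx" is deliberately not reported.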

Resources and Further Learning

In the ever-evolving cybersecurity landscape, BChecks represent a real advancement, enabling security professionals to conduct more targeted, effective, and comprehensive assessments.
