Professional

Testing BChecks

  • Last updated: October 29, 2024

  • Read time: 3 Minutes

You can test your BChecks using the BS Code editor's built-in test function. This enables you to confirm whether your checks are working as expected.

BCheck tests use pre-selected requests and responses as test cases. When you run a test, Burp Scanner runs the BCheck on the selected HTTP messages and reports the results.

Running a BCheck test

To test a BCheck:

  1. Click Extensions > BChecks to open the BChecks editor.

  2. Select the HTTP messages that you want to use as test cases. You can select messages from anywhere that they are displayed in Burp. To select a message, either:

    • Right-click the message and click Send to BChecks editor. This option is only available if you have previously opened the BChecks editor in the current session.
    • Select the message and press the Send to BChecks editor hotkey, if configured. For more information on configuring hotkeys, see Hotkey settings.
  3. In the BChecks editor, open the BCheck you want to test:

    • To create and test a BCheck, follow the process described in Creating BChecks up to the point that your check passes validation.
    • To test an existing BCheck, select it from the list.
  4. Make sure that the BS Code tab is selected. Note that the HTTP test cases you sent to the BChecks editor are displayed in the Select BCheck test cases panel.

  5. If required, use the checkboxes to select specific messages to use in this test.

  6. Click Run test. Burp Scanner runs the BCheck against the selected test cases. Note that the test does not run if there are validation errors in the BCheck definition.

  7. Review the results of the test. The editor displays the number of requests sent, issue raised, and errors found on the bottom panel. It also displays the following tabs, which work in the same way as when viewing ordinary scan results:

    • Audit items
    • Issues
    • Event log
    • Logger

    For more information on reviewing scans, see Viewing scan results.

Note

To stop a running test, click Cancel test.

Managing BCheck test cases

You can enable, disable, duplicate, and remove your selected test case messages using the right-click context menu on the Select BCheck text cases panel.

You can edit the content of the messages using the Request and Response tabs. You need to re-run any tests to see the impact of these changes.

If required, you can hide the Select BCheck text cases panel by clicking the Test cases tab in the sidebar.

Configuring test scans

You can also test BChecks by configuring Burp Scanner to only use your active checks when scanning. This enables you to test and debug your entire collection of BChecks at once, rather than testing them one at a time. To do this, run a scan with the Audit checks - BChecks only built-in scan configuration.

Alternatively, you can create a custom scan configuration that uses BChecks only. To do this:

  1. Open an audit scan configuration and expand the Issues reported section.

  2. Select Select individual issues.

  3. Deselect all issues, except for BCheck generated issue.

Was this article helpful?