You can test custom scan checks to confirm that they work as expected. There are two ways to do this:
Use the built-in test function - When creating or editing a check, run it against selected HTTP messages directly in the editor.
Run a test scan - Configure Burp Scanner to run a scan that includes only the custom scan checks you enable.
You can test your custom scan checks directly in the Custom scan checks editor. When you run a test, Burp Scanner applies the scan check to pre-selected HTTP messages and reports the results.
To test a custom scan check:
Go to Extensions > Custom scan checks.
Click New or Edit to open the Custom scan checks editor.
From anywhere in Burp, select the HTTP messages you want to test.
Right-click and select Send to Custom scan checks editor.
Go to the Custom scan checks editor and make sure the Scan check tab is selected.
In the Select custom scan check test cases panel, use the checkboxes to select the specific messages to use in your test.
Click Run test. Burp Scanner runs the custom scan check against the selected test cases.
The bottom panel of the editor displays the number of requests sent, issues raised, and errors found. It also displays the following tabs:
Audit items - Lists the individual HTTP requests that the check identified as audit items.
Issues - Lists all security vulnerabilities that the check finds.
Event log - Lists key events that occur while the task is running.
Logger - Lists all HTTP traffic generated by the task.
For more information on reviewing scans, see Viewing scan results.
To stop a running test, click Cancel test.
From the Select custom scan check test cases panel, you can perform the following actions on your test case messages:
Enable or disable - Use the checkbox to include or exclude a test case.
Duplicate - Right-click test cases in the table and select Duplicate.
Remove - Right-click test cases in the table and select Remove.
Edit - Select the test case you want to edit, then modify the content in the Request and Response tabs. Re-run any tests to see the impact of your changes.
To hide the Select custom scan check test cases panel, click the Test cases tab in the sidebar.
To test more than one custom scan checks at a time you can configure Burp Scanner to run a scan that only uses your custom scan checks:
In the scan launcher, go to the Scan configuration tab.
From the dropdown, select the type of scan configuration you want to use.
Under Audit configuration, click Scan checks.
In the settings panel, go to the Built-in tab and toggle the top checkbox to disable all the built-in scan checks.
Go to the Extensions tab and toggle Enabled to disable all the extension-provided scan checks.
Go to the Custom tab and use the checkboxes to disable or enable specific custom scan checks.
Burp Scanner will only include the enabled custom scan checks when auditing.