Extending Burp with
Python
Defeating web application idiosyncrasies
with common-sense, Python and minimal
knowledge of Java GUIs
What is Burp?
Purpose of this Talk
• Quick tour of Burp APIs, with examples to show what can be achieved
• Demonstrate that web app assessment hurdles can be overcome with minimal coding effort
Why would you need a custom extension?
1. Decode custom encoding/serialization
2. Handle anti-tamper or signed requests
3. Provide a new “view” into an application
4. Automate a manual task with a new scanner check
Setup to run a Python Burp extension
1. Download the Jython standalone binary
2. Tell Burp where to find Jython
3. Load a Python extension
Path to Jython binary goes here
The helloworld of Burp extensions
from burp import IBurpExtender

class BurpExtender(IBurpExtender):
    # required
    def registerExtenderCallbacks(self, callbacks):
        # set our extension name
        callbacks.setExtensionName("Hello world extension")
        # write a message to the Burp alerts tab
        callbacks.issueAlert("Hello alerts")
Just writes “Hello alerts” out to the Alerts tab
1. Problem: Unsupported encoding
Application uses an encoding not understood
by Burp
Examples:
Serialised Java, SAP’s weird URLenc variant, SAML, Websphere Portlet
Burp APIs: IMessageEditorTab to display
decoded content
Solution: new encoder/decoder
1. Tell Burp about your new message editor tab
from burp import IMessageEditorTab

class CustomDecoderTab(IMessageEditorTab):
    def __init__(self, extender, controller, editable):
        ...
    def getTabCaption(self):
        return "Custom Decoder"
Solution: new encoder/decoder
2. Use setMessage to display the decoded content
import xml.dom.minidom

    def setMessage(self, content, isRequest):
        ...
        # 'path' and 'response' come from the decoding step omitted here
        if '!ut' in path:
            # actual decoding magic omitted
            content = response.read()
            content = xml.dom.minidom.parseString(content).toprettyxml()
        if content:
            self._txtInput.setText(content)
        self._currentMessage = content
Websphere portlet state decoder
Source: https://github.com/faffi/WebSphere-Portlet-State-Decoder
Encoded content on URL
Gets decoded in new tab
2. Problem: Signed requests
Application requires a signature that's generated client-side.
Examples:
1. Seen in thick client apps as an anti-tamper mechanism
2. AWS API calls are signed for authentication
http://rajasaur.blogspot.co.nz/2009/10/hmac-sha-signatures-using-python-for.html
Burp API: processHttpMessage allows us to rewrite traffic
Solution: automate request signing
1. Catch an outbound request
from burp import IBurpExtender, IHttpListener

    # inside BurpExtender, which must also implement IHttpListener and
    # register itself with callbacks.registerHttpListener(self);
    # this function catches requests and responses
    def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest):
        # only process requests
        if not messageIsRequest:
            return
        ...
Solution: automate request signing
2. Grab the request body and headers
        # requestInfo object allows us to easily split body and headers
        requestInfo = self._helpers.analyzeRequest(currentRequest)
        bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():]
        bodyStr = self._helpers.bytesToString(bodyBytes)
        headers = requestInfo.getHeaders()
        newHeaders = list(headers)  # it's a Java ArrayList; get a Python list
Solution: automate request signing
3. Append signature as HTTP Header
import hmac, hashlib, base64  # needed at the top of the extension

        # Do custom signing shenanigans
        secret = "SuperSecret123"
        h = hmac.new(secret, bodyStr, hashlib.sha256)
        newHeaders.append("Authorization: " + base64.b64encode(h.digest()))
Solution: automate request signing
4. Create and send request
        newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr)
        currentRequest.setRequest(newMessage)
Here’s the new Authorization header being sent out
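The four signing steps above, collected into one runnable Python 3 script (an added example, not code from the slides). The header layout, "Authorization: <base64 of HMAC-SHA256 over the body>", and the demo secret are the deck's; verify_signature() is an assumed receiver-side counterpart added to show the round trip, and the sample request is constructed. Jython 2.7 let hmac.new() take str, Python 3 wants bytes, so the encode step is the one thing to keep in mind when porting.

```python
# Added example (not from the slides): the deck's request-signing flow as
# plain Python 3, runnable outside Burp. verify_signature() is an assumed
# server-side check; SAMPLE_HEADERS/SAMPLE_BODY are constructed.
import base64
import hashlib
import hmac

SECRET = "SuperSecret123"   # the deck's demo secret (a constructed value)


def sign_body(body, secret=SECRET):
    """Return the Authorization header value for `body` (str or bytes)."""
    if isinstance(body, str):
        body = body.encode("utf-8")   # Python 3 hmac wants bytes; Jython 2.7 accepted str
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(headers, body, secret=SECRET):
    """Mirror the deck: copy the header list and append a fresh signature.
    Any Authorization header already present (e.g. a request re-sent from
    Repeater) is dropped first so the list never carries a stale one."""
    new_headers = [h for h in headers if not h.lower().startswith("authorization:")]
    new_headers.append("Authorization: " + sign_body(body, secret))
    return new_headers


def verify_signature(headers, body, secret=SECRET):
    """Assumed receiver-side check: recompute and compare in constant time."""
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "authorization":
            return hmac.compare_digest(value.strip(), sign_body(body, secret))
    return False


# Constructed sample request, split the way analyzeRequest() would split it
SAMPLE_HEADERS = [
    "POST /api/transfer HTTP/1.1",
    "Host: app.example.test",
    "Content-Type: application/json",
]
SAMPLE_BODY = '{"to":"acct-42","amount":100}'

if __name__ == "__main__":
    signed = sign_request(SAMPLE_HEADERS, SAMPLE_BODY)
    print("\n".join(signed))
    print("verifies:", verify_signature(signed, SAMPLE_BODY))
    print("tampered:", verify_signature(signed, SAMPLE_BODY.replace("100", "999")))
```

Because the signature covers only the body, a receiver using this scheme cannot detect changes to the path or headers; that is exactly why the deck's processHttpMessage hook works for every tool in Burp once the body is re-signed.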
3. Problem: Big apps, lotsa headers
Large applications may emit different headers from various locations within the app.
Headers can reveal useful info, e.g. a reverse proxy may hand off from backend A to backend B.
Burp APIs: processHTTPMessage and ITab to
display result
Solution: View of unique headers
Keep track of unique headers, filter out uninteresting headers.
        # insert an entry if the header is 'interesting'
        if header_name.lower() not in boring_headers:
            # and we haven't seen this name/value pair before, log it
            if header not in self.headers_seen:
                self.headers_seen.append(header)
                self._log.add(LogEntry(header, …, …))
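The tracking logic above, as a stand-alone Python 3 class you can run without Burp (an added example, not the deck's code). boring_headers and headers_seen follow the slide; recording the first URL that emitted each header and the values_for() query are additions so that a backend hand-off can be spotted directly. The responses are constructed.

```python
# Added example (not from the slides): the "unique headers" tracking logic
# in plain Python 3. The URL tracking and values_for() are additions;
# SAMPLE_RESPONSES is constructed traffic from one app behind a proxy.

BORING_HEADERS = {
    "date", "content-length", "content-type", "connection",
    "cache-control", "expires", "pragma", "etag", "last-modified",
}


class HeaderTracker:
    """Collect each distinct 'Name: value' header once, remembering the
    first URL that emitted it."""

    def __init__(self, boring_headers=BORING_HEADERS):
        self.boring_headers = {b.lower() for b in boring_headers}
        self.headers_seen = []     # ordered list of "Name: value" strings
        self.first_seen_at = {}    # "Name: value" -> URL

    def process_response(self, url, header_lines):
        """header_lines is shaped like IResponseInfo.getHeaders(): the
        status line followed by raw 'Name: value' lines. Returns the
        headers that were new in this response."""
        new = []
        for header in header_lines[1:]:            # skip "HTTP/1.1 200 OK"
            header_name, sep, value = header.partition(":")
            if not sep:
                continue                            # malformed line, ignore
            header_name = header_name.strip()
            header = header_name + ": " + value.strip()   # normalise spacing
            if header_name.lower() in self.boring_headers:
                continue
            if header not in self.headers_seen:
                self.headers_seen.append(header)
                self.first_seen_at[header] = url
                new.append(header)
        return new

    def values_for(self, name):
        """Distinct values seen for one header name, in order of first
        appearance; two Server values means two backends answered."""
        prefix = name.lower() + ":"
        return [h.split(":", 1)[1].strip() for h in self.headers_seen
                if h.lower().startswith(prefix)]


# Constructed sample traffic: the same app answering from two backends
SAMPLE_RESPONSES = [
    ("https://app.example.test/", [
        "HTTP/1.1 200 OK", "Date: Mon, 01 Jan 2024 00:00:00 GMT",
        "Server: nginx/1.18", "X-Backend: app-a", "Content-Type: text/html"]),
    ("https://app.example.test/login", [
        "HTTP/1.1 200 OK", "Server: nginx/1.18", "X-Backend: app-a",
        "Set-Cookie: session=abc; HttpOnly"]),
    ("https://app.example.test/admin/", [
        "HTTP/1.1 302 Found", "Server: Apache-Coyote/1.1", "X-Backend: app-b",
        "Location: /login"]),
]


def run_sample(responses=SAMPLE_RESPONSES):
    tracker = HeaderTracker()
    for url, lines in responses:
        tracker.process_response(url, lines)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for h in t.headers_seen:
        print(h, "  <- first seen at", t.first_seen_at[h])
```

One caveat for a real deployment: headers whose value changes on every response (Set-Cookie with a fresh session id, request ids, Date) will flood the list, so either add them to the boring set or normalise the value before comparing.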
Solution: View of unique headers
Create a new tab and display the collected headers in it.
    # Give the new tab a name
    def getTabCaption(self):
        return "Response Headers"

    # This adds all the Java UI unpleasantness
    def getUiComponent(self):
        return self._splitpane
Solution: View of unique headers
List of unique headers
displayed in new
“Response Headers” tab
Clicking item in list shows
request/response
4. Problem: Automate a manual task
Locate and decode F5 cookies, display as a
passive scan result
Burp API: doPassiveScan to trigger check
code
Solution: create new check
1. doPassiveScan catches the request/response pair
    def doPassiveScan(self, baseRequestResponse):
        # Returns IResponseInfo
        analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse())
        analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse)
        # Get cookies from the IResponseInfo instance
        cookieList = analyzedResponse.getCookies()
Solution: create new check
2. Locate BIGIP cookies and decode them
        # Loop through the list of cookies
        for cookie in cookieList:
            cookieName = cookie.getName()
            # Look for BIGIP cookies
            if cookieName.lower().startswith("bigip"):
                f5CookieName = cookieName
                f5RawCookieValue = cookie.getValue()
                # Decode and check for RFC 1918 address
                f5info = decode(f5RawCookieValue)
Solution: create new check
3. Create an Issue class to return useful info
from burp import IScanIssue

class PassiveScanIssue(IScanIssue):
    ...
    def getIssueName(self):
        return "Encoded IP Address Discovered in F5 Cookie Value"
    ...
    def getIssueDetail(self):
        msg = "The URL <b>" + str(self.findingurl) + "</b> sets the F5 load balancer cookie <b>"
F5-BigIP Cookie Checker
Source: http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html
Internal IP address
retrieved from encoded
cookie
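The decode() call in step 2 and the issue of step 3, worked through as a stand-alone Python 3 script (an added example, not the deck's or the linked extension's code). It handles the classic unencrypted BIGipServer persistence value, "ip.port.0000" with the IP as a little-endian decimal and the port as a byte-swapped decimal, returns None for anything else (encrypted cookies, for instance), applies the RFC 1918 check, and emits a plain dict where the real extension returns an IScanIssue. Cookie names and values are constructed; the severity split is a design choice of this example.

```python
# Added example (not from the slides): decoder for the classic unencrypted
# BIGipServer cookie plus the RFC 1918 check from step 2, producing a
# dict shaped like the IScanIssue fields of step 3. SAMPLE_COOKIES is
# constructed; the "Low"/"Information" severity split is this example's choice.
import ipaddress
import socket
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_bigip_cookie(value):
    """Return (ip, port) for a value like '1677787402.36895.0000', or None
    when the value is not in that format (e.g. an encrypted cookie)."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    ip_num, port_num = int(parts[0]), int(parts[1])
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))             # little-endian int -> dotted quad
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]   # swap the two port bytes
    return ip, port


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_cookies(url, cookies):
    """Step 2 of the deck over (name, value) pairs: one issue per BIGIP
    cookie that decodes, with the fields an IScanIssue would expose."""
    issues = []
    for name, value in cookies:
        if not name.lower().startswith("bigip"):
            continue
        decoded = decode_bigip_cookie(value)
        if decoded is None:
            continue          # encrypted or unknown format: nothing to report
        ip, port = decoded
        issues.append({
            "name": "Encoded IP Address Discovered in F5 Cookie Value",
            "severity": "Low" if is_rfc1918(ip) else "Information",
            "detail": "The URL %s sets the F5 load balancer cookie %s, "
                      "which decodes to %s:%d" % (url, name, ip, port),
            "cookie": name, "ip": ip, "port": port,
        })
    return issues


# Constructed sample: one classic cookie, one value the decoder does not
# handle (stands in for an encrypted cookie), one unrelated cookie
SAMPLE_COOKIES = [
    ("BIGipServerPool_Web", "1677787402.36895.0000"),
    ("BIGipServerPool_Api", "!constructed-opaque-value"),
    ("JSESSIONID", "ABC123"),
]

if __name__ == "__main__":
    for issue in check_cookies("https://app.example.test/", SAMPLE_COOKIES):
        print(issue["severity"], "-", issue["detail"])
```

The constructed value 1677787402.36895.0000 decodes to 10.1.1.100:8080, which is the kind of internal pool-member address the deck's screenshot shows; from the defender's side, enabling cookie encryption on the BIG-IP is what makes decode_bigip_cookie() return None.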
Summary
1. Decode custom encoding/serialization
Use IMessageEditorTab interface to display decoded content
2. Handle anti-tamper or signed requests
Use processHTTPMessage to catch and rewrite requests
3. Provide a new “view” into an application
Use ITab interface to display custom view
4. Automate a manual task with a new scanner check
Use doPassiveScan to trigger a check
