**Approach — brief**Create a Burp passive scanner extension that registers as IBurpExtender and IScannerCheck, inspects HTTP responses, parses Set-Cookie headers, and raises IScanIssue entries for cookies missing HttpOnly or Secure. Deduplicate by tracking findings per host+cookieName+path+port.1) Register extension and scannerpython
# Jython-style pseudocode
class BurpExtender(IBurpExtender, IScannerCheck):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.setExtensionName("CookieFlagPassive")
callbacks.registerScannerCheck(self)
self._reported = set() # store (host, port, cookieName, path, flagType)
2) Inspect responses and parse Set-Cookiepython
def doPassiveScan(self, baseRequestResponse):
resp = baseRequestResponse.getResponse()
if not resp: return None
headers = self._helpers.analyzeResponse(resp).getHeaders()
host = baseRequestResponse.getHttpService().getHost()
port = baseRequestResponse.getHttpService().getPort()
issues = []
for h in headers:
if h.lower().startswith("set-cookie:"):
cookie = h[len("Set-Cookie:"):].strip()
name, attrs = parse_cookie(cookie) # split on '=' and ';'
attrs_lower = [a.strip().lower() for a in attrs]
if "httponly" not in attrs_lower:
key = (host, port, name, get_path(baseRequestResponse), "httponly")
if key not in self._reported:
self._reported.add(key)
issues.append(make_issue(..., "HttpOnly missing", evidence=h))
if "secure" not in attrs_lower:
key = (host, port, name, get_path(baseRequestResponse), "secure")
if key not in self._reported:
self._reported.add(key)
issues.append(make_issue(..., "Secure missing", evidence=h))
return issues if issues else None
3) Build issue objects and reportpython
def make_issue(self, baseReqResp, name, detail, evidence):
return CustomScanIssue(baseReqResp.getHttpService(), baseReqResp.getUrl(),
[baseReqResp], name, detail, "Information")
(CustomScanIssue implements IScanIssue; use callbacks.raiseAlert or return list as per API)4) Avoid duplicates- Use a set keyed by host, port, cookie name, path and flag type.- Persist only in-memory for a run; optionally reset on scope changes.- Use normalized cookie names and paths to avoid variation.5) Testing locally- Spin up a local webserver (e.g., Flask/Node) that emits various Set-Cookie headers (with/without flags).- Load sites in browser proxied through Burp while extension is enabled.- Confirm passive findings appear once per cookie and provide correct evidence.- Unit-test parse_cookie logic with inputs: multiple attributes, quoted values, commas in values.- Use Burp extender debug logging and enable stderr capture for errors.Notes / Edge cases- Handle multiple Set-Cookie headers per response.- Account for cookie attributes with values (Domain=, Path=, SameSite=).- Normalize attribute casing and whitespace.