Burp Suite User Forum

Burp 2020.9.1 crashes when sending certain characters in repeater

Adam | Last updated: Sep 10, 2020 10:49AM UTC

When POSTing a login request (it does not seem to matter if the body is JSON or an HTTP POST form etc.), the entire application crashes if a dollar ($) symbol is in a parameter name in the body of the request. Found when testing for NoSQL injection; the string 'password[$ne]=admin' or '"password[$ne]":"admin"' in the body seems to do it. It doesn't matter if the string is URL encoded or not. Overall it seems that if the $ is in the parameter name, and it has a value, this is enough to crash it.

Uthman, PortSwigger Agent | Last updated: Sep 10, 2020 11:13AM UTC

Hi Adam, Thanks for reporting this. I have tried replicating this on http://demo.testfire.net but Burp is not crashing. Can you send further details (screenshots, screen recording, and steps to replicate) to support@portswigger.net, please?

Paupu | Last updated: Oct 09, 2020 04:35PM UTC

Hi Uthman, I experienced the same problem as Adam. I investigated a little bit and the problem seems to be related to the sending of a dollar character ($) in the body of a request (GET or POST or other methods) in the Repeater tab. It happened to me on both Community and Professional versions (for sure versions 2020.9.1 and 2020.9.2) and for both Windows and Linux versions. But this bug seems to be triggered only if the ".NET Beautifier" extension is installed. I ran BurpSuite in diagnostic mode from the command line; the crash seems to be related to a "java.lang.ArrayIndexOutOfBoundsException" and the result is that the application is blocked and I could only forcibly kill the process to close it. Running with the flag "--diagnostic" I obtained the following stacktrace on Windows OS (if needed I can also send you the Linux one).

java.lang.ArrayIndexOutOfBoundsException: Index 3 out of bounds for length 3
    at java.desktop/javax.swing.plaf.synth.SynthTabbedPaneUI.paintTabArea(SynthTabbedPaneUI.java:525)
    at java.desktop/javax.swing.plaf.synth.SynthTabbedPaneUI.paint(SynthTabbedPaneUI.java:464)
    at java.desktop/javax.swing.plaf.synth.SynthTabbedPaneUI.update(SynthTabbedPaneUI.java:362)
    at java.desktop/javax.swing.JComponent.paintComponent(JComponent.java:797)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1074)
    at java.desktop/javax.swing.JComponent.paintChildren(JComponent.java:907)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1083)
    at java.desktop/javax.swing.JComponent.paintChildren(JComponent.java:907)
    at java.desktop/javax.swing.JSplitPane.paintChildren(JSplitPane.java:1024)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1083)
    at java.desktop/javax.swing.JComponent.paintChildren(JComponent.java:907)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1083)
    at java.desktop/javax.swing.JComponent.paintChildren(JComponent.java:907)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1083)
    at java.desktop/javax.swing.JComponent.paintChildren(JComponent.java:907)
    at java.desktop/javax.swing.JComponent.paint(JComponent.java:1083)
    at java.desktop/javax.swing.JComponent.paintToOffscreen(JComponent.java:5255)
    at java.desktop/javax.swing.RepaintManager$PaintManager.paintDoubleBufferedImpl(RepaintManager.java:1643)
    at java.desktop/javax.swing.RepaintManager$PaintManager.paintDoubleBuffered(RepaintManager.java:1618)
    at java.desktop/javax.swing.RepaintManager$PaintManager.paint(RepaintManager.java:1556)
    at java.desktop/javax.swing.RepaintManager.paint(RepaintManager.java:1323)
    at java.desktop/javax.swing.JComponent._paintImmediately(JComponent.java:5203)
    at java.desktop/javax.swing.JComponent.paintImmediately(JComponent.java:5013)
    at java.desktop/javax.swing.RepaintManager$4.run(RepaintManager.java:865)
    at java.desktop/javax.swing.RepaintManager$4.run(RepaintManager.java:848)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.desktop/javax.swing.RepaintManager.paintDirtyRegions(RepaintManager.java:848)
    at java.desktop/javax.swing.RepaintManager.paintDirtyRegions(RepaintManager.java:823)
    at java.desktop/javax.swing.RepaintManager.prePaintDirtyRegions(RepaintManager.java:772)
    at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(RepaintManager.java:1884)
    at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:316)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

I hope that this post could help you to fix it! Thank you!

Uthman, PortSwigger Agent | Last updated: Oct 12, 2020 10:14AM UTC

Hi Paupu, Thanks a lot for reporting this! I have replicated the issue and our development team is looking into it. I will keep this thread updated.

Uthman, PortSwigger Agent | Last updated: Nov 16, 2020 04:33PM UTC

This issue has now been fixed. Can you please give both extensions a try in the latest version?

Paupu | Last updated: Mar 02, 2021 04:30PM UTC

Hi Uthman, sorry for the (too long) delay in answering you! I tried version 2021.2.1 of BurpSuite on Windows with the ".NET Beautifier" extension installed and I experienced the same problem. Let me know if you want any other specific information. Thanks!

Uthman, PortSwigger Agent | Last updated: Mar 04, 2021 08:30AM UTC

Hi Paupu, I just attempted to replicate it again but I am having some issues. Can you please provide clear replication steps? Do you have any other extensions enabled?

Paupu | Last updated: Mar 10, 2021 01:36PM UTC

Hi Uthman, I noticed that the bug is still present (in version v2021.2.1 for Windows and Linux) only when I have enabled both the ".NET Beautifier" (https://github.com/portswigger/dotnet-beautifier) and "SAML Raider" (https://github.com/portswigger/saml-raider) extensions. Unfortunately, starting BurpSuite with the "--diagnostics" flag I don't receive any stacktrace when it stops working, so I cannot provide any further information about the crash.

Uthman, PortSwigger Agent | Last updated: Mar 10, 2021 04:16PM UTC

Thanks. We have raised this with our development team and will let you know when we have some further feedback.
