Burp Suite User Forum

Login to post


floyd | Last updated: Aug 29, 2018 09:42AM UTC

I was wondering if you have any idea what could lead to the following python stack trace when using the makeHttpRequest Burp extension API? Traceback (most recent call last): File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 903, in doActiveScan self.do_checks(injector) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks colab_tests.extend(self._xxe_xmp(injector, burp_colab)) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks colab_tests.extend(self._xxe_xmp(injector, burp_colab)) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 2417, in _xxe_xmp return x.do_collaborator_tests(injector, burp_colab, injector.opts.get_enabled_file_formats()) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5398, in do_collaborator_tests c = self._send_collab(injector, burp_colab, types, basename, content, old_xmp, new_xmp, issue) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5438, in _send_collab urr = self._make_http_request(injector, req, redownload_filename=filename) File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4097, in _make_http_request attack = self._callbacks.makeHttpRequest(service, req) byc: burp.byc I've never seen an error like "byc: burp.byc" before. What's "byc"? Jython and Java version seems to be fine: Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) [Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)] Java version: 1.8.0_112 I got it as a github issue but don't know how I could help that poor soul: https://github.com/modzero/mod0BurpUploadScanner/issues/21

PortSwigger Agent | Last updated: Aug 29, 2018 09:43AM UTC

Please let us know the version of Burp you're using. burp.byc is an obfuscated class name. If I know the Burp version I can deobfuscate.

Burp User | Last updated: Aug 29, 2018 11:24AM UTC

The OP didn't indicate the Burp version (and I just added the Burp version is going to be reported in the next version of the extension). But all reports I got so far were for 1.7.37 so that could be it. I'll let you know once I get it confirmed.

PortSwigger Agent | Last updated: Aug 29, 2018 12:24PM UTC

Ok, I just checked the obfuscator logs and it looks like this is ScanRequestTimedOutException in Burp 2.0.0. Previously if there was a timeout we simply returned an empty response. We probably shouldn't throw an obfuscated exception though. We will have a chat internally about what the desired behavior is. In the meantime, can I encourage you to put makeHttpRequest in a try/catch block. If there's just the odd timeout the extension can probably continue.

PortSwigger Agent | Last updated: Aug 29, 2018 01:16PM UTC

Hi Floyd, This bug has now been fixed and it should go out in the next release. The behaviour should now be consistent with burp 1.x (when you call makeHttpRequest and get a timeout we return a null reference). If you register a scan check and call makeHttpRequest from doActiveScan *and* get a timeout, Burp will record that fact and it will re-run your scan check as may times as per the scan configuration. This means you should be able to revert your commit to handle the byc exception in your scan check after the next release. Cheers!

Burp User | Last updated: Aug 30, 2018 08:50AM UTC

Thanks for the quick check! Let me know once you know what you are planning to do. I can wrap the makeHttpRequest, but this probably breaks other extensions too.

PortSwigger Agent | Last updated: Aug 31, 2018 10:02AM UTC

So makeHttpRequest will always return null if there was a timeout exception (regardless of where you call it) but if you call it in the context of doActiveScan we will attempt to repeat your extension-provided scan check in a second pass. Just so you know this was released in yesterday in version 2.0.03beta

Burp User | Last updated: Aug 31, 2018 11:25AM UTC

Ah, nice, thanks guys! Interesting, so makeHttpRequest will behave differently depending if called from doActiveScan or from another context... It will be important to communicate such stuff to extension developers. One day I mean, I know you guys are busy. I will commit the revert as soon as there is the new Burp version out. cheers!

You need to Log in to post a reply. Or register here, for free.