Burp Suite User Forum


Cannot return null value for a passive scanner check

Nadia | Last updated: Jan 17, 2023 04:22PM UTC

Hi, I'm writing a passive scanner by implementing the ScanCheck interface and calling Scanner.registerScanCheck(ScanCheck). I want to check a particular condition and return an audit issue if this condition is met, as expected for a scanner. According to the Javadocs, the passiveAudit() method of the ScanCheck interface returns a list of AuditIssue objects (type AuditResult) or null if no issues are identified*. Following this, I have implemented the following method in my custom implementation of ScanCheck:

    @Override
    public AuditResult passiveAudit(HttpRequestResponse baseRequestResponse) {
        HttpRequest baseRequest = baseRequestResponse.request();
        String requestURL = baseRequest.url();
        if (requestURL.contains("foo")) {
            AuditIssue issue = AuditIssue.auditIssue("audit", "foo auditor", "abcd", "https://example.com",
                    AuditIssueSeverity.LOW, AuditIssueConfidence.CERTAIN, "abcd", "defg",
                    AuditIssueSeverity.INFORMATION, baseRequestResponse);
            AuditResult issues = AuditResult.auditResult(issue);
            return issues;
        } else {
            AuditResult nullIssues = AuditResult.auditResult(null);
            return nullIssues;
        }
    }

* As seen in https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scanner/ScanCheck.html#passiveAudit(burp.api.montoya.http.message.HttpRequestResponse)

Nadia | Last updated: Jan 17, 2023 04:25PM UTC

Oops, I posted that before I was ready. It should say:

    else {
        return null;
    }

When I implement this extension, I get the following error:

    java.lang.NullPointerException: Cannot invoke "burp.api.montoya.scanner.AuditResult.auditIssues()" because the return value of "burp.api.montoya.scanner.ScanCheck.passiveAudit(burp.api.montoya.http.message.HttpRequestResponse)" is null

I am confused about what I should return when the scanner does not discover an issue. The Javadoc suggests I should return null, but that does not work. I have also tried to return an empty list, which cannot be converted properly to the AuditResult type.

Hannah, PortSwigger Agent | Last updated: Jan 17, 2023 04:43PM UTC

Hi, thanks for the information. We'll look into this in some more detail. We should have some feedback on this issue in the next couple of days.

Liam, PortSwigger Agent | Last updated: Jan 18, 2023 10:47AM UTC

Thanks for this report, Nadia. We'll get this fixed in the next release. Please let us know if you need any further assistance.

Nadia | Last updated: Jan 18, 2023 02:42PM UTC

Thank you!

Hannah, PortSwigger Agent | Last updated: Jan 19, 2023 05:44PM UTC

Hi Nadia, rather than returning null in your AuditResult.auditResult(), could you try returning an empty list or just leaving the parentheses blank? You can find an example for scan checks here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/dev/customscanchecks

Nadia | Last updated: Jan 24, 2023 02:59PM UTC

Hi Hannah, thanks for your help. Returning an empty list, converted to an AuditResult as in the example, works perfectly. Appreciate the example!
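The pattern Hannah recommends, written out as a complete passive ScanCheck that never returns null from passiveAudit() or activeAudit(). This is an added example, not code from this thread or from PortSwigger's example repository; the extension name, the class name HttpOnlyCookieCheck and the check itself (flagging Set-Cookie headers that lack the HttpOnly attribute) are assumptions chosen to illustrate the API, and the AuditIssue.auditIssue(...) parameter order is the one Nadia's post uses.

```java
package example;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpHeader;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.responses.HttpResponse;
import burp.api.montoya.scanner.AuditResult;
import burp.api.montoya.scanner.ConsolidationAction;
import burp.api.montoya.scanner.ScanCheck;
import burp.api.montoya.scanner.audit.insertionpoint.AuditInsertionPoint;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;

import java.util.ArrayList;
import java.util.List;

// Hypothetical class and extension name; the HttpOnly check is an illustration.
public class HttpOnlyCookieCheck implements BurpExtension, ScanCheck {

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("HttpOnly cookie check (example)");
        api.scanner().registerScanCheck(this);
    }

    @Override
    public AuditResult passiveAudit(HttpRequestResponse baseRequestResponse) {
        // Collect findings in a list; an empty list is the "nothing found" result.
        // Returning the list wrapped in auditResult() avoids the NullPointerException
        // that a bare "return null" triggers in the scanner.
        List<AuditIssue> issues = new ArrayList<>();

        HttpResponse response = baseRequestResponse.response();
        if (response == null) {
            return AuditResult.auditResult(issues);
        }

        for (HttpHeader header : response.headers()) {
            if (!header.name().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            if (header.value().toLowerCase().contains("httponly")) {
                continue;
            }

            issues.add(AuditIssue.auditIssue(
                    "Cookie set without HttpOnly flag",                       // name
                    "The response sets a cookie without the HttpOnly attribute: "
                            + header.value(),                                 // detail
                    "Add the HttpOnly attribute to cookies that client-side "
                            + "script does not need to read.",                // remediation
                    baseRequestResponse.request().url(),                      // baseUrl
                    AuditIssueSeverity.LOW,                                   // severity
                    AuditIssueConfidence.FIRM,                                // confidence
                    "Cookies readable from script are exposed if the site has "
                            + "a cross-site scripting weakness.",             // background
                    "Most session cookies can be marked HttpOnly without "
                            + "breaking the application.",                    // remediationBackground
                    AuditIssueSeverity.LOW,                                   // typicalSeverity
                    baseRequestResponse));                                    // evidence
        }

        return AuditResult.auditResult(issues);
    }

    @Override
    public AuditResult activeAudit(HttpRequestResponse baseRequestResponse,
                                   AuditInsertionPoint auditInsertionPoint) {
        // This check is passive only, but it still returns an empty result, never null.
        List<AuditIssue> none = new ArrayList<>();
        return AuditResult.auditResult(none);
    }

    @Override
    public ConsolidationAction consolidateIssues(AuditIssue newIssue, AuditIssue existingIssue) {
        // Suppress duplicate reports for the same cookie on the same URL.
        boolean sameIssue = existingIssue.name().equals(newIssue.name())
                && existingIssue.detail().equals(newIssue.detail());
        return sameIssue ? ConsolidationAction.KEEP_EXISTING : ConsolidationAction.KEEP_BOTH;
    }
}
```

Build the class into the extension JAR and load it under Extensions; the "no issue" path is exercised on every response that sets no cookies, which is where the original null return failed. Keeping the empty-list result in a typed List<AuditIssue> variable also sidesteps the overload ambiguity between AuditResult.auditResult(List) and AuditResult.auditResult(AuditIssue...) that Nadia ran into when passing null directly.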
