Burp Suite User Forum


Empty report from burp extension after migrating to 2020.12.1

Adria | Last updated: Jan 25, 2021 08:24PM UTC

Dear all,

Context: We have created a Burp extension heavily inspired by the VMware Burp REST API extension (https://github.com/vmware/burp-rest-api). Basically the extension offers a few REST API entry points in order to have some automation. The extension is a Spring Boot application delivered as a fat jar (a jar containing all the dependencies and the Burp jar as well). The extension starts a Jetty server on a specific port and then starts Burp with the following call: burp.StartBurp.main(args.getSourceArgs());

Problem: We recently migrated from Burp 1.17.3 to 2020.12.1. The only problem we had while building the new application was the migration to Java 10. The new application is running and the proxy is receiving traffic, but the reports are always empty: zero findings. The way we are generating the reports is something like this: IScanIssue[] issues = extender.getCallbacks().getScanIssues(null); extender.getCallbacks().generateScanReport(format, issues, reportFile); This was working perfectly well with the 1.17.3 version but it does not work with 2020.12.1.

Extra info: It is possible via our REST API to trigger an active analysis; actually we take all the HTTP requests and replay them via the API call callbacks.doActiveScan(). When we do this, the report is not empty, but for the passive analysis it is always empty.

Any hint/help is welcome, thx, Adrian

Hannah, PortSwigger Agent | Last updated: Jan 26, 2021 02:42PM UTC

Hi Adrian, thank you for your message. Are you using any deprecated functions in your extension? You can find these in our documentation (https://portswigger.net/burp/extender/api/), or there should be a warning in your Dashboard event log. In the UI of Burp, are issues being reported as expected? Have you tried outputting values before the report to see if you are fetching issues as expected (e.g. return the list of scan issues)?

Cheers,
Hannah Law
Technical Product Specialist
PortSwigger Web Security

Adria | Last updated: Jan 27, 2021 02:32PM UTC

Hello Hannah,

We are not using any deprecated functions. Now I see a difference between running the Burp UI with no extension and running the Burp UI from our custom application (it's a pity that I cannot add screenshots :/ ).

When I run the Burp UI normally (meaning using the Burp jar file), then in Dashboard->Tasks I can see 2 tasks: 1. Live passive crawl from Proxy (all traffic) and 2. Live audit from Proxy (all traffic). In this case it works: the findings are found by task no. 2, so I see new issues in the "Issue Activity".

When I run the Burp UI from our application, with something like "java -DHIDE_BURP_UI=false -Dserver.port=9999 -jar ./megaburp.jar" (we have a system property to show the UI, which by default is hidden), then in Dashboard->Tasks I can see 1 task only: 1. Live passive crawl from Proxy (all traffic). In this case it does not work, no issues are shown in the "Issue Activity".

I don't really understand the meaning of these (new) tasks in the UI (I'm rather familiar with version 1.7.*). I don't know if a task of type "Live audit from Proxy (all traffic)" can be created programmatically.... Hope it helps, Adrian
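A checked version of the report step quoted in the first post, added here as an example and not the poster's code or PortSwigger's: it logs what getScanIssues() actually returns before calling generateScanReport(), so an empty result (as with only a "Live passive crawl" task running) shows up in the extension output instead of as a silently empty file. The class name ReportCheck and the method generateCheckedReport are assumptions; the burp.* calls are the documented legacy extender API.

```java
package burp;

import java.io.File;

// Hypothetical diagnostic helper around the report step from the post above.
// It is not part of the poster's extension; only the burp.* calls are real.
public class ReportCheck {
    private final IBurpExtenderCallbacks callbacks;

    public ReportCheck(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
    }

    /**
     * Fetches all known scan issues, logs them, and writes the report only when
     * there is something to report.
     *
     * @param format     "HTML" or "XML", as accepted by generateScanReport()
     * @param reportFile destination file for the report
     * @return number of issues written, or -1 if no report was produced
     */
    public int generateCheckedReport(String format, File reportFile) {
        // A null URL prefix returns every issue this Burp instance currently holds.
        IScanIssue[] issues = callbacks.getScanIssues(null);

        if (issues == null || issues.length == 0) {
            // Nothing to report: with no live audit task running, only the passive
            // crawl is active and no issues are produced. Make that visible.
            callbacks.printError("getScanIssues() returned no issues; report not written. "
                    + "Check Dashboard > Tasks for a live audit task.");
            return -1;
        }

        // Log one line per issue so the extension output shows what was fetched.
        for (IScanIssue issue : issues) {
            callbacks.printOutput(String.format("[%s/%s] %s %s",
                    issue.getSeverity(), issue.getConfidence(),
                    issue.getIssueName(), issue.getUrl()));
        }

        callbacks.generateScanReport(format, issues, reportFile);
        callbacks.printOutput("Wrote " + issues.length + " issue(s) to "
                + reportFile.getAbsolutePath());
        return issues.length;
    }
}
```

The return value lets the REST endpoint distinguish "no findings" from "report generated", which the original unconditional call did not.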

Adria | Last updated: Jan 27, 2021 02:34PM UTC

In both cases the proxy is functioning; it receives and sends traffic.

Hannah, PortSwigger Agent | Last updated: Jan 27, 2021 03:58PM UTC

Hi Adrian, if you'd like to send any screenshots to us, you can drop us an email at support@portswigger.net. When you're loading from your application, are you opening an existing project file or starting a new temporary project file each time?

Adria | Last updated: Jan 27, 2021 04:33PM UTC

Hi again Hannah,

I've just sent an email containing screenshots; the subject of the email is 'screenshots for "Empty report from burp extension after migrating to 2020.12.1"'.

Now to answer your previous question: we are always using temporary projects. The custom application is started, the clients use the proxy, the report is retrieved via the REST API, and then the application is terminated; no state is saved. All this happens in an automated way, with no human intervention. We never use the Burp UI from our custom application because there is no human to use it :) Hope it helps, Adrian

Hannah, PortSwigger Agent | Last updated: Jan 28, 2021 02:47PM UTC

Hi Adrian, thanks, we've got your email!
