Burp Suite User Forum


helpers indexOf doesn't seem to be working as expected.

Alan | Last updated: May 16, 2022 07:50PM UTC

(reposting as I neglected to put this in bug reports the first time)

I'm working with https://github.com/PortSwigger/java-deserializer. I have a stream of bytes in a request that should be a serialized Java object. Line 145 in JDUtils.java (https://github.com/PortSwigger/java-deserializer/blob/b6f04746206a692883d9418403a2f374f6697c28/src/burp/JDUtils.java#L145) is the following:

```
return helpers.indexOf(content, JDUtils.serializeMagic, false, 0, content.length) > -1;
```

Dumping the byte array that's passed in as the content argument, I clearly see the serializeMagic bytes right after the headers: 13, 10, 13, 10, -84, -19 (cr, nl, cr, nl, serialized object begins). However, the call to indexOf returns -1, not an offset to -84 as expected.

What am I missing here? Thanks in advance!

Michelle, PortSwigger Agent | Last updated: May 17, 2022 08:28AM UTC

Thanks for your message. Extensions are written and maintained by third-party users of Burp, so issues with the extensions should be reported to the authors. You can find the link where you can report issues to the original author here: https://github.com/nccgroup/JDSer-ngng

I hope this helps.

Alan | Last updated: May 18, 2022 12:12AM UTC

Not really. The issue is not with the extension. The issue is with the indexOf API call that *IS* a part of burp core API. It seems to be broken.

Alan | Last updated: May 18, 2022 12:14AM UTC

Specifically, the method is defined in IExtensionHelpers.java:

```
    /**
     * This method searches a piece of data for the first occurrence of a
     * specified pattern. It works on byte-based data in a way that is similar
     * to the way the native Java method <code>String.indexOf()</code> works on
     * String-based data.
     *
     * @param data The data to be searched.
     * @param pattern The pattern to be searched for.
     * @param caseSensitive Flags whether or not the search is case-sensitive.
     * @param from The offset within <code>data</code> where the search should
     * begin.
     * @param to The offset within <code>data</code> where the search should
     * end.
     * @return The offset of the first occurrence of the pattern within the
     * specified bounds, or -1 if no match is found.
     */
    int indexOf(
            byte[] data,
            byte[] pattern,
            boolean caseSensitive,
            int from,
            int to);
```

Hannah, PortSwigger Agent | Last updated: May 24, 2022 03:52PM UTC

Hi Alan,

I've put together a small test extension, and it seems like the issue may be to do with the negative byte values provided. How are you providing the content item to the extension, or retrieving it?

If you convert it to unsigned bytes, and adjust the JDUtils.serializeMagic value to be unsigned as well, do you still receive this issue?

William | Last updated: Apr 17, 2023 01:42PM UTC

Hi,

I am having the same experience as Alan did. I do not believe this relates to signed/unsigned bytes because Java only has signed bytes and I would agree with Alan that this is not a problem in the extension but in the Burp Suite API(s).

I have demonstrations written in Java that illustrate the problem for both the legacy and Montoya APIs. For simplicity of posting, the following Python code also brings out the problem using the legacy API, if saved as, e.g. "IExtensionHelpers-IndexOf-NotWorking-LegacyAPI.py" and added as a Python extension.

```python
from burp import IBurpExtender
from java.io import PrintWriter
from java.lang import RuntimeException

class BurpExtender(IBurpExtender):

    #
    # implement IBurpExtender
    #

    def registerExtenderCallbacks(self, callbacks):

        helpers = callbacks.getHelpers()

        # set our extension name
        callbacks.setExtensionName("IExtensionHelpers IndexOf Not Working (legacy API)")

        # obtain our output and error streams
        stdout = PrintWriter(callbacks.getStdout(), True)
        stderr = PrintWriter(callbacks.getStderr(), True)

        # write a message to our output stream
        print("""
This is a test of the following method:
----
int indexOf(byte[] data, byte[] pattern, boolean caseSensitive, int from, int to)
----
This method searches a piece of data for the first occurrence of a specified pattern.
----
https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#indexOf-byte:A-byte:A-boolean-int-int-
================================================================
""")

        serializeMagic = '\xac\xed'
        serializeMagicSandwich = '\xed\xed\xac\xed\xac\xed\xac'

        print('serializeMagic=' + '-'.join(x.encode('hex') for x in serializeMagic))
        print('serializeMagicSandwich=' + '-'.join(x.encode('hex') for x in serializeMagicSandwich))

        print('\n');
        print('This does not work:')
        print('\thelpers.indexOf(serializeMagicSandwich, serializeMagic, False, 0, len(serializeMagicSandwich))')
        print('Expected result: 2. Actual result: ' + str(helpers.indexOf(serializeMagicSandwich, serializeMagic, False, 0, len(serializeMagicSandwich))))

        print('\n');
        print('Nor does this:')
        print('\thelpers.indexOf(serializeMagicSandwich, serializeMagic, True, 0, len(serializeMagicSandwich))')
        print('Expected result: 2. Actual result: ' + str(helpers.indexOf(serializeMagicSandwich, serializeMagic, True, 0, len(serializeMagicSandwich))))

        print('\n');
        print('But this does work:')
        print('\tserializeMagicAsString = helpers.bytesToString(serializeMagic)')
        serializeMagicAsString = helpers.bytesToString(serializeMagic)
        print('\tserializeMagicSandwichAsString = helpers.bytesToString(serializeMagicSandwich)')
        serializeMagicSandwichAsString = helpers.bytesToString(serializeMagicSandwich)
        print('serializeMagicSandwichAsString.find(serializeMagicAsString)')
        print('Expected result: 2. Actual result: ' + str(serializeMagicSandwichAsString.find(serializeMagicAsString)));
```

Sample output:

```
This is a test of the following method:
----
int indexOf(byte[] data, byte[] pattern, boolean caseSensitive, int from, int to)
----
This method searches a piece of data for the first occurrence of a specified pattern.
----
https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#indexOf-byte:A-byte:A-boolean-int-int-
================================================================

serializeMagic=ac-ed
serializeMagicSandwich=ed-ed-ac-ed-ac-ed-ac


This does not work:
    helpers.indexOf(serializeMagicSandwich, serializeMagic, False, 0, len(serializeMagicSandwich))
Expected result: 2. Actual result: -1


Nor does this:
    helpers.indexOf(serializeMagicSandwich, serializeMagic, True, 0, len(serializeMagicSandwich))
Expected result: 2. Actual result: -1


But this does work:
    serializeMagicAsString = helpers.bytesToString(serializeMagic)
    serializeMagicSandwichAsString = helpers.bytesToString(serializeMagicSandwich)
serializeMagicSandwichAsString.find(serializeMagicAsString)
Expected result: 2. Actual result: 2
```

William | Last updated: Apr 17, 2023 01:46PM UTC

P.S. As the above shows, a potential workaround within extensions is to convert to a string and then use string functionality.
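
As an added example (not part of the original posts, and not Burp or java-deserializer code): a byte-exact search that an extension could call in place of `helpers.indexOf` for a check like the one at JDUtils.java line 145, without a string round trip. The class name `ByteSearch` is hypothetical; treating `to` as exclusive and folding only ASCII letters when case-insensitive are assumptions, since the Javadoc quoted in the thread does not specify either.

```java
import java.nio.charset.StandardCharsets;

// Added example; ByteSearch is a hypothetical helper, not part of the Burp API.
public final class ByteSearch {
    // Java serialization stream magic as given in the thread: 0xAC 0xED (-84, -19 signed).
    static final byte[] SERIALIZE_MAGIC = {(byte) 0xAC, (byte) 0xED};

    // Fold only ASCII A-Z to lower case; every other byte value is compared exactly,
    // so bytes >= 0x80 (negative in Java) are never altered.
    private static byte fold(byte b) {
        return (b >= 'A' && b <= 'Z') ? (byte) (b + 32) : b;
    }

    /** First offset of pattern within data[from, to), or -1 (assumption: to is exclusive). */
    public static int indexOf(byte[] data, byte[] pattern, boolean caseSensitive, int from, int to) {
        if (data == null || pattern == null) return -1;
        int start = Math.max(from, 0);
        int end = Math.min(to, data.length);
        if (pattern.length == 0) return start <= end ? start : -1;
        for (int i = start; i + pattern.length <= end; i++) {
            int j = 0;
            while (j < pattern.length) {
                byte d = data[i + j], p = pattern[j];
                if (caseSensitive ? d != p : fold(d) != fold(p)) break;
                j++;
            }
            if (j == pattern.length) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed input: the bytes Alan reports (CR LF CR LF, then the magic).
        byte[] afterHeaders = {13, 10, 13, 10, -84, -19};
        // Constructed input: William's "sandwich" ed-ed-ac-ed-ac-ed-ac.
        byte[] sandwich = {-19, -19, -84, -19, -84, -19, -84};
        // Constructed ASCII input to exercise the caseSensitive flag.
        byte[] text = "Content-Type: X".getBytes(StandardCharsets.US_ASCII);
        byte[] needle = "content-type".getBytes(StandardCharsets.US_ASCII);

        System.out.println(indexOf(afterHeaders, SERIALIZE_MAGIC, false, 0, afterHeaders.length));
        System.out.println(indexOf(sandwich, SERIALIZE_MAGIC, true, 0, sandwich.length));
        System.out.println(indexOf(sandwich, SERIALIZE_MAGIC, true, 3, sandwich.length));
        System.out.println(indexOf(text, needle, false, 0, text.length));
        System.out.println(indexOf(text, needle, true, 0, text.length));
    }
}
```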

Hannah, PortSwigger Agent | Last updated: Apr 17, 2023 02:32PM UTC

Hi William,

Thanks for those details. Could you drop us an email at support@portswigger.net with your examples attached so that we can look into this further, please?

William | Last updated: Apr 20, 2023 08:30AM UTC

Thanks for your reply and my apologies for the delay in responding. I have now submitted an email to support@portswigger.net.
