Burp Suite User Forum


How to deep-copy MontoyaAPI object to send to other isolated execution spaces within extension

Robin | Last updated: Aug 20, 2023 10:24PM UTC

I'm writing a plugin that accepts plugins. They are properly isolated spaces and I can launch extensions to my extension and shut them down (yes, that was difficult, I made some custom class loaders and a new shutdown listener for them). One problem: they need access to both my API object AND the Montoya object. And they all have the same Montoya API object right now... Is there any state contained in the Montoya API object where this could cause an issue for users? If so, how do I create a copy for them to use?

Robin | Last updated: Aug 20, 2023 10:34PM UTC

It's fine if all the requests look like they're coming from my extension. However, what isn't fine is if there are things where they can modify state and have it affect other plugins using the same api object. If passing the same object around won't cause any issues, then that will be fine, but I would obviously prefer to have access to a copy anyway for thoroughness of plugin isolation's sake.

Robin | Last updated: Aug 20, 2023 10:44PM UTC

I don't need to do anything special with the object, I just need a separate one. I'm basically just adding 1 or 2 sections to the api that would allow for some extra features for plugin writers that I think would be very useful and some others have shown interest in.

Robin | Last updated: Aug 20, 2023 11:20PM UTC

Also, if I don't have a separate copy it may become hard to meet Burp Suite's criteria #5 for extension guidelines.

Robin | Last updated: Aug 20, 2023 11:28PM UTC

I could potentially just create separate UI functions for them as the rest seem somewhat independent of each other? But that goes against the general policy of using burp functions for everything.

Robin | Last updated: Aug 20, 2023 11:38PM UTC

Also, yes, I do plan to implement further scanning of plugins before they get accepted into Burp Suite. I am planning on using asm info to scan them before actually running them to ensure people don't get owned. The way it works will also allow me to give users an easy way to review what a plugin actually does before they run it on their system, as there are only a few objects that actually get passed in through my plugin and I can create displays for it before actually loading it. That is... only if I can create a copy of this object... Otherwise I have to pass a lot more through and serialize things and it will become very difficult.

Robin | Last updated: Aug 21, 2023 12:06AM UTC

I am on the newer side in cyber security and development but I'm learning fast. I love your tool, but I am missing something I want very badly, and with the power of Kotlin and asm and knowing how to package dependencies and use various scanning tools, I am confident in my abilities to implement all of these features given the time. Right now the base is strong, I have full control of loading and unloading of plugins to my plugin, I can scan before actually running, but have a few more scanning techniques to implement later, a preliminary copy of both of the main features with a couple holes that I have plans for, no display yet but I will get there, but it has 1 hole. A copy of the API object. If I have that, I have an excitingly achievable roadmap ahead of me.

Robin | Last updated: Aug 21, 2023 11:59AM UTC

Never mind. The things I would need to copy return new objects anyway, and the things that don't return new objects probably make more sense for me to implement myself. If there is an easier way to do it that I'm just missing though, please let me know.

Hannah, PortSwigger Agent | Last updated: Aug 21, 2023 03:01PM UTC

Hi,

The MontoyaApi object itself is stateless. However, calling certain methods on the MontoyaApi object can modify the state of the extension. Some examples of this would be registering handlers, or printing to the output/error stream.

Robin | Last updated: Aug 22, 2023 12:59AM UTC

Yes it's beautiful thank you! Currently implementing filing persistent objects by a subset for the plugin instead of by the whole extension, and adding a plugin identifier prefix to logging info. I reimplemented extension as PluginManaging because I will be managing that, and then I can focus entirely on adding my own new features! Very excited. Thank you so much for the confirmation because I was pretty sure it was stateless but I wasn't sure if that was intentional or would cause issues down the road.

Robin | Last updated: Aug 22, 2023 01:01AM UTC

If I register a handler under a plugin, it should run the correct handler so I'm not super worried about that one. Again, thank you so much for the confirmation!

Robin | Last updated: Aug 22, 2023 01:07AM UTC

Trying to think up something to track the plugins by that will be resistant to changes in the plugin so they can always find their info. Any tips? I have UUIDs but the data for the UUIDs isn't persistent, it's used to track runtime instances. Plugins have names but I want that to be for display? I could use class names but what if they change the name of the class that implements my plugin interface? Maybe I'll just let them set a persistence key so they know that if they change it it will break that, and it won't be used for anything else so they won't have to? And then if not found prompt user to specify?
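
The per-plugin scoping discussed in this thread (a log prefix, a persistence subtree under a plugin-declared key, and tracked handler registrations), shown in Java as an added example that is not part of the original posts or PortSwigger's code. `PluginScope`, its fields and the uniqueness of the persistence key are assumptions; only the `burp.api.montoya` calls are the real API.

```java
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.Registration;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.persistence.PersistedObject;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical per-plugin view over the one shared, stateless MontoyaApi. */
public final class PluginScope {
    private final MontoyaApi api;        // shared instance; no copy is needed
    private final String persistenceKey; // set by the plugin, assumed unique per plugin
    private final String displayName;    // used for display and log prefix only
    private final List<Registration> registrations = new ArrayList<>();

    public PluginScope(MontoyaApi api, String persistenceKey, String displayName) {
        this.api = api;
        this.persistenceKey = persistenceKey;
        this.displayName = displayName;
    }

    /** Output lands in the host extension's stream, so tag it with the plugin. */
    public void logToOutput(String message) {
        api.logging().logToOutput("[" + displayName + "] " + message);
    }

    public void logToError(String message) {
        api.logging().logToError("[" + displayName + "] " + message);
    }

    /** This plugin's own subtree of the extension's project data. */
    public PersistedObject data() {
        PersistedObject root = api.persistence().extensionData();
        if (root.getChildObject(persistenceKey) == null) {
            root.setChildObject(persistenceKey, PersistedObject.persistedObject());
        }
        return root.getChildObject(persistenceKey);
    }

    /** Registers for the plugin and keeps the handle so the host can undo it. */
    public synchronized Registration registerHttpHandler(HttpHandler handler) {
        Registration registration = api.http().registerHttpHandler(handler);
        registrations.add(registration);
        return registration;
    }

    /** Called by the host when it unloads this plugin only. */
    public synchronized void unload() {
        registrations.forEach(Registration::deregister);
        registrations.clear();
    }
}
```

Handing plugins a `PluginScope` instead of the raw `MontoyaApi` keeps the shared state changes (handlers, log output, stored data) attributable to one plugin and reversible when that plugin is unloaded.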

Robin | Last updated: Aug 22, 2023 02:31AM UTC

Hang on, you can register more than 1 of each type of handler per extension, correct? If I use a handler in 1 place, I can register a separate one?

Robin | Last updated: Aug 22, 2023 02:34AM UTC

i.e. I can register 2 separate concurrent HttpHandlers in an extension?

Robin | Last updated: Aug 22, 2023 03:27AM UTC

And if I had 2 ProxyWebSocketCreationHandler, they would both receive the data? All extensions receive the same data for the handlers anyway, correct?

Robin | Last updated: Aug 22, 2023 03:40AM UTC

I moved my question about handlers to a new thread
