Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

HTTP Request Smuggler doesn't work

NeKKKM | Last updated: Oct 24, 2023 12:31AM UTC

HTTP Request Smuggler is not working properly, when I start Attack, it does not proceed from "ENGINE WARMING UP". The execution environment is as follows. ・Burp suite:2023.10.2.3 -2023-10-02 ・Extension : Both are the latest version. I appreciate your support.

Dominyque, PortSwigger Agent | Last updated: Oct 24, 2023 07:20AM UTC

Hi Are there any errors under the Extensions> Installed> Errors tab after loading/ installing the extension? Is the output tab being populated?

NeKKKM | Last updated: Oct 24, 2023 01:57PM UTC

Thanks for the reply. I tried reinstalling and there was no error. Also, the output tab appeared to install without any problems. =========================================== ・Erros: None ・Output: Using albinowaxUtils v1.2 This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality. Loaded HTTP Request Smuggler v2.15 =========================================== Also, the output log during execution looked like this =========================================== Using albinowaxUtils v1.2 This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality. Loaded HTTP Request Smuggler v2.15 Updating active thread pool size to 8 Loop 0 Loop 1 Queued 1 attacks from 1 requests in 0 seconds Completed request with key https0a59006803c8cfd8815d6b8d007700a0.web-security-academy.netGET200HTML: 1 of 1 in 46 seconds with 11 requests =========================================== Other than that, I have no specific settings for java enviroment and python enciroment. Please let me know if there is anything else that needs to be investigated. Thank you for your response.

NeKKKM | Last updated: Oct 24, 2023 01:57PM UTC

Thanks for the reply. I tried reinstalling and there was no error. Also, the output tab appeared to install without any problems. =========================================== ・Erros: None ・Output: Using albinowaxUtils v1.2 This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality. Loaded HTTP Request Smuggler v2.15 =========================================== Also, the output log during execution looked like this =========================================== Using albinowaxUtils v1.2 This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality. Loaded HTTP Request Smuggler v2.15 Updating active thread pool size to 8 Loop 0 Loop 1 Queued 1 attacks from 1 requests in 0 seconds Completed request with key https0a59006803c8cfd8815d6b8d007700a0.web-security-academy.netGET200HTML: 1 of 1 in 46 seconds with 11 requests =========================================== Other than that, I have no specific settings for java enviroment and python enciroment. Please let me know if there is anything else that needs to be investigated. Thank you for your response.

Dominyque, PortSwigger Agent | Last updated: Oct 25, 2023 08:26AM UTC

Hi Can you please email support@portswigger.net with the following: 1) Could you send me your diagnostics information? You can find this by going to "Help > Diagnostics" within Burp. 2) A screen recording of you launching the HTTP Request Smuggler attack

NeKKKM | Last updated: Oct 25, 2023 02:19PM UTC

Hi, I just sent you an email with the diagnostic information and the video of the launching the HTTP Request Smuggler attack . Please check it out. Thank you for your response.

Dominyque, PortSwigger Agent | Last updated: Oct 25, 2023 02:39PM UTC

Hi We have received and replied to your email.

NeKKKM | Last updated: Oct 26, 2023 09:15AM UTC

Hi, I have replied again. Please confirm.

François | Last updated: Nov 14, 2023 08:58AM UTC

Hello, I also have difficulties with this extension. I installed the extension from the BurpStore. The execution environment is as follows. ・Burp suite:2023.10.3.4 Build 24713 ・Extension : Both are the latest version. =========================================== During the installation: ・Erros: None ・Output: Using albinowaxUtils v1.2 This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality. Loaded HTTP Request Smuggler v2.15 =========================================== During the execution: Output : Updating active thread pool size to 8 Loop 0 Kicking off request scans Queueing request scan: Header removal Loop 1 Queued 1 attacks from 1 requests in 0 seconds Queueing request scan: CL.0 Queueing request scan: Client-side desync Timeout with response. Start time: 1699951606680 Current time: 1699951621814 Difference: 15134 Tolerance: 10000 Queueing request scan: Pause-based desync Timeout with response. Start time: 1699951622325 Current time: 1699951637363 Difference: 15038 Tolerance: 10000 Queueing request scan: Connection-state Queueing request scan: Smuggle probe Updating active thread pool size to 8 Loop 0 Loop 1 Queued 1 attacks from 1 requests in 0 seconds Queueing request scan: HTTP/2 probe Queueing request scan: HTTP/2 Tunnel probe TE Queueing request scan: HTTP/2 Tunnel probe CL Completed request with key https0afa0050046b5412809af841001300ec.web-security-academy.netGET200HTML: 1 of 1 in 78 seconds with 1187 requests Queueing request scan: HTTP/2-hidden probe Queueing request scan: HTTP/2 :scheme probe Queueing request scan: HTTP/2 dual :path probe Queueing request scan: HTTP/2 :method probe Queueing request scan: HTTP/2 fake-pseudo probe Completed request with key https0afa0050046b5412809af841001300ec.web-security-academy.netGET: 2 of 2 in 206 seconds with 1199 requests Error: Establishing 1 connection to https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 ... Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Completed attack on https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 Sent 0 requests over 2 connections in 15.333327 seconds RPS: 0 Establishing 1 connection to https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 ... Ignoring error: java.lang.IllegalStateException Completed attack on https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 Sent 0 requests over 2 connections in 15.342764 seconds RPS: 0 Establishing 1 connection to https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 ... Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Completed attack on https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 Sent 0 requests over 2 connections in 0.27315405 seconds RPS: 0 Establishing 1 connection to https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 ... Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Completed attack on https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 Sent 0 requests over 3 connections in 0.5017436 seconds RPS: 0 Establishing 1 connection to https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 ... Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Completed attack on https://0afa0050046b5412809af841001300ec.web-security-academy.net:443 Sent 0 requests over 3 connections in 0.43515903 seconds RPS: 0 Thank you for your help

Dominyque, PortSwigger Agent | Last updated: Nov 14, 2023 09:03AM UTC

Hi Frame Are you seeing the same problem with the attack not proceeding from 'Engine warming up'?

François | Last updated: Nov 15, 2023 11:01AM UTC

Hello, I don't see any errors related to 'Engine warming up'. I don't see any information in the turbo intruder logs. After verification, the extension seems to be functional despite some errors in the extension logs. Please ignore my previous message. Thanks for your support

Sean | Last updated: Nov 15, 2023 01:55PM UTC

Hi Dominyque, but I can chime in and can say, that this issue persists in Burp Suite Professional v2023.11.1-24839 / HTTP Request Smuggler 2.15 with the Intruder hanging at "Engine warming up..." if you try to launch a CL.TE or TE.CL attack. The error console of the HTTP Request Smuggler extension throws this error: Establishing 1 connection to https://0a19006f04934209822c1bab007600d7.web-security-academy.net:443 ... Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Ignoring error: java.lang.NullPointerException: Cannot invoke "burp.api.montoya.MontoyaApi.utilities()" because "burp.Utils.montoyaApi" is null Completed attack on https://0a19006f04934209822c1bab007600d7.web-security-academy.net:443 Sent 0 requests over 3 connections in 4.5065174 seconds RPS: 0

Dominyque, PortSwigger Agent | Last updated: Nov 15, 2023 02:00PM UTC

Hi Sean Thank you for contributing! :) The author has been informed of the bug, and the extension is currently in our BApp review process for the fixes to be added. I will update this thread when the fix has been released.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.