Burp Suite User Forum


I am having a problem getting a GraphQL call to be processed by our Burp Suite Enterprise

Glenn | Last updated: Apr 15, 2021 01:39PM UTC

I have a C# program that is working from my machine (I know that is what they all say), but when I port it to another machine it gets an error. I can run Burp Suite's GraphQL commands from the machine using the curl command but not from my C# program. How would you suggest I try to figure out what I am doing wrong? I am currently running Burp Suite Enterprise 2020-11.5632. The program is written in C# using the .NET Core 5.0 version. I don't appear to be getting any real response message from Burp Suite: "Status Code:0, Content-Type:, Content-Length:0" Thanks, Glenn

Liam, PortSwigger Agent | Last updated: Apr 16, 2021 07:24AM UTC

Hi Glenn, what is the purpose of your C# program? Can you provide us with an example of the GraphQL commands you are using? Also, could you update to the latest version of Burp Enterprise?

Glenn | Last updated: Apr 16, 2021 10:27AM UTC

At this point all I want to do is get a list of scans. That is all my program is trying to do. I have a number of programs that do other things, but they don't work either. I have attached the simple program that just tries to get the list of scans for you to look at. I am also going to update to the latest release of Enterprise. Here is the program:

using System;
using System.Collections.Generic;
using System.Net.NetworkInformation;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.Json;
using Microsoft.Extensions.Configuration.UserSecrets;
//using Rest;
//using RestRequest;
using RestSharp;

namespace TestNetConnection
{
    class Program
    {
        private static int retcode = 0;
        private static IConfiguration config = null;
        private static string APIKey = String.Empty;
        private static RestClient client = null;
        private static string GetScansCmd = String.Empty;   // loaded from configuration but not used below
        private static string GetScan = String.Empty;       // GraphQL request body sent to the server

        static void Main(string[] args)
        {
            SetupApplication();
            string host = config["BurpSuiteUrl"];
            APIKey = config["APIKey"];
            GetScansCmd = config["GetScans"];
            GetScan = config["GetScan"];

            client = new RestClient(host);
            client.Timeout = -1;
            RestRequest request = new RestRequest(Method.POST);
            request.AddHeader("Authorization", APIKey);
            request.AddHeader("Content-Type", "application/json");

            retcode = GetScans(request);
            Console.ReadKey();
        }

        // Reads Appsettings.json plus the user-secrets store (URL, API key, queries).
        static private void SetupApplication()
        {
            config = new ConfigurationBuilder()
                .AddJsonFile("Appsettings.json")
                .AddUserSecrets<Program>()
                .Build();
        }

        // Sends the GraphQL query and parses the JSON reply into a dictionary.
        private static int GetScans(RestRequest request)
        {
            int ret = 0;
            try
            {
                request.AddParameter("application/json", GetScan, ParameterType.RequestBody);
                IRestResponse response = client.Execute(request);

                // Status code 0 with an empty body means the request never reached the
                // server; the transport failure (e.g. TLS) is held in ErrorException.
                if (response.ErrorException != null)
                    throw response.ErrorException;

                string json = JValue.Parse(response.Content).ToString(Formatting.Indented);
                Dictionary<string, dynamic> scansDict = new Dictionary<string, dynamic>();
                scansDict = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(json);
            }
            catch (Exception e)
            {
                Console.WriteLine($"Exception: {e.Message}");
                ret = -3000;
            }
            return ret;
        }
    }
}

Glenn | Last updated: Apr 19, 2021 09:52AM UTC

Are there any advances on this request?

Liam, PortSwigger Agent | Last updated: Apr 19, 2021 02:02PM UTC

We think that the code could be simplified quite significantly. Something like this should work:

var client = new RestClient("<ENTERPRISE-SERVER-URL>/graphql/v1");
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "<API-KEY>");
request.AddParameter("application/json", "{\"query\":\"query GetScans {\\n scans {\\n id\\n }\\n}\",\"operationName\":\"GetScans\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

Please let us know if you need any further assistance.

Glenn | Last updated: Apr 19, 2021 05:59PM UTC

OK, I tried that and got a better error. It was: "Exception of type 'System.Net.InternalException' was thrown. -2146892963" which was the InnerException of the ErrorException "The SSL connection could not be established, see inner exception.". Apparently there is a problem with the length of a TLS 1.2 processing. I think I had seen this the first time I ran the Burp Suite Enterprise from the website on this machine and it asked me a question if I wanted to ignore it. I said yes, and then the calls ran fine. The problem now is that I am trying to run this from a C# program, and that option does not appear to be there. Any thoughts on how to get around this?

Liam, PortSwigger Agent | Last updated: Apr 20, 2021 11:07AM UTC

We think the error is caused because you are using an untrusted certificate on the Enterprise Server. Is that correct? The solution therefore would be to make the machine executing the C# application trust the certificate or to tell the application not to validate TLS certificates, which we think can be done with the following code:

restClient.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;

Glenn | Last updated: Apr 26, 2021 02:28PM UTC

Hi Liam, I asked around Mathematica and we seem to think that the problem is that this server isn't getting the chain information. Both the machine that is running the C# program and the Burp Suite server are using the same CA chain, but it still doesn't connect. When I look at the RemoteCertificateValidationCallback, we noticed some things that we could supply if we knew how to supply them. The certificate I am assuming is the certificate that is being used by the Burp Suite server, how would we specify the chain parameter. We can get it a number of ways including possibly exporting and using the exported version in this API call, if that might work. Any additional help would be greatly appreciated. Glenn

Glenn | Last updated: Apr 27, 2021 01:12PM UTC

Is there anything I should be doing now?

Glenn | Last updated: Apr 28, 2021 09:51AM UTC

Hello, Is there anything else you can say about this request?

Liam, PortSwigger Agent | Last updated: Apr 29, 2021 09:24AM UTC

Can you please confirm that the suggested code snippet has been added to the program:

restClient.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;

The suggested fix should work. Can you let us know if you have any issues once you have used the suggested snippet?

Glenn | Last updated: Apr 29, 2021 11:01AM UTC

I added the suggested code change and it still comes back with the same error. The issue, I think, is that the chain parameter appears to be null. What should it be and how do I set it?
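The callback suggested earlier in the thread returns true for every certificate, so a forged server certificate is accepted as readily as the real one. The program below is an added example, not code from the thread or from PortSwigger: it is the same RestSharp client with a callback that answers the question about the chain parameter. It keeps the default result when validation passes, refuses a missing certificate or a host-name mismatch outright, and otherwise rebuilds the chain with the organisation's own CA as the sole trust anchor. The server URL, API key and CA certificate path are placeholders; X509ChainTrustMode.CustomRootTrust requires .NET Core 2.0 or later, which .NET 5 satisfies.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RestSharp;

namespace BurpEnterpriseClient
{
    // Added example: pins the HTTPS connection to the organisation's own CA instead
    // of switching certificate validation off. URL, key and path are placeholders.
    static class Program
    {
        const string EnterpriseUrl = "https://<ENTERPRISE-SERVER>/graphql/v1"; // placeholder
        const string ApiKey = "<API-KEY>";                                     // placeholder
        const string CaCertPath = @"C:\certs\internal-root-ca.cer";            // placeholder: exported CA cert (DER or Base64)

        // The only root we are willing to accept for the Enterprise server.
        static readonly X509Certificate2 TrustedRoot = new X509Certificate2(CaCertPath);

        // The 'before' case from the thread: every certificate passes, including one
        // presented by a machine sitting between the client and the server.
        static bool AcceptAnyCertificate(object sender, X509Certificate cert,
                                         X509Chain chain, SslPolicyErrors errors) => true;

        // Hardened callback. 'chain' is what the OS built from the certificates the
        // server sent (it may stop short when intermediates are missing); 'errors'
        // says why default validation failed.
        static bool ValidateAgainstInternalCa(object sender, X509Certificate cert,
                                              X509Chain chain, SslPolicyErrors errors)
        {
            if (errors == SslPolicyErrors.None)
                return true;                                   // already trusted by the OS store

            // Never override a missing certificate or a host-name mismatch.
            if (cert == null ||
                (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
                (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            // Only chain errors are left: rebuild the chain with our CA as the only root.
            using var pinned = new X509Chain();
            pinned.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            pinned.ChainPolicy.CustomTrustStore.Add(TrustedRoot);
            pinned.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: internal CA publishes no CRL

            // Reuse any intermediates the server did send so the chain can be completed.
            if (chain != null)
                foreach (X509ChainElement element in chain.ChainElements)
                    pinned.ChainPolicy.ExtraStore.Add(element.Certificate);

            bool ok = pinned.Build(new X509Certificate2(cert));
            if (!ok)
                foreach (X509ChainStatus status in pinned.ChainStatus)
                    Console.Error.WriteLine($"chain: {status.Status} - {status.StatusInformation.Trim()}");
            return ok;
        }

        static void Main()
        {
            var client = new RestClient(EnterpriseUrl);
            client.RemoteCertificateValidationCallback = ValidateAgainstInternalCa;

            var request = new RestRequest(Method.POST);
            request.AddHeader("Content-Type", "application/json");
            request.AddHeader("Authorization", ApiKey);
            request.AddParameter("application/json",
                "{\"query\":\"query GetScans {\\n scans {\\n id\\n }\\n}\",\"operationName\":\"GetScans\"}",
                ParameterType.RequestBody);

            IRestResponse response = client.Execute(request);
            if (response.ErrorException != null)
                Console.Error.WriteLine($"Transport error: {response.ErrorException.Message}");
            Console.WriteLine($"HTTP {(int)response.StatusCode}: {response.Content}");
        }
    }
}
```

If the server sends only its leaf certificate (the "not getting the chain information" case), export the intermediate certificate(s) as well and add them to ExtraStore next to the root; the chain status lines written on failure (PartialChain, UntrustedRoot and so on) show which link is missing.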

Glenn | Last updated: May 02, 2021 07:39AM UTC

Is it possible to get my question answered? Thanks

Liam, PortSwigger Agent | Last updated: May 04, 2021 03:39PM UTC

From our understanding, the C# program works on one machine but not on another? This indicates some difference in configuration between the 2 machines. The conversation and error point towards Burp Enterprise being configured with a self-signed certificate that uses a DHE key length that is too small (e.g. 512 bits). See the related articles:

https://www.nsoftware.com/kb/xml/06101501.rst#8009035D
https://support.microsoft.com/en-us/topic/ms15-055-vulnerability-in-schannel-could-allow-information-disclosure-may-12-2015-e5b7e0c8-e658-c1c7-fd0f-8d8d46dc5e81

It may be that one machine has a patch applied that enforces the restriction while another does not. If you can create a new certificate with a longer key that may resolve the problem. Alternatively, you could modify the registry of the failing system to allow a 512-bit key (set the ClientMinKeyBitLength registry DWord value to 00000200).
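To tell which of the two explanations in this thread applies on the failing machine (an untrusted chain versus a Diffie-Hellman key the client refuses), it helps to look at the handshake itself. The probe below is an added example, not from the thread or from PortSwigger: it completes one TLS 1.2 handshake with the Enterprise server using SslStream, sends no HTTP request, and reports the negotiated cipher suite, the key-exchange strength, the chain the client built and any chain errors. Host and port are placeholders; KeyExchangeStrength is filled in by Schannel on Windows and may read 0 on other platforms.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace BurpEnterpriseClient
{
    // Added diagnostic example: performs one TLS 1.2 handshake with the Enterprise
    // server and reports what was negotiated. No HTTP request is sent.
    static class TlsProbe
    {
        sealed class Report
        {
            public SslProtocols Protocol;
            public TlsCipherSuite CipherSuite;
            public ExchangeAlgorithmType KeyExchange;
            public int KeyExchangeBits;          // DH group size for DHE suites (Windows/Schannel)
            public SslPolicyErrors PolicyErrors;
            public string[] ChainSubjects = Array.Empty<string>();
            public string[] ChainProblems = Array.Empty<string>();
        }

        static Report Probe(string host, int port)
        {
            var report = new Report();

            // Validation callback that only records what the OS chain builder saw and
            // then lets the handshake finish so the negotiated values can be read.
            // Acceptable here only because nothing is transmitted afterwards.
            bool Record(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                report.PolicyErrors = errors;
                if (chain == null) return true;

                var subjects = new List<string>();
                foreach (X509ChainElement element in chain.ChainElements)
                    subjects.Add(element.Certificate.Subject);
                report.ChainSubjects = subjects.ToArray();

                var problems = new List<string>();
                foreach (X509ChainStatus status in chain.ChainStatus)
                    problems.Add($"{status.Status}: {status.StatusInformation.Trim()}");
                report.ChainProblems = problems.ToArray();
                return true;
            }

            using var tcp = new TcpClient(host, port);
            using var tls = new SslStream(tcp.GetStream(), false, Record);
            tls.AuthenticateAsClient(host, null, SslProtocols.Tls12, false);

            report.Protocol = tls.SslProtocol;
            report.CipherSuite = tls.NegotiatedCipherSuite;   // available since .NET Core 3.0
            report.KeyExchange = tls.KeyExchangeAlgorithm;
            report.KeyExchangeBits = tls.KeyExchangeStrength;
            return report;
        }

        static void Main()
        {
            const string host = "<ENTERPRISE-SERVER-HOST>"; // placeholder
            const int port = 443;                            // placeholder

            Report r;
            try
            {
                r = Probe(host, port);
            }
            catch (AuthenticationException ex)
            {
                // The handshake itself was refused; Schannel's reason is in the inner exception.
                Console.WriteLine($"Handshake failed: {ex.Message} / {ex.InnerException?.Message}");
                return;
            }

            Console.WriteLine($"Protocol      : {r.Protocol}");
            Console.WriteLine($"Cipher suite  : {r.CipherSuite}");
            Console.WriteLine($"Key exchange  : {r.KeyExchange} ({r.KeyExchangeBits} bits)");
            Console.WriteLine($"Policy errors : {r.PolicyErrors}");
            foreach (string s in r.ChainSubjects) Console.WriteLine($"Chain element : {s}");
            foreach (string p in r.ChainProblems) Console.WriteLine($"Chain problem : {p}");

            if (r.KeyExchange == ExchangeAlgorithmType.DiffieHellman && r.KeyExchangeBits > 0 && r.KeyExchangeBits < 1024)
                Console.WriteLine("DHE key below the 1024-bit client minimum introduced by MS15-055: reconfigure the server with a larger key.");
        }
    }
}
```

Run it on the machine where the C# program works: a DiffieHellman exchange reported below 1024 bits is exactly what the MS15-055 floor rejects (the 00000200 registry value above lowers that floor to 512 bits on the client), whereas a populated "Chain problem" list with a normal key size points at the certificate chain instead. On the failing machine the handshake exception is printed with Schannel's inner message, which is the -2146892963 code seen earlier in the thread.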
