Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

IBurpExtenderCallbacks.addScanIssue throws an exception with temporary projects

Joan | Last updated: Jul 31, 2023 07:44AM UTC

Hello, I'm writing my very first extension based on Extender API (Legacy), and I'm struggling with a weird issue when adding a scan issue within a temporary project. I know there's a new API (Montoya), but I'm using a given example that uses Extender API as a reference, so I'd like to get mine working, and migrate to Montoya later. So, what I did so far is: - I have created my own implementation of the IScanIssue interface (https://portswigger.net/burp/extender/api/burp/iscanissue.html), filling it in with some basic (fake) information, to have a minimum working example. - I'm calling the IBurpExtenderCallbacks.addScanIssue method (https://portswigger.net/burp/extender/api/burp/iburpextendercallbacks.html#addScanIssue-burp.IScanIssue-), and then it throws a weird issue. What makes me feel a bit confused is that it only fails when I work with a temporary project, but it works well otherwise. Is that an expected behavior? If I'm not wrong, I think I have used other BApps that add scan issues adequately even with temporary projects. The stack trace I'm getting is completely unreadable (because it basically points to obfuscated code): at burp.Zi1r.ZW(Unknown Source) at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) at java.base/java.util.Collections$2.tryAdvance(Collections.java:4853) at java.base/java.util.Collections$2.forEachRemaining(Collections.java:4861) at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921) at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) at burp.Zxn7.ZV(Unknown Source) at burp.Zqpm.ZV(Unknown Source) at burp.Zx56.Zi(Unknown Source) at burp.Zoxu.ZS(Unknown Source) at burp.Zoxu.Ze(Unknown Source) at burp.Zoxu.Zj(Unknown Source) at burp.Zxcc.ZT(Unknown Source) at burp.Zxcc.ZE(Unknown Source) at burp.Znn9.ZR(Unknown Source) at burp.Znn9.Zn(Unknown Source) at burp.Zdn.ZN(Unknown Source) at burp.Zx1l.run(Unknown Source) at burp.Zo0a.add(Unknown Source) at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at burp.Zsu7.invoke(Unknown Source) at jdk.proxy2/jdk.proxy2.$Proxy42.add(Unknown Source) at burp.Ziw5.lambda$addScanIssue$38(Unknown Source) at burp.Zjge.Z_(Unknown Source) at burp.Ziw5.addScanIssue(Unknown Source) at burp.Zrs0.addScanIssue(Unknown Source) at burp.Zx3l.addScanIssue(Unknown Source) at burp.Zj7b.addScanIssue(Unknown Source) So, any idea will be more than welcome! Thanks in advance!

Hannah, PortSwigger Agent | Last updated: Jul 31, 2023 08:46AM UTC

Hi Could you tell me the version of Burp that you are using to generate this error, please? Are you working off of one of our provided examples for scan checks? You can find the Extender API version of this here: https://github.com/PortSwigger/example-scanner-checks The equivalent example in the Montoya API can be found here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customscanchecks

Joan | Last updated: Aug 02, 2023 10:49PM UTC

Hi Hannah, I'm using the latest version Burp Suite Professional 2023.7.2, but I also tried it with 2023.6 (indeed I updated to check it with the latest version). I'm not using any of your examples, but mostly inspired by your API documentation. Indeed, looking at your example-scanner-checks, looks like it has its own implementation of IScanIssue but it's not directly using the IBurpExtenderCallbacks.addScanIssue method, but using Active/Passive scans. Any further idea? Thanks! :)

Hannah, PortSwigger Agent | Last updated: Aug 03, 2023 04:22PM UTC