Burp Suite User Forum


IBurpExtenderCallbacks.addScanIssue throws an exception with temporary projects

Joan | Last updated: Jul 31, 2023 07:44AM UTC

Hello, I'm writing my very first extension based on Extender API (Legacy), and I'm struggling with a weird issue when adding a scan issue within a temporary project. I know there's a new API (Montoya), but I'm using a given example that uses Extender API as a reference, so I'd like to get mine working, and migrate to Montoya later.

So, what I did so far is:

- I have created my own implementation of the IScanIssue interface (https://portswigger.net/burp/extender/api/burp/iscanissue.html), filling it in with some basic (fake) information, to have a minimum working example.
- I'm calling the IBurpExtenderCallbacks.addScanIssue method (https://portswigger.net/burp/extender/api/burp/iburpextendercallbacks.html#addScanIssue-burp.IScanIssue-), and then it throws a weird issue.

What makes me feel a bit confused is that it only fails when I work with a temporary project, but it works well otherwise. Is that an expected behavior? If I'm not wrong, I think I have used other BApps that add scan issues adequately even with temporary projects.

The stack trace I'm getting is completely unreadable (because it basically points to obfuscated code):

    at burp.Zi1r.ZW(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.Collections$2.tryAdvance(Collections.java:4853)
    at java.base/java.util.Collections$2.forEachRemaining(Collections.java:4861)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at burp.Zxn7.ZV(Unknown Source)
    at burp.Zqpm.ZV(Unknown Source)
    at burp.Zx56.Zi(Unknown Source)
    at burp.Zoxu.ZS(Unknown Source)
    at burp.Zoxu.Ze(Unknown Source)
    at burp.Zoxu.Zj(Unknown Source)
    at burp.Zxcc.ZT(Unknown Source)
    at burp.Zxcc.ZE(Unknown Source)
    at burp.Znn9.ZR(Unknown Source)
    at burp.Znn9.Zn(Unknown Source)
    at burp.Zdn.ZN(Unknown Source)
    at burp.Zx1l.run(Unknown Source)
    at burp.Zo0a.add(Unknown Source)
    at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.Zsu7.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy42.add(Unknown Source)
    at burp.Ziw5.lambda$addScanIssue$38(Unknown Source)
    at burp.Zjge.Z_(Unknown Source)
    at burp.Ziw5.addScanIssue(Unknown Source)
    at burp.Zrs0.addScanIssue(Unknown Source)
    at burp.Zx3l.addScanIssue(Unknown Source)
    at burp.Zj7b.addScanIssue(Unknown Source)

So, any idea will be more than welcome! Thanks in advance!

Hannah, PortSwigger Agent | Last updated: Jul 31, 2023 08:46AM UTC

Hi

Could you tell me the version of Burp that you are using to generate this error, please?

Are you working off of one of our provided examples for scan checks? You can find the Extender API version of this here: https://github.com/PortSwigger/example-scanner-checks

The equivalent example in the Montoya API can be found here: https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customscanchecks

Joan | Last updated: Aug 02, 2023 10:49PM UTC

Hi Hannah,

I'm using the latest version, Burp Suite Professional 2023.7.2, but I also tried it with 2023.6 (indeed I updated to check it with the latest version). I'm not using any of your examples, but I was mostly inspired by your API documentation. Indeed, looking at your example-scanner-checks, it looks like it has its own implementation of IScanIssue, but it's not directly using the IBurpExtenderCallbacks.addScanIssue method; it's using Active/Passive scans instead. Any further idea? Thanks! :)

Hannah, PortSwigger Agent | Last updated: Aug 03, 2023 04:22PM UTC

Hi

Could you drop us an email at support@portswigger.net with your code so we can take a look at it, please?

We've just tested adding an issue directly using the referenced method, but have not had any issues in either a temporary project file or a disk-based project file.

package burp;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class BurpExtender implements IBurpExtender
{
    private IBurpExtenderCallbacks callbacks;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;

        callbacks.setExtensionName("Extender API scan checks");

        IHttpService service = new IHttpService()
        {
            @Override
            public String getHost()
            {
                return "portswigger-labs.net";
            }

            @Override
            public int getPort()
            {
                return 443;
            }

            @Override
            public String getProtocol()
            {
                return "https";
            }
        };

        // Issue the request through Burp so the issue has a real base request/response.
        IHttpRequestResponse requestResponse = callbacks.makeHttpRequest(service,
                "GET / HTTP/1.1\r\nHost: portswigger-labs.net\r\n\r\n".getBytes(StandardCharsets.UTF_8));

        // One {start, end} offset pair, applied to both the request and the response.
        int[] markers = {5, 30};
        callbacks.addScanIssue(new CustomScanIssue(requestResponse,
                callbacks.applyMarkers(requestResponse, List.of(markers), List.of(markers))));
    }

    private class CustomScanIssue implements IScanIssue
    {
        private final IHttpRequestResponse baseRequestResponse;
        private final IHttpRequestResponseWithMarkers marked;

        public CustomScanIssue(IHttpRequestResponse baseRequestResponse, IHttpRequestResponseWithMarkers marked)
        {
            this.baseRequestResponse = baseRequestResponse;
            this.marked = marked;
        }

        @Override
        public URL getUrl() {
            return callbacks.getHelpers().analyzeRequest(baseRequestResponse).getUrl();
        }

        @Override
        public String getIssueName() {
            return "wiener issue";
        }

        @Override
        public int getIssueType() {
            return 0;
        }

        @Override
        public String getSeverity() {
            return "High";
        }

        @Override
        public String getConfidence() {
            return "Certain";
        }

        @Override
        public String getIssueBackground() {
            return "test";
        }

        @Override
        public String getRemediationBackground() {
            return "test";
        }

        @Override
        public String getIssueDetail() {
            return "test";
        }

        @Override
        public String getRemediationDetail() {
            return "test";
        }

        @Override
        public IHttpRequestResponse[] getHttpMessages() {
            return new IHttpRequestResponse[]{marked};
        }

        @Override
        public IHttpService getHttpService() {
            return baseRequestResponse.getHttpService();
        }
    }
}
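
For the later migration mentioned earlier in the thread, the same issue registration written against the Montoya API, as an added example for this thread and not PortSwigger's own code (MontoyaIssueExtension is a placeholder class name; it assumes the Montoya API jar on the classpath and mirrors the target, markers and issue text of the legacy snippet above):

```java
package burp;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.Marker;
import burp.api.montoya.http.HttpService;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;
import java.util.List;

// Placeholder class name for this added example.
public class MontoyaIssueExtension implements BurpExtension
{
    @Override
    public void initialize(MontoyaApi api)
    {
        api.extension().setName("Montoya API scan issue example");

        // Same target and request as the legacy snippet above.
        HttpService service = HttpService.httpService("portswigger-labs.net", 443, true);
        HttpRequest request = HttpRequest.httpRequest(service,
                "GET / HTTP/1.1\r\nHost: portswigger-labs.net\r\n\r\n");
        HttpRequestResponse requestResponse = api.http().sendRequest(request);

        // Marker.marker(start, end) replaces the int[] {5, 30} pair passed to applyMarkers().
        List<Marker> markers = List.of(Marker.marker(5, 30));
        HttpRequestResponse marked = requestResponse
                .withRequestMarkers(markers)
                .withResponseMarkers(markers);

        // The static factory replaces the hand-written IScanIssue class;
        // the enums replace the "High" / "Certain" strings of the legacy API.
        AuditIssue issue = AuditIssue.auditIssue(
                "wiener issue",              // name
                "test",                      // detail
                "test",                      // remediation
                request.url(),               // base URL
                AuditIssueSeverity.HIGH,
                AuditIssueConfidence.CERTAIN,
                "test",                      // background
                "test",                      // remediation background
                AuditIssueSeverity.HIGH,     // typical severity
                marked);

        // siteMap().add() is the Montoya counterpart of IBurpExtenderCallbacks.addScanIssue().
        api.siteMap().add(issue);
    }
}
```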
