Burp Suite User Forum


JUnit test with Burp Extensions

t1n | Last updated: Sep 14, 2015 03:48PM UTC

Hi, I'm developing a Burp Extension and want to add some testing. Is there a way to create IHttpRequestResponse objects manually? Or retrieve callbacks during a JUnit test, without starting Burp? I do not really know what to do. Thanks for your help!

PortSwigger Agent | Last updated: Sep 15, 2015 11:28AM UTC

All of the custom objects used in the Burp API are interface types, like IHttpRequestResponse. For test purposes you can either:

- Create your own class that implements any required interface
- Use a mocking framework like Mockito to mock the required object

You can do this with the callbacks object itself, so you can use a fake or mock instance of Burp in your tests.

Anthony | Last updated: Aug 17, 2023 04:20PM UTC

This seems like a crazy amount of overhead for writing simple test cases. I'm trying to create a list of HttpRequestResponse objects with the Montoya API to double-check that my passive scans work correctly with the expected objects. I can't use the static constructors of any objects since the MontoyaObjectFactory is null until the extension is added to burp. Is there any other recommended solution?

Hannah, PortSwigger Agent | Last updated: Aug 18, 2023 12:25PM UTC

Hi

You shouldn't need the MontoyaApi object to create HttpRequestResponses - you can just create these as needed.

For example:
```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.util.List;

import org.junit.jupiter.api.Test;

import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.http.message.responses.HttpResponse;
import burp.api.montoya.scanner.AuditResult;
import burp.api.montoya.scanner.ScanCheck;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;

class MyScanCheckTest
{
    @Test
    void givenAnHttpRequestResponseThenRunAPassiveScanCheck()
    {
        // Build the message pair from raw strings with the Montoya static constructors
        HttpRequest request = HttpRequest.httpRequest("GET / HTTP/1.1\r\nHost: portswigger-labs.net\r\n\r\n");
        HttpResponse response = HttpResponse.httpResponse("test");

        HttpRequestResponse requestResponse = HttpRequestResponse.httpRequestResponse(request, response);

        // The issue the check is expected to raise for this message pair
        List<AuditIssue> expectedAuditIssueList = List.of(AuditIssue.auditIssue(
                "Name",
                "Detail",
                "Remediation",
                "https://portswigger-labs.net",
                AuditIssueSeverity.HIGH,
                AuditIssueConfidence.CERTAIN,
                "Background",
                "RemediationBackground",
                AuditIssueSeverity.HIGH,
                requestResponse)
        );

        ScanCheck scanCheck = new MyScanCheck();
        AuditResult result = scanCheck.passiveAudit(requestResponse);

        assertEquals(expectedAuditIssueList, result.auditIssues());
    }
}
```

Anthony | Last updated: Aug 18, 2023 03:25PM UTC

Thanks for the response, Hannah! I appreciate the support. I think I might be missing something since that's basically what I have for a JUnit test right now. The static constructor for HttpRequest calls the FACTORY object.

```java
package burp.api.montoya.http.message.requests;

import static burp.api.montoya.internal.ObjectFactoryLocator.FACTORY;

static HttpRequest httpRequest(String request) {
    return FACTORY.httpRequest(request);
}
```

Which I found here.

```java
package burp.api.montoya.internal;

public class ObjectFactoryLocator {
    /**
     * This is initialized when your extension is loaded.
     */
    public static MontoyaObjectFactory FACTORY = null;
}
```

When I try to use the static constructor like the example you shared, I receive a null error since FACTORY isn't initialized in the test. That's how I ended up here lol. What do you think, am I just missing something?

Hannah, PortSwigger Agent | Last updated: Aug 18, 2023 03:53PM UTC

Could you drop us an email at support@portswigger.net with your code, so we can take a look in some more detail, please? Alternatively, if you have a link to your GitHub that would be useful.

Anthony | Last updated: Aug 18, 2023 05:32PM UTC

Thank you, I sent an email with a GitHub repo and pictures of the error. Just for reference, this is the error I'm getting:

```
java.lang.NullPointerException: Cannot invoke "burp.api.montoya.internal.MontoyaObjectFactory.httpRequest(String)" because "burp.api.montoya.internal.ObjectFactoryLocator.FACTORY" is null
```

Thanks for the help!

Anthony | Last updated: Oct 06, 2023 02:45PM UTC

For others trying to go down the same path as I was: it's best to create functions that take in Java standard objects like Strings, Lists, etc. rather than passing in the API's objects, since those would require you to mock out that object. Here was Hannah's point of view:

It looks like, rather than testing your own functionality, you are testing Burp's. Rather than testing the full passiveAudit method, we would recommend isolating your code (the contents of the "if" statement) and testing that instead. For example, extracting it to a method that takes String values for "header.name()" and "header.value()" would make it a lot easier to test.

```java
private boolean verifier(String name, String value) {
    return commonWebServerHeaders.contains(name) && !value.isBlank() && !allowedServerValues.contains(value);
}
```

Due to the amount of mocking required, the current test compares a mocked object to a mocked object.
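Following Anthony's closing post, here is an added example (not code from the thread, from Anthony, or from PortSwigger) of the seam he describes: the decision logic takes only Strings and is tested directly with JUnit 5, while the Montoya-specific passiveAudit stays a thin wrapper that is never executed in the test, so ObjectFactoryLocator.FACTORY being null does not matter. It goes slightly beyond the posted verifier by comparing header names case-insensitively, since HTTP header names are case-insensitive, and by trimming values. The class name ServerHeaderCheck, the two header/value sets and the issue text are illustrative assumptions, and the test rows are constructed for this example.

```java
// Added example: pure decision logic (Strings in, boolean out) under JUnit 5, plus a thin
// Montoya wrapper. ServerHeaderCheck, the two sets and the issue text are illustrative
// assumptions, not the thread author's or PortSwigger's code.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.CsvSource;

import burp.api.montoya.http.message.HttpHeader;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.scanner.AuditResult;
import burp.api.montoya.scanner.ConsolidationAction;
import burp.api.montoya.scanner.ScanCheck;
import burp.api.montoya.scanner.audit.insertionpoint.AuditInsertionPoint;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;

class ServerHeaderCheck implements ScanCheck {
    // Response headers that commonly carry a software banner (illustrative set, lower-case).
    private static final Set<String> COMMON_WEB_SERVER_HEADERS = Set.of("server", "x-powered-by");
    // Bare product names with no version string, treated as acceptable (illustrative set).
    private static final Set<String> ALLOWED_SERVER_VALUES = Set.of("nginx", "apache");

    // The part worth unit-testing: no Burp types, so JUnit can call it without a running Burp.
    // Header names compare case-insensitively; values are trimmed and lower-cased.
    static boolean isDisclosingServerHeader(String name, String value) {
        if (name == null || value == null) {
            return false;
        }
        String normalisedName = name.toLowerCase(Locale.ROOT);
        String normalisedValue = value.trim().toLowerCase(Locale.ROOT);
        return COMMON_WEB_SERVER_HEADERS.contains(normalisedName)
                && !normalisedValue.isEmpty()
                && !ALLOWED_SERVER_VALUES.contains(normalisedValue);
    }

    // Thin Montoya wrapper: unpacks headers and builds issues. It only runs inside Burp, because
    // AuditIssue.auditIssue and AuditResult.auditResult go through ObjectFactoryLocator.FACTORY.
    @Override
    public AuditResult passiveAudit(HttpRequestResponse baseRequestResponse) {
        List<AuditIssue> issues = new ArrayList<>();
        if (baseRequestResponse.response() != null) {
            for (HttpHeader header : baseRequestResponse.response().headers()) {
                if (isDisclosingServerHeader(header.name(), header.value())) {
                    issues.add(AuditIssue.auditIssue(
                            "Server software disclosed in " + header.name() + " header",
                            "Header value: " + header.value(),
                            "Remove the header or strip the version from it",
                            baseRequestResponse.request().url(),
                            AuditIssueSeverity.INFORMATION,
                            AuditIssueConfidence.CERTAIN,
                            null,
                            null,
                            AuditIssueSeverity.INFORMATION,
                            baseRequestResponse));
                }
            }
        }
        return AuditResult.auditResult(issues);
    }

    @Override
    public AuditResult activeAudit(HttpRequestResponse baseRequestResponse, AuditInsertionPoint insertionPoint) {
        return AuditResult.auditResult(List.of()); // passive-only check
    }

    @Override
    public ConsolidationAction consolidateIssues(AuditIssue newIssue, AuditIssue existingIssue) {
        return ConsolidationAction.KEEP_EXISTING; // one banner report per URL is enough
    }
}

class ServerHeaderCheckTest {
    // Constructed cases: header name, header value, expected verdict.
    @ParameterizedTest
    @CsvSource({
            "Server, 'Apache/2.4.57 (Ubuntu)', true", // version banner: report it
            "server, 'Apache/2.4.57', true",          // header-name case must not matter
            "X-Powered-By, PHP/8.2.4, true",
            "Server, nginx, false",                   // allowed bare product name
            "Server, ' Apache ', false",              // allowed once trimmed and lower-cased
            "Server, '', false",                      // blank value discloses nothing
            "Content-Type, text/html, false"          // not a server header at all
    })
    void flagsOnlyDisclosingHeaders(String name, String value, boolean expected) {
        assertEquals(expected, ServerHeaderCheck.isDisclosingServerHeader(name, value));
    }

    @Test
    void nullsAreNotDisclosures() {
        assertFalse(ServerHeaderCheck.isDisclosingServerHeader(null, "Apache/2.4"));
        assertFalse(ServerHeaderCheck.isDisclosingServerHeader("Server", null));
    }
}
```

The test class needs junit-jupiter-params on the test classpath for @ParameterizedTest; the Montoya API jar is still needed to compile the wrapper, but nothing in the test touches it, which is what keeps the NullPointerException on FACTORY out of the picture.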
