Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

JUnit test with Burp Extensions

t1n | Last updated: Sep 14, 2015 03:48PM UTC

Hi, I'm developing a Burp Extension and want to add some testing. Is there a way to create IHttpRequestResponse objects manual? Or retrieve callbacks during a JUnit test, without starting Burp. I do not really know what to do. Thanks for your help!

PortSwigger Agent | Last updated: Sep 15, 2015 11:28AM UTC

All of the custom objects used in the Burp API are interface types, like IHttpRequestResponse. For test purposes you can either: - Create your own class that implements any required interface - Use a mocking framework like Mockito to mock the required object You can do this with the callbacks object itself, so you can use a fake or mock instance of Burp in your tests.

Anthony | Last updated: Aug 17, 2023 04:20PM UTC

This seems like a crazy amount of overhead for writing simple test cases. I'm trying to create a list of HttpRequestResponse objects with the Montoya API to double-check that my passive scans work correctly with the expected objects. I can't use the static constructors of any objects since the MontoyaObjectFactory is null until the extension is added to burp. Is there any other recommended solution?

Hannah, PortSwigger Agent | Last updated: Aug 18, 2023 12:25PM UTC

Hi

You shouldn't need the MontoyaApi object to create HttpRequestResponses - you can just create these as needed.

For example:
@Test
void givenAnHttpRequestResponseThenRunAPassiveScanCheck()
{
    HttpRequest request = HttpRequest.httpRequest("GET / HTTP/1.1\r\nHost: portswigger-labs.net\r\n\r\n");
    HttpResponse response = HttpResponse.httpResponse("test");

    HttpRequestResponse requestResponse = HttpRequestResponse.httpRequestResponse(request, response);

    List<AuditIssue> expectedAuditIssueList = List.of(AuditIssue.auditIssue(
            "Name",
            "Detail",
            "Remediation",
            "https://portswigger-labs.net",
            AuditIssueSeverity.HIGH,
            AuditIssueConfidence.CERTAIN,
            "Background",
            "RemediationBackground",
            AuditIssueSeverity.HIGH,
            requestResponse)
    );

    ScanCheck scanCheck = new MyScanCheck();
    AuditResult result = scanCheck.passiveAudit(requestResponse);

    assertTrue(result.auditIssues().equals(expectedAuditIssueList));
}

Anthony | Last updated: Aug 18, 2023 03:25PM UTC

Thanks for the response, Hannah! I appreciate the support. I think I might be missing something since that's basically what I have for a JUnit test right now. The static constructor for HttpRequest calls the FACTORY object. ``` package burp.api.montoya.http.message.requests; import static burp.api.montoya.internal.ObjectFactoryLocator.FACTORY; static HttpRequest httpRequest(String request) { return FACTORY.httpRequest(request); } ``` Which I found here. ``` package burp.api.montoya.internal; public class ObjectFactoryLocator { /** * This is initialized when your extension is loaded. */ public static MontoyaObjectFactory FACTORY = null; } ``` When I try to use the static constructor like the example you shared, I receive a null error since FACTORY isn't initialized in the test. That's how I ended up here lol. What do you think, am I just missing something?

Hannah, PortSwigger Agent | Last updated: Aug 18, 2023 03:53PM UTC

Could you drop us an email at support@portswigger.net with your code, so we can take a look in some more detail, please? Alternatively, if you have a link to your GitHub that would be useful.

Anthony | Last updated: Aug 18, 2023 05:32PM UTC

Thank you, I sent an email with a GitHub repo and pictures of the error. Just for reference, this is the error I'm getting java.lang.NullPointerException: Cannot invoke "burp.api.montoya.internal.MontoyaObjectFactory.httpRequest(String)" because "burp.api.montoya.internal.ObjectFactoryLocator.FACTORY" is null Thanks for the help!

Anthony | Last updated: Oct 06, 2023 02:45PM UTC

For others trying to go down the same path as I was. It's best to create functions that take in Java standard objects like Strings, Lists, etc. compared to passing in the API's objects since those would require you to mock out that object. Here was Hannah's point of view: It looks like, rather than testing your own functionality, you are testing Burp's. Rather than testing the full passiveAudit method, we would recommend isolating your code (the contents of the "if" statement) and testing that instead. For example, extracting it to a method that takes String values for "header.name()" and "header.value()" would make it a lot easier to test. ``` private boolean verifier(String name, String value) { return commonWebServerHeaders.contains(name) && !value.isBlank() && !allowedServerValues.contains(value); } ``` Due to the amount of mocking required, the current test compares a mocked object to a mocked object.

f1nl0wt3ch | Last updated: Feb 20, 2024 01:33PM UTC

Hi @Anthony! I am facing the same issue with you. How you overcome this problem? In case I wanna make a true call to test my function, how could we solve this?

Hannah, PortSwigger Agent | Last updated: Feb 20, 2024 05:11PM UTC

The best way to truly test functions in your extension would be to create a test extension that you can load into Burp and use to test functionality. For example, implement a button that runs a specific test when you click it. This means that you won't have to mock out the API functionality. Alternatively, as mentioned before, split out your functionality from the functionality contained within Burp's API, so that you can test your own behavior.

f1nl0wt3ch | Last updated: Feb 20, 2024 08:48PM UTC

Hi Hannah! Thank you for your helps. I misunderstood that, the Http interface is used to access to the Intruder. It doesn't suite to my case. After reading your documentation again about the API and replace by java.net.Http from JDK. Finally I got my function working and am able to test the logic.

Hannah, PortSwigger Agent | Last updated: Feb 21, 2024 10:42AM UTC