Burp Suite User Forum


Log4jShell scanner removed? Does Active Scan++ support Log4jShell?

Shreyas | Last updated: Sep 18, 2023 05:55PM UTC

Hi,

Any reason why the Log4jShell scanner extension is removed from the BApp Store? Also, since the Log4jShell scanner is removed, are all the below variants supported by Active Scan++?

| Feature | Log4Shell scanner (this one) | ActiveScan++ (b485a07) |
|---|---|---|
| Synchronous detection | ✔️ | ✔️ |
| Asynchronous detection | ✔️ | ❌ |
| Hostname detection | ✔️ | ❌ |
| Username detection | ✔️ | ❌ |
| Ability for single-issue scan (see below) | ✔️ | ❌ |

Thank you,
Shreyas

Dominyque, PortSwigger Agent | Last updated: Sep 19, 2023 09:47AM UTC

Hi,

We removed the Log4jShell scanner extension from the BApp Store as it was triggering the anti-virus check. We did contact the author about this, but they haven't gotten back to us.

You can still use the Log4jShell extension from GitHub if you would like: https://github.com/silentsignal/burp-log4shell

The functionality of Active Scan++ is listed in the description: https://portswigger.net/bappstore/3123d5b5f25c4128894d97ea1acc4976

Ben | Last updated: Nov 15, 2023 09:34PM UTC

Dominyque, the description in the BApp Store and the GitHub page for Active Scan++ is currently inaccurate, because one of the developers commented out the Log4Shell check back in July. See line 72 of activeScan++.py here: https://github.com/PortSwigger/active-scan-plus-plus/commit/b327b5e8fc5c1a9be27eb545428ec1c8ffc68e84

Dominyque, PortSwigger Agent | Last updated: Nov 16, 2023 07:50AM UTC

Hi Ben,

Thank you for reporting. We can make a change to the description of the BApp to remove the Log4Shell bit, but please note that it might be some time before the change is released, as we do have a backlog of BApps we are working through at the minute.
