Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

MontoyaAPI v2023.12.1 Invalid URL Exception in includeInScope API

skb | Last updated: Jan 09, 2024 02:56AM UTC

Hello, many thanks to your efforts on the cool Montoya API. I'm using a MontoyaAPI v2023.12.1 (net.portswigger.burp.extensions:montoya-api:2023.12.1) with a BurpSuite Professional v2023.12.1 for Intel Mac. My custom extension uses Scope.includeInScope API[1] to include some URL in the target scope as below: ```kt api.scope().includeInScope("https://example.com") // where `api` is the argument of `initialize` method ``` It has been working well until v2023.12.1, but in that version it raises an IllegalArgumentException: ```log java.lang.IllegalArgumentException: Invalid URL at burp.Zdax.includeInScope(Unknown Source) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) at java.base/java.lang.reflect.Method.invoke(Method.java:578) at burp.Zgoh.invoke(Unknown Source) at jdk.proxy2/jdk.proxy2.$Proxy64.includeInScope(Unknown Source) at burp.Zoyw.includeInScope(Unknown Source) ``` FYI, if I put a trailing slash to the URL, it did not work. [1] https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scope/Scope.html#includeInScope(java.lang.String)

Hannah, PortSwigger Agent | Last updated: Jan 09, 2024 02:48PM UTC

Hi Thanks for bringing this to our attention. We've looked into this, and this issue has occurred due to the major changes we've made to the Dashboard. You should find that your URL is still added to the scope - the actual place where the error is occurring is within the functionality that changes the color of the "Target" and "Scope settings" tabs. We've put a fix in place for this issue, which should be available in our next release. If there's anything else we can help with in the meantime, please let us know.

skb | Last updated: Jan 09, 2024 03:08PM UTC

Thanks for your quick reply and fixes. I understand the situation. I will wrap the call sites with try-block to ignore the exception until the next release. Waiting for the release, thanks!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.