Burp Suite User Forum


Possible bug in concrete class of IScanQueueItem

Nadeem | Last updated: May 16, 2015 09:48PM UTC

Hi,

I think I may have discovered a small bug with the concrete implementation of the IScanQueueItem returned by the doActiveScan methods. When I try to access a method, I get the following error:

Exception in thread "JavaFX Application Thread" java.lang.IllegalAccessException: Class sun.reflect.misc.Trampoline can not access a member of class burp.a4g with modifiers "public"
    at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:101)
    at java.lang.reflect.AccessibleObject.slowCheckMemberAccess(AccessibleObject.java:295)
    at java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:287)
    at java.lang.reflect.Method.invoke(Method.java:476)
    at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
    at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
    at com.sun.webkit.Utilities.lambda$fwkInvokeWithContext$54(Utilities.java:94)
    at com.sun.webkit.Utilities$$Lambda$449/116716326.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.webkit.Utilities.fwkInvokeWithContext(Utilities.java:94)
    at com.sun.webkit.dom.JSObject.callImpl(Native Method)
    at com.sun.webkit.dom.JSObject.call(JSObject.java:98)
    at com.redcanari.swing.SwingFXUtilities.lambda$null$18(SwingFXUtilities.java:44)
    at com.redcanari.swing.SwingFXUtilities$$Lambda$457/692419495.run(Unknown Source)
    at com.sun.javafx.application.PlatformImpl.lambda$null$164(PlatformImpl.java:292)
    at com.sun.javafx.application.PlatformImpl$$Lambda$69/2115930874.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.javafx.application.PlatformImpl.lambda$runLater$165(PlatformImpl.java:291)
    at com.sun.javafx.application.PlatformImpl$$Lambda$67/128622969.run(Unknown Source)
    at com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:95)

This issue does not exist with any of the other interfaces I've played with so far. In performing some debugging, I noticed that doActiveScan().getClass().getModifiers() == 0. Further debugging uncovers a check in sun.reflect.Reflection.ensureMemberAccess() that checks whether the modifier is set to public (1). This is why the exception is thrown. I am no Java expert but reading online there are suggestions that this may be due to the fact that the class declaration lacks the "public" modifier.

Your help would be greatly appreciated!

Cheers,
Nadeem

Burp User | Last updated: May 16, 2015 09:52PM UTC

Further inspection of the a4g class in the debugger verifies that the class has no "public" modifier; however, other classes such as zxe (concrete implementation of ITextEditor) have that modifier, hence the reason why it is not throwing an exception on method invocations.

Burp User | Last updated: May 18, 2015 04:07AM UTC

It looks like the same error is creeping up for the concrete implementation of IRequestInfo as well.

PortSwigger Agent | Last updated: May 18, 2015 08:07AM UTC

What method are you trying to call on the IScanQueueItem instance when this happens? From your stack trace, it looks like you are using JavaFX (which Burp currently doesn't) and FX is using reflection to perform some action on the object. This manipulation is outside of the Extender API. If you stick to using regular Extender API methods, things should work fine.

Burp User | Last updated: May 18, 2015 12:53PM UTC

Any method on all of the methods above behave in the same manner via reflection invocations. However this issue does not exist in any of the other interfaces provided by burp so far.

Burp User | Last updated: May 18, 2015 01:31PM UTC

Hello again,

Looking into what interfaces have the public class modifier and what don't, I have the following lists.

The following concrete classes do not work via reflection:

class cgf implements IRequestInfo
class a4g implements IScanQueueItem
class gz implements IScannerInsertionPoint

The following classes do work via reflection:

public class vtf implements IParameter
public class f2f implements IBurpExtenderCallbacks
public class r1g implements IExtensionHelpers
public class mac implements IResponseInfo
public class krg implements IHttpService
public class b4b extends a4b implements IHttpRequestResponseWithMarkers
public class rdf extends qdf implements IHttpRequestResponseWithMarkers, IHttpRequestResponsePersisted
public class mf implements IMessageEditorController
public class wvg implements IMessageEditor, i3g
public class zxe implements ITextEditor
public class h2 implements IContextMenuFactory
public class r1g implements IExtensionHelpers
public class a4b implements IHttpRequestResponse
public class qdf implements IHttpRequestResponsePersisted
public class avd implements IScanIssue
public class v1 implements ITempFile

The reason I am using reflection is to support a JavaScript bridge that I've built between Burp and my plugin. I will be presenting on this topic at DEFCON23 (https://defcon.org/html/defcon-23/dc-23-speakers.html#Douba) and I would love to be able to call the interfaces that don't work via JavaScript before the conference. Your help would be greatly appreciated. Otherwise, the only workaround I see is to write a whole bunch of proxy classes that call the objects directly within the JVM instead of via reflection calls, which would be rather ugly.

Hope this input helps.

Cheers,
Nadeem

PortSwigger Agent | Last updated: May 18, 2015 01:44PM UTC

If you really need to use reflection, rather than going via the regular Extender API, you can use reflection to make any class/field/method accessible before you attempt to access it: https://docs.oracle.com/javase/7/docs/api/java/lang/reflect/AccessibleObject.html#setAccessible(boolean)

Burp User | Last updated: May 18, 2015 03:05PM UTC

Hello again, The reflection API does not allow one to change the modifiers for classes. It only applies to Fields, Methods, and Constructors. Is there any particular reason why these concrete classes cannot be made public since the rest are? Cheers, Nadeem

PortSwigger Agent | Last updated: May 18, 2015 03:46PM UTC

We've never intended people to use reflection to access these classes, and there isn't any reason to access them other than via the normal API. If we did change an internal class to be public, there is a strong likelihood it would revert again in future, because someone's IDE would suggest the access can safely be made weaker. Anyway, I believe that you can access anything, including methods inside non-public classes, by calling setAccessible(true) before you try to access them.

Burp User | Last updated: May 18, 2015 04:43PM UTC

Unfortunately, I do not control the reflection query since it is managed by the JFX web engine. Looks like I would have to write a wrapper class for each of the affected classes.
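
One generic alternative to a hand-written wrapper per class, shown as an added example that is not code from this thread or from Burp: a java.lang.reflect.Proxy built over an object's public interfaces is itself a public class, and it forwards each call through the interface method, which passes the access check that the non-public concrete class fails. QueueItem and HiddenItem are constructed stand-ins for IScanQueueItem and burp.a4g, and whether the JavaFX WebView bridge accepts such a proxy is an assumption to verify.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Modifier;
import java.lang.reflect.Proxy;
import java.util.LinkedHashSet;
import java.util.Set;

public class PublicFacade {
    // Constructed stand-ins for the thread's situation: a public API interface
    // implemented by a class that has no "public" modifier.
    public interface QueueItem { String getStatus(); }
    private static class HiddenItem implements QueueItem {
        public String getStatus() { return "finished"; }
    }

    // Collect every public interface implemented anywhere in the class hierarchy.
    static Class<?>[] publicInterfaces(Class<?> type) {
        Set<Class<?>> found = new LinkedHashSet<>();
        for (Class<?> c = type; c != null; c = c.getSuperclass()) collect(c, found);
        return found.toArray(new Class<?>[0]);
    }
    private static void collect(Class<?> c, Set<Class<?>> found) {
        for (Class<?> i : c.getInterfaces()) {
            if (Modifier.isPublic(i.getModifiers())) found.add(i);
            collect(i, found); // superinterfaces may be public even if i is not
        }
    }

    // Wrap target in a dynamic proxy that forwards every interface call to it.
    static Object wrap(Object target) {
        Class<?>[] ifaces = publicInterfaces(target.getClass());
        if (ifaces.length == 0) throw new IllegalArgumentException("no public interface");
        ClassLoader loader = target.getClass().getClassLoader();
        return Proxy.newProxyInstance(loader, ifaces, (proxy, method, args) -> {
            try {
                return method.invoke(target, args); // Method is declared on the public interface
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface what the real method threw
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Object raw = new HiddenItem();
        Object facade = wrap(raw);
        System.out.println(Modifier.isPublic(raw.getClass().getModifiers()));
        System.out.println(Modifier.isPublic(facade.getClass().getModifiers()));
        System.out.println(facade.getClass().getMethod("getStatus").invoke(facade));
    }
}
```

Methods that exist only on the concrete class and not on any public interface are not reachable through the proxy, which keeps the exposed surface equal to the documented API.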
