Burp community forum

Retire.js not working

Wealot | Last updated: Aug 07, 2018 01:33PM UTC

Hi, The retire.js extension in Burp Suite Pro is not working. I do not see any feedback during passive scanning in either the "Target>Issue" or "Scanner>Issue activity" tabs. The firefox Retire.js plugin does show issues so I know it should show something. I just downloaded Pro with this plugin as one of the reasons. I do run on the newest Kali which has JRE version 10.0.2, please tell me if it is logical that it would be that. The extension it self has no errors, only shows Loading the latest...... as the last output. Kind regards,

Liam, PortSwigger Agent | Last updated: Aug 07, 2018 01:40PM UTC

Could you try using the Linux platform installer version of Burp Suite? This comes bundled with it's own version of Java.

Burp User | Last updated: Aug 07, 2018 02:14PM UTC

That one actually gives instant Java errors on the Azure Kali default installation. So the installer doesn't work at all.... (might be a second support ticket I should create :P)

Liam, PortSwigger Agent | Last updated: Aug 07, 2018 02:21PM UTC

Would it be possible to send us screenshots of the error messages you are encountering?

Liam, PortSwigger Agent | Last updated: Aug 07, 2018 02:22PM UTC

It might be worth contacting the developers of the extension to find out if they are doing anything differently: - https://github.com/portswigger/retire-js If the application is public facing / part of a bug bounty scheme we could perform some testing ourselves?

Burp User | Last updated: Aug 08, 2018 06:52AM UTC

Ok, the installation script was my mistake :D. I got the following error: Could not initialize class sun.awt.X11GraphicsEnvironment Which was due to how I was displaying over VNC and running the script with root. For everyone with this issue, "unset DISPLAY" was all I had to do (as root) and then it worked. Now for Retire.js, it also doesn't work with an installed Burp. The active scan that I did this night did show 1 of the vulnerable JS, but not the others (should be 4 if I believe Retire.js FireFox plugin). When passive browsing the scanner tab does report "Cross-domain script includes" that have the vulnerable JS libraries in them so I am sure something crosses through Burp that should be flagged by Retire.js..... Any ideas?

Burp User | Last updated: Aug 08, 2018 01:49PM UTC

I'll ask the developers, and it is not public facing :D

Liam, PortSwigger Agent | Last updated: Aug 08, 2018 01:52PM UTC

Thanks for the update Krzysztof.

Burp User | Last updated: Jan 15, 2019 12:22PM UTC

There's a new version available directly from the GitHub, and it works very well in both 1.7.37, and 2.0.13beta (so far...). https://github.com/h3xstream/burp-retire-js

You need to Log in to post a reply. Or register here, for free.