vmware / burp-rest-api
REST/JSON API to the Burp Suite security tool.
License: BSD 2-Clause "Simplified" License
Team,
I have followed the steps in #6 and #11. What I am doing is:
-Create a lib folder and copy my Burp jar in it. (v 1.7.27 pro)
-Build with ./gradlew clean build
I get the following error:
javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
com.vmware.burp.extension.client.BurpClientIT > testScannerSpiderAndReportMethods FAILED
javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
2017-10-04 09:26:45.572 INFO 30804 --- [ Thread-9] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@727dbff5: startup date [Wed Oct 04 09:26:32 EDT 2017]; root of context hierarchy
2017-10-04 09:26:45.575 INFO 30804 --- [ Thread-9] o.s.c.support.DefaultLifecycleProcessor : Stopping beans in phase 2147483647
5 tests completed, 2 failed
:test FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':test'.
The failed test report says :
" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target "
Could anyone help me out?
While trying to figure out why my scans take longer than anticipated, I discovered scan queue items of pages that do not exist in my web application.
I show the problem with an example:
My web application consists of http://localhost/ and http://localhost/task/show.
I add http://localhost to the scope, set it as spider seed and use it to initiate an active scan.
My site map consists of:
http://localhost
task
show
And my scan queue consists of:
I do not expect and I do not want to scan the second URL, as it does not exist in my application.
It seems like calling IBurpExtenderCallbacks.getSiteMap() returns an entry for this path, too, although Burp - more precisely Burp's spider - never issued a request to http://localhost/task.
We can also observe this behavior when calling the REST API to obtain the site map. It outputs entries without a response, which is checked in the HttpMessage class:
if (iHttpRequestResponse.getResponse() != null) {
...
}
The solution here would be to only send a site map entry to the scanner, if it has a response:
public class BurpService {
    ...
    public boolean scan(String baseUrl, boolean isActive)
            throws MalformedURLException {
        ...
        for (IHttpRequestResponse iHttpRequestResponse : siteMapInScope) {
            if (iHttpRequestResponse.getResponse() == null) {
                continue;
            }
            ...
Currently it seems that the Burp proxy is binding by default to localhost, and that the API is listening on 0.0.0.0. It would be awesome if we were able to control these by command line arguments in a similar way that we currently can with the port options.
The main line I found in the code that seemed relevant was:
But I'm not 100% sure if that is correct, as it seems like it's part of an integration test.
Hi team,
Please fix by adding the missing ')' to this file:
burp-rest-api\src\main\java\com\vmware\burp\extension\service\BurpService.java
line 74: error: ')' expected
Thanks
There is currently an endpoint that allows the current scan status to be retrieved, but not an equivalent for the spider.
It would be cool to be able to check when it has 'finished spidering', or how many items are left in its queue (similar to what is shown in the Burp UI).
Releasing a stable version by tagging would be helpful, since I am automating the download and installation of the REST API.
Hi guys, lately I have been having the following error when trying to build the burp-rest-api. The following test fails when building.
com.vmware.burp.extension.client.BurpClientIT > testConfigMethods FAILED
java.lang.IllegalStateException
Caused by: org.springframework.context.ApplicationContextException
Caused by: java.lang.NoSuchMethodError
When I run the burp-rest-api.jar the following error shows up:
org.springframework.context.ApplicationContextException: Failed to start bean 'documentationPluginsBootstrapper'; nested exception is java.lang.NoSuchMethodError: springfox.documentation.spi.service.contexts.RequestMappingContext.getHandlerMethod()Lorg/springframework/web/method/HandlerMethod;
I have tried it with a clean code base and burp suite pro file but this issue remains. It looks like it has something to do with Spring but I couldn't figure it out. Did someone else also encounter this problem?
Hello,
There is a problem when running this in Docker: you can't accept the EULA or enter your license key. This happens when using gradlew bootRun.
I solved it by setting standardInput = System.in inside the bootRun block in build.gradle.
Hope this helps.
Regards.
How is it possible to restrict access to the API to localhost only?
I don't want to expose my machine to external calls from other PCs on the network.
netstat report:
::::8090 //api access everybody
127.0.0.1:8080 //proxy access localhost
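A check for the exposure described in this report and in the earlier request about bind addresses, added here as an example (it is not code from the burp-rest-api project): it parses `ss -ltn` / `netstat -ltn` style output and flags listeners on the API port that are not bound to loopback. The sample lines are constructed; ports 8090 and 8080 are the ones quoted on this page, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in `ss -ltn` and `netstat -ltn` layout (not real output).
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50      127.0.0.1:8080      0.0.0.0:*
LISTEN  0       100     *:8090              *:*
LISTEN  0       128     [::1]:631           [::]:*
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::8090                 :::*                    LISTEN
tcp        0      0 192.0.2.10:8090         0.0.0.0:*               LISTEN
tcp6       0      0 [::ffff:127.0.0.1]:8090 :::*                    LISTEN
"""

# A local endpoint is "<host>:<numeric port>"; peer columns end in ":*" and never match.
ADDR_PORT = re.compile(r"^(?P<host>.*):(?P<port>\d+)$")


def classify(host):
    """Return 'loopback', 'wildcard', 'specific' or 'unknown' for a bind address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %scope suffix
    if host == "*":
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    if ip.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def parse_listeners(text):
    """Extract (host, port) of every listening socket from ss/netstat text."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if "LISTEN" not in tokens:
            continue  # header lines and non-listening sockets
        for token in tokens:
            match = ADDR_PORT.match(token)
            if match:  # first address:port token is the local endpoint
                listeners.append((match.group("host"), int(match.group("port"))))
                break
    return listeners


def exposed_listeners(text, ports):
    """List listeners on the given ports that are reachable beyond loopback.

    Addresses that cannot be parsed are reported too, so the check fails closed.
    """
    findings = []
    for host, port in parse_listeners(text):
        kind = classify(host)
        if port in ports and kind != "loopback":
            findings.append((host, port, kind))
    return findings


if __name__ == "__main__":
    for host, port, kind in exposed_listeners(SAMPLE, {8090, 8080}):
        print(f"port {port} bound to {host} ({kind}): reachable from other hosts")
```

To check a live host, pass the text of `ss -ltn` (or `netstat -ltn`) to `exposed_listeners` instead of `SAMPLE`.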
I tried to start gradlew bootRun -Dproject-file=/opt/project-fil.burp
but I got:
Launching the Burp with options: [--project-file=/tmp/temp-project-dir-876864466082593177/temp-project.burp, --config-file=/tmp/project-options1095584310114412893.json, --user-config-file=/tmp/user-options6426525993457471961.json]
Why did BURP start with a temp project-file?
curl -X POST --header 'Content-Type: application/json' --header 'Accept: */*' 'http://yyy.yyy.yyy.yyy:8090/burp/spider?baseUrl=https://xxx.xxx.xxx.xxx'
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: */*' 'http://yyy.yyy.yyy.yyy:8090/burp/target/scope?url=https://xxx.xxx.xxx.xxx'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://yyy.yyy.yyy.yyy:8090/burp/scanner/scans/active?baseUrl=https://xxx.xxx.xxx.xxx'
<After this, when I look at the BURP UI, under the scanner tab, it shows "waiting" for all the URLs>
curl -X GET --header 'Accept: application/json' 'http://10.142.147.30:8090/burp/scanner/status'
curl -X GET --header 'Accept: application/octet-stream' 'http://yyy.yyy.yyy.yyy:8090/burp/report?urlPrefix=https://xxx.xxx.xxx.xxx&reportType=HTML'
WHERE:
xxx.xxx.xxx.xxx == Application IP where the scan needs to be performed
yyy.yyy.yyy.yyy == IP where the BURP tool is running
BURP Jar ==> burpsuite_pro_v1.7.11.jar
VMware REST APIs for BURP --> burp-rest-api-1.0.0.jar
Issue:
Pre-existing scopes for projects appear to be reset upon opening a project.
Steps to reproduce:
Burpsuite version: 1.7.34
First off, thanks for writing this. I'm looking forward to using it. I am however having some issues. Perhaps it's noob related since this is the first time I'm attempting to get it to work.
I've successfully built it (from master) and am running it.
STEP 1
STEP 2
This results in:
2017-02-23 23:52:53.826 INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.web.BurpController : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.831 INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService : Total SiteMap size: 325
2017-02-23 23:52:53.831 INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.833 INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService : Number of URLs submitting for Active Scan: 220
2017-02-23 23:53:12.970 INFO 26615 --- [nio-8090-exec-6] c.v.burp.extension.service.BurpService : Getting percentage complete.
2017-02-23 23:53:12.970 INFO 26615 --- [nio-8090-exec-6] c.v.b.e.domain.internal.ScanQueueMap : Scan Queue is empty. Returning the Percent Complete as 100%.
Nothing is actually scanned. Calling the endpoint to retrieve issues or the report yields 0 findings.
I'm not sure what I'm doing wrong here, and trying to diagnose with setting headless=false doesn't actually work. It always runs in headless mode - at least on macOS.
I also tried to /burp/reset but that results in a 500 with a RuntimeException being thrown.
I'm running on Java 8 u111 with burpsuite_pro_v1.7.17.jar
Any pointers greatly appreciated.
When using the Rest API, the only extension which successfully loads is the Burp Rest Extension. Upon trying to load a Java extension, you are presented with an error message stating:
java.lang.Exception: Extension does not implement any usable methods
Python extensions give a message along these lines:
java.lang.ClassCastException: org.python.core.PySingleton cannot be cast to burp.IBurpExtender
When using Burp normally with the traditional java -jar <location to burp jar> the extensions work without issue.
The Extension options are consistent across both the Rest API instance of Burp and the normal instance you would run with Burp.
-- Confirmed to be a problem on Burp 1.7.14 as well.
Hi there,
First of all, great work and pretty cool extension!
Is there any chance you could provide .jar in the release section? That would be really helpful.
Thanks,
Hi,
I am trying to run the burp rest api module with the burp java jar command, but I didn't find burp-rest-api-1.0.0.jar. Could you please create a video file to show the valid configuration and run a sample API, so beginners will know exactly how they can use this valuable work?
I have a problem. I downloaded and extracted burp-rest-api on my Kali.
Then I downloaded burp free edition, put it in burp-rest-api/lib and renamed it, like you said, to burpsuite_pro.jar,
then ran ./gradlew bootRun "-Dburp.edition=free".
It shows "downloading https://...gradle-2.13-bin.zip"
"unzipping ... set executable permission /root/.gradle/wrapper/dists/gradle-2.13-bin/.../bin/gradle"
Then the process ends without error.
But I don't see any build directory or burp-rest-api.jar.
What is the problem?
Hi,
First of all, kudos on the project. The most important API for me is initiating an active scan. Although I'm getting a 200 response, I don't see the URLs getting populated in the scan queue. Below is what I see in the active logs:
2018-04-09 15:02:20.174 INFO 21442 --- [tp1816120828-17] c.v.burp.extension.service.BurpService : Is https://mysite.com in Scope: true
2018-04-09 15:02:20.179 INFO 21442 --- [tp1816120828-17] c.v.burp.extension.service.BurpService : Number of URLs submitting for Active Scan: 867
2018-04-09 15:02:27.907 INFO 21442 --- [tp1816120828-18] c.v.burp.extension.service.BurpService : Getting percentage complete
2018-04-09 15:02:27.907 INFO 21442 --- [tp1816120828-18] c.v.b.e.domain.internal.ScanQueueMap : Scan Queue is empty. Returning the Percent Complete as 100%.
Am I missing something here?
My Burp version is v1.7.33
Having these errors after running gradlew bootRun
java:11: error: cannot find symbol
public class BurpExtender implements IBurpExtender {
^
symbol: class IBurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:14: error: cannot find symbol
private IBurpExtenderCallbacks callbacks;
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:15: error: cannot find symbol
private IExtensionHelpers helpers;
^
symbol: class IExtensionHelpers
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:31: error: cannot find symbol
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:46: error: cannot find symbol
public IBurpExtenderCallbacks getCallbacks() {
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:50: error: cannot find symbol
public IExtensionHelpers getHelpers() {
^
symbol: class IExtensionHelpers
location: class BurpExtender
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:10: error: cannot find symbol
import burp.IExtensionHelpers;
^
symbol: class IExtensionHelpers
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:11: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:59: error: cannot find symbol
public HttpMessage(IHttpRequestResponse iHttpRequestResponse) {
^
symbol: class IHttpRequestResponse
location: class HttpMessage
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:9: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:10: error: cannot find symbol
import burp.IScanIssue;
^
symbol: class IScanIssue
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:65: error: cannot find symbol
public ScanIssue(IScanIssue iScanIssue) {
^
symbol: class IScanIssue
location: class ScanIssue
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:10: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:24: error: cannot find symbol
private Map<String, IHttpRequestResponse[]> map = new HashMap<>();
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:30: error: cannot find symbol
public void addItem(String url, IHttpRequestResponse[] siteMapUrl) {
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:52: error: cannot find symbol
private IHttpRequestResponse[] getQueue(String url) {
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:61: error: cannot find symbol
private boolean compareSiteMap(IHttpRequestResponse[] newSiteMap, IHttpRequestResponse[] oldSiteMap){
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:61: error: cannot find symbol
private boolean compareSiteMap(IHttpRequestResponse[] newSiteMap, IHttpRequestResponse[] oldSiteMap){
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:9: error: cannot find symbol
import burp.IScanQueueItem;
^
symbol: class IScanQueueItem
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:22: error: cannot find symbol
private Map<String, List> map = new HashMap<>();
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:24: error: cannot find symbol
public void addItem(String url, IScanQueueItem iScanQueueItem) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:51: error: cannot find symbol
private List getQueue(String url) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:10: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:11: error: cannot find symbol
import burp.IScanIssue;
^
symbol: class IScanIssue
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:12: error: cannot find symbol
import burp.IScanQueueItem;
^
symbol: class IScanQueueItem
location: package burp
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:30: error: method does not override or implement a method from a supertype
@Override
^
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:63: error: cannot find symbol
IExtensionHelpers helpers = BurpExtender.getInstance().getHelpers();
^
symbol: class IExtensionHelpers
location: class HttpMessage
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:81: error: cannot find symbol
IHttpRequestResponse iHttpRequestResponse = iScanIssue.getHttpMessages()[i];
^
symbol: class IHttpRequestResponse
location: class ScanIssue
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:88: error: cannot find symbol
IHttpRequestResponse[] httpMessageListOld = map.get(url);
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:89: error: cannot find symbol
IHttpRequestResponse[] httpMessageListNew = BurpExtender.getInstance().getCallbacks().getSiteMap(url);
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:26: error: cannot find symbol
List list = map.get(url);
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:30: error: cannot find symbol
List list = new ArrayList<>();
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:68: error: cannot find symbol
for (IScanQueueItem iScanQueueItem : getQueue(url)) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:108: error: cannot find symbol
burp.StartBurp.main(burpOptions);
^
symbol: class StartBurp
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:170: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : BurpExtender.getInstance().getCallbacks()
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:183: error: cannot find symbol
IHttpRequestResponse[] siteMapInScope = BurpExtender.getInstance().getCallbacks().getSiteMap(baseUrl);
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:185: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : siteMapInScope) {
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:195: error: cannot find symbol
IScanQueueItem iScanQueueItem = BurpExtender.getInstance().getCallbacks()
^
symbol: class IScanQueueItem
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:222: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : BurpExtender.getInstance().getCallbacks()
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:250: error: cannot find symbol
IScanIssue[] iScanIssues = BurpExtender.getInstance().getCallbacks()
^
symbol: class IScanIssue
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:252: error: cannot find symbol
for (IScanIssue iScanIssue : iScanIssues) {
^
symbol: class IScanIssue
location: class BurpService
41 errors
:compileJava FAILED
FAILURE: Build failed with an exception.
Compilation failed; see the compiler error output for details.
When using the Burp Community jar file for building the project, Gradle fails:
PS C:\...\burp-rest-api> .\gradlew clean build
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Make sure that no other Burp instances are running !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Updating version to '1.0.2' in src\main\resources\application.yml
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava
FAILURE: Build failed with an exception.
* What went wrong:
Could not resolve all dependencies for configuration ':compileClasspath'.
> Could not find :burpsuite_pro:.
Required by:
:burp-rest-api:1.0.2
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.
BUILD FAILED
Total time: 6.973 secs
The problem seems to be caused by a dependencies section in "build.gradle" file:
dependencies {
    compile('org.springframework.boot:spring-boot-starter-web')
    compile("org.springframework.boot:spring-boot-starter-jetty")
    compile fileTree(dir: 'lib', include: '**/*.jar')
    compile "io.springfox:springfox-swagger2:2.+"
    compile "io.springfox:springfox-swagger-ui:2.+"
    compile name: 'burpsuite_pro'
    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile('org.apache.httpcomponents:httpclient:4.5.2')
    jaxb 'org.glassfish.jaxb:jaxb-jxc:2.+'
    jaxb 'org.glassfish.jaxb:jaxb-xjc:2.+'
}
Because the community version jar file is named "burpsuite_community_v.X.X.X.jar" it is not recognized as a correct jar file. I solved my problem by renaming my file to "burpsuite_pro.jar" as expected by Gradle and then it works, but that's not really user-friendly. Maybe you should correct that in the dependencies or specify this solution in your README file?
Regards.
EDIT: Some details about the environment: Windows 7, Burp Community (with jar file version 1.7.32), Gradle 4.6, Java 1.8
Hello,
Thank you for developing this. Are there any plans in the future to expand this to cover more actions in Burp Suite? Such as Intruder and Repeater attacks?
Thank you,
Hayder
I am facing the issue javax.net.ssl.SSLHandshakeException at BurpClientIT.java. Can anyone help me with this?
Because why not?
I tested the build process with a free-edition jar.
I got an error when trying to run the built jar because the --project-file argument is only supported in the Pro version. I slightly modified BurpService.java to suppress that argument and everything else works.
Maybe we can either detect that the supplied jar is free-edition and act accordingly, or at least have a command line flag that suppresses the use of the --project-file argument.
I tried to run the 'spider' endpoint, and got a little confused when it seemed to hang endlessly without returning any errors/success messages. Eventually I dug in to look at the logs and noticed the following:
burp_1 | 2018-03-15 03:29:49.405 INFO 1 --- [tp1097446581-17] c.v.burp.extension.web.BurpController : Is http://foo.example.com/ in Scope: false
burp_1 | 2018-03-15 03:29:49.406 INFO 1 --- [tp1097446581-17] c.v.burp.extension.web.BurpController : Spider is NOT performed as the http://foo.example.com/ URL is not in scope.
It would be good if this returned some form of failure/error message on the URL endpoint so I could handle it appropriately.
Hi there,
I'm trying to compile the jar using my standalone jar from Burp. It gets stuck on 83% after the following output:
20:25:57.317 [QUIET] [system.out] 2017-09-10 20:25:57.317 INFO 10898 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.318 [QUIET] [system.out] 2017-09-10 20:25:57.318 INFO 10898 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.363 [QUIET] [system.out] 2017-09-10 20:25:57.362 INFO 10898 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.517 [QUIET] [system.out] 2017-09-10 20:25:57.517 INFO 10898 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
20:25:57.529 [QUIET] [system.out] 2017-09-10 20:25:57.529 INFO 10898 --- [ main] o.s.c.support.DefaultLifecycleProcessor : Starting beans in phase 2147483647
20:25:57.530 [QUIET] [system.out] 2017-09-10 20:25:57.530 INFO 10898 --- [ main] d.s.w.p.DocumentationPluginsBootstrapper : Context refreshed
20:25:57.555 [QUIET] [system.out] 2017-09-10 20:25:57.555 INFO 10898 --- [ main] d.s.w.p.DocumentationPluginsBootstrapper : Found 1 custom documentation plugin(s)
20:25:57.669 [QUIET] [system.out] 2017-09-10 20:25:57.669 INFO 10898 --- [ main] s.d.s.w.s.ApiListingReferenceScanner : Scanning for api listing references
20:25:58.115 [QUIET] [system.out] 2017-09-10 20:25:58.115 INFO 10898 --- [ main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8090 (http)
20:25:58.124 [QUIET] [system.out] 2017-09-10 20:25:58.123 INFO 10898 --- [ main] c.vmware.burp.extension.BurpApplication : Started BurpApplication in 11.266 seconds (JVM running for 11.632)
20:25:58.609 [QUIET] [system.out] [NEW] X-Powered-By:\s*Kohana Framework ([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Microsoft-HTTPAPI/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Indy/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] X-Powered-By:\s*mod_rails/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-Powered-By: Undertow/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-OWA-Version: ([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Oracle Application Server\/([\d\.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\s*HP-iLO-Server/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\smod_DA/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\s*CouchDB/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-Powered-By:\s*JBoss-([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] <span class="version">Artifactory Pro Power Pack ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] mod_perl/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Server:\s*mod_wsgi/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] jQuery UI ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Server:\s*Oracle-HTTP-Server/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] <div class="ui left">
20:25:58.611 [QUIET] [system.out] \s+© \d{4} Gogs Version: ([\d.]+) Page:
20:25:58.611 [QUIET] [system.out] [NEW] X-Powered-By:\sLua ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Adminer</a> <span class="version">([\d.]+)</span>
20:25:58.612 [QUIET] [system.out] [NEW] onclick="bodyClick\(event\);" onload="verifyVersion\('([\d.]+)'\);">
20:25:58.612 [QUIET] [system.out] [NEW] Server:\s*mod_rack/([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] NSC/([\d.]+) \(JVM\)
20:25:58.612 [QUIET] [system.out] [NEW] Ruby/([\d.]+(?:/\d{4}-\d{2}-\d{2})?)
20:25:58.612 [QUIET] [system.out] [NEW] Server:\s*Schneider-WEB/V?([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] Liferay-Portal:\s*[a-z\s]+([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] X-Cocoon-Version: ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*OpenSSL/([\d.]+[a-z]?)
20:25:58.613 [QUIET] [system.out] [NEW] X-TeaLeaf-UIEventCapture-Version: ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] JBPAPP_([\d_]+(?:GA)?)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*cpsrvd/([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] IBM_HTTP_Server/([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] jQuery UI Core ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] GlassFish Server Open Source Edition ([\d\.]+)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*mod_python/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] MicrosoftSharePointTeamServices: ([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*TwistedWeb/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*Embedthis-http/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*HP_Compact_Server/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*Winstone Servlet Engine v?([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] X-Powered-By:\s*Winstone.([\d.]+)
20:25:58.615 [QUIET] [system.out] [NEW] jQuery v([\d.]+)
20:25:58.615 [QUIET] [system.out] [NEW] <link\s[^>]*href="[^"]*?([\d.]+)/themes/resources/owafont\.css
20:25:58.616 [QUIET] [system.out] [NEW] Phusion Passenger(?: \([a-zA-Z_/]+\))? ([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] TornadoServer/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] Apache-Coyote/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] <!--Coppermine Photo Gallery ([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] X-ATG-Version:\s*ATGPlatform/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] Jetty\([v\d.]+\)
20:25:58.617 [QUIET] [system.out] [NEW] var APPLICATION_FULL_VERSION = '([\d.]+)';
> Building 83% > :bootRun
I tried to run it with --debug and also using clean build, but the same thing always happens.
Do you know what could be happening?
Thanks in advance!
I've traced the issue down to lines 158-164 in BurpService.java
Specifically, you're iterating through items that were entered into the sitemap, however this logic doesn't seem right. When initially submitting a URL to be spidered, you correctly add it to the scope, however, this does not also add it to the sitemap. This can't be done by the spidering code, so you'd likely have to extend the BurpExtender to also listen on proxy events in order to get items into the sitemap.
But this seems like you would have uncovered it in testing. I'm either missing a step in the use of this API or we shouldn't be relying on items in the sitemap to be submitted to the active scanner. Could someone here help me out?
Trying to build this inside a Docker container:
FROM openjdk:8-jdk-alpine
RUN apk add --no-cache git ca-certificates bash
ENV BURP_VERSION='1.7.32'
WORKDIR /home/burp-rest-api
RUN git clone https://github.com/vmware/burp-rest-api.git .
COPY burpsuite_pro_v${BURP_VERSION}.jar ./lib/burpsuite_pro.jar
CMD ["/bin/sh"]
Also tried this without alpine (FROM openjdk:8-jdk), in case that was an issue, but it still failed.
When I run ./gradlew clean build --info I get the following error:
com.vmware.burp.extension.client.BurpClientIT STANDARD_ERROR
java.lang.NullPointerException
:test FAILED
:test (Thread[main,5,main]) completed. Took 19.685 secs.
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':test'.
> Process 'Gradle Test Executor 1' finished with non-zero exit value 10
So the failure appears to be occurring somewhere with:
Hello there, thanks for the great work, however I got an error when trying to run and build. Could not find or load main class org.gradle.wrapper.GradleWrapperMain
Hey, I was wondering if you could please add a feature to send customized requests to the scanner? For example, I want to be able to configure the following for each request I send to the scanner:
Thanks! :)
EDIT: You can simply make requests through the proxy, which are then stored in the sitemap, which can then be scanned. Spoke too soon. :)
$ ./gradlew bootRun "-Dburp.edition=free"
and piping 'y' to the command
$ yes | ./gradlew bootRun "-Dburp.edition=free"
both fail with:
Do you accept the license agreement? (y/n)
:bootRun FAILED
FAILURE: Build failed with an exception.
Process 'command '/usr/lib/jvm/java-8-openjdk-amd64/bin/java'' finished with non-zero exit value 11
BUILD FAILED
Using BurpSuitePro 1.7.31
Failed tests
BurpClientIT.testGetProxyHistoryAndSiteMap
BurpClientIT.testScannerSpiderAndReportMethods
c$ ./gradlew clean build
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava
Note: /Users/<>/Code/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
:processResources
:classes
:findMainClass
:jar
:bootRepackage
:assemble
:compileTestJava
:processTestResources UP-TO-DATE
:testClasses
:test
com.vmware.burp.extension.client.BurpClientIT > testConfigMethods FAILED
org.springframework.web.client.HttpServerErrorException at BurpClientIT.java:88
com.vmware.burp.extension.client.BurpClientIT > testGetProxyHistoryAndSiteMap FAILED
javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
com.vmware.burp.extension.client.BurpClientIT > testScannerSpiderAndReportMethods FAILED
javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
2018-01-30 01:11:45.480 INFO 2857 --- [ Thread-7] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@451f19b8: startup date [Tue Jan 30 01:11:24 IST 2018]; root of context hierarchy
2018-01-30 01:11:45.485 INFO 2857 --- [ Thread-7] o.s.c.support.DefaultLifecycleProcessor : Stopping beans in phase 2147483647
5 tests completed, 3 failed
:test FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':test'.
> There were failing tests. See the report at: file:///Users/<>/Code/burp-rest-api/build/reports/tests/index.html
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.
BUILD FAILED
When I start the burp rest api, I get an error:
FAILURE: Build failed with an exception.
Process 'command '/usr/local/share/java/jdk1.8.0_171/bin/java'' finished with non-zero exit value 1
Hi!
It took a little while, but I have X11 forwarding working from my osx laptop to an ec2 instance.
If desired, I can create a PR to the docs. Steps:
My ssh X11 forwarding looked like this
mac> ssh -X -L 5901:localhost:5901 -i ~/path_to_privatekey ubuntu@ip -vv
After installing vncserver as per biranlinkletter, the main differences were
This opened an Xterm on my mac, but I got display errors.
I solved this by setting
AWS> export DISPLAY=localhost:1
Probably the most robust way to find out the Display port running vncserver is to check the :600N entry below. N is the port, in my case, 1.
ubuntu@ip-172-31-17-158:~$ netstat -plan | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 2124/Xvnc4
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::5901 :::* LISTEN 2124/Xvnc4
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 3525/java
tcp6 0 0 :::22 :::* LISTEN -
building with spring-boot-gradle-plugin 1.3.2 bombs out with an error: "Could not create task of type 'DependencyManagementReportTask'."
FAILURE: Build failed with an exception.
* Where:
Build file 'burp-rest-api/build.gradle' line: 15
* What went wrong:
A problem occurred evaluating root project 'burp-rest-api'.
> Failed to apply plugin [class 'io.spring.gradle.dependencymanagement.DependencyManagementPlugin']
> Could not create task of type 'DependencyManagementReportTask'.
Seems to be related to this known issue
quick fix is to add updated dependency management plugin to the dependencies section of the buildscript.
15:46 $ gradle --version
------------------------------------------------------------
Gradle 3.4.1
------------------------------------------------------------
Build time: 2017-03-03 19:45:41 UTC
Revision: 9eb76efdd3d034dc506c719dac2955efb5ff9a93
Groovy: 2.4.7
Ant: Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM: 1.8.0_112 (Oracle Corporation 25.112-b16)
OS: Mac OS X 10.12.3 x86_64
this worked for me:
15:53 $ git diff build.gradle
diff --git a/build.gradle b/build.gradle
index def410c..3d044f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -5,6 +5,7 @@ buildscript {
}
dependencies {
+ classpath("io.spring.gradle:dependency-management-plugin:0.6.1.RELEASE")
classpath("org.springframework.boot:spring-boot-gradle-plugin:1.3.2.RELEASE")
}
}
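Review bot: the added classpath line in the buildscript dependencies block pins dependency-management-plugin to 0.6.1.RELEASE with no comment saying why it is there, so whoever next changes spring-boot-gradle-plugin from 1.3.2.RELEASE cannot tell whether the override is still needed. Put a one-line comment above it naming the failure it works around ("Could not create task of type 'DependencyManagementReportTask'") and the Gradle version it was seen with (3.4.1), and confirm the build still passes with the Gradle version the wrapper uses, since only a locally installed Gradle is shown here.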
I don't know enough about gradle/spring boot to submit a more refined fix (if any is actually needed), so no offense taken if you close this wontfix straight away
I tried to use the 2.13 version of Gradle as suggested, but nothing happens. Tried Burp Pro on latest Kali and Ubuntu.
I am getting the below error when executing the gradle build --info
com.vmware.burp.extension.client.BurpClientIT STANDARD_ERROR Burp project files are not supported on this edition of Burp
I am using the Burp free version burpsuite_free_v1.7.20.jar and gradle version is 4.0.2
log :
2017-08-01 05:08:29.431 INFO 21845 --- [ Test worker] c.v.burp.extension.client.BurpClientIT : Starting BurpClientIT on ip-172-31-11-213 with PID 21845 (/home/anil/burp-rest-api/build/classes/java/test started by root in /home/anil/burp-rest-api)
2017-08-01 05:08:29.431 INFO 21845 --- [ Test worker] c.v.burp.extension.client.BurpClientIT : No active profile set, falling back to default profiles: default
2017-08-01 05:08:29.460 INFO 21845 --- [ Test worker] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@c99b59d: startup date [Tue Aug 01 05:08:29 UTC 2017]; root of context hierarchy
2017-08-01 05:08:30.108 INFO 21845 --- [ Test worker] o.s.b.f.s.DefaultListableBeanFactory : Overriding bean definition for bean 'beanNameViewResolver' with a different definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration.class]] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter.class]]
2017-08-01 05:08:30.528 INFO 21845 --- [ Test worker] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat initialized with port(s): 8090 (http)
2017-08-01 05:08:30.538 INFO 21845 --- [ Test worker] o.apache.catalina.core.StandardService : Starting service Tomcat
2017-08-01 05:08:30.539 INFO 21845 --- [ Test worker] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/8.0.30
2017-08-01 05:08:30.608 INFO 21845 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2017-08-01 05:08:30.608 INFO 21845 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 1151 ms
2017-08-01 05:08:30.787 INFO 21845 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/]
2017-08-01 05:08:30.790 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
2017-08-01 05:08:30.839 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : # of command line arguments received to Burp suite: 0
2017-08-01 05:08:30.841 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : Launching the Burp suite (pro edition) in headless mode...
2017-08-01 05:08:30.845 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : Launching the Burp suite with options: [--project-file=temp-project.burp, --config-file=/tmp/project-options4203813438758469740.json, --config-file=/tmp/user-options6124988651167321627.json]
The api's model for getSitemap has currently the following properties:
{
comment,
highlight,
host,
port,
protocol,
request, // Specified in documentation, but not included in response
response, // Specified in documentation, but not included in response
statusCode,
url,
}
This set of properties is incomplete in terms of being able to identify a particular request, because the method property is missing, especially since request and response, from which the method could be extracted, are excluded from the api's response.
The method of a request can simply be obtained by:
IExtensionHelpers helpers = BurpExtender.getInstance().getHelpers();
String method = helpers.analyzeRequest(iHttpRequestResponse).getMethod();
As it is done for other values such as url in the class HttpMessage.
Also, other useful information, that burp provides to its extensions, should be added to the model:
if (iHttpRequestResponse.getResponse() != null) {
// analyzeResponse() takes the raw response bytes, not the IHttpRequestResponse itself
IResponseInfo responseInfo = helpers.analyzeResponse(iHttpRequestResponse.getResponse());
List<ICookie> cookies = responseInfo.getCookies();
List<String> headers = responseInfo.getHeaders();
}
Hello,
After a successful build I tried to run with this command:
java -jar build/libs/burp-rest-api-1.0.3.jar --burp.edition=free
and I got this error:
"Burp project files are not supported on this edition of Burp"
Any idea ?
Thx
Added saved state file in the path "../../src/main/resources/cleanstate/" and triggered the reset method, but it is throwing "Internal Server Error". Here is the log displayed on the console. State, json and burp files were tried for this exercise, but no luck.
2017-07-28 01:50:02.792 INFO 2204 --- [nio-8090-exec-7] c.v.burp.extension.service.BurpService : Restoring state by replacing state with a new state
2017-07-28 01:50:02.793 ERROR 2204 --- [nio-8090-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.RuntimeException: java.lang.RuntimeException: An error occurred during restore operation] with root cause
java.lang.RuntimeException: java.lang.RuntimeException: An error occurred during restore operation
at burp.fwe.a(Unknown Source) ~[burpsuite_pro.jar:na]
at burp.ar.restoreState(Unknown Source) ~[burpsuite_pro.jar:na]
at com.vmware.burp.extension.service.BurpService.restoreState(BurpService.java:244) ~[main/:na]
at com.vmware.burp.extension.web.BurpController.resetState(BurpController.java:337) ~[main/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
Hi there,
I tried using gradle to build the .jar and this is the error I have:
$ ./gradlew clean build
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava
/home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:89: error: cannot find symbol
burp.StartBurp.main(burpOptions);
^
symbol: class StartBurp
location: package burp
/home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:98: error: cannot find symbol
burp.StartBurp.main(args.getSourceArgs());
^
symbol: class StartBurp
location: package burp
Note: /home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
2 errors
:compileJava FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':compileJava'.
> Compilation failed; see the compiler error output for details.
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.
BUILD FAILED
Total time: 10.199 secs
Any idea what I can do to build it?
Cheers,
In the build and run section, it is mentioned that:
Create a lib folder under the project directory and place the Burp Suite JAR file into it.
We are not able to understand this step. Kindly elaborate on this one.
Do we need to perform this step in the burp project, or in the eclipse project while creating a jar file?
While trying to build the project via gradle build I am getting following error message:-
A problem occurred evaluating root project 'burp-rest-api-master'.
Failed to apply plugin [class 'io.spring.gradle.dependencymanagement.DependencyManagementPlugin']
Could not create task of type 'DependencyManagementReportTask'.
Gradle version :- 4.6
Groovy version :- 2.4.12
Can someone help me out ? I need to use these RestAPI soon
Thanks,
NIshant Shah
It doesn't load my config file and falls back to the default config.
I just changed the proxy listen_mode from "loopback_only" to "all_interfaces" in my new config file, and run it using the following command:
$ java -jar burp-rest-api/build/libs/burp-rest-api-1.0.0.jar --config-file=/tmp/project-options.json
Log:
2017-08-01 06:59:16.239 INFO 28104 --- [ main] c.vmware.burp.extension.BurpApplication : Starting BurpApplication v1.0.0 with PID 28104 (burp-rest-api/build/libs/burp-rest-api-1.0.0.jar started by ec2-user in /tmp/burp)
2017-08-01 06:59:16.265 INFO 28104 --- [ main] c.vmware.burp.extension.BurpApplication : No active profile set, falling back to default profiles: default
2017-08-01 06:59:16.457 INFO 28104 --- [ main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@36f8f43d: startup date [Tue Aug 01 06:59:16 UTC 2017]; root of context hierarchy
...
2017-08-01 06:59:21.025 INFO 28104 --- [ main] c.v.burp.extension.service.BurpService : Launching the Burp suite (pro edition) in headless mode...
2017-08-01 06:59:21.033 INFO 28104 --- [ main] c.v.burp.extension.service.BurpService : Launching the Burp suite with options: [--project-file=temp-project.burp, --config-file=/tmp/project-options8553372049623231948.json, --config-file=/tmp/user-options2287475060260215367.json]
Proxy: Proxy service started on 127.0.0.1:8080
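A startup-log check for the symptom reported above, as an added example that is not part of the original post or of burp-rest-api: it confirms whether the config file you passed reached Burp's launch options and whether the proxy bound where that config asked. The function names are hypothetical, and the JSON layout (`proxy.request_listeners` with `listener_port` and `running`) is an assumption; only the `listen_mode` values appear in the post.

```python
import json
import re

# Two lines taken from the log in the post above.
SAMPLE_LOG = (
    "2017-08-01 06:59:21.033 INFO 28104 --- [ main] "
    "c.v.burp.extension.service.BurpService : Launching the Burp suite with options: "
    "[--project-file=temp-project.burp, "
    "--config-file=/tmp/project-options8553372049623231948.json, "
    "--config-file=/tmp/user-options2287475060260215367.json]\n"
    "Proxy: Proxy service started on 127.0.0.1:8080\n"
)

# Constructed sample of the user's edited project options (layout is an assumption).
SAMPLE_CONFIG = json.dumps({
    "proxy": {"request_listeners": [
        {"listen_mode": "all_interfaces", "listener_port": 8080, "running": True}
    ]}
})

OPTIONS_RE = re.compile(r"Launching the Burp suite with options: \[(.*)\]")
PROXY_RE = re.compile(r"Proxy service started on (\S+):(\d+)")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def effective_config_files(log_text):
    """Return the --config-file paths Burp was actually launched with."""
    match = OPTIONS_RE.search(log_text)
    if not match:
        return []
    options = [opt.strip() for opt in match.group(1).split(",")]
    prefix = "--config-file="
    return [opt[len(prefix):] for opt in options if opt.startswith(prefix)]


def proxy_binds(log_text):
    """Return (host, port) for every proxy listener the log reports as started."""
    return [(host, int(port)) for host, port in PROXY_RE.findall(log_text)]


def requested_listeners(config_text):
    """Map listener port -> listen_mode for running listeners in the config."""
    listeners = json.loads(config_text).get("proxy", {}).get("request_listeners", [])
    return {
        int(item["listener_port"]): item.get("listen_mode")
        for item in listeners
        if item.get("running", True)
    }


def audit(requested_path, config_text, log_text):
    """Compare what was asked for with what the log shows; return (code, detail) pairs."""
    findings = []
    used = effective_config_files(log_text)
    if requested_path not in used:
        findings.append(("config-not-passed",
                         f"{requested_path} absent from launch options {used}"))
    wanted = requested_listeners(config_text)
    binds = proxy_binds(log_text)
    for host, port in binds:
        on_loopback = host in LOOPBACK
        mode = wanted.get(port)
        if mode == "all_interfaces" and on_loopback:
            findings.append(("listen-mode-not-applied",
                             f"port {port} requested all_interfaces, bound to {host}"))
        elif not on_loopback and mode != "all_interfaces":
            # Reachable from the network although the config did not ask for it.
            findings.append(("listener-exposed",
                             f"port {port} bound to {host}, config says {mode}"))
    for port in sorted(set(wanted) - {p for _, p in binds}):
        findings.append(("listener-missing", f"no start line for port {port}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit("/tmp/project-options.json", SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{code}: {detail}")
```

The `listener-exposed` branch covers the opposite drift: an intercepting proxy reachable from other hosts when the reviewed config said loopback only.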
Currently the wrapper is set to build with 2.13 (Apr 25, 2016):
The latest version appears to be 4.6 (Feb 28, 2018):
Hi!
I have problems with using extensions.
Burp version 1.7.27
If I launch jar with UI:
java -jar burp-rest-api.jar --headless.mode=false
None of the extensions work, failing with the error:
java.lang.Exception: Extension does not implement any usable methods
at burp.eqh.<init>(Unknown Source)
at burp.b0g.a(Unknown Source)
at burp.kpe.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
If I launch from gradle:
./gradlew bootRun -Djava.awt.headless=false
got errors:
This extension requires Burp Suite Pro 1.7.10 or later
java.lang.NoSuchMethodError
at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:39)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at burp.mch.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
java.lang.IllegalArgumentException: Cannot create PyString with non-byte value
at org.python.core.PyString.<init>(PyString.java:64)
at org.python.core.PyString.<init>(PyString.java:70)
at org.python.core.Py.newString(Py.java:641)
at org.python.core.PySystemState.initRegistry(PySystemState.java:800)
at org.python.core.PySystemState.doInitialize(PySystemState.java:1045)
at org.python.core.PySystemState.initialize(PySystemState.java:974)
at org.python.core.PySystemState.initialize(PySystemState.java:930)
at org.python.core.PySystemState.initialize(PySystemState.java:925)
at org.python.core.PySystemState.initialize(PySystemState.java:920)
at org.python.core.PySystemState.initialize(PySystemState.java:916)
at org.python.core.ThreadStateMapping.getThreadState(ThreadStateMapping.java:32)
at org.python.core.Py.getThreadState(Py.java:1440)
at org.python.core.Py.getThreadState(Py.java:1436)
at org.python.core.Py.getSystemState(Py.java:1456)
at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:105)
at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:94)
at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:71)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at burp.gqh.<init>(Unknown Source)
at burp.b0g.a(Unknown Source)
at burp.kpe.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
The path to Jython is correct.
I am new to burp and I would like to implement testing using java code. So is it required to have the burp .exe file to execute the file?
And what is the flow of code when we do it with java?
Team,
I have performed the following steps:
1-used ./gradlew bootRun, I am able to launch an instance of Burp.
Following instructions in #6 and #11.
2-copied my project and user options into "src/main/resources/static/" and then ran the gradlew executable present in the folder structure