vmware / burp-rest-api Goto Github PK

Team,

I have followed the steps in
#6 and #11 . What I am doing is:
-Create a lib folder and copy my Burp jar in it. (v 1.7.27 pro)
-Build with ./gradlew clean build

I get the following error:

    javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
        Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
            Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199

com.vmware.burp.extension.client.BurpClientIT > testScannerSpiderAndReportMethods FAILED
    javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
        Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
            Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
2017-10-04 09:26:45.572  INFO 30804 --- [       Thread-9] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@727dbff5: startup date [Wed Oct 04 09:26:32 EDT 2017]; root of context hierarchy
2017-10-04 09:26:45.575  INFO 30804 --- [       Thread-9] o.s.c.support.DefaultLifecycleProcessor  : Stopping beans in phase 2147483647

5 tests completed, 2 failed
:test FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':test'.

The failed test report says :
" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target "

Could anyone help me out ?

While trying to figure out why my scans take longer than anticipated, I discovered scan queue items of pages that do not exist in my web application.

I show the problem with an example:

My web application consists of http://localhost/ and http://localhost/task/show.
I add the http://localhost to the scope, set it as spider seed and use it to initiate an active scan.
My site map contains of:

http://localhost
  task
    show

And my scan queue contains of:

• http://localhost
• http://localhost/task
• http://localhost/task/show

I do not expect and I do not want to scan the second URL, as it does not exist in my application.
It seems like calling IBurpExtenderCallbacks.getSiteMap()returns an entry for this path, too, although burp - more precisely burp's spider - never issued a request to http://localhost/task.

We can also observe this behavior when calling the rest API to obtain the site map. It outputs entries without a response, which is checked in the HttpMessage class:

if (iHttpRequestResponse.getResponse() != null) {
...
}

The solution here would be to only send a site map entry to the scanner, if it has a response:

public class BurpService {
...
  public boolean scan(String baseUrl, boolean isActive)
            throws MalformedURLException {
...
        for (IHttpRequestResponse iHttpRequestResponse : siteMapInScope) {
          if (iHttpRequestResponse.getResponse() == null) {
            continue;
          }
...

Currently it seems that the burp proxy is binding by default to localhost, and that the API is listening on 0.0.0.0. It would be awesome if we were able to control these by command line arguments in a similar way that we currently can with the port options.

The main line I found in the code that seemed relevant was:

• burp-rest-api/src/test/java/com/vmware/burp/extension/client/BurpClientIT.java

  Line 60 in 0fca0b5

  burpClient = new BurpClient("http://localhost:" + port);

But not 100% if that is correct, as it seems like it's part of an integration test.

Hi ,

after running the commands

gradlew clean build
# and run it
java -jar build/libs/burp-rest-api-1.0.2.jar --burp.edition=free # for free edition

Throwing exception.

It will be better if you could please share a video with free edition.
Not able to understand this null pointer exception.

Hi team,

Please fix by add missing ')' to this file :
burp-rest-api\src\main\java\com\vmware\burp\extension\service\BurpService.java
line 74: error: ')' expected

Thanks

There is currently an endpoint that allows the current scan status to be retrieved, but not an equivalent for the spider.

It would be cool to be able to check when it has 'finished spidering', or how many items are left in it's queue (similar to what is shown in the burp UI)

Releasing a stable version by tagging would be helpful, since I am automating the download and installation of the REST API.

Hi guys, lately I have been having the following error when trying to build the burp-rest-api. The following test fails when building.

com.vmware.burp.extension.client.BurpClientIT > testConfigMethods FAILED
java.lang.IllegalStateException
Caused by: org.springframework.context.ApplicationContextException
Caused by: java.lang.NoSuchMethodError

When I run the burp-rest-api.jar the following error shows up:

org.springframework.context.ApplicationContextException: Failed to start bean 'documentationPluginsBootstrapper'; nested exception is java.lang.NoSuchMethodError: springfox.documentation.spi.service.contexts.RequestMappingContext.getHandlerMethod()Lorg/springframework/web/method/HandlerMethod;

I have tried it with a clean code base and burp suite pro file but this issue remains. It looks like it has something to do with Spring but I couldn't figure it out. Did someone else also encounter this problem?

Hello,

There is a problem when running this in Docker, you can't accept the EULA or enter your license key. This happens when using gradlew bootRun

I solved it by setting standardInput = System.in inside the bootRun block in build.gradle.

Hope this helps.

Regards.

How is it possible restrict access for API only on localhost?
I don't wanna expose my machine to external call from other pc on network

netstat report
::::8090 //api access everybody
127.0.0.1:8080 //proxy access localhost

i tried to start gradlew bootRun -Dproject-file=/opt/project-fil.burp
but I got
Launching the Burp with options: [--project-file=/tmp/temp-project-dir-876864466082593177/temp-project.burp, --config-file=/tmp/project-options1095584310114412893.json, --user-config-file=/tmp/user-options6426525993457471961.json]
Why BURP started with temp project-file?

1. Start SPIDER on

curl -X POST --header 'Content-Type: application/json' --header 'Accept: /' 'http://yyy.yyy.yyy.yyy:8090/burp/spider?baseUrl=https://xxx.xxx.xxx.xxx'

1. Add Target Scope

curl -X PUT --header 'Content-Type: application/json' --header 'Accept: /' 'http:// yyy.yyy.yyy.yyy:8090/burp/target/scope?url=https://xxx.xxx.xxx.xxx'

1. Start Scan

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http:// yyy.yyy.yyy.yyy:8090/burp/scanner/scans/active?baseUrl=https://xxx.xxx.xxx.xxx'
<After this when I look BURP UI , under scanner tab , it shows "waiting" for all the URL's>

1. Get Status

curl -X GET --header 'Accept: application/json' 'http://10.142.147.30:8090/burp/scanner/status'

1. Generate Report

curl -X GET --header 'Accept: application/octet-stream' 'http:// yyy.yyy.yyy.yyy:8090/burp/report?urlPrefix=https://xxx.xxx.xxx.xxx&reportType=HTML'

WHERE:
xxx.xxx.xxx.xxx == Application IP where scan need to be performed
yyy.yyy.yyy.yyy == IP where BURP tool is running

BURP Jar ==> burpsuite_pro_v1.7.11.jar
VMWare REST API's for BURP --> burp-rest-api-1.0.0.jar

Issue:

1. Point#3 listed above, scan is showing in waiting state
2. Password for the App hosted on xxx.xxx.xxx.xxx is getting changed. For example: there is one user "onprem_nce" with password "xxxxxx". After BURP scan, we are not able to login to the application with "onprem_nce" user.?

Pre-existing scopes for projects appear to be reset upon opening a project.

Steps to reproduce:

1. Using burpsuite, open a new project & add https://example.com to the scope. Exit burpsuite.
2. Using burp-rest-api, open the previously created project. At this point it appears that the https://example.com scope is no longer there.

Burpsuite version: 1.7.34

First off, thanks for writing this. I'm looking forward to using it. I am however having some issues. Perhaps it's noob related since this is the first time I'm attempting to get it to work.

I've successfully built it (from master) and am running it.

STEP 1

• Add URL to scope
• PUT /burp/target/scope?url=http:%2F%2Fmyurl.com%2F
• STATUS: 200

STEP 2

• Start active scan
• POST /burp/scanner/scans/active?baseUrl=http:%2F%2Fmyurl.com%2F
• STATUS: 200

This results in:

2017-02-23 23:52:53.826  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.web.BurpController    : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.831  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Total SiteMap size: 325
2017-02-23 23:52:53.831  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.833  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Number of URLs submitting for Active Scan: 220
2017-02-23 23:53:12.970  INFO 26615 --- [nio-8090-exec-6] c.v.burp.extension.service.BurpService   : Getting percentage complete.
2017-02-23 23:53:12.970  INFO 26615 --- [nio-8090-exec-6] c.v.b.e.domain.internal.ScanQueueMap     : Scan Queue is empty. Returning the Percent Complete as 100%.

Nothing is actually scanned. Calling the endpoint to retrieve issues or the report yields 0 findings.

I'm not sure what I'm doing wrong here, and trying to diagnose with setting headless=false doesn't actually work. It always runs in headless mode - at least on macOS.

I also tried to /burp/reset but that results in a 500 with a RuntimeException being thrown.

I'm running on Java 8 u111 with burpsuite_pro_v1.7.17.jar

Any pointers greatly appreciated.

When using the Rest API, the only extension which successfully loads is the Burp Rest Extension. Upon trying to load a Java extension, you are presented with an error message stating:

java.lang.Exception: Extension does not implement any usable methods

Python extensions give a message along these lines:
java.lang.ClassCastException: org.python.core.PySingleton cannot be cast to burp.IBurpExtender

When using Burp normally with the traditional
java -jar <location to burp jar>
the extensions work without issue.

The Extension options are consistent across both the Rest API instance of Burp and the normal instance you would run with Burp.

• Running Burp 1.7.13 on OSX El Capitan (10.11.6)
• Running Java version 8

-- Confirmed to be a problem on Burp 1.7.14 as well.

Hi there,

First of all, great work and pretty cool extension!
Is there any chance you could provide .jar in the release section? That would be really helpful.

Thanks,

Hi,

i am trying to run burp rest api module by burp java jar command but i didn't find burp-rest-api-1.0.0.jar. could pls create a video file to show the valid configuration and run a sample API so beginners will know exactly how can they use valuable work?

I have a problem, i download and extracted bur-rest-api on my Kali.
Then i download burp free edtion and i put in bur-rest-api/lib and i renamed like you said burpsuite_pro.jar
then ./gradlew bootRun "-Dburp.edition=free"
show "downloading https://...gradle-2.13-bin.zip"
"unzipping ... set executalbe permision /root/.gradle/wrapper/dists/gradle-2.13-bin/.../bin/gradle"
Then process end without error.
But i don't see any build directory o burp-rest-api.jar
What is it problem?

HI,

First of all kudos on the project.The most important API for me is initiating an active scan, although i'm getting a 200 response.. i don't see the URls getting populated in the scan Queue.Below is what i see in the active logs:

2018-04-09 15:02:20.174  INFO 21442 --- [tp1816120828-17] c.v.burp.extension.service.BurpService   : Is https://mysite.com in Scope: true
2018-04-09 15:02:20.179  INFO 21442 --- [tp1816120828-17] c.v.burp.extension.service.BurpService   : Number of URLs submitting for Active Scan: 867
2018-04-09 15:02:27.907  INFO 21442 --- [tp1816120828-18] c.v.burp.extension.service.BurpService   : Getting percentage complete
2018-04-09 15:02:27.907  INFO 21442 --- [tp1816120828-18] c.v.b.e.domain.internal.ScanQueueMap     : Scan Queue is empty. Returning the Percent Complete as 100%.

Am am i missing something here?
My Burp version in v1.7.33

Having these errors after running gradlew bootRun

java:11: error: cannot find symbol
public class BurpExtender implements IBurpExtender {
^
symbol: class IBurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:14: error: cannot find symbol
private IBurpExtenderCallbacks callbacks;
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:15: error: cannot find symbol
private IExtensionHelpers helpers;
^
symbol: class IExtensionHelpers
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:31: error: cannot find symbol
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:46: error: cannot find symbol
public IBurpExtenderCallbacks getCallbacks() {
^
symbol: class IBurpExtenderCallbacks
location: class BurpExtender
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:50: error: cannot find symbol
public IExtensionHelpers getHelpers() {
^
symbol: class IExtensionHelpers
location: class BurpExtender
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:10: error: cannot find symbol
import burp.IExtensionHelpers;
^
symbol: class IExtensionHelpers
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:11: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:59: error: cannot find symbol
public HttpMessage(IHttpRequestResponse iHttpRequestResponse) {
^
symbol: class IHttpRequestResponse
location: class HttpMessage
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:9: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:10: error: cannot find symbol
import burp.IScanIssue;
^
symbol: class IScanIssue
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:65: error: cannot find symbol
public ScanIssue(IScanIssue iScanIssue) {
^
symbol: class IScanIssue
location: class ScanIssue
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:10: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:24: error: cannot find symbol
private Map<String, IHttpRequestResponse[]> map = new HashMap<>();
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:30: error: cannot find symbol
public void addItem(String url, IHttpRequestResponse[] siteMapUrl) {
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:52: error: cannot find symbol
private IHttpRequestResponse[] getQueue(String url) {
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:61: error: cannot find symbol
private boolean compareSiteMap(IHttpRequestResponse[] newSiteMap, IHttpRequestResponse[] oldSiteMap){
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:61: error: cannot find symbol
private boolean compareSiteMap(IHttpRequestResponse[] newSiteMap, IHttpRequestResponse[] oldSiteMap){
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:9: error: cannot find symbol
import burp.IScanQueueItem;
^
symbol: class IScanQueueItem
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:22: error: cannot find symbol
private Map<String, List> map = new HashMap<>();
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:24: error: cannot find symbol
public void addItem(String url, IScanQueueItem iScanQueueItem) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:51: error: cannot find symbol
private List getQueue(String url) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:10: error: cannot find symbol
import burp.IHttpRequestResponse;
^
symbol: class IHttpRequestResponse
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:11: error: cannot find symbol
import burp.IScanIssue;
^
symbol: class IScanIssue
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:12: error: cannot find symbol
import burp.IScanQueueItem;
^
symbol: class IScanQueueItem
location: package burp
/home/burp-rest-api/src/main/java/burp/BurpExtender.java:30: error: method does not override or implement a method from a supertype
@OverRide
^
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/HttpMessage.java:63: error: cannot find symbol
IExtensionHelpers helpers = BurpExtender.getInstance().getHelpers();
^
symbol: class IExtensionHelpers
location: class HttpMessage
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/ScanIssue.java:81: error: cannot find symbol
IHttpRequestResponse iHttpRequestResponse = iScanIssue.getHttpMessages()[i];
^
symbol: class IHttpRequestResponse
location: class ScanIssue
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:88: error: cannot find symbol
IHttpRequestResponse[] httpMessageListOld = map.get(url);
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/SpiderQueueMap.java:89: error: cannot find symbol
IHttpRequestResponse[] httpMessageListNew = BurpExtender.getInstance().getCallbacks().getSiteMap(url);
^
symbol: class IHttpRequestResponse
location: class SpiderQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:26: error: cannot find symbol
List list = map.get(url);
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:30: error: cannot find symbol
List list = new ArrayList<>();
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/domain/internal/ScanQueueMap.java:68: error: cannot find symbol
for (IScanQueueItem iScanQueueItem : getQueue(url)) {
^
symbol: class IScanQueueItem
location: class ScanQueueMap
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:108: error: cannot find symbol
burp.StartBurp.main(burpOptions);
^
symbol: class StartBurp
location: package burp
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:170: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : BurpExtender.getInstance().getCallbacks()
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:183: error: cannot find symbol
IHttpRequestResponse[] siteMapInScope = BurpExtender.getInstance().getCallbacks().getSiteMap(baseUrl);
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:185: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : siteMapInScope) {
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:195: error: cannot find symbol
IScanQueueItem iScanQueueItem = BurpExtender.getInstance().getCallbacks()
^
symbol: class IScanQueueItem
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:222: error: cannot find symbol
for (IHttpRequestResponse iHttpRequestResponse : BurpExtender.getInstance().getCallbacks()
^
symbol: class IHttpRequestResponse
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:250: error: cannot find symbol
IScanIssue[] iScanIssues = BurpExtender.getInstance().getCallbacks()
^
symbol: class IScanIssue
location: class BurpService
/home/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:252: error: cannot find symbol
for (IScanIssue iScanIssue : iScanIssues) {
^
symbol: class IScanIssue
location: class BurpService
41 errors
:compileJava FAILED

FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':compileJava'.

Compilation failed; see the compiler error output for details.

• Try:
  Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

When using Burp Community jar file for building the project, Gradle fail:

PS C:\...\burp-rest-api> .\gradlew clean build
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! Make sure that no other Burp instances are running !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Updating version to '1.0.2' in src\main\resources\application.yml
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava

FAILURE: Build failed with an exception.

* What went wrong:
Could not resolve all dependencies for configuration ':compileClasspath'.
> Could not find :burpsuite_pro:.
  Required by:
      :burp-rest-api:1.0.2

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 6.973 secs

The problem seems to be caused by a dependencies section in "build.gradle" file:

dependencies {
    compile('org.springframework.boot:spring-boot-starter-web')
    compile("org.springframework.boot:spring-boot-starter-jetty")
    compile fileTree(dir: 'lib', include: '**/*.jar')
    compile "io.springfox:springfox-swagger2:2.+"
    compile "io.springfox:springfox-swagger-ui:2.+"
    
    compile name: 'burpsuite_pro'

    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile('org.apache.httpcomponents:httpclient:4.5.2')

    jaxb 'org.glassfish.jaxb:jaxb-jxc:2.+'
	jaxb 'org.glassfish.jaxb:jaxb-xjc:2.+'
}

Because the community version jar file is named "burpsuite_community_v.X.X.X.jar" it is not recognized as a correct jar file. I solved my problem by rename my file "burpsuite_pro.jar" as expected by Gradle and then it works, but that's not really userfriendly. Maybe you should correct that in the dependencies or precise this solution in your README file ?

Regards.

EDIT : Some precisions about the environment : Windows 7, Burp Community (with jar file version 1.7.32), Gradle 4.6, Java 1.8

Hello,
Thank you for developing this. Are there any plans in the future to expand this to cover more actions in Burp Suite? Such as Intruder and Repeater attacks?

Thank you,
Hayder

I am facing issue javax.net.ssl.SSLHandshakeException at BurpClientIT.java.Can any1 help me with this?

Because why not?

I tested the build process with a free-edition jar.
I got an error when trying to run the built jar because --project-file argument is only supported in Pro version. I slightly modify BurpService.java to suppress that argument and everything else works.

Maybe we can either detect that the supplied jar is free-edition and act accordingly, or at least have a command line flag that suppresses the use of --project-file argument.

I tried to run the 'spider' endpoint, and got a little confused when it seemed to hang endlessly without returning any errors/success messages. Eventually I dug in to look at the logs and noticed the following:

burp_1  | 2018-03-15 03:29:49.405  INFO 1 --- [tp1097446581-17] c.v.burp.extension.web.BurpController    : Is http://foo.example.com/ in Scope: false
burp_1  | 2018-03-15 03:29:49.406  INFO 1 --- [tp1097446581-17] c.v.burp.extension.web.BurpController    : Spider is NOT performed as the http://foo.example.com/ URL is not in scope.

It would be good if this returned some form of failure/error message on the URL endpoint so I could handle it appropriately.

Hi there,

I'm trying to compile the jar using my standalone jar from burp. It get's stuck on 83% after the following output:

20:25:57.317 [QUIET] [system.out] 2017-09-10 20:25:57.317  INFO 10898 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.318 [QUIET] [system.out] 2017-09-10 20:25:57.318  INFO 10898 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.363 [QUIET] [system.out] 2017-09-10 20:25:57.362  INFO 10898 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
20:25:57.517 [QUIET] [system.out] 2017-09-10 20:25:57.517  INFO 10898 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Registering beans for JMX exposure on startup
20:25:57.529 [QUIET] [system.out] 2017-09-10 20:25:57.529  INFO 10898 --- [           main] o.s.c.support.DefaultLifecycleProcessor  : Starting beans in phase 2147483647
20:25:57.530 [QUIET] [system.out] 2017-09-10 20:25:57.530  INFO 10898 --- [           main] d.s.w.p.DocumentationPluginsBootstrapper : Context refreshed
20:25:57.555 [QUIET] [system.out] 2017-09-10 20:25:57.555  INFO 10898 --- [           main] d.s.w.p.DocumentationPluginsBootstrapper : Found 1 custom documentation plugin(s)
20:25:57.669 [QUIET] [system.out] 2017-09-10 20:25:57.669  INFO 10898 --- [           main] s.d.s.w.s.ApiListingReferenceScanner     : Scanning for api listing references
20:25:58.115 [QUIET] [system.out] 2017-09-10 20:25:58.115  INFO 10898 --- [           main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8090 (http)
20:25:58.124 [QUIET] [system.out] 2017-09-10 20:25:58.123  INFO 10898 --- [           main] c.vmware.burp.extension.BurpApplication  : Started BurpApplication in 11.266 seconds (JVM running for 11.632)
20:25:58.556 [QUIET] [system.out] [NEW] Server:\s*Hiawatha v([\d.]+)
20:25:58.557 [QUIET] [system.out] [NEW] http://errors\.angularjs\.org/([\d.]+)/
20:25:58.558 [QUIET] [system.out] [NEW] Built upon the <a href="[^>]+banshee-php\.org/">[a-z]+</a>v([\d.]+)
20:25:58.558 [QUIET] [system.out] [NEW] Oracle-Application-Server-([\d.]+.*)
20:25:58.558 [QUIET] [system.out] [NEW] Server:\s*openresty/([\d.]+)
20:25:58.558 [QUIET] [system.out] [NEW] Server:\s*Intel\(R\) Active Management Technology ([\d.]+)
20:25:58.558 [QUIET] [system.out] [NEW] Server:\sthttpd/([\d.]+)
20:25:58.558 [QUIET] [system.out] [NEW] X-Powered-By:\s*php/?([\d.]+)
20:25:58.559 [QUIET] [system.out] [NEW] Server:\s*MoxaHttp/([\d.]+)
20:25:58.561 [QUIET] [system.out] [NEW] <html[^>]* yuilibrary\.com/rdf/([\d.]+)/yui\.rdf|<body[^>]+class="yui3-skin-sam
20:25:58.561 [QUIET] [system.out] [NEW] <p>Powered by <a[^>]+>GitList ([\d.]+)
20:25:58.562 [QUIET] [system.out] [NEW] X-Powered-By:\s*mod_rack/([\d.]+)
20:25:58.562 [QUIET] [system.out] [NEW] Handlebars\.VERSION\s*=\s*["']([\w.]+)["']
20:25:58.562 [QUIET] [system.out] [NEW] Server:\s*Mbedthis-Appweb/([\d.]+)
20:25:58.562 [QUIET] [system.out] [NEW] Server:\s*Motion-httpd/([\d.]+)
20:25:58.562 [QUIET] [system.out] [NEW] X-Powered-By:\s*JBossWeb-([\d.]+)
20:25:58.562 [QUIET] [system.out] [NEW] Oracle9iAS\/([\d\.]+)
20:25:58.562 [QUIET] [system.out] [NEW] Server:\s*mod_fastcgi/([\d.]+)
20:25:58.563 [QUIET] [system.out] [NEW] X-Powered-By:\s*JSP/([\d.]+)
20:25:58.563 [QUIET] [system.out] [NEW] Server:\s*Cherokee/([\d.]+)
20:25:58.564 [QUIET] [system.out] [NEW] CKEDITOR.*version:"([\d.]+)"
20:25:58.564 [QUIET] [system.out] [NEW] Server:\s*mod_rails/([\d.]+)
20:25:58.564 [QUIET] [system.out] [NEW] <link href="/css/sonar\.css?v=([\d.]+)
20:25:58.564 [QUIET] [system.out] [NEW] Server:\sPer ?/?v?([\d.]+)
20:25:58.564 [QUIET] [system.out] [NEW] Perl/v([\d.]+)
20:25:58.565 [QUIET] [system.out] [NEW] Server:\s*DirectAdmin Daemon v([\d.]+)
20:25:58.565 [QUIET] [system.out] [NEW] X-Powered-By:\s*wpCache/([\d.]+)
20:25:58.565 [QUIET] [system.out] [NEW] Apache/([\d.]+(?: \([ \w]+\))?)
20:25:58.565 [QUIET] [system.out] [NEW] Server:\s*gunicorn/([\d.]+)
20:25:58.565 [QUIET] [system.out] [NEW] Server:\s*SimpleHTTP/([\d.]+)
20:25:58.566 [QUIET] [system.out] [NEW] Server:\s*Yaws ([\d.]+)
20:25:58.597 [QUIET] [system.out] [NEW] Oracle Corporation ([\d\._])+
20:25:58.599 [QUIET] [system.out] [NEW] Joomla! ([\d.]+)
20:25:58.599 [QUIET] [system.out] [NEW] Server:\s*IBM_HTTP_Server/([\d.]+)
20:25:58.599 [QUIET] [system.out] [NEW] Server:\s*IIS/([\d.]+)
20:25:58.599 [QUIET] [system.out] [NEW] Server:\s*MediaTomb/([\d.]+)
20:25:58.599 [QUIET] [system.out] [NEW] X-Generator:\s*Drupal\s([\d.]+)
20:25:58.600 [QUIET] [system.out] [NEW] X-Content-Encoded-By:\s*Joomla! ([\d.]+)
20:25:58.600 [QUIET] [system.out] [NEW] <title>Log in to FishEye and Crucible ([\d.]+)</title>
20:25:58.600 [QUIET] [system.out] [NEW] name="generator" content="WordPress ([\d.]+)"
20:25:58.600 [QUIET] [system.out] [NEW] Ember\.VERSION\s*=\s*["']([\w.]+)["']
20:25:58.600 [QUIET] [system.out] [NEW] Server:\s*MochiWeb/([\d.]+)
20:25:58.600 [QUIET] [system.out] [NEW] X-Powered-By:\sTomca-([\d.]+)
20:25:58.600 [QUIET] [system.out] [NEW] Server:\s*GlassFish Server Open Source Edition ?/?([\d.]+)
20:25:58.600 [QUIET] [system.out] [NEW] Server:\s*FreeBSD ([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] kbn-version:\s*^([\d.]+)$
20:25:58.601 [QUIET] [system.out] [NEW] <!-- gitphp web interface ([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] Server:\s*ATS/?([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] JSF/([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] Apache Tomcat/([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] X-Powered-By:\s*mod_wsgi/([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] Server:\s*Winstone Servlet Container v?([\d.]+)
20:25:58.601 [QUIET] [system.out] [NEW] mod_ssl/([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] Server:\s*TornadoServer/([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] X-AspNetMvc-Version: ([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] Server:\s*RAID HTTPServer/([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] Server:\s*Happy ICS Server/([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] PHP/([\d.]+)
20:25:58.602 [QUIET] [system.out] [NEW] Oracle OpenSSO ([\d.]+.*)
20:25:58.602 [QUIET] [system.out] [NEW] java\/([\d\.\_]+)
20:25:58.602 [QUIET] [system.out] [NEW] Sun-Java-System-Web-Server/([\d.]+.*)
20:25:58.603 [QUIET] [system.out] [NEW] Microsoft \.NET Framework ([\d.]+)
20:25:58.603 [QUIET] [system.out] [NEW] Oracle Application Server Containers for J2EE 10g \(([\d\.]+)\)
20:25:58.603 [QUIET] [system.out] [NEW] Server:\s*mini_httpd/([\d.]+)
20:25:58.603 [QUIET] [system.out] [NEW] Powered by <a href="[^"]*"><strong>Trac[ /]([\d.]+)
20:25:58.603 [QUIET] [system.out] [NEW] X-AMP-Version:\s*([\d.]+)
20:25:58.603 [QUIET] [system.out] [NEW] Server:\s*JC-HTTPD/([\d.]+)
20:25:58.603 [QUIET] [system.out] [NEW] \$gwt_version\s?=\s?"([\d.]+)"
20:25:58.604 [QUIET] [system.out] [NEW] <!--[^>]+FlexCMP[^>v]+v\. ([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] JBoss-EAP/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] Server:\s*Xitami/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] Microsoft-IIS/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] Server:\s*lighttpd/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] Server:\s*TSM_HTTP/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] X-Powered-By:\s*CppCMS/([\d.]+)
20:25:58.604 [QUIET] [system.out] [NEW] powered by <a[^>]+>Django ?([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] X-AspNet-Version: ([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] WebLogic (:?Server )?([\d\.]+)
20:25:58.605 [QUIET] [system.out] [NEW] Server:\s*mod_ssl/([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] X-Powered-By:\s*Perl Dancer ([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] X-Powered-By:\s*W3 Total Cache/([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] <!-- Generated by Doxygen ([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] <!-- git web interface version ([\d.]+)
20:25:58.605 [QUIET] [system.out] [NEW] X-Powered-By:\s*WP Rocket/([\d.]+)
20:25:58.606 [QUIET] [system.out] [NEW] Server:\s*Perl Dancer ([\d.]+)
20:25:58.606 [QUIET] [system.out] [NEW]  \| phpMyAdmin ([\d.]+)<\/title>
20:25:58.606 [QUIET] [system.out] [NEW] Server:\s*php/?([\d.]+)
20:25:58.606 [QUIET] [system.out] [NEW] WebSphere Application Server/([\d.]+)
20:25:58.606 [QUIET] [system.out] [NEW] ">Chamilo ([\d.]+)</a>
20:25:58.606 [QUIET] [system.out] [NEW] X-Powered-By:\s*FlexCMP.+\[v\. ([\d.]+)
20:25:58.606 [QUIET] [system.out] [NEW] Oracle.Application.Server.10g\/([\d\.]+)
20:25:58.606 [QUIET] [system.out] [NEW] OpenCms/([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] Server:\s*Apache/([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] X-Powered-By:\s*HHVM/?([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] Server:\s*AOLserver/?([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] X-Powered-By:\s*Chamilo ([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] X-Mod-Pagespeed:\s*([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] Server:\s*CenteHTTPd/([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] X-Powered-By:\s*JSF/([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] Server:\s*Python/([\d.]+)
20:25:58.607 [QUIET] [system.out] [NEW] Server: WildFly/([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] nginx/([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] jQuery JavaScript Library v([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] Server:\s*Artifactory/([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] Server:\s*akka-http/([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] Powered by <a href=[^>]+atlassian\.com/software/confluence[^>]+>Atlassian Confluence</a> ([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] Server:\s*Allegro-Software-RomPager/([\d.]+)
20:25:58.608 [QUIET] [system.out] [NEW] OpenSSL/([a-z\d.]+(-fips)?)
20:25:58.608 [QUIET] [system.out] [NEW] lighttpd/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Rapid Logic/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] X-Powered-By:\s*CMS Danneo ([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Monkey/?([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*eDevice SmartStack ?/?([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*DECORUM/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] X-Powered-By:\s*Kohana Framework ([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Microsoft-HTTPAPI/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] Server:\s*Indy/([\d.]+)
20:25:58.609 [QUIET] [system.out] [NEW] X-Powered-By:\s*mod_rails/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-Powered-By: Undertow/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-OWA-Version: ([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Oracle Application Server\/([\d\.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\s*HP-iLO-Server/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\smod_DA/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] Server:\s*CouchDB/([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] X-Powered-By:\s*JBoss-([\d.]+)
20:25:58.610 [QUIET] [system.out] [NEW] <span class="version">Artifactory Pro Power Pack ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] mod_perl/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Server:\s*mod_wsgi/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] jQuery UI ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Server:\s*Oracle-HTTP-Server/([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] <div class="ui left">
20:25:58.611 [QUIET] [system.out] \s+© \d{4} Gogs Version: ([\d.]+) Page:
20:25:58.611 [QUIET] [system.out] [NEW] X-Powered-By:\sLua ([\d.]+)
20:25:58.611 [QUIET] [system.out] [NEW] Adminer</a> <span class="version">([\d.]+)</span>
20:25:58.612 [QUIET] [system.out] [NEW] onclick="bodyClick\(event\);" onload="verifyVersion\('([\d.]+)'\);">
20:25:58.612 [QUIET] [system.out] [NEW] Server:\s*mod_rack/([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] NSC/([\d.]+) \(JVM\)
20:25:58.612 [QUIET] [system.out] [NEW] Ruby/([\d.]+(?:/\d{4}-\d{2}-\d{2})?)
20:25:58.612 [QUIET] [system.out] [NEW] Server:\s*Schneider-WEB/V?([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] Liferay-Portal:\s*[a-z\s]+([\d.]+)
20:25:58.612 [QUIET] [system.out] [NEW] X-Cocoon-Version: ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*OpenSSL/([\d.]+[a-z]?)
20:25:58.613 [QUIET] [system.out] [NEW] X-TeaLeaf-UIEventCapture-Version: ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] JBPAPP_([\d_]+(?:GA)?)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*cpsrvd/([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] IBM_HTTP_Server/([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] jQuery UI Core ([\d.]+)
20:25:58.613 [QUIET] [system.out] [NEW] GlassFish Server Open Source Edition ([\d\.]+)
20:25:58.613 [QUIET] [system.out] [NEW] Server:\s*mod_python/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] MicrosoftSharePointTeamServices: ([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*TwistedWeb/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*Embedthis-http/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*HP_Compact_Server/([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] Server:\s*Winstone Servlet Engine v?([\d.]+)
20:25:58.614 [QUIET] [system.out] [NEW] X-Powered-By:\s*Winstone.([\d.]+)
20:25:58.615 [QUIET] [system.out] [NEW] jQuery v([\d.]+)
20:25:58.615 [QUIET] [system.out] [NEW] <link\s[^>]*href="[^"]*?([\d.]+)/themes/resources/owafont\.css
20:25:58.616 [QUIET] [system.out] [NEW] Phusion Passenger(?: \([a-zA-Z_/]+\))? ([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] TornadoServer/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] Apache-Coyote/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] <!--Coppermine Photo Gallery ([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] X-ATG-Version:\s*ATGPlatform/([\d.]+)
20:25:58.616 [QUIET] [system.out] [NEW] Jetty\([v\d.]+\)
20:25:58.617 [QUIET] [system.out] [NEW] var APPLICATION_FULL_VERSION = '([\d.]+)';
> Building 83% > :bootRun

I tried to run it with --debug and using also clean build but it always happens the same.

Do you know what could be happening?

Thanks in advance!

I've traced the issue down to lines 158-164 in BurpService.java

Specifically, you're iterating through items that were entered into the sitemap, however this logic doesn't seem right. When initially submitting a URL to be spidered, you correctly add it to the scope, however, this does not also add it to the sitemap. This can't be done by the spidering code, so you'd likely have to extend the BurpExtender to also listen on proxy events in order to get items into the sitemap.

But this seems like you would have uncovered it in testing. I'm either missing a step in the use of this API or we shouldn't be relying on items in the sitemap to be submitted to the active scanner. Could someone here help me out?

Trying to build this inside a Docker container:

FROM openjdk:8-jdk-alpine
RUN apk add --no-cache git ca-certificates bash

ENV BURP_VERSION='1.7.32'

WORKDIR /home/burp-rest-api
RUN git clone https://github.com/vmware/burp-rest-api.git .
COPY burpsuite_pro_v${BURP_VERSION}.jar ./lib/burpsuite_pro.jar

CMD ["/bin/sh"]

Also tried this without alpine (FROM openjdk:8-jdk), in case that was an issue, but it still failed.

When I run ./gradlew clean build --info I get the following error,:

com.vmware.burp.extension.client.BurpClientIT STANDARD_ERROR
    java.lang.NullPointerException
:test FAILED
:test (Thread[main,5,main]) completed. Took 19.685 secs.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':test'.
> Process 'Gradle Test Executor 1' finished with non-zero exit value 10

So the failure appears to be occurring somewhere with:

• https://github.com/vmware/burp-rest-api/blob/master/src/test/java/com/vmware/burp/extension/client/BurpClientIT.java

Hello there, thanks for the great work, however I got an error when trying to run and build. Could not find or load main class org.gradle.wrapper.GradleWrapperMain

Hey, I was wondering if you could please add a feature to send customized requests to the scanner? For example, I want to be able to configure the following for each request I send to the scanner:

• Target URL
• HTTP Verb
• User-Agent
• Content-Type
• Parameters
• Parameter type (supplied as GET parameters vs supplied as POST parameters)

Thanks! :)

EDIT: You can simply make requests through the proxy, which are then stored in the sitemap, which can then be scanned. Spoke too soon. :)

$ ./gradlew bootRun "-Dburp.edition=free"
and piping 'y' to the command
$ yes | ./gradlew bootRun "-Dburp.edition=free"

both fail with:

Do you accept the license agreement? (y/n)
:bootRun FAILED

FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':bootRun'.

Process 'command '/usr/lib/jvm/java-8-openjdk-amd64/bin/java'' finished with non-zero exit value 11

• Try:
  Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Using BurpSuitePro 1.7.31

Failed tests
BurpClientIT. testGetProxyHistoryAndSiteMap
BurpClientIT. testScannerSpiderAndReportMethods

c$ ./gradlew clean build
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava
Note: /Users/<>/Code/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
:processResources
:classes
:findMainClass
:jar
:bootRepackage
:assemble
:compileTestJava
:processTestResources UP-TO-DATE
:testClasses
:test

com.vmware.burp.extension.client.BurpClientIT > testConfigMethods FAILED
    org.springframework.web.client.HttpServerErrorException at BurpClientIT.java:88

com.vmware.burp.extension.client.BurpClientIT > testGetProxyHistoryAndSiteMap FAILED
    javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
        Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
            Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199

com.vmware.burp.extension.client.BurpClientIT > testScannerSpiderAndReportMethods FAILED
    javax.net.ssl.SSLHandshakeException at BurpClientIT.java:199
        Caused by: sun.security.validator.ValidatorException at BurpClientIT.java:199
            Caused by: sun.security.provider.certpath.SunCertPathBuilderException at BurpClientIT.java:199
2018-01-30 01:11:45.480  INFO 2857 --- [       Thread-7] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@451f19b8: startup date [Tue Jan 30 01:11:24 IST 2018]; root of context hierarchy
2018-01-30 01:11:45.485  INFO 2857 --- [       Thread-7] o.s.c.support.DefaultLifecycleProcessor  : Stopping beans in phase 2147483647

5 tests completed, 3 failed
:test FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':test'.
> There were failing tests. See the report at: file:///Users/<>/Code/burp-rest-api/build/reports/tests/index.html

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

when I start the burp rest api,i get a wrong
`FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':bootRun'.

Process 'command '/usr/local/share/java/jdk1.8.0_171/bin/java'' finished with non-zero exit value 1

• Try:
  Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.
  `
  What shall I do?

Hi!

It took a little while, but I have X11 forwarding working from my osx laptop to an ec2 instance.

If desired, i can create a PR to the docs. Steps:

I followed http://www.brianlinkletter.com/how-to-run-gui-applications-xfce-on-an-amazon-aws-cloud-server-instance/

My ssh X11 forwarding looked like this
mac> ssh -X -L 5901:localhost:5901 -i ~/path_to_privatekey ubuntu@ip -vv

After installing vncserver as per biranlinkletter, the main differences were

1. to match his settings, commented out #X11DisplayOffset 10
2. instead of linux vnc client i used
   mac> open vnc://localhost:5901

This opened an Xterm on my mac, but I got display errors.

I solved this by setting
AWS> export DISPLAY=localhost:1

Probably the most robust way to find out the Display port running vncserver is to check the
:600N entry below. N is the port, in my case, 1.

ubuntu@ip-172-31-17-158:~$ netstat -plan | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 2124/Xvnc4
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::5901 :::* LISTEN 2124/Xvnc4
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 3525/java
tcp6 0 0 :::22 :::* LISTEN -

building with spring-boot-gradle-plugin 1.3.2 bombs out with an error: "Could not create task of type 'DependencyManagementReportTask'."

FAILURE: Build failed with an exception.
* Where:
Build file 'burp-rest-api/build.gradle' line: 15
* What went wrong:
A problem occurred evaluating root project 'burp-rest-api'.
> Failed to apply plugin [class 'io.spring.gradle.dependencymanagement.DependencyManagementPlugin']
> Could not create task of type 'DependencyManagementReportTask'.

Seems to be related to this known issue

quick fix is to add updated dependency management plugin to the dependencies section of the buildscript.

15:46 $ gradle --version

------------------------------------------------------------
Gradle 3.4.1
------------------------------------------------------------

Build time:   2017-03-03 19:45:41 UTC
Revision:     9eb76efdd3d034dc506c719dac2955efb5ff9a93

Groovy:       2.4.7
Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM:          1.8.0_112 (Oracle Corporation 25.112-b16)
OS:           Mac OS X 10.12.3 x86_64

this worked for me:

15:53 $ git diff build.gradle
diff --git a/build.gradle b/build.gradle
index def410c..3d044f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -5,6 +5,7 @@ buildscript {
     }

     dependencies {
+        classpath("io.spring.gradle:dependency-management-plugin:0.6.1.RELEASE")
         classpath("org.springframework.boot:spring-boot-gradle-plugin:1.3.2.RELEASE")
     }
 }

I don't know enough about gradle/spring boot to submit a more refined fix (if any is actually needed), so no offense taken if you close this wontfix straight away

I tried to use the 2.13 version of Gradle as suggested, but nothing happens. Tried Burp Pro on latest Kali and Ubuntu.

I am getting the below error when executing the gradle build --info
com.vmware.burp.extension.client.BurpClientIT STANDARD_ERROR Burp project files are not supported on this edition of Burp

I am using the Burp free version burpsuite_free_v1.7.20.jar and gradle version is 4.0.2

log :
2017-08-01 05:08:29.431 INFO 21845 --- [ Test worker] c.v.burp.extension.client.BurpClientIT : Starting BurpClientIT on ip-172-31-11-213 with PID 21845 (/home/anil/burp-rest-api/build/classes/java/test started by root in /home/anil/burp-rest-api) 2017-08-01 05:08:29.431 INFO 21845 --- [ Test worker] c.v.burp.extension.client.BurpClientIT : No active profile set, falling back to default profiles: default 2017-08-01 05:08:29.460 INFO 21845 --- [ Test worker] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@c99b59d: startup date [Tue Aug 01 05:08:29 UTC 2017]; root of context hierarchy 2017-08-01 05:08:30.108 INFO 21845 --- [ Test worker] o.s.b.f.s.DefaultListableBeanFactory : Overriding bean definition for bean 'beanNameViewResolver' with a different definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration.class]] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter.class]] 2017-08-01 05:08:30.528 INFO 21845 --- [ Test worker] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat initialized with port(s): 8090 (http) 2017-08-01 05:08:30.538 INFO 21845 --- [ Test worker] o.apache.catalina.core.StandardService : Starting service Tomcat 2017-08-01 05:08:30.539 INFO 21845 --- [ Test worker] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/8.0.30 2017-08-01 05:08:30.608 INFO 21845 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext 2017-08-01 05:08:30.608 INFO 21845 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 1151 ms 2017-08-01 05:08:30.787 INFO 21845 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/] 2017-08-01 05:08:30.790 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*] 2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*] 2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*] 2017-08-01 05:08:30.791 INFO 21845 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*] 2017-08-01 05:08:30.839 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : # of command line arguments received to Burp suite: 0 2017-08-01 05:08:30.841 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : Launching the Burp suite (pro edition) in headless mode... 2017-08-01 05:08:30.845 INFO 21845 --- [ Test worker] c.v.burp.extension.service.BurpService : Launching the Burp suite with options: [--project-file=temp-project.burp, --config-file=/tmp/project-options4203813438758469740.json, --config-file=/tmp/user-options6124988651167321627.json]

@dwareddy @dmettem
Need help !

The api's model for getSitemap has currently the following properties:

{
    comment,
    highlight,
    host,
    port,
    protocol,
    request, // Specified in documentation, but not included in response
    response, // Specified in documentation, but not included in response
    statusCode,
    url,
}

This set of properties is incomplete in terms of being able to identify a particular request, because the method property is missing. Especially, since request and response, from which the method could be extracted, are excluded from the api's response.

The method of a request can simply be obtained by:

IExtensionHelpers helpers = BurpExtender.getInstance().getHelpers();
String method = helpers.analyzeRequest(iHttpRequestResponse).getMethod();

As it is done for other value such as url in the class HttpMessage.

Also, other useful information, that burp provides to its extensions, should be added to the model:

if ((iHttpRequestResponse.getResponse() != null)) {
    List<ICookie> cookies = helpers.analyzeResponse(iHttpRequestResponse).getCookies();
    List<String> headers = helpers.analyzeResponse(iHttpRequestResponse).getHeaders();
}

Hello,

After a successfull build I tried to run with this command :
java -jar build/libs/burp-rest-api-1.0.3.jar --burp.edition=free
and i got this error :

"Burp project files are not supported on this edition of Burp"

Any idea ?

Thx

Added saved state file in the path "../../src/main/resources/cleanstate/" and triggered reset method but it is throwing "Internal Server Error". here is the log displayed on the console. state, json and burp files tried for this exercise but no luck.

2017-07-28 01:50:02.792 INFO 2204 --- [nio-8090-exec-7] c.v.burp.extension.service.BurpService : Restoring state by replacing state with a new state
2017-07-28 01:50:02.793 ERROR 2204 --- [nio-8090-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context
with path [] threw exception [Request processing failed; nested exception is java.lang.RuntimeException: java.lang.RuntimeException: An error occurred during r
estore operation] with root cause

java.lang.RuntimeException: java.lang.RuntimeException: An error occurred during restore operation
at burp.fwe.a(Unknown Source) ~[burpsuite_pro.jar:na]
at burp.ar.restoreState(Unknown Source) ~[burpsuite_pro.jar:na]
at com.vmware.burp.extension.service.BurpService.restoreState(BurpService.java:244) ~[main/:na]
at com.vmware.burp.extension.web.BurpController.resetState(BurpController.java:337) ~[main/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

Hi there,

I tried using gradle to build the .jar and this is the error I have:

$ ./gradlew clean build
:clean
:createschemaTargetDir UP-TO-DATE
:compileJava
/home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:89: error: cannot find symbol
         burp.StartBurp.main(burpOptions);
             ^
  symbol:   class StartBurp
  location: package burp
/home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java:98: error: cannot find symbol
         burp.StartBurp.main(args.getSourceArgs());
             ^
  symbol:   class StartBurp
  location: package burp
Note: /home/paul/burp-rest-api/src/main/java/com/vmware/burp/extension/service/BurpService.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
2 errors
:compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Compilation failed; see the compiler error output for details.

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 10.199 secs

Any idea what I can do to build it?

Cheers,

In the built and run section , it is mentioned that :
Create a lib folder under the project directory and place the Burp Suite JAR file into it.

we are not able to understand this step . Kindly elaborate on this one .
Do we need to perform this step ,in burp project , or in the eclipse project while creating a jar file ?

While trying to build the project via gradle build I am getting following error message:-
A problem occurred evaluating root project 'burp-rest-api-master'.

Failed to apply plugin [class 'io.spring.gradle.dependencymanagement.DependencyManagementPlugin']
Could not create task of type 'DependencyManagementReportTask'.

Gradle version :- 4.6
Groovy version :- 2.4.12

Can someone help me out ? I need to use these RestAPI soon

Thanks,
NIshant Shah

It doesn't load my config file and falls back to the default config.
I just changed the proxy listen_mode from "loopback_only" to "all_interfaces" in my new config file, and run it using the following command:
$ java -jar burp-rest-api/build/libs/burp-rest-api-1.0.0.jar --config-file=/tmp/project-options.json

Log:

2017-08-01 06:59:16.239  INFO 28104 --- [           main] c.vmware.burp.extension.BurpApplication  : Starting BurpApplication v1.0.0 with PID 28104 (burp-rest-api/build/libs/burp-rest-api-1.0.0.jar started by ec2-user in /tmp/burp)
2017-08-01 06:59:16.265  INFO 28104 --- [           main] c.vmware.burp.extension.BurpApplication  : No active profile set, falling back to default profiles: default
2017-08-01 06:59:16.457  INFO 28104 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@36f8f43d: startup date [Tue Aug 01 06:59:16 UTC 2017]; root of context hierarchy
...
2017-08-01 06:59:21.025  INFO 28104 --- [           main] c.v.burp.extension.service.BurpService   : Launching the Burp suite (pro edition) in headless mode...
2017-08-01 06:59:21.033  INFO 28104 --- [           main] c.v.burp.extension.service.BurpService   : Launching the Burp suite with options: [--project-file=temp-project.burp, --config-file=/tmp/project-options8553372049623231948.json, --config-file=/tmp/user-options2287475060260215367.json]
Proxy: Proxy service started on 127.0.0.1:8080

Currently the wrapper is set to build with 2.13 (Apr 25, 2016):

• https://github.com/vmware/burp-rest-api/blob/master/gradle/wrapper/gradle-wrapper.properties#L6

The latest version appears to be 4.6 (Feb 28, 2018):

• https://gradle.org/releases/

Hi!
I have problems with using extensions.
Burp version 1.7.27
If I launch jar with UI:
java -jar burp-rest-api.jar --headless.mode=false
No one extensions doesn't work with error:

java.lang.Exception: Extension does not implement any usable methods
	at burp.eqh.<init>(Unknown Source)
	at burp.b0g.a(Unknown Source)
	at burp.kpe.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

If I launch from gradle:
./gradlew bootRun -Djava.awt.headless=false
got errors:

• with extension Backslash Powered Scanner

This extension requires Burp Suite Pro 1.7.10 or later
java.lang.NoSuchMethodError
	at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:39)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at burp.mch.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

• with extension Additional Scanner Checks

java.lang.IllegalArgumentException: Cannot create PyString with non-byte value
	at org.python.core.PyString.<init>(PyString.java:64)
	at org.python.core.PyString.<init>(PyString.java:70)
	at org.python.core.Py.newString(Py.java:641)
	at org.python.core.PySystemState.initRegistry(PySystemState.java:800)
	at org.python.core.PySystemState.doInitialize(PySystemState.java:1045)
	at org.python.core.PySystemState.initialize(PySystemState.java:974)
	at org.python.core.PySystemState.initialize(PySystemState.java:930)
	at org.python.core.PySystemState.initialize(PySystemState.java:925)
	at org.python.core.PySystemState.initialize(PySystemState.java:920)
	at org.python.core.PySystemState.initialize(PySystemState.java:916)
	at org.python.core.ThreadStateMapping.getThreadState(ThreadStateMapping.java:32)
	at org.python.core.Py.getThreadState(Py.java:1440)
	at org.python.core.Py.getThreadState(Py.java:1436)
	at org.python.core.Py.getSystemState(Py.java:1456)
	at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:105)
	at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:94)
	at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:71)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at burp.gqh.<init>(Unknown Source)
	at burp.b0g.a(Unknown Source)
	at burp.kpe.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:748)

path to jython is correct.

I am new to burp and I am willing to implement testing using java code. So is it required to have burp .exe file to execute file.
And what is the flow of code when we do it with java.

Team,

I have performed the following steps:
1-used ./gradlew bootRun, I am able to launch an instance of Burp.
Following instructions in #6 and #11.
2-copied my project and user options into "src/main/resources/static/" and then ran the gradlew executable present in the folder structure

• What would be my next steps to run burp scans?