Retire.js not working

Wealot Aug 07, 2018 01:33PM UTC

Hi,

The retire.js extension in Burp Suite Pro is not working.
I do not see any feedback during passive scanning in either the "Target>Issue" or "Scanner>Issue activity" tabs. The Firefox Retire.js plugin does show issues so I know it should show something.

I just downloaded Pro with this plugin as one of the reasons. I do run on the newest Kali which has JRE version 10.0.2, please tell me if it is logical that it would be that. The extension itself has no errors, only shows Loading the latest...... as the last output.

Kind regards,


Liam Tai-Hogan Aug 07, 2018 01:41PM UTC Support Center agent

Could you try using the Linux platform installer version of Burp Suite? This comes bundled with its own version of Java.


Wealot Aug 07, 2018 02:14PM UTC
That one actually gives instant Java errors on the Azure Kali default installation.
So the installer doesn't work at all....
(might be a second support ticket I should create :P)

Liam Tai-Hogan Aug 07, 2018 02:22PM UTC Support Center agent

Would it be possible to send us screenshots of the error messages you are encountering?


Wealot Aug 08, 2018 06:52AM UTC
Ok, the installation script was my mistake :D.
I got the following error: Could not initialize class sun.awt.X11GraphicsEnvironment
Which was due to how I was displaying over VNC and running the script with root.
For everyone with this issue, "unset DISPLAY" was all I had to do (as root) and then it worked.

Now for Retire.js, it also doesn't work with an installed Burp. The active scan that I did this night did show 1 of the vulnerable JS, but not the others (should be 4 if I believe Retire.js Firefox plugin). When passive browsing, the scanner tab does report "Cross-domain script includes" that have the vulnerable JS libraries in them so I am sure something crosses through Burp that should be flagged by Retire.js.....

Any ideas?

Liam Tai-Hogan Aug 08, 2018 11:50AM UTC Support Center agent

It might be worth contacting the developers of the extension to find out if they are doing anything differently:

- https://github.com/portswigger/retire-js

If the application is public facing / part of a bug bounty scheme we could perform some testing ourselves?


Wealot Aug 08, 2018 01:49PM UTC
I'll ask the developers, and it is not public facing :D

Krzysztof Młynarski Jan 15, 2019 12:22PM UTC
There's a new version available directly from the GitHub, and it works very well in both 1.7.37, and 2.0.13beta (so far...).
https://github.com/h3xstream/burp-retire-js

Liam Tai-Hogan Jan 15, 2019 01:57PM UTC Support Center agent

Thanks for the update Krzysztof.

