Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB


floyd Aug 29, 2018 09:42AM UTC

I was wondering if you have any idea what could lead to the following python stack trace when using the makeHttpRequest Burp extension API?

Traceback (most recent call last):
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 903, in doActiveScan
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 1029, in do_checks
colab_tests.extend(self._xxe_xmp(injector, burp_colab))
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 1029, in do_checks
colab_tests.extend(self._xxe_xmp(injector, burp_colab))
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 2417, in _xxe_xmp
return x.do_collaborator_tests(injector, burp_colab, injector.opts.get_enabled_file_formats())
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 5398, in do_collaborator_tests
c = self._send_collab(injector, burp_colab, types, basename, content, old_xmp, new_xmp, issue)
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 5438, in _send_collab
urr = self._make_http_request(injector, req, redownload_filename=filename)
File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/", line 4097, in _make_http_request
attack = self._callbacks.makeHttpRequest(service, req)
byc: burp.byc

I've never seen an error like "byc: burp.byc" before. What's "byc"?

Jython and Java version seems to be fine:
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11)
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112

I got it as a github issue but don't know how I could help that poor soul:

Paul Johnston Aug 29, 2018 09:45AM UTC Support Center agent

Please let us know the version of Burp you’re using. burp.byc is an obfuscated class name. If I know the Burp version I can deobfuscate.

floyd Aug 29, 2018 11:24AM UTC
The OP didn't indicate the Burp version (and I just added the Burp version is going to be reported in the next version of the extension). But all reports I got so far were for 1.7.37 so that could be it. I'll let you know once I get it confirmed.

Paul Johnston Aug 29, 2018 12:53PM UTC Support Center agent

Ok, I just checked the obfuscator logs and it looks like this is ScanRequestTimedOutException in Burp 2.0.0.

Previously if there was a timeout we simply returned an empty response. We probably shouldn’t throw an obfuscated exception though. We will have a chat internally about what the desired behavior is.

In the meantime, can I encourage you to put makeHttpRequest in a try/catch block. If there’s just the odd timeout the extension can probably continue.

floyd Aug 30, 2018 08:50AM UTC
Thanks for the quick check!

Let me know once you know what you are planning to do. I can wrap the makeHttpRequest, but this probably breaks other extensions too.

Santiago Diaz Aug 30, 2018 01:35PM UTC Support Center agent

Hi Floyd,

This bug has now been fixed and it should go out in the next release. The behaviour should now be consistent with burp 1.x (when you call makeHttpRequest and get a timeout we return a null reference). If you register a scan check and call makeHttpRequest from doActiveScan and get a timeout, Burp will record that fact and it will re-run your scan check as may times as per the scan configuration. This means you should be able to revert your commit to handle the byc exception in your scan check after the next release.


floyd Aug 31, 2018 11:25AM UTC
Ah, nice, thanks guys!

Interesting, so makeHttpRequest will behave differently depending if called from doActiveScan or from another context... It will be important to communicate such stuff to extension developers. One day I mean, I know you guys are busy.

I will commit the revert as soon as there is the new Burp version out.


Santiago Diaz Aug 31, 2018 01:53PM UTC Support Center agent

So makeHttpRequest will always return null if there was a timeout exception (regardless of where you call it) but if you call it in the context of doActiveScan we will attempt to repeat your extension-provided scan check in a second pass.

Just so you know this was released in yesterday in version 2.0.03beta

Post Your public answer

Your name
Your email address