Getting Started with Burp Suite
Burp Suite Documentation
Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.
| Burp Suite Professional and Community editions | Burp Suite Enterprise Edition |
| Burp Scanner | Burp Collaborator |
| Burp Infiltrator | Full Documentation Contents |
Burp Extender
Burp Extender lets you extend the functionality of Burp Suite in numerous ways.
Extensions can be written in Java, Python or Ruby.
| API documentation | Writing your first Burp Suite extension |
| Sample extensions | View community discussions about Extensibility |
Plugin's Java runnable processes keep running, even after fully removing the plugin.
Using Burp Suite v2.1.03, runnable Java processes (Java: ScheduledFuture) are not killed or interrupted, when stopping or even removing the plugin.
Reproduction:
1. Install Logger++ from the BApp store.
2. Enter an Elasticsearch server under options, this server must be over v 7.0.0 (not compatible for the plugin).
3. Press the start button. You should receive an error, but the runnable process is created;
/src/main/java/loggerplusplus/ElasticSearchLogger.java: 63
indexTask = executorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
indexPendingEntries();
}
}, prefs.getEsDelay(), prefs.getEsDelay(), TimeUnit.SECONDS);
4. Fully remove or disable the plugin.
5. Now at the chosen interval time, a request will be sent to the Elasticsearch server, amounting to 100's of requests in a day in this case. This runnable process can only be stopped by fully exiting out of Burp Suite.
Possible remedies:
Run plugins in a sandbox that can be killed by Burp Suite at any time.
Hi Stan, have you been able to reproduce this issue with other extensions? or just Logger++?
I have written my own plug-in quickly, which reproduces the same issue, but only uses System.out to demonstrate the functionality. You can view the code on this github page: https://github.com/StanHVA/Burp-Runnable-Demo .
Thanks in advance.
Hi Stan,
Thank you for your example code.
Looking at your sample extension code, you are using a ScheduledExecutorService thread pool to schedule a task to run at a set interval. As we don’t execute extensions as individual run times, when we un-load the extension, the thread will continue to run as the Runnable() instance has not been explicitly told to stop, so this is correct behavior as something is missing.
In our extension API, we have an interface named IExtensionStateListener that you can implement on your BurpExtender class, once registered with the callbacks instance using IBurpExtenderCallbacks.registerExtensionStateListener() you can use it’s IExtensionStateListener.extensionUnloaded() method to implement cleanup code to explicitly command the executor object to cancel it’s running tasks. Which will prevent the thread from running once the extension has been unloaded as that method will be called when the extension is unloaded.
Thank you for your response and the solution, but my main concern still stands. Let's say someone writes a malicious plug-in or updates an existing plug-in with malicious code. With this method they could keep their code running in the background, while the user is under the impression that the plug-in has been closed. I would personally like to see this changed. Is there any chance that that will happen in the future?
Stan.
Hi Stan,
I agree, there is a potential for malicious code to continue executing after the plugin has been un-loaded with this setup. However we have a review process that all BApps undergo before they are eligible to be listed on our BApp store within Burp Suite, so this is something we will look for and would require fixing before we would allow it to be listed.
In regards to open source extensions that you load manually, it is up to the user of the extension to examine the extension to ensure it is safe to use before they load it into their environment as it has not been reviewed by our support team. So as with any software you would use those extensions at your own risk.
However, this is something that we would like to improve in the future, so I have logged a request with the development team and if this change get’s implemented then we will notify you when it’s available.
Please let us know if you need any further assistance.
Thanks for your extensive replies and clearing up the situation. I have no further questions regarding this topic.
Stan
Hi Stan,
No problem. Please let us know if you need any further assistance.
Have a good day!