Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Plugin's Java runnable processes keep running, even after fully removing the plugin.

Stan Frambach Aug 22, 2019 02:07PM UTC

Using Burp Suite v2.1.03, runnable Java processes (Java: ScheduledFuture) are not killed or interrupted, when stopping or even removing the plugin.

1. Install Logger++ from the BApp store.
2. Enter an Elasticsearch server under options, this server must be over v 7.0.0 (not compatible for the plugin).
3. Press the start button. You should receive an error, but the runnable process is created;
/src/main/java/loggerplusplus/ 63

indexTask = executorService.scheduleAtFixedRate(new Runnable() {
public void run() {
}, prefs.getEsDelay(), prefs.getEsDelay(), TimeUnit.SECONDS);

4. Fully remove or disable the plugin.
5. Now at the chosen interval time, a request will be sent to the Elasticsearch server, amounting to 100's of requests in a day in this case. This runnable process can only be stopped by fully exiting out of Burp Suite.

Possible remedies:
Run plugins in a sandbox that can be killed by Burp Suite at any time.

Mike Eaton Aug 23, 2019 01:55PM UTC Support Center agent

Hi Stan, have you been able to reproduce this issue with other extensions? or just Logger++?

Stan Frambach Aug 26, 2019 08:53AM UTC
Hello Mike,
I have written my own plug-in quickly, which reproduces the same issue, but only uses System.out to demonstrate the functionality. You can view the code on this github page: .
Thanks in advance.

Mike Eaton Aug 27, 2019 11:13AM UTC Support Center agent

Hi Stan,

Thank you for your example code.

Looking at your sample extension code, you are using a ScheduledExecutorService thread pool to schedule a task to run at a set interval. As we don’t execute extensions as individual run times, when we un-load the extension, the thread will continue to run as the Runnable() instance has not been explicitly told to stop, so this is correct behavior as something is missing.

In our extension API, we have an interface named IExtensionStateListener that you can implement on your BurpExtender class, once registered with the callbacks instance using IBurpExtenderCallbacks.registerExtensionStateListener() you can use it’s IExtensionStateListener.extensionUnloaded() method to implement cleanup code to explicitly command the executor object to cancel it’s running tasks. Which will prevent the thread from running once the extension has been unloaded as that method will be called when the extension is unloaded.

Stan Frambach Aug 27, 2019 03:17PM UTC
Hello Mike,

Thank you for your response and the solution, but my main concern still stands. Let's say someone writes a malicious plug-in or updates an existing plug-in with malicious code. With this method they could keep their code running in the background, while the user is under the impression that the plug-in has been closed. I would personally like to see this changed. Is there any chance that that will happen in the future?


Mike Eaton Aug 28, 2019 02:28PM UTC Support Center agent

Hi Stan,

I agree, there is a potential for malicious code to continue executing after the plugin has been un-loaded with this setup. However we have a review process that all BApps undergo before they are eligible to be listed on our BApp store within Burp Suite, so this is something we will look for and would require fixing before we would allow it to be listed.

In regards to open source extensions that you load manually, it is up to the user of the extension to examine the extension to ensure it is safe to use before they load it into their environment as it has not been reviewed by our support team. So as with any software you would use those extensions at your own risk.

However, this is something that we would like to improve in the future, so I have logged a request with the development team and if this change get’s implemented then we will notify you when it’s available.

Please let us know if you need any further assistance.

Stan Frambach Aug 30, 2019 08:53AM UTC
Hello Mike,

Thanks for your extensive replies and clearing up the situation. I have no further questions regarding this topic.


Mike Eaton Aug 30, 2019 12:40PM UTC Support Center agent

Hi Stan,

No problem. Please let us know if you need any further assistance.

Have a good day!

Post Your public answer

Your name
Your email address