
Burp Infiltrator Patching Fails On Webgoat 6.0.1

Sasha Dec 11, 2019 03:17PM UTC

wget https://github.com/WebGoat/WebGoat-Legacy/releases/download/v6.0.1/WebGoat-6.0.1-war-exec.jar

$ md5sum WebGoat-6.0.1-war-exec.jar
8071e4be1c3d8b6dd6520b2c63031eca WebGoat-6.0.1-war-exec.jar

java -verbose -jar burp_infiltrator_java.jar WebGoat-6.0.1-war-exec.jar
<snip>...
[0.256s][info][class,load] net.portswigger.infiltrator.patcher.c source: file:/data/home/Desktop/training/webgoat/burp_infiltrator_java.jar
Please read and confirm the following statements.

I confirm that I have read and understood the Burp Suite Documentation relating to Burp Infiltrator. By deploying Burp Infiltrator, I confirm that I am doing so in full understanding of the nature of Burp Infiltrator and the risks inherent in its utilization. I confirm that either I am a licensed user of Burp Suite Professional or a licensed user has recommended that I deploy Burp Infiltrator and in the latter case the licensed user has discussed with me the contents of the Documentation relating to Burp Infiltrator and the potential consequences of such installation.

Do you confirm the above statements? [y/N] Y
Do you want Burp Infiltrator to report the full parameter value when input reaches a potentially unsafe API? [Y/n] [5.236s][info][class,load] java.util.IdentityHashMap$IdentityHashMapIterator source: jrt:/java.base
[5.236s][info][class,load] java.util.IdentityHashMap$KeyIterator source: jrt:/java.base

Do you want Burp Infiltrator to report the call stack when input reaches a potentially unsafe API? [Y/n]
Do you want to allow communication over unencrypted HTTP? [y/N]
Do you want to restrict the Burp Collaborator servers that can be used? [y/N]

Enter the file path to the target application bytecode. Use commas to enter multiple paths: [/data/home/Desktop/training/webgoat] WebGoat-6.0.1-war-exec.jar
[18.686s][info][class,load] net.portswigger.infiltrator.patcher.e source: file:/data/home/Desktop/training/webgoat/burp_infiltrator_java.jar
[18.687s][info][class,load] java.net.URISyntaxException source: jrt:/java.base
[18.689s][info][class,load] net.portswigger.infiltrator.patcher.v source: file:/data/home/Desktop/training/webgoat/burp_infiltrator_java.jar
[18.690s][info][class,load] java.util.zip.DeflaterOutputStream source: jrt:/java.base
[18.690s][info][class,load] java.util.zip.ZipOutputStream source: jrt:/java.base
[18.690s][info][class,load] java.util.jar.JarOutputStream source: jrt:/java.base
[18.691s][info][class,load] java.awt.peer.SystemTrayPeer source: jrt:/java.desktop
[18.691s][info][class,load] sun.awt.X11.XMSelectionListener source: jrt:/java.desktop
[18.691s][info][class,load] sun.awt.X11.XSystemTrayPeer source: jrt:/java.desktop

md5sum WebGoat-6.0.1-war-exec.jar
8071e4be1c3d8b6dd6520b2c63031eca WebGoat-6.0.1-war-exec.jar

javac --version
javac 11.0.5


Liam Tai-Hogan Dec 11, 2019 03:29PM UTC Support Center agent

Infiltrator has official support for Java applications compiled between Java 5 and Java 8.

I’ve added a note to our development backlog to "Support for new Java versions in Infiltrator". Unfortunately, we have a large backlog of feature requests, so I can’t give you an ETA.
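
The reply above states the supported range in terms of the Java version the application was compiled for. As an added example (not part of the thread and not PortSwigger code), this script reads the class-file major version of every class in an archive, descending into nested .jar/.war/.ear files, and lists the classes outside majors 49 to 52, which correspond to Java 5 through 8. The sample archive and its entry names are constructed.

```python
import io
import struct
import sys
import zipfile

SUPPORTED = range(49, 53)  # class-file major versions 49..52 = Java 5..8

def class_major(header):
    """Major version from the first 8 bytes of a class file, else None."""
    ok = len(header) >= 8 and header[:4] == b"\xca\xfe\xba\xbe"
    return struct.unpack(">H", header[6:8])[0] if ok else None

def scan(blob, prefix=""):
    """Yield (path, major) for each class, descending into nested archives."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.filename.endswith(".class"):
                major = class_major(zf.read(info)[:8])
                if major is not None:
                    yield path, major
            elif info.filename.lower().endswith((".jar", ".war", ".ear")):
                yield from scan(zf.read(info), path + "!/")

def outside_range(blob):
    """Map major version -> class paths not compiled for Java 5..8."""
    found = {}
    for path, major in scan(blob):
        if major not in SUPPORTED:
            found.setdefault(major, []).append(path)
    return found

def make_zip(entries):
    # Build an in-memory archive from {name: bytes}; used for the sample only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample():
    """Constructed input: Java 7 class at top level, Java 11 class in a nested war."""
    stub = lambda major: b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major)
    war = make_zip({"WEB-INF/classes/B.class": stub(55)})
    return make_zip({"A.class": stub(51), "app.war": war})

if __name__ == "__main__":
    # Pass a jar path as the first argument; without one the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample()
    for major, paths in sorted(outside_range(blob).items()):
        print(f"major {major}: {len(paths)} class(es), first: {paths[0]}")
```

An empty result means every class found was compiled for Java 5 through 8; the script says nothing about the Java runtime used to run the patcher itself.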

