Burp Suite User Forum


Adding a header with ISessionHandlingAction

Bill | Last updated: May 20, 2015 02:41AM UTC

I have a super simple extension to just jack in a static header for an api authentication on a Backbone site. It doesn't work, and I don't know why. Anyone have any ideas?

    from burp import IBurpExtender
    from burp import ISessionHandlingAction
    from burp import IParameter

    class BurpExtender(IBurpExtender, ISessionHandlingAction):

        def registerExtenderCallbacks(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()
            callbacks.setExtensionName("Bypass WAF")
            callbacks.registerSessionHandlingAction(self)
            return

        def performAction(self, currentRequest, macroItems):
            requestInfo = self._helpers.analyzeRequest(currentRequest)
            headers = requestInfo.getHeaders()
            reqBody = currentRequest.getRequest()[requestInfo.getBodyOffset():]
            headers.add(thetoken: B7DFD45BB3A4120A224929464F899F43779D725AD3D1341295354')
            message = self._helpers.buildHttpMessage(headers, reqBody)
            currentRequest.setRequest(message)
            return

Here is the error:

    java.lang.RuntimeException
        at burp.rg.registerSessionHandlingAction(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
        at org.python.core.PyObject.__call__(PyObject.java:478)
        at org.python.core.PyObject.__call__(PyObject.java:482)
        at org.python.core.PyMethod.__call__(PyMethod.java:141)
        at org.python.pycode._pyx2.registerExtenderCallbacks$2(C:\burp\Extensions\apiToken.py:12)
        at org.python.pycode._pyx2.call_function(C:\burp\Extensions\apiToken.py)
        at org.python.core.PyTableCode.call(PyTableCode.java:167)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
        at org.python.core.PyFunction.__call__(PyFunction.java:482)
        at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
        at org.python.core.PyMethod.__call__(PyMethod.java:228)
        at org.python.core.PyMethod.__call__(PyMethod.java:218)
        at org.python.core.PyMethod.__call__(PyMethod.java:213)
        at org.python.core.PyObject._jcallexc(PyObject.java:3626)
        at org.python.core.PyObject._jcall(PyObject.java:3658)
        at org.python.proxies.__main__$BurpExtender$0.registerExtenderCallbacks(Unknown Source)
        at burp.d6c.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Running burp 1.5.17 on Windows 7.

PortSwigger Agent | Last updated: May 20, 2015 08:01AM UTC

I noticed you're missing a quote in the call to headers.add(). I fixed that and the extension loads fine for me.

Burp User | Last updated: May 20, 2015 05:18PM UTC

Code reviewed by Dafydd Stuttard. Can't believe I missed that, Dafydd. Thank you very much. S

PortSwigger Agent | Last updated: May 22, 2015 03:17PM UTC

We did run your original extension (with the missing quote fixed) and it worked for us. We just needed to fix appropriate whitespace indentation in the Python code, as this was lost in the Support Center post. Are you sure there isn't any issue with your code formatting in the version you are trying to run?

Burp User | Last updated: May 27, 2015 08:17PM UTC

I just got back to this, and while I thought it had loaded OK when Dafydd found my missing quote, it certainly isn't now. Here is the error:

    java.lang.RuntimeException
        at burp.rg.registerSessionHandlingAction(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
        at org.python.core.PyObject.__call__(PyObject.java:478)
        at org.python.core.PyObject.__call__(PyObject.java:482)
        at org.python.core.PyMethod.__call__(PyMethod.java:141)
        at org.python.pycode._pyx2.registerExtenderCallbacks$2(C:\burp\Extensions\apiToken.py:12)
        at org.python.pycode._pyx2.call_function(C:\burp\Extensions\apiToken.py)
        at org.python.core.PyTableCode.call(PyTableCode.java:167)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
        at org.python.core.PyFunction.__call__(PyFunction.java:482)
        at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
        at org.python.core.PyMethod.__call__(PyMethod.java:228)
        at org.python.core.PyMethod.__call__(PyMethod.java:218)
        at org.python.core.PyMethod.__call__(PyMethod.java:213)
        at org.python.core.PyObject._jcallexc(PyObject.java:3626)
        at org.python.core.PyObject._jcall(PyObject.java:3658)
        at org.python.proxies.__main__$BurpExtender$0.registerExtenderCallbacks(Unknown Source)
        at burp.d6c.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Anyone have any ideas? S

Burp User | Last updated: May 27, 2015 08:56PM UTC

I went and got the registerExtenderCallbacks method from the examples site, and replaced mine, and I still get the same error. If I comment out the registerHttpListener it works, but then of course it doesn't show up when I go to implement it.

    from burp import IBurpExtender
    from burp import ISessionHandlingAction
    from burp import IParameter

    class BurpExtender(IBurpExtender, ISessionHandlingAction):

        def registerExtenderCallbacks(self, callbacks):
            # obtain an extension helpers object
            self._helpers = callbacks.getHelpers()
            # set our extension name
            callbacks.setExtensionName("API Token")
            # register ourselves as an HTTP listener
            callbacks.registerHttpListener(self)
            return

        def performAction(self, currentRequest, macroItems):
            requestInfo = self._helpers.analyzeRequest(currentRequest)
            headers = requestInfo.getHeaders()
            reqBody = currentRequest.getRequest()[requestInfo.getBodyOffset():]
            headers.add('thetoken: B7DFD45BB3A4120A224929464F899F43779D725AD3D1341295354')
            message = self._helpers.buildHttpMessage(headers, reqBody)
            currentRequest.setRequest(message)
            return

Burp User | Last updated: May 29, 2015 11:12AM UTC

In case this comes up in a search one day, I figured out that the Proxy Tab's Match and Replace will add a header for you if you leave the match blank. So I didn't have to get this working at all. Still would like to figure out what was wrong one day. S

Burp User | Last updated: Jun 02, 2015 01:13PM UTC

I've run into a similar issue. I want to use a Python extension to calculate a custom header. I need to read a header, URL and body (in case of POST) and calc a SHA1. My code so far: https://paste.cybertinus.nl/p/u33AS8kCnT

=======
    from burp import IBurpExtender
    from burp import ISessionHandlingAction
    from burp import IParameter
    import hashlib
    import sys

    class BurpExtender(IBurpExtender, ISessionHandlingAction):

        #
        # implement IBurpExtender
        #
        def registerExtenderCallbacks(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()
            callbacks.setExtensionName("Custom Header")
            print "registered"
            callbacks.registerSessionHandlingAction(self)
            return

        def performAction(self, currentRequest, macroItems):
            print "CALLLL"
            sys.stdout.flush()
            requestInfo = self._helpers.analyzeRequest(currentRequest)
            headers = requestInfo.getHeaders()
            print headers
            msgBody = currentRequest.getRequest()[requestInfo.getBodyOffset():]
            m = hashlib.sha1()
            m.update(self._helpers.bytesToString(msgBody))
            # Add Custom Hash Header Here
            headers.add('Hash: %s' % m.hexdigest())
            # Build new Http Message with the new Hash Header
            message = self._helpers.buildHttpMessage(headers, msgBody)
            # Print Header into UI
            print self._helpers.bytesToString(message)
            # Update Request with New Header
            #currentRequest.setRequest(message)
            return
=======

It loads fine; however, that seems to be all it does. It never prints "CALLLL". Did I miss something ??? My scanner is running full speed while loading this extension, so there should be loads of calls getting through. Thanks

PortSwigger Agent | Last updated: Jun 04, 2015 02:24PM UTC

Mark - This was presumably the same issue as with your other post, in that you need to create a session handling rule in the Burp UI which calls into your extension-provided action.
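
For reference, an added example (not code from any poster or from PortSwigger) of a session handling action that sets a static header: it registers with the method matching the interface it implements, provides `getActionName()` alongside `performAction()`, and replaces an existing copy of the header instead of appending a duplicate. `set_header`, the action name and the token value are hypothetical, and the `ImportError` stand-ins exist only so the logic can be exercised outside Burp.

```python
try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    # No burp module outside Burp: empty stand-ins (assumption, for offline runs).
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass

HEADER_NAME = "thetoken"          # header name used in the first post
HEADER_VALUE = "EXAMPLE-TOKEN"    # constructed placeholder, not a real token


def set_header(headers, name, value):
    """Hypothetical helper: return headers with `name` present exactly once."""
    prefix = name.lower() + ":"
    # Drop any earlier copy so a re-sent request does not carry duplicates.
    kept = [h for h in headers if not h.lower().startswith(prefix)]
    kept.append("%s: %s" % (name, value))
    return kept


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("API Token")
        # Register as what the class implements: a session handling action.
        # registerHttpListener() would need IHttpListener instead.
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        # ISessionHandlingAction declares this as well as performAction().
        return "Add API token header"

    def performAction(self, currentRequest, macroItems):
        request = currentRequest.getRequest()
        info = self._helpers.analyzeRequest(currentRequest)
        body = request[info.getBodyOffset():]   # keep the body bytes untouched
        headers = set_header(list(info.getHeaders()), HEADER_NAME, HEADER_VALUE)
        currentRequest.setRequest(self._helpers.buildHttpMessage(headers, body))
```

Once loaded, the action is only called for requests covered by a session handling rule that invokes it, as the reply above notes.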
