burp.byc

floyd Aug 29, 2018 09:42AM UTC

I was wondering if you have any idea what could lead to the following Python stack trace when using the makeHttpRequest Burp extension API?

Traceback (most recent call last):
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 903, in doActiveScan
    self.do_checks(injector)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks
    colab_tests.extend(self._xxe_xmp(injector, burp_colab))
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks
    colab_tests.extend(self._xxe_xmp(injector, burp_colab))
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 2417, in _xxe_xmp
    return x.do_collaborator_tests(injector, burp_colab, injector.opts.get_enabled_file_formats())
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5398, in do_collaborator_tests
    c = self._send_collab(injector, burp_colab, types, basename, content, old_xmp, new_xmp, issue)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5438, in _send_collab
    urr = self._make_http_request(injector, req, redownload_filename=filename)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4097, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
byc: burp.byc

I've never seen an error like "byc: burp.byc" before. What's "byc"?

Jython and Java versions seem to be fine:
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11)
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112

I got it as a GitHub issue but don't know how I could help that poor soul:

https://github.com/modzero/mod0BurpUploadScanner/issues/21


Paul Johnston Aug 29, 2018 09:45AM UTC Support Center agent

Please let us know the version of Burp you’re using. burp.byc is an obfuscated class name. If I know the Burp version I can deobfuscate.


floyd Aug 29, 2018 11:24AM UTC
The OP didn't indicate the Burp version (and I just added that the Burp version is going to be reported in the next version of the extension). But all reports I got so far were for 1.7.37, so that could be it. I'll let you know once I get it confirmed.

Paul Johnston Aug 29, 2018 12:53PM UTC Support Center agent

Ok, I just checked the obfuscator logs and it looks like this is ScanRequestTimedOutException in Burp 2.0.0.

Previously if there was a timeout we simply returned an empty response. We probably shouldn’t throw an obfuscated exception though. We will have a chat internally about what the desired behavior is.

In the meantime, can I encourage you to put makeHttpRequest in a try/catch block. If there’s just the odd timeout the extension can probably continue.


floyd Aug 30, 2018 08:50AM UTC
Thanks for the quick check!

Let me know once you know what you are planning to do. I can wrap the makeHttpRequest, but this probably breaks other extensions too.

Santiago Diaz Aug 30, 2018 01:35PM UTC Support Center agent

Hi Floyd,

This bug has now been fixed and it should go out in the next release. The behaviour should now be consistent with Burp 1.x (when you call makeHttpRequest and get a timeout we return a null reference). If you register a scan check and call makeHttpRequest from doActiveScan and get a timeout, Burp will record that fact and it will re-run your scan check as many times as per the scan configuration. This means you should be able to revert your commit to handle the byc exception in your scan check after the next release.

Cheers!


floyd Aug 31, 2018 11:25AM UTC
Ah, nice, thanks guys!

Interesting, so makeHttpRequest will behave differently depending on whether it is called from doActiveScan or from another context... It will be important to communicate such stuff to extension developers. One day I mean, I know you guys are busy.

I will commit the revert as soon as there is the new Burp version out.

cheers!

Santiago Diaz Aug 31, 2018 01:53PM UTC Support Center agent

So makeHttpRequest will always return null if there was a timeout exception (regardless of where you call it) but if you call it in the context of doActiveScan we will attempt to repeat your extension-provided scan check in a second pass.

Just so you know, this was released yesterday in version 2.0.03beta.
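
The thread names three timeout outcomes for makeHttpRequest: an obfuscated exception (Burp 2.0.0), a null reference (after the fix), and an empty response (the earlier behaviour Paul describes). The following is an added example, not code from the thread or from UploadScanner, of a wrapper that treats all three as "no response" and lets a scan check continue past the odd timeout. TolerantRequester, TooManyTimeouts, max_timeouts and the Stub classes are hypothetical names; the catch is broad because the obfuscated exception class cannot be named in an except clause.

```python
# Added example: runs under Jython 2.7 inside Burp, or under CPython with the stubs below.
try:
    from java.lang import Exception as JavaException  # importable only under Jython
    CATCHABLE = (Exception, JavaException)
except ImportError:
    CATCHABLE = (Exception,)

class TooManyTimeouts(Exception):
    """Raised once the timeout budget (hypothetical max_timeouts) is used up."""

class TolerantRequester(object):
    def __init__(self, callbacks, max_timeouts=3):
        self._callbacks = callbacks          # IBurpExtenderCallbacks inside Burp
        self._max_timeouts = max_timeouts
        self.timeouts = 0

    def send(self, service, request):
        """Return the IHttpRequestResponse, or None if the request timed out."""
        try:
            result = self._callbacks.makeHttpRequest(service, request)
        except CATCHABLE:                    # Burp 2.0.0: "byc: burp.byc" on timeout
            result = None
        response = None if result is None else result.getResponse()
        if response is None or len(response) == 0:   # null reference or empty response
            self.timeouts += 1
            if self.timeouts > self._max_timeouts:
                raise TooManyTimeouts("%d requests timed out" % self.timeouts)
            return None
        return result

class StubResponse(object):                  # constructed stand-in for IHttpRequestResponse
    def __init__(self, body):
        self._body = body
    def getResponse(self):
        return self._body

class StubCallbacks(object):                 # constructed stand-in for the callbacks object
    def __init__(self, outcomes):
        self._outcomes = list(outcomes)
    def makeHttpRequest(self, service, request):
        outcome = self._outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

def demo():
    outcomes = [StubResponse(b"HTTP/1.1 200 OK\r\n\r\n"), RuntimeError("byc"), None, StubResponse(b"")]
    requester = TolerantRequester(StubCallbacks(outcomes), max_timeouts=3)
    results = [requester.send(None, b"GET / HTTP/1.1\r\n\r\n") for _ in outcomes]
    return [r is not None for r in results], requester.timeouts
```

Callers skip the current test case when send returns None; a TooManyTimeouts raised out of doActiveScan stops the check instead of sending further requests to a target that has stopped answering.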

