
Scanner.generateReport and Audit.issues #11

Closed
yxw21 opened this issue Nov 12, 2022 · 12 comments

@yxw21

yxw21 commented Nov 12, 2022

Scanner.generateReport

api.scanner().generateReport(auditIssues, ReportFormat.HTML, Path.of("/tmp/1.html"));

After I updated Burp Suite to version 2022.9.5, the HTML generated by Scanner.generateReport is missing some important information.

2022.9.5

image

2022.8.5

image

Audit.issues

Pseudo code

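// Start the audit, then poll its status once a second until it reports "finished"
Audit audit = scan.startAudit();
while (!"finished".equals(audit.statusMessage())) {
  Thread.sleep(1000);
}
// Print the issues collected by the audit; the output line follows
System.out.println(audit.issues());
[]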

Refer to #9

@SeanBurnsUK SeanBurnsUK added the bug Something isn't working label Nov 17, 2022
@Hannah-PortSwigger
Contributor

Apologies for the late reply. We are aware of this issue, and it will be resolved in a future release of Burp.

@yxw21
Author

yxw21 commented Jan 13, 2023

Hi, which version is expected to solve this problem?

@Hannah-PortSwigger
Contributor

Hannah-PortSwigger commented Jan 13, 2023

The issue with requests and responses not being reported should be resolved in v2023.1 - our current Early Adopter channel release.

@yxw21
Author

yxw21 commented Jan 16, 2023

Hi.
How do I add URL scanning in the new API version? Older versions can do this.

Scan scan = api.scanner().createScan();
scan.addUrl(Args.args.url.toString());

@SeanBurnsUK
Collaborator

We removed addUrl as it was confusing as to what it actually did (i.e. did it do a crawl of the URL or an audit on the base response).

We will be adding a new API in the future for Crawl And Audit, which will crawl a URL and audit it (similar to what Burp does from the UI).

The answer to your question depends on what you wanted. If you wanted to crawl the URL, you can use

Crawl crawl = api.scanner().startCrawl(crawlConfiguration(url));

If you wanted to audit the base response when making a request to that URL, you can use

Audit audit = api.scanner().startAudit(auditConfiguration(LEGACY_ACTIVE_AUDIT_CHECKS));
audit.addRequest(httpRequest(url));

@yxw21
Author

yxw21 commented Jan 17, 2023

Thanks for your quick reply. I found a new problem; can you check it?

if (auditIssues.size() > 0) {
  // args.format = HTML, Path.of(args.output) = 123.html
  api.scanner().generateReport(auditIssues, args.format, Path.of(args.output));
}
java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
	at burp.kko.W(Unknown Source)
	at burp.kko.<init>(Unknown Source)
	at burp.z7c.<init>(Unknown Source)
	at burp.jpi.lambda$generateReport$1(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at burp.jpi.generateReport(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at burp.kjm.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy20.generateReport(Unknown Source)
	at burp.w5e.generateReport(Unknown Source)

@yxw21
Author

yxw21 commented Jan 17, 2023

New error message:

java.lang.NullPointerException: Cannot invoke "burp.api.montoya.http.message.responses.HttpResponse.withMarkers(java.util.List)" because "<local5>" is null
	at burp.an3.E(Unknown Source)
	at burp.jb2.j(Unknown Source)
	at burp.aa2.lambda$requestResponses$0(Unknown Source)
	at burp.z11.D(Unknown Source)
	at burp.z13.D(Unknown Source)
	at burp.aa2.lambda$requestResponses$1(Unknown Source)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
	at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
	at burp.t0.k(Unknown Source)
	at burp.t0.K(Unknown Source)
	at burp.aa2.requestResponses(Unknown Source)
	at burp.z7c.<init>(Unknown Source)
	at burp.jpi.lambda$generateReport$1(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at burp.jpi.generateReport(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at burp.kjm.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy20.generateReport(Unknown Source)
	at burp.w5e.generateReport(Unknown Source)

@Hannah-PortSwigger
Contributor

Hi. Could you drop us an email at [email protected] with some more information so that we can look into this further, please?

@petrabrunner

petrabrunner commented Feb 13, 2023

@Hannah-PortSwigger I am seeing this exception: #11 (comment) as well...

The exception happens when this method is called: burpApi.scanner().generateReport()

This is my code:

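import burp.api.montoya.MontoyaApi;
import burp.api.montoya.scanner.ReportFormat;
import burp.api.montoya.scanner.audit.AuditIssueHandler;
import burp.api.montoya.scanner.audit.issues.AuditIssue;

import java.io.File;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;

public class IssueHandler implements AuditIssueHandler {
    private final MontoyaApi burpApi;
    // Every issue seen so far; the whole set is written out again on each new issue
    private final Set<AuditIssue> auditIssueList = new HashSet<>();

    public IssueHandler(final MontoyaApi api) {
        burpApi = api;
    }

    @Override
    public synchronized void handleNewAuditIssue(final AuditIssue auditIssue) {
        // <filepath> is the placeholder used in the post as written
        final File reportFile = new File(<filepath>);
        auditIssueList.add(auditIssue);

        // Logger is not defined in the snippet as posted
        Logger.info("IssueHandler: writing new issue to report-file");
        // Pick the report format from the file extension and regenerate the report
        if (reportFile.getName().endsWith("html")) {
            burpApi.scanner().generateReport(new ArrayList<>(auditIssueList), ReportFormat.HTML, reportFile.toPath());
        } else {
            burpApi.scanner().generateReport(new ArrayList<>(auditIssueList), ReportFormat.XML, reportFile.toPath());
        }
    }
}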

burp version == Burp Suite Professional 2023.1.1-18663
montoya-api version == 1.0.0


UPDATE: - currently retesting with latest version of montoya-api:2023.2

UPDATE2: - exception is still thrown with latest version of montoya-api:2023.2 and burp v. 2023.2-18958

@Hannah-PortSwigger
Contributor

Hi.

Thanks for this information. We've been able to replicate this issue and have a bug ticket raised. We will be looking at resolving this issue, and other report-related issues, soon.

@yxw21
Author

yxw21 commented Mar 2, 2023

Hi.
@Hannah-PortSwigger

Has this problem been solved now?

@Hannah-PortSwigger
Contributor

> Hi. @Hannah-PortSwigger
>
> Has this problem been solved now?

The changes are not included in v2023.2.2. They should be present in our upcoming 2023.3 release.
