Scanner.generateReport and Audit.issues

[yxw21]

Scanner.generateReport

api.scanner().generateReport(auditIssues, ReportFormat.HTML, Path.of("/tmp/1.html"));

After I update burpsuite to version 2022.9.5, the html generated by Scanner.generateReport will be missing some important information

2022.9.5

2022.8.5

Audit.issues

Pseudo code

Audit audit = scan.startAudit();
while(audit.statusMessage != "finished"){
  sleep(1000);
}
print(audit.issues)
[]

refer #9

[Hannah-PortSwigger]

Apologies for the late reply. We are aware of this issue, and it will be resolved in a future release of Burp.

[yxw21]

Hi, which version is expected to solve this problem

[Hannah-PortSwigger]

The issue with requests and responses not being reported should be resolved in v2023.1 - our current Early Adopter channel release.

[yxw21]

Hi How to add url scanning in the new api version. Older versions can do this.

Scan scan = api.scanner().createScan();
scan.addUrl(Args.args.url.toString());

[SeanBurnsUK]

We removed addUrl as it was confusing to what it actually did (Ie did it do a crawl of the url or and audit on the base response).

We will be adding a new API in the future for Crawl And Audit, which will crawl a url and audit it (Similar to what burp does from he UI).

To answer your question depends on what you wanted. If you wanted to crawl the URL you can use

Crawl crawl = api.scanner.startCrawl(crawlConfiguration(url));

If you wanted to audit the base response when making a request to that URL you can use

Audit audit = api.scanner.startAudit(auditConfiguration(LEGACY_ACTIVE_AUDIT_CHECKS));
audit.addRequest(httpRequest(url));

[yxw21]

Thanks for your quick reply, I found a new problem, can you check it

if (auditIssues.size() > 0) {
  // args.format = HTML, Path.of(args.output) = 123.html
  api.scanner().generateReport(auditIssues, args.format, Path.of(args.output));
}

java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
    at burp.kko.W(Unknown Source)
    at burp.kko.<init>(Unknown Source)
    at burp.z7c.<init>(Unknown Source)
    at burp.jpi.lambda$generateReport$1(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at burp.jpi.generateReport(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.kjm.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy20.generateReport(Unknown Source)
        at burp.w5e.generateReport(Unknown Source)

[yxw21]

new error message

java.lang.NullPointerException: Cannot invoke "burp.api.montoya.http.message.responses.HttpResponse.withMarkers(java.util.List)" because "<local5>" is null
    at burp.an3.E(Unknown Source)
    at burp.jb2.j(Unknown Source)
    at burp.aa2.lambda$requestResponses$0(Unknown Source)
    at burp.z11.D(Unknown Source)
    at burp.z13.D(Unknown Source)
    at burp.aa2.lambda$requestResponses$1(Unknown Source)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
    at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
    at burp.t0.k(Unknown Source)
    at burp.t0.K(Unknown Source)
    at burp.aa2.requestResponses(Unknown Source)
    at burp.z7c.<init>(Unknown Source)
    at burp.jpi.lambda$generateReport$1(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at burp.jpi.generateReport(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.kjm.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy20.generateReport(Unknown Source)
    at burp.w5e.generateReport(Unknown Source)

[Hannah-PortSwigger]

Hi. Could you drop us an email at support@portswigger.net with some more information so that we can look into this further, please?

[petrabrunner]

@Hannah-PortSwigger I am seeing this exception: https://github.com/PortSwigger/burp-extensions-montoya-api/issues/11#issuecomment-1384779615 as well...

exception happens when this method is called: burpApi.scanner().generateReport()

this is my code:

public class IssueHandler implements AuditIssueHandler {
    private final MontoyaApi burpApi;
    private final Set<AuditIssue> auditIssueList = new HashSet<>();

    public IssueHandler(final MontoyaApi api) {
        burpApi = api;
    }

    @Override
    public synchronized void handleNewAuditIssue(final AuditIssue auditIssue) {

        final File reportFile = new File(<filepath>);
        auditIssueList.add(auditIssue);

        Logger.info("IssueHandler: writing new issue to report-file");
        if (reportFile.getName().endsWith("html")) {
            burpApi.scanner().generateReport(new ArrayList<>(auditIssueList), ReportFormat.HTML, reportFile.toPath());
        } else {
            burpApi.scanner().generateReport(new ArrayList<>(auditIssueList), ReportFormat.XML, reportFile.toPath());
        }
    }
}

burp version == Burp Suite Professional 2023.1.1-18663 montoya-api version == 1.0.0

---

UPDATE: - currently retesting with latest version of montoya-api:2023.2

UPDATE2: - exception is still thrown with latest version of montoya-api:2023.2 and burp v. 2023.2-18958

[Hannah-PortSwigger]

Hi.

Thanks for this information. We've been able to replicate this issue and have a bug ticket raised. We will be looking at resolving this issue, and other report-related issues, soon.

[yxw21]

Hi. @Hannah-PortSwigger

Has this problem been solved now?

[Hannah-PortSwigger]

Hi. @Hannah-PortSwigger

Has this problem been solved now?

The changes are not included in v2023.2.2. They should be present in our upcoming 2023.3 release.