There are many requests. (handleNewAuditIssue)

[Nzoth9]

Hi, Teams! I don't want to bother you with repeated questions, but i need help. 😔 Thanks to that, recently the law of writing extensions has increased a little.

First of all, I want to create a new issue if the conditions are met. So I added in HttpHandlerExample like this:

    public void initialize(MontoyaApi api) {
        this.logging = api.logging();
        this.api = api;

        Http http = api.http();
        Proxy proxy = api.proxy();
        Extension extension = api.extension();
        Scanner scanner = api.scanner();

        api.http().registerHttpHandler(new MyHttpHandler(api));
        scanner.registerAuditIssueHandler(new HttpHandlerExample.MyAuditIssueListenerHandler());
        extension.registerUnloadingHandler(new MyExtensionUnloadHandler());
    }

Below is the MyAuditIssueListenerHandler I created. (HttpHandlerExample)

    public class MyAuditIssueListenerHandler implements AuditIssueHandler {
        @Override
        public void handleNewAuditIssue(AuditIssue auditIssue) {
            logging.logToOutput("call handle audit issue.");

            Optional<AuditIssue> duplicated = api.siteMap().issues().stream().filter(f -> f.name().equalsIgnoreCase(auditIssue.name())).findAny();
            if(duplicated.isEmpty()) {
                logging.logToOutput("Not Exist Issue.");
                api.siteMap().add(auditIssue);
                logging.logToOutput("New add Issue: " + auditIssue.name());
            } else {
                logging.logToOutput("Exist Issue");
            }
        }
    }

Among the issues recorded in the site map, if there is an issue with the same name, no issue will be created. (doesn't seem to well work, One login request results in numerous calls.)

Finally, HttpHandler

@Override
     public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived responseReceived) {
         HttpRequest originalRequest = responseReceived.initiatingRequest();

         if (this.api.scope().isInScope(originalRequest.url())) {
             this.logging.logToOutput(String.format("%s is in scope", originalRequest.url()));
            if (checkData(originalRequest)) {
                String json = convertToJson(originalRequest);
                this.logging.logToOutput(String.format("%s is converted", json));

                originalRequest = originalRequest.withRemovedHeader("Content-Type");
                originalRequest = originalRequest.withAddedHeader("Content-Type", "application/json");

                String compareLength1 = responseReceived.headers().stream().filter(header -> header.name().equalsIgnoreCase("Content-Length")).findFirst().get().toString();

                HttpRequestResponse requestResponse = this.api.http().sendRequest(originalRequest.withBody(json));
                this.logging.logToOutput(String.format("%s sent", originalRequest.url()));
                String compareLength2 = requestResponse.response().headers().stream().filter(header -> header.name().equalsIgnoreCase("Content-Length")).findFirst().get().toString();

                String compare1 = compareLength1.split("Content-Length: ")[1];
                String compare2 = compareLength2.split("Content-Length: ")[1];

                this.logging.logToOutput(String.format("if %s ? %s", compare1, compare2));

                if (!compare1.equalsIgnoreCase(compare2)) { # test false!
                    this.logging.logToOutput("JSON!");
                    AuditIssue newIssue = new AuditIssue() {
                        @Override
                        public String name() {
                            return requestResponse.url();
                        }

                        @Override
                        public String detail() {
                            return "is Detail";
                        }

                        @Override
                        public String remediation() {
                            return "remediation";
                        }

                        @Override
                        public HttpService httpService() {
                            return requestResponse.httpService();
                        }

                        @Override
                        public String baseUrl() {
                            return requestResponse.url();
                        }

                        @Override
                        public AuditIssueSeverity severity() {
                            return AuditIssueSeverity.INFORMATION;
                        }

                        @Override
                        public AuditIssueConfidence confidence() {
                            return AuditIssueConfidence.FIRM;
                        }

                        @Override
                        public List<HttpRequestResponse> requestResponses() {
                            return null;
                        }
                        @Override
                        public AuditIssueDefinition definition() {
                            return null;
                        }
                    };

                    api.logging().logToOutput(newIssue.name());
                    issue.handleNewAuditIssue(newIssue); # many called ! 

                    return continueWith(responseReceived);
                }
            }
            return continueWith(responseReceived);
         }
         return continueWith(responseReceived);
     }

If the conditions are met, a new issue is created and issue.handleNewAuditIssue(newIssue) is called.

Then, when load the extension, see the following screen.

I thought I created an issue only once, but many issues are created.

Errors are also printed.

at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.kjm.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy194.handleNewAuditIssue(Unknown Source)
    at burp.k4e.V(Unknown Source)
    at burp.t4.N(Unknown Source)
    at burp.up.n(Unknown Source)
    at burp.up.s(Unknown Source)
    at burp.up.q(Unknown Source)
    at burp.up.L(Unknown Source)
    at burp.wrl.Z(Unknown Source)
    at burp.wrl.D(Unknown Source)
    at burp.gxw.x(Unknown Source)
    at burp.gxw.M(Unknown Source)
    at burp.e9i.t(Unknown Source)
    at burp._n0.run(Unknown Source)
    at burp.aeo.add(Unknown Source)
    at jdk.internal.reflect.GeneratedMethodAccessor131.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.kjm.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy50.add(Unknown Source)
    at burp.yra.add(Unknown Source)
    at example.httphandler.HttpHandlerExample$MyAuditIssueListenerHandler.handleNewAuditIssue(HttpHandlerExample.java:54)
    at jdk.internal.reflect.GeneratedMethodAccessor134.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at burp.kjm.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy194.handleNewAuditIssue(Unknown Source)

1. How to create non-duplicate Issue? (Any good examples of generating issues?)
2. Why is MyHttpHandler called 5~6 times for one login request?
3. How can I create a List of AuditIssue?

I wish there were more examples, but should I refer to the previous extensions? Any help would be appreciated. thank you.

[seanjburns]

What you are doing seems fundamentally wrong. You should not be sending requests from the response handler (that is causing your multiple issues).

I think what you want is a custom active audit. Have a look at this example (specifically the active audit).

https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customscanchecks

https://portswigger.net/burp/documentation/desktop/scanning

[Nzoth9]

Thank you! @seanjburns! have a nice day! :)