search

PortSwigger / burp-extensions-montoya-api

Burp Extensions Api
Other
139 stars 5 forks source link

How to "unpause all tasks" via extension #29

Closed petrabrunner closed 1 year ago

petrabrunner commented 1 year ago

Hi,

I have the following problem:

It seems audits that are started within my extension (like below) never get any other status than "waiting" final Audit newScan = burpApi.scanner().startAudit(AuditConfiguration.auditConfiguration(BuiltInAuditConfiguration.LEGACY_PASSIVE_AUDIT_CHECKS)); newScan.addRequestResponse(requestResponse);

This extension is applied to a --headless burp - that means I cannot simply press the button "resume task processing" that is available via ui...

Any idea how to get burp to "resume task processing" within the --headless state?

Details: 

private void removeCompletedElementsFromList() {
        for (final Audit scanElement : currentlyRunningAudits) {
            if (!isScanStatusInProgress(scanElement)) {
//                do something...
            }
        }
    }
    private boolean isScanStatusInProgress(final Audit scanElement) {
        //TODO check which possible status messages exist
        Logger.info("ScanThread: scan status: " + scanElement.statusMessage() + "; request count: " + scanElement.requestCount());
//        if(scanElement.statusMessage().contains("in progress")) {
//            return false;
//        }
        return true;
    }

thx in advance

Hannah-PortSwigger commented 1 year ago

Hi

When you start Burp, are you using the --unpause-spider-and-scanner argument?

You can find the full list of available command line arguments here.

petrabrunner commented 1 year ago

Hi Hannah, I am not - will try right away. Thank you~

petrabrunner commented 1 year ago

unfortunately the flag does not change things... btw. this is the complete cmd-line I use: java -Xmx16G -Xms6G -Djava.awt.headless=true -jar /home/root/burp/sources/burpsuite_pro.jar --unpause-spider-and-scanner --project-file=/home/root/burp/init.burp --config-file=/home/root/burp/sources/projectOptions.json --config-file=/home/root/burp/sources/userOptions.json 2>&1 | tee /home/root/burp/burpOut.txt

btw. is there a config-file property that configures that behavior?

petrabrunner commented 1 year ago

Also - question as I just noticed this:

if it is meant to be the second - how do I know, how many of the Audit Items are still in progress within the extension (if I cannot use the ui). is there a possibility to get information on the scan-progress?

I mean if hundreds of Audit Items (HttpRequestResponses) are part of an Audit (started via burpApi.scanner().startAudit()) - then the completion of that Audit can take a very long time... And it would be good to know if the scan is still running or if some problem has occurred hours ago, and the program could stop waiting for the Audit to complete.

Hannah-PortSwigger commented 1 year ago

Extension-generated audit tasks are similar to live audit tasks - they create their own separate task and add to that.

We will be looking at adding additional functionality to the Montoya API to support scanning further in the near future.

For monitoring scan progress, periodically polling Audit.status() may help. You could also use an HttpHandler to monitor the network traffic passing through Burp.

petrabrunner commented 1 year ago

@Hannah-PortSwigger are you saying that it is possible that there is a bug in the montoya-api? or do you suspect a problem with my setup? were you able to confirm that this is not working?

petrabrunner commented 1 year ago

fyi @Hannah-PortSwigger - I tested the same setup but without --project-file=/home/root/burp/init.burp and then it works.

I also retested with a new "clean" project - and it seems now it works as well. must have been a setting in my original "init.burp" project that conflicted with the settings given via cmd/config-property files

Hannah-PortSwigger commented 1 year ago

Glad to hear that a fresh project file is not having any issues!

Please let us know if you need any further assistance.