PortSwigger / burp-extensions-montoya-api

Burp Extensions Api

audit.issues().size() is empty #49

Closed Kaide0521 closed 1 year ago

Kaide0521 commented 1 year ago

I run Burp Suite Professional in command-line mode with the argument --user-config-file=custom.json. I then start a task through the MontoyaApi().scanner().startAudit() interface. Finally, I fetch the issues through audit.issues(), and the result is empty. However, the issues can be obtained normally through the site map-related interface. Why?

custom.json :

{ "scanner":{ "audit_optimization":{ "consolidate_passive_issues":true, "follow_redirections":true, "maintain_session":true, "maximum_crawl_and_audit_time":0, "scan_accuracy":"normal", "scan_speed":"normal", "skip_ineffective_checks":true }, "audit_project_option_overrides":{ "connect_timeout":-1, "normal_timeout":-1 }, "error_handling":{ "consecutive_audit_check_failures_to_skip_insertion_point":2, "consecutive_insertion_point_failures_to_fail_audit_item":2, "number_of_follow_up_passes":1, "pause_task_failed_audit_item_count":15, "pause_task_failed_audit_item_percentage":0 }, "frequently_occurring_insertion_points":{ "quick_scan_body_params":true, "quick_scan_cookies":true, "quick_scan_entire_body":true, "quick_scan_http_headers":true, "quick_scan_param_name":true, "quick_scan_url_params":true, "quick_scan_url_path_filename":true, "quick_scan_url_path_folders":true }, "ignored_insertion_points":{ "skip_all_tests_for_parameters":[ { "enabled":true, "expression":"version", "item":"name", "match_type":"is", "parameter":"xml_attribute" }, { "enabled":true, "expression":"encoding", "item":"name", "match_type":"is", "parameter":"xml_attribute" }, { "enabled":true, "expression":"standalone", "item":"name", "match_type":"is", "parameter":"xml_attribute" }, { "enabled":true, "expression":"xmlns.*", "item":"name", "match_type":"matches_regex", "parameter":"xml_attribute" }, { "enabled":true, "expression":"xml:lang", "item":"name", "match_type":"is", "parameter":"xml_attribute" }, { "enabled":true, "expression":"lang", "item":"name", "match_type":"is", "parameter":"xml_attribute" }, { "enabled":true, "expression":"_ga", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"_gid", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"_gat", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"_ga_.*", "item":"name", "match_type":"matches_regex", "parameter":"cookie" }, 
{ "enabled":true, "expression":"_gac_.*", "item":"name", "match_type":"matches_regex", "parameter":"cookie" }, { "enabled":true, "expression":"AWSALB.*", "item":"name", "match_type":"matches_regex", "parameter":"cookie" } ], "skip_server_side_injection_for_parameters":[ { "enabled":true, "expression":"aspsessionid.*", "item":"name", "match_type":"matches_regex", "parameter":"cookie" }, { "enabled":true, "expression":"asp.net_sessionid", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"__eventtarget", "item":"name", "match_type":"is", "parameter":"body_parameter" }, { "enabled":true, "expression":"__eventargument", "item":"name", "match_type":"is", "parameter":"body_parameter" }, { "enabled":true, "expression":"__viewstate", "item":"name", "match_type":"is", "parameter":"body_parameter" }, { "enabled":true, "expression":"__eventvalidation", "item":"name", "match_type":"is", "parameter":"body_parameter" }, { "enabled":true, "expression":"jsessionid", "item":"name", "match_type":"is", "parameter":"any_parameter" }, { "enabled":true, "expression":"cfid", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"cftoken", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"PHPSESSID", "item":"name", "match_type":"is", "parameter":"cookie" }, { "enabled":true, "expression":"session_id", "item":"name", "match_type":"is", "parameter":"cookie" } ] }, "insertion_point_types":{ "insert_body_params":true, "insert_cookies":true, "insert_entire_body":true, "insert_http_headers":true, "insert_param_name":true, "insert_url_params":true, "insert_url_path_filename":true, "insert_url_path_folders":true }, "issues_reported":{ "scan_type_intrusive_active":true, "scan_type_javascript_analysis":true, "scan_type_light_active":true, "scan_type_medium_active":true, "scan_type_passive":true, "select_individual_issues":true, "selected_issues":[ { "detection_methods":[], 
"enabled":false, "type_index":"0x00800300" }, { "detection_methods":[], "enabled":false, "type_index":"0x00800200" }, { "detection_methods":[], "enabled":false, "type_index":"0x00800500" }, { "detection_methods":[], "enabled":false, "type_index":"0x01000500" }, { "detection_methods":[ { "enabled":true, "name":"Passive checks" }, { "enabled":true, "name":"Active checks" } ], "enabled":false, "type_index":"0x08000000" }, { "detection_methods":[], "enabled":false, "type_index":"0x01000400" }, { "detection_methods":[], "enabled":false, "type_index":"0x00800100" }, { "detection_methods":[], "enabled":false, "type_index":"0x00200328" }, { "detection_methods":[], "enabled":true, "type_index":"0x00300220" }, { "detection_methods":[], "enabled":false, "type_index":"0x00200600" }, { "detection_methods":[ { "enabled":true, "name":"Burp Collaborator" }, { "enabled":true, "name":"Burp Infiltrator" } ], "enabled":true, "type_index":"0x00300210" }, { "detection_methods":[], "enabled":true, "type_index":"0x00200904" }, { "detection_methods":[], "enabled":true, "type_index":"0x00200905" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600550" }, { "detection_methods":[ { "enabled":true, "name":"Burp Collaborator" }, { "enabled":true, "name":"Burp Infiltrator" } ], "enabled":true, "type_index":"0x00300200" }, { "detection_methods":[], "enabled":true, "type_index":"0x00300100" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00200316" }, { "detection_methods":[], "enabled":true, "type_index":"0x00400900" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400a00" }, { "detection_methods":[], "enabled":true, "type_index":"0x00400600" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400500" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic 
analysis" } ], "enabled":true, "type_index":"0x00200360" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400100" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400b00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400c00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400d00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400e00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400f00" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500d00" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00501200" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500f00" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500e00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00500a00" }, { "detection_methods":[], "enabled":false, "type_index":"0x00500500" }, { "detection_methods":[], "enabled":false, "type_index":"0x00500400" }, { "detection_methods":[ { "enabled":true, "name":"Response diffing" }, { "enabled":true, "name":"Burp Collaborator" } ], "enabled":false, "type_index":"0x00400110" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00501201" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500f01" }, { 
"detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500e01" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500d01" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00501202" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500f02" }, { "detection_methods":[ { "enabled":true, "name":"Javascript static analysis" }, { "enabled":true, "name":"Javascript dynamic analysis" } ], "enabled":false, "type_index":"0x00500e02" }, { "detection_methods":[], "enabled":false, "type_index":"0x00501003" }, { "detection_methods":[], "enabled":false, "type_index":"0x00501004" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600500" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600400" }, { "detection_methods":[], "enabled":false, "type_index":"0x00600700" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600800" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600600" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600300" }, { "detection_methods":[], "enabled":true, "type_index":"0x00600200" }, { "detection_methods":[], "enabled":true, "type_index":"0x005009b0" }, { "detection_methods":[], "enabled":false, "type_index":"0x00400120" }, { "detection_methods":[], "enabled":false, "type_index":"0x00700200" }, { "detection_methods":[], "enabled":false, "type_index":"0x00700100" }, { "detection_methods":[], "enabled":true, "type_index":"0x005009a0" } ], "store_issues_within_queue_items":true }, 
"javascript_analysis":{ "fetch_out_of_scope_resources":true, "max_dynamic_time_per_item":30, "max_static_time_per_item":30, "request_missing_dependencies":true, "use_dynamic_analysis":true, "use_static_analysis":true }, "misc_insertion_point_options":{ "max_insertion_points_per_base_request":30, "use_nested_insertion_points":true }, "modifying_parameter_locations":{ "body_to_cookie":false, "body_to_url":false, "cookie_to_body":false, "cookie_to_url":false, "url_to_body":false, "url_to_cookie":false } } }

Hannah-PortSwigger commented 1 year ago

Hi

--user-config-file refers to your user settings. These are the settings that are marked as "User setting" in your "Settings" panel. This does not include scan configuration settings.

When triggering scans using the Montoya API, it is not currently possible to specify a scan configuration. A task will be started with the default configuration.

If you'd like to trigger a crawl and audit with a specific scan configuration, then you would need to use Burp's REST API. This option can be found under "Settings > Suite > REST API". Once the REST API is running, you can use the service URL to trigger a scan. The REST API has an interactive interface to help you build your curl command.

You can find documentation on this here: https://portswigger.net/burp/documentation/desktop/settings/suite/rest-api