search

PortSwigger / burp-extensions-montoya-api

Burp Extensions Api
Other
125 stars 3 forks source link

Montoya API - missing audit issues #9

Open armin-weber opened 1 year ago

armin-weber commented 1 year ago

Hi!

I've just started experimenting with the new API and ran into some issues I didn't expect. I've successfully launched a scan which works just fine according to what I see in the GUI. Unfortunately, Audit#issues is always empty, even if I can see in the GUI that some issues were found. Also, AuditIssueHandler#handleNewAuditIssue is never called, even though there are issues in the GUI and I have registered this handler.

When I call api.siteMap().issues(), I get all the issues I can see in the GUI, but now, AuditIssue#requestResponses is always empty, although I can see requests and responses in the GUI.

According to the JavaDocs, I would expect neither Audit#issues nor AuditIssue#requestResponses to be empty. Am I missing something?

I've tried Burp Suite Professional 2022.9.5 and 2022.11, the problem exists in both versions. But I don't know the old API well, so I'm not sure if this is a bug or just a misunderstanding on my part.

Any help would be appreciated!

Thank you!

Hannah-PortSwigger commented 1 year ago

Thanks for reporting this! We're currently looking into this, but would it be possible for you to drop us an email at support@portswigger.net with the code that triggers this issue?

petrabrunner commented 1 year ago

@Hannah-PortSwigger @SeanBurnsUK is a fix coming for this? (and if so - when) I noticed the same in my own code.

specifically -> a registered AuditIssueHandler does not seem to be called even if issues are found

Hannah-PortSwigger commented 1 year ago

Hi @petrabrunner Are you on the latest Early Adopter version? Could you drop us an email at support@portswigger.net with an example of your code? I've just tested registering an AuditIssueHandler and retrieving data from the AuditIssue that is passed to handleNewAuditIssue(), but have not experienced any issues.

petrabrunner commented 1 year ago

@Hannah-PortSwigger you mean the latest early adopter version of burp suite (which version should I be using) or a specific new version of the montoya-api?

Hannah-PortSwigger commented 1 year ago

Sorry, I meant the latest early adopter version of Burp - currently v2023.1.1

petrabrunner commented 1 year ago

can confirm - I am using that version of burp suite - and yes - I will send an example your way. thx