Updated Burp to 2021.8 today on macOS and installed HTTP Request Smuggler from the BApp store.
Logged in to the Academy and started the CL.TE lab.
Located request in Proxy History, right-clicked, selected Extensions|HTTP Request Smuggler|Smuggle probe.
On the Output pane for the extension, I am getting the following:
Using albinowaxUtils v0.4
Loaded HTTP Request Smuggler v2.0
Updating active thread pool size to 8
Loop 0
Queued 1 attacks from 1 requests in 0 seconds
TImeout with response. Start time: 1628558700578 Current time: 1628558711713 Difference: 11135 Tolerance: 10000
Unexpected report with response
Error in thread: Cannot invoke "String.length()" because "decoded" is null. See error pane for stack trace.
And in the error pane, I get:
java.lang.NullPointerException: Cannot invoke "String.length()" because "decoded" is null
    at burp.ConfigurableSettings.getString(ConfigurableSettings.java:177)
    at burp.ChunkContentScan.sendPoc(ChunkContentScan.java:132)
    at burp.ChunkContentScan.doConfiguredScan(ChunkContentScan.java:76)
    at burp.SmuggleScanBox.doScan(SmuggleScanBox.java:111)
    at burp.Scan.doScan(BulkScan.java:552)
    at burp.BulkScanItem.run(BulkScan.java:472)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
FWIW, I originally was attempting on the lab description page, not the lab itself, and I was not getting any errors (maybe because it isn't vulnerable, but ¯\_(ツ)_/¯).
Edit: I hadn't checked earlier; it did show the vulnerability in the Dashboard, but I was waiting for the extension output to show completed and I never got that message.