Closed drwetter closed 1 year ago
Unfortunately this is expected behaviour. Some request smuggler checks have to use Turbo Intruder's network stack (ThreadedRequestEngine). This stack doesn't support any of Burp's settings, including client TLS and SOCKS proxying.
Hi,
thanks for the HTTP request smuggling extension which I use frequently.
Recently I was testing an mTLS-enabled API from a customer. In order to get to the destination IP I had to tunnel all requests to a SOCKS proxy (via SSH).
However I had a problem executing the majority of requests when choosing a POST Request ==> Extensions --> HTTP Request Smuggler --> Launch all scans. They timed out like (output tab):
Logger++ showed me like ~9 requests only. Also I got Java errors in the output tab like
Intruder, proxy, repeater and all standard requests worked fine. Also as far as I saw extensions. The JDK was from a Linux distro. Above. In order to exclude probs with the JDK I was using I also used the full BurpPro downloads including Java 19 on Linux and Mac and there was no difference I noticed.
The client certificate I used imported just fine:
The file I was able to export using Burp looked fine too:
As a baseline I tried to scan a node with Nginx and Apache, both not requiring a client certificate, and it worked fine. Apache threw some similar SSLSocketFactory stack traces and a few requests timed out, but Logger++ showed >~600 requests instead of 9.
I filed this also with support (06ff6abde82f6f666e16:6ndi). As requested by support I am filing the issue also here.
Thanks, Dirk
PS: I don't have access to the server requiring the certificate anymore.