augustd / burp-suite-software-version-checks

Burp extension to passively scan for applications revealing software version numbers

Markers intersection in issue #94

Closed BlackFan closed 3 years ago

BlackFan commented 3 years ago

When adding a large number of rules, the intersection of highlight markers is possible in the issue. In this case, Burp does not create an issue and does not display an error about it, and the extension may lose results.

For example, you can make the following rules

(HTTP/\d\.\d)   1   HTTP    High    Certain
(HTTP/1\.\d)    1   HTTP    High    Certain

Together they do not create an issue, but if you delete one of them, everything works correctly.

Links:

https://github.com/augustd/burp-suite-utils/blob/18cd784424130c038f9b58d338f9821e7c8e4bb9/src/main/java/com/codemagi/burp/ScanIssue.java#L56

https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#applyMarkers(burp.IHttpRequestResponse,%20java.util.List,%20java.util.List)

BlackFan commented 3 years ago

Same problem in https://github.com/augustd/burp-suite-error-message-checks

augustd commented 3 years ago

The API docs say "The markers in the list should be in sequence and not overlapping."

I think in this instance you have two rules that both match the same chunk of the response and thus overlap. This could be causing an issue internally in the Burp API resulting in neither highlight being shown.

You mentioned that no issue is created, but does your matched string show up in the Software Versions Discovered component on the extension's Versions tab?

BlackFan commented 3 years ago

> You mentioned that no issue is created, but does your matched string show up in the Software Versions Discovered component on the extension's Versions tab?

Yes, everything is displayed correctly there.

And now the error is displayed in the log. Although when I started analyzing the problem with creating an Issue in Burp, I was sure that the error log was empty. Maybe I was wrong.

java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
    at burp.hy0.addScanIssue(Unknown Source)

Nevertheless, it might be worth adding some kind of check to the Extensions. I use the extension to search for vulnerable js libraries and for this I generate regular expressions based on a random piece of code from this library. With a large number of rules, it is very difficult to control so that the markers do not overlap.
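The check suggested above, as an added example that is not code from the burp-suite-software-version-checks project: the two rules from the report are run against a constructed response, the raw match offsets are collected, and the list is sorted and merged before it would be handed to Burp. The Burp contract quoted in the thread (markers "in sequence and not overlapping") is the property `isValidMarkerList` tests; the method names, the sample response and the rule list are assumptions for the example, and no Burp classes are imported so the file compiles stand-alone. The call to `callbacks.applyMarkers(...)` is mentioned only in a comment, with the signature linked in the issue.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not project code): normalise regex match offsets from several
 * rules into a sorted, overlap-free marker list, which is what
 * IBurpExtenderCallbacks.applyMarkers(...) and addScanIssue(...) expect.
 */
public class MarkerMerge {

    /** Run every rule against the response text and collect raw [start, end) offsets. */
    public static List<int[]> collectMarkers(String response, List<Pattern> rules) {
        List<int[]> markers = new ArrayList<>();
        for (Pattern rule : rules) {
            Matcher m = rule.matcher(response);
            while (m.find()) {
                // Highlight capture group 1 when the rule has one (the version string), else the whole match
                int group = m.groupCount() >= 1 ? 1 : 0;
                markers.add(new int[] { m.start(group), m.end(group) });
            }
        }
        return markers;
    }

    /** Sort by start offset and merge any ranges that overlap or touch. */
    public static List<int[]> mergeMarkers(List<int[]> markers) {
        List<int[]> sorted = new ArrayList<>(markers);
        sorted.sort(Comparator.comparingInt((int[] r) -> r[0]).thenComparingInt(r -> r[1]));
        List<int[]> merged = new ArrayList<>();
        for (int[] r : sorted) {
            if (merged.isEmpty() || r[0] > merged.get(merged.size() - 1)[1]) {
                merged.add(new int[] { r[0], r[1] });       // disjoint from the previous range
            } else {
                int[] last = merged.get(merged.size() - 1);
                last[1] = Math.max(last[1], r[1]);          // extend the previous range instead
            }
        }
        return merged;
    }

    /** True when the list satisfies Burp's contract: in sequence and non-overlapping. */
    public static boolean isValidMarkerList(List<int[]> markers) {
        int prevEnd = -1;
        for (int[] r : markers) {
            if (r[0] < prevEnd || r[1] < r[0]) return false;
            prevEnd = r[1];
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample response; the two rules are the ones from the issue report
        String response = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n";
        List<Pattern> rules = List.of(
            Pattern.compile("(HTTP/\\d\\.\\d)"),
            Pattern.compile("(HTTP/1\\.\\d)"));

        List<int[]> raw = collectMarkers(response, rules);
        System.out.println("raw markers valid: " + isValidMarkerList(raw));
        List<int[]> merged = mergeMarkers(raw);
        System.out.println("merged markers valid: " + isValidMarkerList(merged));
        for (int[] r : merged) {
            System.out.println("marker " + r[0] + "-" + r[1] + " -> " + response.substring(r[0], r[1]));
        }
        // In an extension, `merged` is what would be passed as the responseMarkers argument of
        // callbacks.applyMarkers(baseRequestResponse, null, merged) before the scan issue is built.
    }
}
```

Merging rather than dropping the second range keeps every match visible while still satisfying the contract; the raw list from the two rules fails `isValidMarkerList` because both capture the same `HTTP/1.1` span, and the merged list passes. Running the check before `addScanIssue` also turns the silent loss described in the report into something the extension can log on its own.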