Closed SamJoan closed 4 years ago
I added a print to the comparison and this is the log:
[INFO 2020-04-05 06:19:22,059]: burp.xz@1981907c, burp.xz@8539575
[INFO 2020-04-05 06:19:23,839]: burp.xz@3d76e89e, burp.xz@1273e89f
[INFO 2020-04-05 06:19:25,907]: burp.xz@3c66c4c9, burp.xz@365ef9c3
[INFO 2020-04-05 06:19:27,786]: burp.xz@69b8e045, burp.xz@28698c50
[INFO 2020-04-05 06:19:29,621]: burp.xz@47576eae, burp.xz@69c304c9
[INFO 2020-04-05 06:19:30,835]: burp.xz@6678b4cf, burp.xz@176c0185
[INFO 2020-04-05 06:19:33,227]: burp.xz@54891f90, burp.xz@77741702
[INFO 2020-04-05 06:19:35,142]: burp.xz@5f76f749, burp.xz@3dbda1fb
[INFO 2020-04-05 06:19:37,000]: burp.xz@3df71878, burp.xz@7fad74c4
[INFO 2020-04-05 06:19:38,821]: burp.xz@51e7740a, burp.xz@311a0f32
[INFO 2020-04-05 06:19:40,585]: burp.xz@281b5175, burp.xz@6afe202a
[INFO 2020-04-05 06:19:41,733]: burp.xz@7f39658d, burp.xz@54fd158a
[INFO 2020-04-05 06:19:43,510]: burp.xz@56542da9, burp.xz@2b19c5a0
[INFO 2020-04-05 06:19:43,717]: Warning: Request for '/einvoice/' endpoint was not modified.
[INFO 2020-04-05 06:19:45,279]: burp.xz@5f5a8a92, burp.xz@7c6019cc
[INFO 2020-04-05 06:19:45,486]: Warning: Request for '/einvoice/js/' endpoint was not modified.
[INFO 2020-04-05 06:19:47,051]: burp.xz@e57c78d, burp.xz@6f981410
[INFO 2020-04-05 06:19:48,240]: burp.xz@7cb8d5e7, burp.xz@532f66f4
[INFO 2020-04-05 06:19:48,447]: Warning: Request for '/c2c/index/' endpoint was not modified.
[INFO 2020-04-05 06:19:50,005]: burp.xz@7a72e152, burp.xz@17a0cda5
[INFO 2020-04-05 06:20:15,558]: Warning: Request for '/' endpoint was not modified.
[INFO 2020-04-05 06:20:17,117]: burp.xz@7e5b7a98, burp.xz@2ff584cf
[INFO 2020-04-05 06:20:17,128]: Finished fuzzing https://tw.billing.yahoo.com:443/
[INFO 2020-04-05 06:20:17,329]: Warning: Request for '/c2c/index/c2c_index/' endpoint was not modified.
[INFO 2020-04-05 06:20:18,900]: burp.xz@36e119b8, burp.xz@b9c1407
[INFO 2020-04-05 06:20:19,407]: Warning: Request for '/robots.txt' endpoint was not modified.
[INFO 2020-04-05 06:20:20,967]: burp.xz@14abf73d, burp.xz@193da366
[INFO 2020-04-05 06:20:20,970]: Finished fuzzing https://tw.billing.yahoo.com:443/robots.txt
[INFO 2020-04-05 06:20:22,746]: burp.xz@72fbddbe, burp.xz@3bf9566e
[INFO 2020-04-05 06:20:30,688]: burp.xz@3c66c4c9, burp.xz@417ff49a
[INFO 2020-04-05 06:20:30,700]: Finished fuzzing https://tw.billing.yahoo.com:443/mybilling/
[INFO 2020-04-05 06:20:30,904]: Warning: Request for '/c2c/reg/' endpoint was not modified.
[INFO 2020-04-05 06:20:32,469]: burp.xz@59a66c67, burp.xz@4045fa57
[INFO 2020-04-05 06:26:23,117]: burp.xz@281b5175, burp.xz@56676944
[INFO 2020-04-05 06:26:23,124]: Finished fuzzing https://tw.billing.yahoo.com:443/mybilling/mb_index.php
[INFO 2020-04-05 06:26:23,325]: Ignoring request to /c2c/reg/logout/ to avoid invalidating the session.
[INFO 2020-04-05 06:26:23,332]: burp.xz@46882ec8, None
That is, on the following line repeatedAnalyzedResponse is None.
return self.analyzedResponse.statusCode == self.repeatedAnalyzedResponse.statusCode
I found the error:
[INFO 2020-04-05 06:38:58,456]: Ignoring request to /c2c/reg/logout/ to avoid invalidating the session.
[INFO 2020-04-05 06:38:58,461]: burp.xz@267e7b7, None
[ERROR 2020-04-05 06:38:59,049]: Scan failed due to an unknown exception.
Traceback (most recent call last):
  File "C:\Users\pedro\code\benteveo-toolbox\ui.py", line 604, in fuzzButtonClicked
    nbFuzzedTotal, nbExceptions = fuzzRunner.run()
  File "C:\Users\pedro\code\benteveo-toolbox\fuzz.py", line 29, in run
    return self.fuzzEndpoints()
  File "C:\Users\pedro\code\benteveo-toolbox\fuzz.py", line 69, in fuzzEndpoints
    if request.wasReproducible():
  File "C:\Users\pedro\code\benteveo-toolbox\models.py", line 141, in wasReproducible
    return self.analyzedResponse.statusCode == self.repeatedAnalyzedResponse.statusCode
AttributeError: 'NoneType' object has no attribute 'statusCode'
The issue is that the request is not resent due to having logout in the URL.
[INFO 2020-04-05 06:38:58,456]: Ignoring request to /c2c/reg/logout/ to avoid invalidating the session.
And then on the next line the httpRequestResponse for the resent request is not set.
The exception above was caused when running with 32 + 32 threads. This could have caused some of Burp's APIs to return a null object. Alternatively, this could have been caused by running on 1.7 instead of 2.x.
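A minimal reproduction of the failure described in this thread, with one way to guard the comparison, as an added example that is not code from benteveo-toolbox. Only `analyzedResponse`, `repeatedAnalyzedResponse`, `statusCode`, `wasReproducible` and `fuzzEndpoints` are names from the traceback; the class, the `send` callback, `SKIP_KEYWORDS`, the function bodies and the sample data are hypothetical stand-ins.

```python
from collections import namedtuple

# Constructed stand-in for an analyzed response; only statusCode matters here.
AnalyzedResponse = namedtuple("AnalyzedResponse", ["statusCode"])
SKIP_KEYWORDS = ("logout",)  # assumption: resend is skipped on a URL match


class RequestModel(object):
    def __init__(self, path, analyzedResponse):
        self.path = path
        self.analyzedResponse = analyzedResponse
        self.repeatedAnalyzedResponse = None  # set only if the request is resent

    def wasReproducibleUnguarded(self):
        # Same comparison as the traceback line: raises when either side is None.
        return self.analyzedResponse.statusCode == self.repeatedAnalyzedResponse.statusCode

    def wasReproducible(self):
        # A request that was never resent (or whose resend returned nothing)
        # cannot be called reproducible, so report False instead of raising.
        if self.analyzedResponse is None or self.repeatedAnalyzedResponse is None:
            return False
        return self.analyzedResponse.statusCode == self.repeatedAnalyzedResponse.statusCode


def resend(request, send):
    """Resend unless the path would end the session; returns True if sent."""
    if any(word in request.path.lower() for word in SKIP_KEYWORDS):
        return False
    request.repeatedAnalyzedResponse = send(request.path)  # may be None
    return True


def fuzzEndpoints(requests, send):
    """Split request paths into those safe to fuzz and those set aside."""
    fuzzable, setAside = [], []
    for request in requests:
        resend(request, send)
        (fuzzable if request.wasReproducible() else setAside).append(request.path)
    return fuzzable, setAside


def sampleSend(path):
    # Constructed transport: returns None for one path to mimic a null API result.
    return None if path == "/robots.txt" else AnalyzedResponse(200)


def sampleRequests():
    # Constructed sample: paths from the log above, status codes invented.
    paths = ("/mybilling/", "/c2c/reg/logout/", "/robots.txt")
    return [RequestModel(p, AnalyzedResponse(200)) for p in paths]
```

Both the skipped logout request and the request whose resend returned nothing end up in the set-aside list, so the run continues instead of aborting on the first `None`.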