search

modzero / mod0BurpUploadScanner

HTTP file upload scanner for Burp Proxy
Other
481 stars 138 forks source link

UploadScanner bug when Collaborator is disabled #8

Closed Hipapheralkus closed 6 years ago

Hipapheralkus commented 6 years ago

I have the Burp Collaborator disabled by default, as it is not reachable from the testing environment. If I understand it correctly, some payloads does not require Collaborator, but rather re-download of the files, which I configured. Is it possible to make it work without collaborator? Trace follows:

Traceback (most recent call last):
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 877, in doActiveScan
    self.do_checks(injector)
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 928, in do_checks
    burp_colab = BurpCollaborator(self._callbacks)
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 4142, in __init__
    self.is_ip_collaborator = '/' in FloydsHelpers.u2s(callbacks.createBurpCollaboratorClientContext().generatePayload(True))
IllegalStateException: java.lang.IllegalStateException: Burp Collaborator is disabled in the Project options
floyd-fuh commented 6 years ago

I fixed it in https://github.com/PortSwigger/upload-scanner/pull/3 . You have to wait until Portswigger updates in the BApp store, then update your copy in the BApp. Thanks for reporting!

Mind though that other extension might probably also have a bug like this and for them you usually have to check the error output to see if they work properly (so far only this extension notifies the user of a crash).

floyd-fuh commented 6 years ago

Btw. I highly recommend using an internal Burp Collaborator. Even when it is an IP-based (no DNS name or certificates or anything) and you just run it on the same machine as your Burp. This extension auto detects if it is an IP based one and will adjust its payloads accordingly.