Closed Hipapheralkus closed 6 years ago
Hello! The backtrace is not very telling... Could you share a request that results in this backtrace and/or steps to reproduce the issue? In this case it seems that the removeParameter call (https://github.com/ngo/burp-request-minimizer/blob/master/minimizer.py#L53) causes the trace. The extension prints some debug output to stdout, and before the trace you should be able to see a line 'Trying ...' with the name, type and value of the parameter that the extension is trying to remove. Can you share this information?
Original request:
POST /page?param1=value2&param2=2&param3=value3&param4=value4 HTTP/1.1
Host: somerandom.host
Connection: close
Content-Length: 111
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://somerandom.host
X-CSRF-TOKEN: 82e61c11-1a04-4491-a0b1-2a14021afeba
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=UTF-8
Referer: https://somerandom.host?paramxx=s
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: cookie1=value1;cookie2=value2;cookie3=value3
{"someText":"123456789","actions":[{"type":"someRandom","Id":"aaavbbb","answer":1}]}
Output:
('Request invariants', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('Trying', 0, u'param1', u'value2')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 0, u'param1', u'value2')
('Trying', 0, u'param2', u'2')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 0, u'param2', u'2')
('Trying', 0, u'param3', u'value3')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 0, u'param3', u'value3')
('Trying', 0, u'param4', u'value4')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 0, u'param4', u'value4')
('Trying', 2, u'cookie1', u'value1')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 2, u'cookie1', u'value1')
('Trying', 2, u'cookie2', u'value2')
('Invariant', set([u'input_image_labels', u'status_code', u'non_hidden_form_input_types', u'page_title', u'visible_text', u'button_submit_labels', u'div_ids', u'word_count', u'content_type', u'outbound_edge_tag_names', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'last_modified_header', u'first_header_tag', u'tag_names', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_location', u'limited_body_content', u'canonical_link', u'css_classes', u'location', u'anchor_labels']))
('diff', set([]))
('excluded:', 2, u'cookie2', u'value2')
('Trying', 2, u'cookie3', u'value3')
('Invariant', set([u'input_image_labels', u'non_hidden_form_input_types', u'last_modified_header', u'button_submit_labels', u'input_submit_labels', u'outbound_edge_count', u'initial_body_content', u'content_type', u'content_location', u'outbound_edge_tag_names', u'canonical_link', u'location', u'anchor_labels']))
('diff', set([u'status_code', u'page_title', u'visible_text', u'div_ids', u'word_count', u'whole_body_content', u'etag_header', u'visible_word_count', u'content_length', u'header_tags', u'tag_ids', u'comments', u'line_count', u'set_cookie_names', u'first_header_tag', u'tag_names', u'limited_body_content', u'css_classes']))
('Trying', 6, u'someText', u'123456789')
Error trace:
java.lang.UnsupportedOperationException: Action is not supported for this parameter type
at burp.r3c.a(Unknown Source)
at burp.r3c.removeParameter(Unknown Source)
at burp.ltf.removeParameter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor17.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
at org.python.core.PyObject.__call__(PyObject.java:496)
at org.python.core.PyObject.__call__(PyObject.java:500)
at org.python.core.PyMethod.__call__(PyMethod.java:156)
at org.python.pycode._pyx4._minimize$6(C:\Users\user\AppData\Roaming\BurpSuite\bapps\cc16f37549ff416b990d4312490f5fd1\minimizer.py:69)
at org.python.pycode._pyx4.call_function(C:\Users\user\AppData\Roaming\BurpSuite\bapps\cc16f37549ff416b990d4312490f5fd1\minimizer.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:223)
at org.python.core.PyObject._callextra(PyObject.java:601)
at threading$py.run$35(C:\jython2.7.0\Lib\threading.py:213)
at threading$py.call_function(C:\jython2.7.0\Lib\threading.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:138)
at org.python.core.PyFunction.__call__(PyFunction.java:413)
at org.python.core.PyMethod.__call__(PyMethod.java:126)
at threading$py._Thread__bootstrap$36(C:\jython2.7.0\Lib\threading.py:266)
at threading$py.call_function(C:\jython2.7.0\Lib\threading.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:218)
at org.python.core.PyMethod.__call__(PyMethod.java:213)
at org.python.core.FunctionThread.run(FunctionThread.java:25)
I see that most likely JSON is not supported in the request. However, since there are many parameters in the URL, as well as cookies and different headers, maybe the extender could minimize supported data, and leave the JSON intact? Or maybe you have a better idea :) Thanks
Thank you, I've successfully reproduced the issue.
I've added a check for param type, so that JSON params won't crash the plugin. Currently it just leaves JSON and XML params as is; I've added issue #2 to support JSON/XML minimization properly.
@Hipapheralkus Thank you for the bug report!
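The guard described above, as an added example that is not the extension's own code: a simplified remove-and-compare minimization loop (mirroring the 'Trying' / 'diff' / 'excluded:' flow in the debug output) that skips JSON and XML parameter types instead of handing them to removeParameter. The type codes are Burp's IParameter constants; the set of types treated as unsupported and the in-memory stand-in for the target are assumptions so the code runs without Burp.

```python
# Burp IParameter type constants (type 6 is the PARAM_JSON seen in the trace above).
PARAM_URL, PARAM_BODY, PARAM_COOKIE = 0, 1, 2
PARAM_XML, PARAM_XML_ATTR, PARAM_MULTIPART_ATTR, PARAM_JSON = 3, 4, 5, 6

# Assumption: these are the types removeParameter() cannot delete, so the
# minimizer leaves them untouched rather than crashing on them.
UNSUPPORTED = {PARAM_XML, PARAM_XML_ATTR, PARAM_JSON}

# Constructed from the request in this thread: (type, name, value) triples.
REQUEST = [
    (PARAM_URL, 'param1', 'value2'), (PARAM_URL, 'param2', '2'),
    (PARAM_URL, 'param3', 'value3'), (PARAM_URL, 'param4', 'value4'),
    (PARAM_COOKIE, 'cookie1', 'value1'), (PARAM_COOKIE, 'cookie2', 'value2'),
    (PARAM_COOKIE, 'cookie3', 'value3'),
    (PARAM_JSON, 'someText', '123456789'),
]


def fingerprint(params):
    """Constructed stand-in for the target: the response only changes when
    the session cookie (cookie3) is missing. Returns response features by name."""
    present = {(t, n): v for t, n, v in params}
    if present.get((PARAM_COOKIE, 'cookie3')) != 'value3':
        return {'status_code': 403, 'page_title': 'Login', 'content_length': 120}
    return {'status_code': 200, 'page_title': 'Dashboard', 'content_length': 4321}


def minimize(params, send):
    """Drop each parameter whose removal leaves the response features unchanged.
    Returns (kept, excluded, skipped, log); skipped holds the JSON/XML params."""
    base = send(params)
    kept = list(params)
    excluded, skipped, log = [], [], []
    for param in params:
        ptype, name, value = param
        log.append(('Trying', ptype, name, value))
        if ptype in UNSUPPORTED:
            skipped.append(param)          # the guard: never call removeParameter here
            continue
        trial = [q for q in kept if q != param]
        resp = send(trial)
        diff = set(k for k in base if resp.get(k) != base[k])
        log.append(('diff', diff))
        if not diff:                       # response unchanged: the param is not needed
            kept = trial
            excluded.append(param)
            log.append(('excluded:', ptype, name, value))
    return kept, excluded, skipped, log
```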
@Hipapheralkus, I've pushed an experimental support for JSON minimization in the xml-json-minimization branch. Would you please check that it works correctly for your use case?
Hi, I get the following trace:
Would it be possible to fix it? Thanks :)