simioni87 / auth_analyzer

Burp Extension for testing authorization issues. Automated request repeating and parameter value extraction on the fly.
MIT License
182 stars, 47 forks

Send from the logger #44

Closed. Ginryn closed this 8 months ago.

Ginryn commented 8 months ago

Hey simioni87, I can't find the option to send to auth_analyzer in the Logger, but I can find the option to send to other plugins. Could you please add the functionality to receive requests from the Logger? There's a scenario where I can use other plugins to batch-parse API docs like swagger-ui, insert default parameters, and then forward them in bulk to auth_analyzer for preliminary validation of unauthorized and privilege-escalation requests.

simioni87 commented 8 months ago

Hey Ginryn, which GUI element are you talking about? A screenshot of the location of the missing function would help me understand what you mean. If you mean the context menu of the message editor, that one comes out of the box from the Burp Extender API.

Ginryn commented 8 months ago

Hi, thank you for your reply. Please review the additional image I've provided.

simioni87 commented 8 months ago

According to my analysis, this is actually a bug raised due to an inconsistent IContextMenuInvocation object passed from the Logger. The following unhandled exception is thrown as soon as invocation.getSelectionBounds() or invocation.getInvocationContext() is invoked within the interface method List<JMenuItem> createMenuItems(IContextMenuInvocation invocation):

java.lang.NullPointerException: Invocation type cannot be null
    at burp.Zilx.ZG(Unknown Source)
    at burp.Zepc.getInvocationContext(Unknown Source)
    at com.protect7.authanalyzer.controller.ContextMenuController.createMenuItems(ContextMenuController.java:43)
    at burp.Ztyb.provideMenuItems(Unknown Source)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at burp.Zi56.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy32.provideMenuItems(Unknown Source)
    at burp.Zdsn.Zg(Unknown Source)
    at burp.Zfhn.ZR(Unknown Source)
    at burp.Zuc6.Zc(Unknown Source)
    at burp.Zuc6.Zo(Unknown Source)
    at burp.Zuc6.ZT(Unknown Source)
    at burp.Zuc6.Zs(Unknown Source)
    at burp.Zt_b.Zd(Unknown Source)
    at burp.Zt90.Zr(Unknown Source)
    at burp.Zb2.mouseReleased(Unknown Source)
    at java.desktop/java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:298)
    at java.desktop/java.awt.Component.processMouseEvent(Component.java:6620)
    at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3398)
    at java.desktop/java.awt.Component.processEvent(Component.java:6385)
    at java.desktop/java.awt.Container.processEvent(Container.java:2266)
    at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4995)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
    at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
    at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
    at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
    at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:775)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:400)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:87)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:98)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:747)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:400)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:87)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:744)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

It would be nice if you could report this to PortSwigger.
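The trace above shows the NullPointerException originating inside Burp's own implementation of getInvocationContext() (burp.Zilx.ZG), so an extension cannot prevent it, only survive it. The following is an added example of a defensive IContextMenuFactory for the legacy Burp Extender API; it is not code from the auth_analyzer project. It assumes a hypothetical sink callback (a Consumer of the selected messages) that the extension would wire to its own "send" logic, and it assumes that getSelectedMessages() still works for the Logger's invocation object, which the trace does not contradict but also does not prove.

```java
package com.example.burp; // hypothetical package, not the project's own

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;

import javax.swing.JMenuItem;

import burp.IBurpExtenderCallbacks;
import burp.IContextMenuFactory;
import burp.IContextMenuInvocation;
import burp.IHttpRequestResponse;

/**
 * Context menu factory that tolerates an IContextMenuInvocation whose
 * invocation type is unset (the Logger case from this issue). Every call
 * that can throw from inside Burp is wrapped so the menu still appears.
 */
public class DefensiveContextMenuFactory implements IContextMenuFactory {

    private final IBurpExtenderCallbacks callbacks;
    // Hypothetical hook: the extension's own "send these messages" entry point.
    private final Consumer<IHttpRequestResponse[]> sink;

    public DefensiveContextMenuFactory(IBurpExtenderCallbacks callbacks,
                                       Consumer<IHttpRequestResponse[]> sink) {
        this.callbacks = callbacks;
        this.sink = sink;
    }

    /** Call from registerExtenderCallbacks() to install the factory. */
    public static void register(IBurpExtenderCallbacks callbacks,
                                Consumer<IHttpRequestResponse[]> sink) {
        callbacks.registerContextMenuFactory(new DefensiveContextMenuFactory(callbacks, sink));
    }

    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        // The NPE in this issue is raised inside Burp, so catch RuntimeException
        // around the offending getters and treat the value as unknown.
        Byte context = null;
        try {
            context = invocation.getInvocationContext();
        } catch (RuntimeException e) {
            callbacks.printError("getInvocationContext() failed (Logger?): " + e);
        }

        int[] bounds = null;
        try {
            bounds = invocation.getSelectionBounds();
        } catch (RuntimeException e) {
            callbacks.printError("getSelectionBounds() failed (Logger?): " + e);
        }

        // Assumption: getSelectedMessages() works for the Logger invocation.
        IHttpRequestResponse[] messages;
        try {
            messages = invocation.getSelectedMessages();
        } catch (RuntimeException e) {
            callbacks.printError("getSelectedMessages() failed: " + e);
            return Collections.emptyList();
        }
        if (messages == null || messages.length == 0) {
            return Collections.emptyList();
        }

        List<JMenuItem> items = new ArrayList<>();

        // Bulk "send" works from any tool, including the Logger, because it
        // only needs the selected messages, not the invocation context.
        JMenuItem send = new JMenuItem("Send to Auth Analyzer (" + messages.length + ")");
        final IHttpRequestResponse[] selected = messages;
        send.addActionListener(e -> sink.accept(selected));
        items.add(send);

        // Selection-dependent features are offered only when both the
        // context and a non-empty selection range are actually known.
        boolean inRequestEditor = context != null
                && (context == IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_REQUEST
                    || context == IContextMenuInvocation.CONTEXT_MESSAGE_VIEWER_REQUEST);
        boolean hasSelection = bounds != null && bounds.length == 2 && bounds[0] != bounds[1];
        if (inRequestEditor && hasSelection) {
            // Hypothetical item standing in for any feature that needs the
            // selected byte range; it is intentionally absent for the Logger.
            JMenuItem useSelection = new JMenuItem("Use selected text (" + bounds[0] + "-" + bounds[1] + ")");
            items.add(useSelection);
        }
        return items;
    }
}
```

The design choice is to degrade rather than fail: the menu entry that the reporter wants (bulk send from the Logger) depends only on getSelectedMessages(), so it is built before, and independently of, the two getters that the trace shows throwing. Anything that genuinely needs the invocation context or selection bounds is gated on those values being present, so the Logger simply gets a shorter menu instead of no menu and a stack trace.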