tomsteele / burpbuddy

burpbuddy exposes Burp Suite's extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM.
MIT License

Several pages always return 500 Internal Errors #8

Closed jabra- closed 10 years ago

jabra- commented 10 years ago

Working with the API, I constructed several requests that always returned a 500 Internal Error. I've read the documentation so I think I'm doing things correctly. Increased verbose messages would be helpful as well.

request:

GET /sitemap HTTP/1.1
Host: 127.0.0.1:8001

response:

HTTP/1.1 500 Server Error
Content-Type: text/html; charset=UTF-8
Content-Length: 53
Server: Jetty(9.0.z-SNAPSHOT)

500 Internal Error

request:

GET /proxyhistory HTTP/1.1
Host: 127.0.0.1:8001

response:

HTTP/1.1 500 Server Error
Content-Type: text/html; charset=UTF-8
Content-Length: 53
Server: Jetty(9.0.z-SNAPSHOT)

500 Internal Error

request:

POST /scan/active HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 552
Host: 127.0.0.1:8001

{"host":"testasp.vulnweb.com","port":80,"useHttps":false,"request":{"host":"testasp.vulnweb.com","port":80,"protocol":"http","url":"http://testasp.vulnweb.com//","path":"/","httpVersion":"HTTP/1.1","method":"GET","headers":{"Accept-Language":"en-US,en;q=0.5","Cookie":"","Host":"testasp.vulnweb.com","Accept-Encoding":"gzip, deflate","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0)\nGecko/20100101 Firefox/30.0","Connection":"keep-alive","Accept":"text/css,/;q=0.1"},"body":[],"comment":"","inScope":true,"messageType":"request"}}

response:

HTTP/1.1 500 Server Error
Content-Type: text/html; charset=UTF-8
Content-Length: 53
Server: Jetty(9.0.z-SNAPSHOT)

500 Internal Error

Lastly, I was able to add a site to the scope and spider it properly. When I tried to retrieve the sitemap it did not return any data.

request:

GET /sitemap/aHR0cDovL3Rlc3Rhc3AudnVsbndlYi5jb20K HTTP/1.1
Host: 127.0.0.1:8001

response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 11
Server: Jetty(9.0.z-SNAPSHOT)

{"data":[]}

tomsteele commented 10 years ago

Thanks @jabra-, I'll work on this today and see what I can figure out.

jabra- commented 10 years ago

Thanks Tom!

tomsteele commented 10 years ago

@jabra- All the routes are fixed, with some changes in the way you initiate a scan in /scan/active. The message body should be something like the following:

'{"host": "stacktitan.com", "port": 80, "useHttps": false, "request": "R0VUIC8gSFRUUC8xLjENCkhvc3Q6IHN0YWNrdGl0YW4uY29tDQpBY2NlcHQ6ICovKg0KQWNjZXB0LUxhbmd1YWdlOiBlbg0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOS4wOyBXaW5kb3dzIE5UIDYuMTsgV2luNjQ7IHg2NDsgVHJpZGVudC81LjApDQpDb25uZWN0aW9uOiBjbG9zZQ0KDQo="}

We had to move from using a byte array of octets to using base64 strings everywhere, which is actually quite a bit nicer; request is the entire request. You'll see if you decode it.

For the sitemap after spidering, it's because there is no trailing / in the url. If you make it "http://testasp.vulnweb.com/" it should work.

I'm going to test things out a bit more, update the documentation, and I will post a 2.0 version.
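
The two client-side changes described in the reply above, as an added example that is not part of the original thread or burpbuddy's own code: the whole raw request goes into /scan/active as one base64 string, and the sitemap URL is normalized before it is encoded. Endpoints and JSON field names are taken from the thread; the function names, the sample request and the use of the standard base64 alphabet are assumptions.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Token from the GET /sitemap/<token> request in the issue that returned {"data":[]}.
THREAD_TOKEN = "aHR0cDovL3Rlc3Rhc3AudnVsbndlYi5jb20K"


def b64(data: bytes) -> str:
    """Standard-alphabet base64 (assumed; it matches the tokens in the thread)."""
    return base64.b64encode(data).decode("ascii")


def decode_token(token: str) -> str:
    """Show what URL a /sitemap/<token> request actually asked for."""
    return base64.b64decode(token).decode("utf-8")


def active_scan_body(host: str, port: int, use_https: bool, raw_request: bytes) -> str:
    """JSON body for POST /scan/active: 'request' carries the entire raw HTTP
    request (request line, headers, blank line, body) as one base64 string."""
    return json.dumps({
        "host": host,
        "port": port,
        "useHttps": use_https,
        "request": b64(raw_request),
    })


def sitemap_path(url_prefix: str) -> str:
    """Path for GET /sitemap/<base64 url>. Strips stray whitespace (such as the
    newline that `echo ... | base64` appends) and gives a bare origin a '/'."""
    parts = urlsplit(url_prefix.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url_prefix!r}")
    normalized = urlunsplit(parts._replace(path=parts.path or "/"))
    return "/sitemap/" + b64(normalized.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample request; CRLF line endings and the final blank line are kept.
    raw = b"GET / HTTP/1.1\r\nHost: testasp.vulnweb.com\r\nConnection: close\r\n\r\n"
    print(active_scan_body("testasp.vulnweb.com", 80, False, raw))
    print(repr(decode_token(THREAD_TOKEN)))          # URL the failing request encoded
    print(sitemap_path(decode_token(THREAD_TOKEN)))  # same site, normalized
```

Decoding the token from the thread shows the URL without a trailing slash and with a trailing newline; `sitemap_path` removes the newline and adds the slash before encoding.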

jabra- commented 10 years ago

That sounds great. Thanks!

tomsteele commented 10 years ago

OK, everything fixed and a new release published. Also added a ton of polish that was lacking. Thanks again!

tomsteele commented 10 years ago

Also better exception messages :)