
apikit's Introduction

APIKit: Discovery, Scan and Audit APIs Toolkit All In One.

Introduction

APIKit is the first open-source project released by the API Security community.

APIKit is a plugin built on the Java API provided by BurpSuite.

APIKit actively or passively scans for API documents leaked by an application and parses them into BurpSuite requests for API security testing.

Actual usage is shown in the figure:

Supported API technology fingerprints

The API technology fingerprints supported by APIKit v1.0 are:

  • GraphQL
  • OpenAPI-Swagger
  • SpringbootActuator
  • SOAP-WSDL
  • REST-WADL

More API fingerprints are being added.

If you know of other API technologies, report them in an issue.

Installation

Open BurpSuite, click Extender, then Extensions, and add APIKit.jar. APIKit then passively scans the traffic that passes through BurpSuite. Once parsing completes, the results can be viewed in the APIKit panel, and the BurpSuite Dashboard will also show an issue.

Configuration

By default neither Request nor Cookie is enabled.

Send with Cookie

Enabling Cookie stores the Cookie of the captured request and keeps it when requests are generated.

Auto Request Sending

Enables sending requests to the API. Before enabling API requests, be clear about the following:

1. This tool is intended only for lawfully authorized enterprise security work. If you need to test the tool's functionality, set up your own target environment.

2. When using this tool for testing, you must ensure that the activity complies with local laws and regulations and that sufficient authorization has been obtained. Do not send requests to unauthorized targets.

3. If you engage in any illegal activity or cause other losses while using this tool, you bear the consequences yourself; we accept no legal or joint liability.

4. Before installing and using this tool, read carefully and fully understand each clause; limitation, exemption and other clauses concerning your material interests may be highlighted in bold, underlined or similar form. Unless you have read, fully understood and accepted all terms of this agreement, do not install or use this tool. Your use of the tool, or any other explicit or implicit indication of acceptance, is taken as having read and agreed to be bound by this agreement.

With Auto Request Sending enabled, sub-APIs are automatically tested for authorization, quickly surfacing unauthorized-access API vulnerabilities.

Clear history

Click to clear all API document records.

Passive scan

By default, all traffic passing through BurpSuite is subjected to API detection, parsing and scanning.

Active scan

Do Auto API scan

Do Auto API scan runs API fingerprint detection against any chosen request.

On any page where BurpSuite offers a right-click menu, right-click and select Do Auto API scan to launch an active scan for API fingerprint detection.

Do Target API Scan

Do Target API scan lets you specify any API technology, BasePath, API document path and headers to generate and probe API requests.

On any page where BurpSuite offers a right-click menu, right-click and select Do Target API scan to open the options dialog.

Fill in the API technology, BasePath, API document path and headers, then click Scan to generate and probe API requests.

Note that BasePath must end with /.
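As an added example (not APIKit's own code), the following Python turns a Swagger 2.0 or OpenAPI 3 document into the kind of request skeletons the passive and Do Target API scans produce, normalizes the BasePath so the trailing-slash rule above holds, and flags operations whose effective security requirement is empty so a reviewer can audit them first. The sample spec, host name and paths are constructed for the example.

```python
"""Added example: OpenAPI/Swagger document -> HTTP request skeletons + audit of
operations that the spec leaves without any security requirement.
Not APIKit's code; the sample spec below is constructed for illustration."""
import json
from urllib.parse import urlsplit

# Constructed Swagger 2.0 document (not a real service): one documented
# security scheme applied by default, and one operation that opts out of it.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "host": "api.example.internal",
    "basePath": "/v2",
    "securityDefinitions": {
        "bearer": {"type": "apiKey", "in": "header", "name": "Authorization"}
    },
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True, "type": "integer"}]},
            "delete": {"parameters": [{"name": "id", "in": "path", "required": True, "type": "integer"}]},
        },
        "/health": {"get": {"security": []}},
        "/search": {"get": {"parameters": [{"name": "q", "in": "query", "type": "string"}]}},
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def parse_spec(text):
    """Parse a fetched API document (JSON text) into a dict."""
    return json.loads(text)


def normalize_base_path(base_path):
    """Exactly one leading and one trailing slash, as the README requires for BasePath."""
    core = base_path.strip("/")
    return "/" + core + "/" if core else "/"


def join_path(base_path, doc_path):
    """Join BasePath and a document path without producing '//' or dropping a segment."""
    return normalize_base_path(base_path) + doc_path.lstrip("/")


def spec_base(spec):
    """Host and base path: Swagger 2.0 uses host/basePath, OpenAPI 3 uses servers[0].url."""
    if "swagger" in spec:
        return spec.get("host", ""), spec.get("basePath", "/")
    servers = spec.get("servers") or [{"url": "/"}]
    parts = urlsplit(servers[0]["url"])
    return parts.netloc, parts.path or "/"


def fill_path(template, params):
    """Replace {name} path parameters with a typed sample value (Swagger 2 'type' or OAS3 'schema')."""
    out = template
    for p in params:
        if p.get("in") != "path":
            continue
        ptype = p.get("type") or p.get("schema", {}).get("type", "string")
        out = out.replace("{" + p["name"] + "}", "1" if ptype in ("integer", "number") else "test")
    return out


def build_requests(spec):
    """One request skeleton per operation, with its effective security requirement recorded."""
    host, base = spec_base(spec)
    top_security = spec.get("security", [])
    requests = []
    for doc_path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-item level parameters
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            params = shared + op.get("parameters", [])
            path = join_path(base, fill_path(doc_path, params))
            query = [p["name"] + "=test" for p in params if p.get("in") == "query"]
            if query:
                path += "?" + "&".join(query)
            # Operation-level 'security' overrides the document default; an explicit
            # empty list means the operation is declared reachable without credentials.
            security = op.get("security", top_security)
            requests.append({
                "method": method.upper(),
                "host": host,
                "path": path,
                "unauthenticated": len(security) == 0,
                "raw": f"{method.upper()} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n",
            })
    return requests


def unauthenticated_operations(spec):
    """Operations with no effective security requirement: review these first in a spec audit."""
    return sorted(f"{r['method']} {r['path']}" for r in build_requests(spec) if r["unauthenticated"])


if __name__ == "__main__":
    for r in build_requests(SAMPLE_SPEC):
        print(r["method"], r["host"], r["path"], "(no auth declared)" if r["unauthenticated"] else "")
```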

Automated API vulnerability scanning

Any tool that chains with BurpSuite can be chained with APIKit, for example xray.

xray configuration

./xray_darwin_amd64 webscan --listen 127.0.0.1:7777  --html-output APIKit.html

BurpSuite configuration

Real-world cases

  1. On an authorized engagement, the site was at /xxgateway/index; APIKit helped discover /xxgateway/actuator, which ultimately led to RCE.
  2. An SRC site used swagger; APIKit chained with xray enumerated all of its APIs and finally found several high and critical vulnerabilities.
  3. More white-box/black-box tests...

TODO

More API fingerprints

  • More mainstream API technologies...

More practical features

  • Fuzzing for authorization-bypass vulnerabilities
  • Detecting sensitive information in response bodies
  • Discovering APIs leaked in JavaScript
  • Identifying common data-parsing libraries, e.g. Fastjson
  • More practical features...

Project address

https://github.com/API-Security/APIKit

API Security is a community that shares everything related to API security: tools, vulnerable lab environments, books, technical articles, news, best-practice white papers and more.

The API Security Knowledge Planet (知识星球) is permanently free; information security enthusiasts interested in API security are welcome to learn and exchange ideas together.

apikit's People

Contributors

aur0ra-m, rmb122, yuligesec


apikit's Issues

Burp plugin reports the following errors under Errors; a friend can detect the same site but I cannot

My environment
burp 2023.10.2.1
chrome 119.0.6045.159
Friend's environment
burp 2021.7.1
chrome 119.0.6045.159

Both of us use apikit 1.5.2

Error messages

I checked with an AI and still don't understand.

Your error stack shows a series of exceptions occurring in your Java program, specifically related to the Burp Suite plugin you are using. Let us go through the information step by step:

1. IndexOutOfBoundsException: Index: 0

This error means your code tried to access the element at index 0 of an empty list or collection. Check the code near the lines mentioned in the stack trace, particularly in the LogEntry class and its processRequest method.

2. IllegalArgumentException: Invalid data

This error means some data passed to a method is invalid. In this case it occurs in the ApiTypeSwagger class. Check the urlAddPath and isFingerprintMatch methods of ApiTypeSwagger for potential problems.

3. NullPointerException: Cannot invoke "burp.api.montoya.http.message.responses.HttpResponse.headers()" because "" is null

This error is a null pointer exception. The stack trace shows you are trying to call a method on a null object. Check the code in the ApiTypeSwagger class, particularly the analyzeResponse method.

4. NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getResponse()" because "newHttpRequestResponse" is null

Another null pointer exception, this time in the ApiTypeSwagger class. Check the code around the urlAddPath and isFingerprintMatch methods.

To troubleshoot and fix these errors:

Review the methods in the classes involved (LogEntry, ApiTypeSwagger, etc.) and identify places that access lists, arrays or objects without proper null or empty checks.

Make sure edge cases are handled where data may not be in the expected format or may be missing.

Carefully check the logic for index-based access to lists to prevent IndexOutOfBoundsException.

Verify that objects are initialized before methods are called on them, to avoid NullPointerException.

It may also help to consult the Burp Suite API documentation or the documentation of the specific plugin you use, to learn about any changes or updates that could affect your code.

If you can provide more specific code snippets or details about the relevant parts of your code, I can give more targeted help.


Error when using the plugin after loading it

burp version 2023.10, java 17


Directory crawling question

When an api or actuator is discovered, could the tool also crawl env and similar paths under the current actuator?

APIKit reports an error after installing the HaE plugin

My environment
burp 2023.9.2
APIKit 1.5.3
HaE 2.5.8
Installing one plugin and then the other, APIKit reports an error; installing them in the reverse order, APIKit still reports the error.
Could you help look into what the problem is? Thanks.
The error messages are as follows:

Keeps reporting errors on load


nginx/1.20.1

com.alibaba.fastjson.JSONException: syntax error, pos 1, line 1, column 2

<title>503 service temporarily unavailable</title>

503 service temporarily unavailable


nginx/1.20.1

[the same JSONException / 503 block is repeated dozens of times in the original post]

The APIKit plugin shows no data at all

  1. Environment:
  • Burp Suite v1.7.35
  • Firefox is configured with the 127.0.0.1:8080 proxy; traffic is visible in the Burp Suite proxy and the site can be accessed normally
  • APIKit shows no data
  2. Notes:
    The API URLs I visited are:
    https://172.24.23.139/apisec/v1/thlog/data/thead
    https://172.24.23.139/apisec/v1/detect/desensitize/template?offset=0&limit=10
    The site does not provide any documentation at all.

  3. What I would like to ask:

  • As I understand it, passive scanning does not depend on documentation; does this plugin depend on documentation (for passive scanning)?
  • Without documentation, can it find anything from traffic alone?

Add "send with header" to passive scanning

Most sites carry the authentication parameters in the request headers; I hope passive scanning can send its requests with all of the request headers from the original packet.

Bug still present in 1.5

Version: 1.5
Burp Suite: 2023.5

Requests still automatically carry the parent directory, so the actuator endpoint enumeration ends up two levels deep under the root directory.

Burp hangs on load, high resource usage

After Burp loads the jar it cannot be used normally: no response, high CPU usage; after force-quitting and reopening Burp, the extension is gone.

Workaround: when configuring the Burp extension, specifying a standard output file and a standard error file makes it work normally; I don't know what causes this.

Error on the latest Burp Suite version

Also cannot right-click Do scan

java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getResponse()" because "newHttpRequestResponse" is null
at burp.application.apitypes.soap.ApiTypeSoap.urlAddPath(ApiTypeSoap.java:96)
at burp.application.apitypes.soap.ApiTypeSoap.isFingerprintMatch(ApiTypeSoap.java:62)
at burp.application.ApiScanner.detect(ApiScanner.java:30)
at burp.PassiveScanner.doPassiveScan(PassiveScanner.java:45)
at burp.hs6.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:831)

It also seems the scan is duplicated; the two results that come out are identical.

No response on Burp 1.7

Do api scan produces no log and no prompt.
Can it only be used on Burp 2.0 and later?

Cannot install this extension on Burp Suite v2023.9

java.lang.Exception: Extension class is not a recognized type
at burp.Zig1.ZE(Unknown Source)
at burp.Zig1.Zx(Unknown Source)
at burp.Zvex.ZN(Unknown Source)
at burp.Zsm0.Zr(Unknown Source)
at burp.Zih1.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

1.5 has a bug

Since switching to 1.5 it has never found anything.

AutoScan does not work after installing on Burp Suite 2023.9

java.lang.NullPointerException: Cannot read the array length because the return value of "burp.IHttpRequestResponse.getResponse()" is null
at burp.utils.RedirectUtils.isRedirectedResponse(RedirectUtils.java:82)
at burp.application.apitypes.swagger.ApiTypeSwagger.urlAddPath(ApiTypeSwagger.java:122)
at burp.application.apitypes.swagger.ApiTypeSwagger.isFingerprintMatch(ApiTypeSwagger.java:71)
at burp.application.ApiScanner$1.run(ApiScanner.java:40)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

java.lang.NullPointerException: Cannot read the array length because the return value of "burp.IHttpRequestResponse.getResponse()" is null
at burp.utils.RedirectUtils.isRedirectedResponse(RedirectUtils.java:82)
at burp.application.apitypes.soap.ApiTypeSoap.urlAddPath(ApiTypeSoap.java:104)
at burp.application.apitypes.soap.ApiTypeSoap.isFingerprintMatch(ApiTypeSoap.java:70)
at burp.application.ApiScanner$1.run(ApiScanner.java:40)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

java.lang.NullPointerException: Cannot read the array length because the return value of "burp.IHttpRequestResponse.getResponse()" is null
at burp.utils.RedirectUtils.isRedirectedResponse(RedirectUtils.java:82)
at burp.application.apitypes.rest.ApiTypeRest.urlAddPath(ApiTypeRest.java:99)
at burp.application.apitypes.rest.ApiTypeRest.isFingerprintMatch(ApiTypeRest.java:55)
at burp.application.ApiScanner$1.run(ApiScanner.java:40)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

Could a scan blacklist be added to the plugin?

Domains on the blacklist would not be scanned by the plugin by default; many Google API endpoints and GitHub endpoints do not need scanning. I hope the author can consider this.

Suggestion: support adding multiple headers, and overriding headers

The tool is very useful; based on daily work I would like to offer some suggestions:

1. Suggest supporting multiple headers;
Currently the tool supports custom scans and lets you set headers, but it does not seem possible to set more than one. I tried setting it like this: header1: abc; headers2: cba, but it did not take effect;

2. Suggest making it configurable whether custom headers override, or offering the option not to auto-construct the headers from the API doc;
This comes from scanning a certain swagger-ui.html whose documentation already declared an Authorization header. When the tool sends requests automatically it extracts the parameters the API doc requires, so it automatically sends Authorization: test; if a correct custom Authorization is then added as well, the request carries two Authorization headers, which makes the request fail.

Suggestion: add a switch for DELETE

If an unauthorized DELETE actually goes through during passive testing it is a bit dangerous; I suggest DELETE be disabled by default, with the option to enable it manually.

base path url does not take effect

Hello!
burpsuite 2023.6.2
apikit 1.5.2

During a manual scan, the basePath value from the API doc is still forcibly inserted, producing an incorrect URL

The part in the red box is extra

After observation I found that the basePath value is taken from the response body; this value is not necessarily accurate, and the manually supplied base path url does not take effect
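The following standalone Python is an added example, not APIKit code and not part of any issue above; it models the base-path handling that the 1.5 report ("requests carry the parent directory, enumeration ends up two levels deep") and this report ("the document's basePath overrides the one I supplied") both complain about. The function names, the host target.example and the sample paths are assumptions made for the illustration.

```python
"""Model of how one endpoint URL should be built from an API document.
Added example (not APIKit code). Rules shown:
  * an operator-supplied base path wins over the basePath found in the document;
  * the document's basePath is used only when the operator supplied none;
  * an endpoint that already carries the base path is not prefixed a second time;
  * absolute URLs taken from the document are followed only on the scanned host.
"""
from __future__ import annotations

import posixpath
from urllib.parse import urlsplit, urlunsplit


def normalize_path(path: str | None) -> str:
    """'' for the host root; otherwise one leading slash and no trailing slash.
    posixpath.normpath also collapses '//', './' and '../' segments."""
    if not path:
        return ""
    cleaned = posixpath.normpath("/" + path.strip().lstrip("/"))
    return "" if cleaned == "/" else cleaned


def resolve_base_path(user_base_path: str | None, doc_base_path: str | None) -> str:
    """Operator value first, document value second. None means 'not supplied';
    an explicit '/' from the operator means the host root and must not be
    replaced by the document's basePath."""
    if user_base_path is not None:
        return normalize_path(user_base_path)
    return normalize_path(doc_base_path)


def build_endpoint_url(doc_url: str, endpoint: str,
                       user_base_path: str | None = None,
                       doc_base_path: str | None = None) -> str:
    """Build the URL for one endpoint taken from the document served at doc_url."""
    origin = urlsplit(doc_url)
    target = urlsplit(endpoint)
    if target.scheme:
        # Absolute URL from the document (a Spring Boot Actuator index uses these).
        # Only follow it on the host being scanned; anything else is out of scope.
        if target.netloc.lower() != origin.netloc.lower():
            raise ValueError(f"refusing off-host URL from document: {endpoint}")
        return urlunsplit((origin.scheme, origin.netloc,
                           normalize_path(target.path) or "/", target.query, ""))

    base = resolve_base_path(user_base_path, doc_base_path)
    path = normalize_path(target.path)
    # Heuristic: if the document already wrote the full path, do not prefix it
    # again; blindly prefixing is what doubles the directory.
    if base and (path == base or path.startswith(base + "/")):
        full = path
    else:
        full = base + path
    return urlunsplit((origin.scheme, origin.netloc, full or "/", target.query, ""))


if __name__ == "__main__":
    # constructed sample inputs
    doc = "https://target.example/xxgateway/actuator"
    print(build_endpoint_url(doc, "/xxgateway/actuator/health", doc_base_path="/xxgateway"))
    print(build_endpoint_url("https://target.example/v2/api-docs", "/pet",
                             user_base_path="/", doc_base_path="/api"))
```

The "already contains the base path" rule is a heuristic: an API that genuinely lives at /api/api/x would be mis-handled, so a scanner should display the resolved URL before sending rather than trusting the document's basePath silently.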

Hi, is this plugin only compatible with the old version of Burp? The one with the red icon

On the Burp with the blue icon the install reports success, but there is also output in the Errors tab. I copied the output from Errors and asked GPT; GPT replied:

The error is caused by rubyobj.ExtensionUI not defining or inheriting the componentShown and componentHidden methods of the ComponentListener interface. It may be that the plugin's code is incompatible with the Burp version you are using.
Try another version of the plugin that is compatible with your current Burp version, or update Burp to the latest version and try reinstalling the plugin. If the problem persists, check the plugin documentation or contact the plugin author for further help.

It is probably an incompatibility with the new version that keeps the plugin from working normally. I will try installing an older version of Burp later; I hope the author can also find time to check whether a version mismatch is the cause. Finally, thank you for making this plugin.

Extension is not loading

java.lang.ClassNotFoundException: burp.BurpExtender
	at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:433)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:586)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:519)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:466)
	at burp.ab5.a(Unknown Source)
	at burp.ab5.<init>(Unknown Source)
	at burp.b__.a(Unknown Source)
	at burp.gly.lambda$panelLoaded$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:831)

Loads successfully but errors during use; is it my environment?

java.lang.NullPointerException
at burp.utils.RedirectUtils.isRedirectedResponse(RedirectUtils.java:82)
at burp.application.apitypes.rest.ApiTypeRest.urlAddPath(ApiTypeRest.java:102)
at burp.application.apitypes.rest.ApiTypeRest.isFingerprintMatch(ApiTypeRest.java:58)
at burp.application.ApiScanner$1.run(ApiScanner.java:40)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)

5 feature suggestions

1. I hope ASP.NET Web API Help Page interfaces can be supported for testing;

web.title="Home Page"

2. Suggest adding an indicator in the UI for whether a request has parameters;
like Burp's history, via a Params column:

3. Add a blacklist for Auto request sending;
A custom regex matching endpoints that must not be auto-sent (global mode; the manual mode from suggestion 4 would also respect the blacklist), for reference:
.*delete.*|.*edit.*|.*import.*|.*del.*|.*add.*|.*reject.*|.*update.*|.*cancel.*|.*insert.*|.*create.*|.*modify.*|.*save.*

4. Suggest adding a manual mode for Auto request sending;
I hope that with Auto request sending disabled, one can select an endpoint and right-click to send the request manually.
In this manual process, adding headers also needs to be supported.

5. Fix the time format.
There usually isn't a 60; should it be 59 or 00? Also the year could be updated to 2023, haha.
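As an added example that is not part of the issues above and not APIKit's own code, the standalone Python below models the send policy those posts ask for: a host blacklist, the regex blocklist from suggestion 3, DELETE (and every other non-safe method) off by default, and custom headers parsed one per line and merged so that a request never carries two Authorization headers. The names SendPolicy, should_auto_send, parse_custom_headers and merge_headers, and the hosts target.example and api.github.com, are assumptions made for the illustration.

```python
"""Model of an auto-send policy for requests generated from an API document.
Added example (not APIKit code); decisions return a reason so a UI can show
why an endpoint was skipped.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Methods safe to fire automatically; everything else needs an explicit opt-in.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# The blocklist pattern proposed in the feature request, made case-insensitive.
DEFAULT_PATH_BLOCKLIST = re.compile(
    r".*delete.*|.*edit.*|.*import.*|.*del.*|.*add.*|.*reject.*|.*update.*"
    r"|.*cancel.*|.*insert.*|.*create.*|.*modify.*|.*save.*",
    re.IGNORECASE,
)


@dataclass
class SendPolicy:
    allow_unsafe_methods: bool = False        # the requested DELETE switch, off by default
    host_blocklist: frozenset = frozenset()   # hosts never scanned automatically
    path_blocklist: re.Pattern = DEFAULT_PATH_BLOCKLIST


def should_auto_send(method: str, host: str, path: str, policy: SendPolicy) -> tuple[bool, str]:
    """Decide whether a generated request may be sent without operator action."""
    method = method.upper()
    if host.lower() in policy.host_blocklist:
        return False, "host is on the blocklist"
    if method not in SAFE_METHODS and not policy.allow_unsafe_methods:
        return False, f"{method} is disabled by default"
    if policy.path_blocklist.search(path):
        return False, "path matches the blocklist pattern"
    return True, "ok"


def parse_custom_headers(text: str) -> dict[str, str]:
    """One 'Name: value' header per line. HTTP has no ';' header separator, so
    'header1: abc; headers2: cba' is a single header named header1 whose value
    is 'abc; headers2: cba', which is why that form did not work."""
    headers: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip():
            headers[name.strip()] = value.strip()
    return headers


def merge_headers(doc_headers: dict[str, str], custom_headers: dict[str, str],
                  override: bool = True) -> dict[str, str]:
    """Case-insensitive merge so a request never carries two Authorization headers.
    override=True: the operator's value replaces the document's (e.g. 'Authorization: test').
    override=False: the document's value is kept and the operator's copy is dropped."""
    merged: dict[str, tuple[str, str]] = {k.lower(): (k, v) for k, v in doc_headers.items()}
    for name, value in custom_headers.items():
        if override or name.lower() not in merged:
            merged[name.lower()] = (name, value)
    return {name: value for name, value in merged.values()}


if __name__ == "__main__":
    # constructed sample inputs
    policy = SendPolicy(host_blocklist=frozenset({"api.github.com"}))
    for method, path in [("GET", "/api/v1/users"), ("DELETE", "/api/v1/users/1"),
                         ("GET", "/api/v1/models")]:
        print(method, path, should_auto_send(method, "target.example", path, policy))
    doc_headers = {"Authorization": "test", "Accept": "application/json"}
    print(merge_headers(doc_headers,
                        parse_custom_headers("Authorization: Bearer real-token\nX-Trace: 1")))
```

Note that the proposed pattern matches substrings, so /api/v1/models (contains "del") and /credit (contains "edit") are also withheld. For an automatic sender that is the right direction to fail in: a false positive costs one manual right-click, a false negative can be an unauthorized DELETE.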
