
openapi-parser


[!UPDATE] This extension has been updated to use the latest Burp Montoya Java API. The extension has undergone a complete overhaul to improve both its UI/UX and performance. These changes ensure that the extension is modern and optimised for use.

openapi-parser is a Burp Suite extension designed for OpenAPI-based API testing.

The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.

Use cases for machine-readable API definition documents include, but are not limited to: interactive documentation; code generation for documentation, clients, and servers; and automation of test cases. OpenAPI documents describe an API's services and are represented in either YAML or JSON formats. These documents may either be produced and served statically or be generated dynamically from an application.

- OpenAPI Initiative

Performing a security assessment of an OpenAPI-based API can be tedious because Burp Suite, the industry-standard tool, has no native OpenAPI parsing capability. The usual workarounds are third-party tools (e.g. SOAP-UI) or custom scripts (often written per engagement) that parse the OpenAPI document and feed the results into Burp Suite in order to use its first-class scanning capabilities.

openapi-parser is an OpenAPI parser that aims to streamline this entire process by allowing security professionals to use Burp Suite as a standalone tool for security assessment of OpenAPI-based APIs.

Features

  • OpenAPI documents can be parsed either from a supplied file or URL. The extension can fetch OpenAPI documents directly from a URL using the Send to Swagger Parser feature under the Target -> Site map context menu.
  • Parses OpenAPI documents (formerly known as the Swagger specification), fully compliant with the OpenAPI 2.0/3.0 Specification (OAS).
  • Requests can be directly viewed/edited within the extension prior to sending them to other Burp tools.
  • Requests can be sent to the Comparer, Intruder, Organizer, Repeater, Scanner, Site map and Scope Burp tools.
  • Requests matching specific criteria (detailed in the 'Parameters' tab) can be intercepted to automatically match and replace the parsed parameters' default values defined in the 'Parameters' tab. This allows requests to be fine-tuned before they are sent to other Burp tools (e.g., Scanner). Edited requests can be viewed in the 'Modified Request (OpenAPI Parser)' tab of Burp's message editor.
  • Row highlighting allows pentesters to mark "interesting" API calls and/or colour-code them for reporting purposes.
  • Includes an export to CSV feature, allowing users to easily export selected API requests in CSV format for further analysis or reporting.
  • Supports both JSON and YAML formats.
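The following is an added Python example, not code from openapi-parser (which is written in Java against the Burp Montoya API). It sketches the core job described in the features above: turning an OpenAPI 2.0 or 3.x document into per-operation request templates with example or default values filled in and user-supplied overrides applied, the same idea as the match-and-replace driven by the 'Parameters' tab. It goes beyond the feature list in one respect: it applies explicit fallbacks for the optional top-level fields (servers, host, basePath, schemes) that several issues on this page report as breaking the import. The two embedded documents, the placeholder values and the fallback policy are this example's own constructions, not the extension's behaviour.

```python
# Added example (not openapi-parser's code): OpenAPI 2.0 / 3.x document -> HTTP request templates.
# All fallbacks below are this example's policy; the sample documents are constructed, not real.
from urllib.parse import urlencode, urlsplit

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def base_url(spec, doc_url=None):
    """Return scheme://host/basePath for the spec.

    Fallbacks (assumed here): https when 'schemes' is absent, '/' when 'basePath' is absent,
    and the document's own origin when 'host' (2.0) or 'servers' (3.x) is absent.
    """
    origin = urlsplit(doc_url) if doc_url else None
    if "swagger" in spec:  # OpenAPI 2.0 layout: schemes + host + basePath
        scheme = (spec.get("schemes") or ["https"])[0]
        host = spec.get("host") or (origin.netloc if origin else None)
        if not host:
            raise ValueError("no 'host' in spec and no document URL to derive one from")
        base_path = spec.get("basePath") or "/"
        return f"{scheme}://{host}{base_path.rstrip('/')}"
    servers = spec.get("servers") or []  # OpenAPI 3.x: key may be missing or empty
    url = servers[0].get("url", "") if servers else ""
    if url.startswith("/") and origin:  # relative server URL: resolve against the document
        url = f"{origin.scheme}://{origin.netloc}{url}"
    elif not url and origin:
        url = f"{origin.scheme}://{origin.netloc}"
    if not url:
        raise ValueError("no 'servers' in spec and no document URL to derive one from")
    return url.rstrip("/")


def example_value(param):
    """Pick a concrete value: explicit example, then default, else a type-based placeholder."""
    schema = param.get("schema", param)  # 2.0 puts the type inline; 3.x nests it under 'schema'
    for source in (param, schema):
        for key in ("example", "default"):
            if key in source:
                return source[key]
    placeholders = {"integer": 1, "number": 1.0, "boolean": "true"}
    return placeholders.get(schema.get("type"), "fuzzMe")


def build_requests(spec, doc_url=None, overrides=None):
    """One request template per path+method; 'overrides' plays the role of the Parameters tab."""
    overrides = overrides or {}
    base = base_url(spec, doc_url)
    requests = []
    for path, item in (spec.get("paths") or {}).items():
        shared = item.get("parameters") or []  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in METHODS:
                continue
            url_path, query, headers = path, {}, {}
            for param in shared + (op.get("parameters") or []):
                value = overrides.get(param["name"], example_value(param))
                location = param.get("in")
                if location == "path":
                    url_path = url_path.replace("{" + param["name"] + "}", str(value))
                elif location == "query":
                    query[param["name"]] = value
                elif location == "header":
                    headers[param["name"]] = str(value)
            url = base + url_path + ("?" + urlencode(query) if query else "")
            requests.append({"method": method.upper(), "url": url, "headers": headers})
    return requests


# Constructed sample documents (not from any real API). OAS3_DOC deliberately has no 'servers'
# and SWAGGER2_DOC has neither 'schemes' nor 'basePath', the cases the fallbacks cover.
OAS3_DOC = {
    "openapi": "3.0.1",
    "paths": {
        "/teams/{team_id}/users": {
            "get": {"parameters": [
                {"name": "team_id", "in": "path", "required": True,
                 "schema": {"type": "integer", "example": 1}},
                {"name": "limit", "in": "query", "schema": {"type": "integer", "default": 20}},
            ]}
        },
        "/account/token/": {"post": {"responses": {"200": {"description": "ok"}}}},
    },
}
SWAGGER2_DOC = {
    "swagger": "2.0",
    "host": "www.example.test",
    "paths": {"/version": {"get": {"parameters": [
        {"name": "X-Api-Key", "in": "header", "type": "string"}]}}},
}

if __name__ == "__main__":
    for req in build_requests(OAS3_DOC, doc_url="https://api.example.test/openapi.json"):
        print(req["method"], req["url"], req["headers"])
    for req in build_requests(SWAGGER2_DOC, overrides={"X-Api-Key": "<set per engagement>"}):
        print(req["method"], req["url"], req["headers"])
```

Run stand-alone it prints the GET to `/teams/1/users?limit=20` and the POST to `/account/token/` with the document's origin as the base, then the Swagger 2.0 GET to `/version` with the placeholder header value replaced by the override. The deliberate design point is that absence of an optional field never dereferences `None`: every lookup goes through `.get()` with an explicit fallback, and the only hard failure is the one case where no base URL can be derived at all.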

Requirements

1. System requirements

  • Operating System: Compatible with Linux, macOS, and Windows operating systems.

  • Java Development Kit (JDK): Version 11 or later.

  • Burp Suite Professional or Community Edition: Version 2023.11.1.3 or later.

    [!IMPORTANT] Please note that using any version lower than 2023.3.2 may result in a java.lang.NoSuchMethodError. It is crucial to use the specified version or a more recent one to avoid this issue.

2. Build tool

  • Gradle: Version 8.5 or later (recommended). The build.gradle file is provided in the project repository.

3. Environment variables

  • Set up the JAVA_HOME environment variable to point to the JDK installation directory.

Please ensure that all system requirements, including a compatible version of Burp Suite, are met before building and running the project. Note that the project's external dependencies will be automatically managed and installed by Gradle during the build process. Adhering to the requirements will help avoid potential issues and reduce the need for opening new issues in the project repository.

Installation

1. Compilation

  1. Ensure you have Gradle installed and configured.

  2. Download the openapi-parser repository:

    git clone https://github.com/aress31/openapi-parser
    cd .\openapi-parser\
  3. Build the standalone jar:

    ./gradlew fatJar

2. Loading the Extension Into Burp Suite

To install openapi-parser in Burp Suite, first go to the Extensions tab and click on the Add button. Then, select the openapi-parser-all jar file located in the .\build\libs folder to load the extension.

Alternatively, you can skip the Compilation step entirely and download the extension directly from the BApp Store.

Note: The version distributed on the BApp Store might be lagging behind the version available on this repository.

Roadmap

  • Beautify the graphical user interface.
  • Deep parsing of OpenAPI schemas to collect all nested parameters along with their example/type.
  • Code simplification/refactoring.
    • Use MyHttpRequest instead of RequestWithMetadata.
  • Enable cells editing to change API calls directly from the GUI.
  • Fix the custom request editor tab to work properly with intercepted requests based on the match and replace rulesets.
  • Further optimise the source code.
  • Implement support for authenticated testing (via user-supplied API-keys).
  • Improve the Param column by adding parameters type (e.g. inquery, inbody).
  • Improve the tables and context menus.
  • Increase the extension verbosity (via the bottom panel).

See TODO for additional outstanding tasks.

Project Information

In July 2016, after posting a request for improvement on the PortSwigger support forum, I decided to take the initiative and to implement a solution myself.

The extension is still in development; feedback, comments and contributions are therefore much appreciated.

Sponsor 💖

If this extension has saved you time and hassle during a security assessment, consider showing some love by sponsoring a cup of coffee ☕ for the developer. It's the fuel that powers development, after all. Just hit that shiny Sponsor button at the top of the page or click here to contribute and keep the caffeine flowing. 💸

Reporting Issues

Did you find a bug? Well, don't just let it crawl around! Let's squash it together like a couple of bug whisperers! 🐛💪

Please report any issues on the GitHub issues tracker. Together, we'll make this extension as reliable as a cockroach surviving a nuclear apocalypse! 🚀

Contributing

Looking to make a splash with your mad coding skills? 💻

Awesome! Contributions are welcome and greatly appreciated. Please submit all PRs on the GitHub pull requests tracker. Together we can make this extension even more amazing! 🚀

License

See LICENSE.

openapi-parser's People

Contributors

aress31, bao7uo, hannah-portswigger, monoxacc, pajinator, pajswigger, portswiggersupport, uthmanportswigger


openapi-parser's Issues

Additional fields option

It would be really good to have some way to automatically add extra headers as the request is being sent to repeater etc. I'm currently having to manually add the Authorization: Bearer after each request has been sent.

[BUG] Can't build HTTP request for repeater and other burp tools

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

Hi, I'm using examples from the OpenAPI-Specification json and yaml examples (and json from a project at my job, which complies with the Swagger 2.0 specification, but for obvious reasons I cannot show it) and none of them can be represented as a Burp Suite request, just blank text. I tried enabling the use of HTTP 1.0 only, but this doesn't help.

Steps to Reproduce

  1. Load any of these examples: json and yaml
  2. See that Burp can't parse the HTTP, because there is blank text; example in the screenshot below.

Expected Behavior

I should be able to send HTTP messages to other Burp tools such as Repeater or Intruder, but instead of a message, empty text is generated which cannot be recognized by Burp Suite.

Screenshots


Environment

  • OS: Arch Linux x86_64 6.4.12-arch1-1
  • Java version: openjdk 20.0.2 2023-07-18
  • Gradle version: 8.1.1
  • Burp Suite version: Professional 2023.10.1
  • Swurg version: 4.0

OpenAPI Specification

2.0 json and yaml

Error Message

No error messages

"<<<<<<< HEAD" in the beginning of files

I'm failing to set this extension up and would love to edit the code, but it seems the files are some kind of diffs or have some metadata in them.

Mostly I can see strings like <<<<<<< HEAD, =======, and >>>>>>> origin/master that don't seem to be java code. The files affected are at least DataStructure.java and ContextMenu.java. If these are some residue from some tool or a mistake, then having them removed would enable me to debug and improve the extension.

Aborts when processing "post" or "put" stanzas

I have a swagger 2.0 .json file that's got 172 different paths, 244 different path+method combinations.

Swagger Parser v1.4 from the Burp app store loads and imports the file without error, but only recognizes the first path, with three methods, for a total of three imported API calls.

I haven't started carving up my input file, or finished setting up a dev environment to play with the Swagger Parser code; thought I would ask if there's likely/known issues/limitations I should look for in particular.

Parsing errors on various openapi specs

Hi !

I'd like to help out on the project, but I don't really remember how to debug the code anymore, and the logs are not super verbose to explain "where in the spec" it failed

Here are a few examples:
https://bugcrowd.com/openapi/2021-10-28/openapi.yml

Cannot invoke "java.util.Map.entrySet()" because "properties" is null

https://www.secureflag.com/management/api/swagger-config.yaml

attribute is not of type `object`

https://app.swaggerhub.com/apiproxy/schema/file/apis/Veracode/veracode-sca_agent_api_specification/3.0?format=json

attribute paths. '/v3/workspaces/{id}/issues'(get).[status].default is not of type `array`]

I'm mostly interested in using swurg to understand how I could automatically download data from APIs, not really testing them, but this is already showing me how hard it is to parse and use OpenAPI specs... 😅
I'd be curious to see if swurg could have a "fail-safe" mode that just tries the list APIs that don't need any input parameter ? that would make the import more robust ?

More verbose errors

Hi,

Is there a way to get access to more verbose errors ?

I would love to use this plugin but for some reason my file can't be parsed, I'm getting the error:

The OpenAPI specification contained in %s is ill formed and cannot be parsed

I see that the Swagger Parser is quite old, maybe updating it would solve the issue.

[BUG] OpenAPI Spec Failing to Parse

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

It appears there is a failure during the parsing of the OpenAPI spec. I've tried using the hosted spec, YAML, and JSON formats. All return the same error.

I've also compiled the latest version of this repo and NOT using the BApp store extension.
I removed any OpenAPI extensions and restarted BSP and then manually loaded this extension.

Steps to Reproduce

  1. Go to OpenAPI Parser Extension
  2. Click on Browse to the YAML/JSON files (or paste in the endpoint for the hosted spec)
  3. Click on Load
  4. See error at the bottom of BSP
  5. Check the error log in the Extensions tab

Expected Behavior

I would expect to see the extension load our API Spec the same as it does a common spec like https://petstore.swagger.io/v2/swagger.json

I've tested it with the above spec and everything loads fine.

Environment

  • OS: MacOS
  • Java version: 17
  • Gradle version: 7.4.2
  • Burp Suite version: Professional 2023.4.3
  • Swurg version: Latest on Main

OpenAPI Specification

  • OpenAPI version: 3.0.1
  • Sample specification snippet (if applicable):
    Happy to share in a DM

Error Message

All 3 formats of the spec result in the following error:

java.lang.NullPointerException: Cannot read the array length because "<parameter4>" is null
	at burp.Zjtf.ZU(Unknown Source)
	at burp.Zjtf.Zy(Unknown Source)
	at burp.Znk.ZV(Unknown Source)
	at burp.Zvtt.ZX(Unknown Source)
	at burp.Zp98.ZX(Unknown Source)
	at burp.Zqk1.ZV(Unknown Source)
	at burp.Zq9u.ZI(Unknown Source)
	at burp.Zh64.ZF(Unknown Source)
	at burp.Zioj.withAddedParameters(Unknown Source)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at burp.Zqs.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy48.withAddedParameters(Unknown Source)
	at swurg.workers.Worker.lambda$parseOpenAPI$1(Worker.java:110)
	at java.base/java.util.HashMap.forEach(HashMap.java:1429)
	at swurg.workers.Worker.parseOpenAPI(Worker.java:85)
	at swurg.gui.views.ParserPanel$LoadButtonListener.actionPerformed(ParserPanel.java:172)
	at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
	at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
	at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
	at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
	at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6620)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3398)
	at java.desktop/java.awt.Component.processEvent(Component.java:6385)
	at java.desktop/java.awt.Container.processEvent(Container.java:2266)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4995)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:775)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:747)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:744)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Cannot read the array length because "<parameter4>" is null

Additional Context

One thing I would like to add:
I have run our API Spec through https://editor.swagger.io/ and have confirmed there are no spec errors that it is showing.
If there is an error with our spec, the Swagger Editor and Linters aren't picking it up.

Suggested feature - recent history of parsed resources

Make the text box a combobox, and each time a new file/URL is opened add it to the combobox's list to record a history of previous files URLs. These could then be saved in the persistent configuration provided by Burp's API. Also, a button to "clear history" to remove the saved files/URLs.

When you send a request to swagger it could also add that as a URL to the history list, perhaps even place it in the text box at the top.

Null Pointer Exception

When I try to load a Swagger.json file from the file system, I receive the following error:
java.lang.NullPointerException
	at burp.Helper.validateHostSyntax(Helper.java:54)
	at burp.Tab.populateJTable(Tab.java:233)
	at burp.Tab.processFile(Tab.java:135)
	at burp.Tab.access$000(Tab.java:53)
	at burp.Tab$ButtonListener.actionPerformed(Tab.java:103)
	at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
	at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
	at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
	at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

I am running on Windows 10, have downloaded your version of gson, and installed directly from the BApp Store. I've reinstalled multiple times to no avail. The error does not show up until I try to load the Swagger.json file.

Issue when loading a swagger

When trying to load an OpenAPI v3 swagger, I get this error:

swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

if basePath is missing, null is used

The swagger.yaml file I was given is missing some key fields, I've just noticed that with basePath missing, null is used in its place:

GET null/version HTTP/1.1

It should either be mandatory or should default to /

Feature request include POST body

Hi,

When I parse a swagger file, the creation of the request works fine.

Many swagger files I have parsed lately include examples of what is expected as body in POST requests. It would be nice to take this example value instead of body=fuzzMe.

[BUG] Gracefully Handle lack of "servers" object

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

When loading in a Swagger generated OpenAPI JSON spec, there's no guarantee the "servers" object will be populated.

Loading a file of this type into the OpenAPI Parser extension fails cryptically with

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

similar to this issue on the Burp Support forum

Steps to Reproduce

  1. Generate a JSON OpenAPI spec from Swagger
  2. Check the "servers" root key is not-present (remove it if it is, to replicate bug)
  3. Import JSON file directly, not via URL
  4. Observe above error

Expected Behavior

Hopefully a check for the presence of "servers" key and failing with a relevant error message should help the user rectify the fault manually.
(Took me a few minutes of Googling to find https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#server-object-example)

Ideally in the absence of any "server" object, a prompt appears asking for the BaseURL of the server to test

Feature: Accept swagger files without `schemes` field

The schemes field in swagger is not mandatory, but swurg relies on it. Without the field, swurg fails the file loading with an exception. The easy workaround for this is to add the field into the swagger file, but automatic guessing or user prompting could be a nice touch.

This issue is not very critical, but I'll make it visible by raising this issue.

base path not being appended to urls when sending to other Burp tools?

Not sure if this is an extension issue or something wrong with our swagger.json. The table in the Swagger Parser tab looks correct (host, base path, endpoint, params are all populated). But when I send these to the site map they are all added under the root directory of the host without the base path being included. Same with sending to intruder/repeater - the requests are to "/endpoint" on the host, not to "/my_api/v1/endpoint".

Any pointers/possible issues?

Missing mandatory field: 'host'

I ran into this issue a couple of times:

The OpenAPI specification contained in https://.../api/v2/swagger/json is missing the mandatory field: 'host'

Adding the host in the JSON fixed the issue:

{
    "basePath": "/api/v2",
    "host": "www.xxx.com",
    "definitions": {

It would be nice to default the host to the host of the swagger doc when it's not set and we pass a URL to OpenAPI Parser.

:compileJava FAILED

Download https://repo1.maven.org/maven2/io/swagger/swagger-annotations/1.5.17/swagger-annotations-1.5.17.jar
Download https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.22/slf4j-api-1.7.22.jar
:compileJava FAILED

FAILURE: Build failed with an exception.

  • What went wrong:
    Execution failed for task ':compileJava'.

Could not find tools.jar

  • Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 12.702 secs

How to identify the parameter value in the path url ?

We input the swagger file, and like:

"/api/open/v1/teams/{team_id}/users": {
      "get": {
        "summary": "TBD",
        "tags": [
          "Teams::Users"
        ],
        "parameters": [
          {
            "name": "team_id",
            "in": "path",
            "schema": {
              "type": "integer",
              "example": 1
            },
            "required": true,
            "description": "TBD"
          }
        ]
    }
}

However, the parameter {team_id} is not changed to the defined integer example: "1" when doing an active scan.
How should we let it know to get the change?
Thank you.

Bypass SSL error certificate

Hello, is it possible to avoid the use of the tool due to an error in the certificate?
It usually happens when the certificate was created for a domain and is entered by IP. I don't know what the domain is, I only know the IP. The plugin gives me the following error:
image

Changes to swagger-parser for OAS3.0 Support

Hi there,

I've been trying to use swurg with an OAS 3.0 API document. It fails the import process, stating that the document is ill formed.

After reviewing the swurg code, it appears that swurg is still configured to use the V2-compatible version of the parser: https://github.com/aress31/swurg/blob/f592a287d3f588ddd01f895925584546c246b050/src/main/java/swurg/process/Loader.java#L47

Per their README, swagger-parser has a new syntax for parsing V3 files:

import io.swagger.v3.parser.OpenAPIV3Parser;
import io.swagger.v3.oas.models.OpenAPI;

// ... your code

// read a swagger description from the petstore
OpenAPI openAPI = new OpenAPIV3Parser().read("https://petstore3.swagger.io/api/v3/openapi.json");

It looks like this would need to be called rather than the old SwaggerParser constructor for full V3 support. Additionally, an option should be added to the UI to parse as V2 or as V3, depending on the file (or detect it automatically).

parseAccept throws null pointer exception when content is not set

The ExtensionHelper.parseAccept method throws a null pointer exception when the content is not set in the openAPI spec.

This may be related to issues:

And is hinted at in the comment #74 (comment)

Adjusting the affected lines allows for the spec to be parsed properly:

    if (responses != null && responses.get("200") != null && responses.get("200").getContent() != null) {
      for (Map.Entry<String, MediaType> response : responses.get("200").getContent().entrySet()) {
        stringJoiner.add(response.getKey());
      }
    }

Debugging this was made harder due to the try/catch and the error message output, in this case Class name -> null. Removing these and allowing the exception to dump the stack trace made the error immediately apparent.

I suggest this is done in all places where exceptions are not to be expected or to include a stack trace in those instances.
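An added example, in Python rather than the extension's Java, that illustrates the null-check fix proposed in this issue together with the request made in the 'Parsing errors on various openapi specs' issue above for errors that say where in the spec they occurred. Every optional level under responses is checked before use; a legitimately absent level yields no Accept header rather than an exception, and a present-but-malformed node raises an error carrying its JSON Pointer location so that the rest of the document can still be imported. The sample spec, the SpecError class and the pointer helper are this example's own constructions, not openapi-parser's code.

```python
# Added example (not openapi-parser's code): lenient traversal of an operation's 'responses'
# that derives an Accept header and reports the location of malformed nodes instead of aborting.
METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


class SpecError(ValueError):
    """Carries the JSON Pointer (RFC 6901) of the spec node that could not be handled."""


def pointer(*segments):
    """Build a JSON Pointer, escaping '~' and '/' inside keys such as the path '/v3/issues'."""
    return "#/" + "/".join(str(s).replace("~", "~0").replace("/", "~1") for s in segments)


def accept_header(operation, location):
    """Join the declared response content types, preferring '200' and then 'default'.

    responses, the status entry and content may each be absent (OpenAPI 2.0 documents and
    bodiless responses have no 'content'), so absence yields None; only a node that is present
    but of the wrong type raises SpecError, with the pointer to that node in the message.
    """
    responses = operation.get("responses")
    if responses is None:
        return None
    if not isinstance(responses, dict):
        raise SpecError(f"{location}/responses is not an object")
    for status in ("200", "default"):
        entry = responses.get(status)
        if entry is None:
            continue
        if not isinstance(entry, dict):
            raise SpecError(f"{location}/responses/{status} is not an object")
        content = entry.get("content")
        if content is None:
            return None
        if not isinstance(content, dict):
            raise SpecError(f"{location}/responses/{status}/content is not an object")
        return ", ".join(content.keys())
    return None


def collect_accepts(spec):
    """Walk every operation; a bad operation is recorded and skipped, never fatal to the import."""
    results, errors = {}, []
    for path, item in (spec.get("paths") or {}).items():
        for method, operation in item.items():
            if method not in METHODS:
                continue
            try:
                results[f"{method.upper()} {path}"] = accept_header(
                    operation, pointer("paths", path, method))
            except SpecError as err:
                errors.append(str(err))
    return results, errors


# Constructed sample spec exercising the three outcomes: content declared, no content, bad content.
SAMPLE_SPEC = {
    "openapi": "3.0.1",
    "paths": {
        "/v3/issues": {"get": {"responses": {"200": {
            "description": "ok", "content": {"application/json": {}, "text/csv": {}}}}}},
        "/v3/logout": {"post": {"responses": {"204": {"description": "no body"}}}},
        "/v3/status": {"get": {"responses": {"200": {
            "description": "wrong type", "content": ["application/json"]}}}},
    },
}

if __name__ == "__main__":
    found, problems = collect_accepts(SAMPLE_SPEC)
    for op, accept in found.items():
        print(op, "->", accept)
    for problem in problems:
        print("skipped:", problem)
```

The two operations that are well formed are imported (one with an Accept value, one without), and the single malformed one is reported as `#/paths/~1v3~1status/get/responses/200/content is not an object`; that pointer is what the `Class name -> null` message in this issue lacks.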

[BUG] issue when importing Swagger file "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()"

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

I installed openapi-parser from the bApp store. After selecting an OpenAPI 3.0.0 specification file, I get the following error message:

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

This message appears at the bottom of the Burp Suite Window. I have reviewed the file and it is readable YAML, not a corrupt file.

Steps to Reproduce

  1. Open Extensions tab -> BApp store
  2. Install OpenAPI Parser
  3. Select OpenAPI Parser tab
  4. Browse / Load file
  5. Select api.yml file
  6. Error is produced: "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null"

Expected Behavior

I expected the yaml file to be ingested

Screenshots

None useful.

Environment

  • OS: Kali Linux 2022.4 kali-rolling
  • Java version: openjdk 17.0.5 2022-10-18
  • Jython version: standalone 2.7.3
  • Gradle version: n/a; installed via BApp store: "Alternatively, you can skip the Compilation step entirely and download the extension directly from the [BApp Store]"
  • Burp Suite version: Burp Suite Professional v2023.3.5
  • Swurg version: OpenAPI Parser 3.1

OpenAPI Specification

  • OpenAPI version: 3.0.0
  • Sample specification snippet (if applicable):
    openapi: '3.0.0'
    info:
    version: '1.0.0'
    title: '[REDACTED]'
    description: [REDACTED] API
    servers:
    - url: [REDACTED]
    description: [REDACTED]
    paths:
    /api/account/token/:
    post:

^ Just to demonstrate that it is formatted as expected.

Error Message

I don't see an Extender Error tab but error message at bottom of the app reads: "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null"

Additional Context

None more I can think of. Please let me know if more information is needed.

I would post this issue on the PortSwigger/openapi-parser repo but I do not see any way to submit issues on that branch.

EDIT: formatting.

Failed to build - github CI action?

I can't get the project to build as you've described in the README.

Is there a supported range of gradle & java versions that need to be documented in the README?

is it possible to add a .github/workflows/gradle.yml build action? https://docs.gradle.org/current/userguide/github-actions.html

something that shows reproducibly how to build this extension?

gradle fatJar

FAILURE: Build failed with an exception.

* What went wrong:
Could not create service of type ScriptPluginFactory using BuildScopeServices.createScriptPluginFactory().
> Could not create service of type PluginResolutionStrategyInternal using BuildScopeServices.createPluginResolutionStrategy().

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 0s

gradle --version

------------------------------------------------------------
Gradle 4.4.1
------------------------------------------------------------

Build time:   2012-12-21 00:00:00 UTC
Revision:     none

Groovy:       2.4.17
Ant:          Apache Ant(TM) version 1.10.7 compiled on October 24 2019
JVM:          17.0.5 (Private Build 17.0.5+8-Ubuntu-2ubuntu120.04)
OS:           Linux 5.14.0-1057-oem amd64

java -version
openjdk version "17.0.5" 2022-10-18
OpenJDK Runtime Environment (build 17.0.5+8-Ubuntu-2ubuntu120.04)
OpenJDK 64-Bit Server VM (build 17.0.5+8-Ubuntu-2ubuntu120.04, mixed mode, sharing)

./gradlew build works fine, though.

Feature request: Use Hackvertor tabs

For every request you extract from the API specification you create a request example. You use placeholders like:

key={string}&discount={integer->int32}

Which is fine to understand the request. However, that's not optimal when you want to send it to the repeater. Would it be possible that you add next to the "request" tab another tab called "hackvertor"? There you could then show a request which has:

key=<@random(10)>abcdefghijklmnopqrstuvwxyz<@/random>&discount=<@random_num(4)/>

Because if you have the Hackvertor extension installed from the BApp Store, you can then send this request to the Repeater and every time you send it, a different alphanumeric or numeric value is sent (have a look at the Logger tab).

Would that be possible?

Invalid host

When sending a request to Repeater, there is an exception happening. This issue is present in the jar in commit 935eb02. Similar exceptions are encountered when:

  • sending to Active scanner and Intruder
  • with and without the http:// prefix
  • with and without the /somepath postfix

Here's a stacktrace of the error:

java.lang.IllegalArgumentException: Invalid host: http://some.random.host:8080/somepath
	at burp.bd.sendToRepeater(Unknown Source)
	at burp.ContextMenu$3.actionPerformed(ContextMenu.java:69)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.AbstractButton.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Window.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$500(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)

Extension Doesn't Load Swagger File - AD credentials don't conform to REGEX

Prerequisites Checklist

Before submitting the issue, please make sure you have:

Using latest release of extension on Burp Suite

Description

A clear and concise description of what the bug is.

The OpenAPI parser extension can't import any swagger file because it always checks the file based on REGEXes and the content doesn't match against the regexes the app uses (they're too restrictive or old)

Steps to Reproduce

Add Extension into Burp Suite
Import Swagger file

Expected Behavior

Expect the swagger file to load, possibly ability to turn off error checking

Screenshots

If applicable, add screenshots to help explain your problem.

Environment

Windows 10 with Burp Suite V2023.3.4

OpenAPI Specification

  • OpenAPI version: [e.g. 3.1]

Error Message

Error message in above screenshot

Additional Context

Happens with importing swagger file, containing Microsoft AD credentials eg client secret value.

Other errors occur - never got the extension to work within Burp because it ALWAYS does error checking, and even though the Swagger files have content which doesn't conform to the tool's REGEX, they're valid and work in Postman but not in Swurg/OpenAPI parser in Burp

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()"

I'm struggling to upload to Burp the following file: openapi.json.zip

The error:

swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

I'm using a freshly built Swurg from the master branch.
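The null dereference reported here and in the earlier ingest report above comes from iterating ApiResponse.getContent() when a response declares no body. As an added example (not the extension's own code), a null-tolerant walk over the parsed document using swagger-parser's OpenAPIV3Parser, run on a constructed two-response spec:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.Operation;
import io.swagger.v3.oas.models.PathItem;
import io.swagger.v3.oas.models.media.Content;
import io.swagger.v3.oas.models.responses.ApiResponse;
import io.swagger.v3.parser.OpenAPIV3Parser;

public final class ResponseMediaTypes {
    // Constructed sample: the 204 response declares no body, so its
    // ApiResponse.getContent() comes back null after parsing.
    static final String SAMPLE = String.join("\n",
        "openapi: '3.0.0'",
        "info: {title: sample, version: '1.0.0'}",
        "paths:",
        "  /api/account/token/:",
        "    post:",
        "      responses:",
        "        '200': {description: ok, content: {application/json: {schema: {type: object}}}}",
        "        '204': {description: no body}");

    /** Map "METHOD /path" -> declared response media types, tolerating null content. */
    public static Map<String, Set<String>> collect(OpenAPI openAPI) {
        Map<String, Set<String>> result = new LinkedHashMap<>();
        if (openAPI == null || openAPI.getPaths() == null) {
            return result; // parse failure (getOpenAPI() == null) or no paths declared
        }
        openAPI.getPaths().forEach((path, item) -> {
            for (Map.Entry<PathItem.HttpMethod, Operation> op : item.readOperationsMap().entrySet()) {
                Set<String> types = new TreeSet<>();
                if (op.getValue().getResponses() != null) {
                    for (ApiResponse response : op.getValue().getResponses().values()) {
                        Content content = response == null ? null : response.getContent();
                        if (content != null) types.addAll(content.keySet()); // skip bodiless responses
                    }
                }
                result.put(op.getKey() + " " + path, types);
            }
        });
        return result;
    }

    public static void main(String[] args) {
        OpenAPI api = new OpenAPIV3Parser().readContents(SAMPLE, null, null).getOpenAPI();
        System.out.println(collect(api));
    }
}
```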

Possibility for loose parsing

Hi,

thanks for the tool which I am using in burp!

I am all in for being compliant with open standards. However, as the tool should assist in testing, I would personally find it better if, when the specification is not met, it isn't a hard failure. Or at least if there were a possibility to override swurg being strict.

In my case the scheme declaration was missing, see src/main/java/swurg/process/Loader.java (git blame is telling me that it was changed in f592a28)

Cheers, Dirk

Adding example params and resolve DTOs

Hi,
Swagger Code-Gen has an example generator

You can use this to automatically resolve DTOs and generate example bodies for requests.
Simply copy ExampleGenerator.java and use it in your /src/main/java/swurg/utils/ExtensionHelper.java
Example usage:
ExampleGenerator gen = new ExampleGenerator(swagger.getDefinitions());
List<Map<String,String>> generatedList = gen.generate(null, expectedTypes, refmodel.getSimpleRef());

I already implemented this in an older version of your extension. Here a part of my implementation as gist as detailed usage example: https://gist.github.com/monoxacc/130818c3dbe1fe360bef12eba5c74ace

When clicking "send to repeater" the generated request is application/x-www-form-urlencoded

Steps to reproduce:

  1. Download http://petstore.swagger.io/v2/swagger.json
  2. Open swagger.json in Swagger Parser
  3. Find the POST /pet endpoint and click "send to repeater"
POST /v2/pet HTTP/1.1
Host: petstore.swagger.io
Accept: application/xml, application/json
Content-Type: application/json, application/xml

id={integer}&id={integer}&name={string}&name={string}&photoUrls={array}&tags={array}&status={string}

This is application/x-www-form-urlencoded, while the Content-Type says application/json, application/xml

Unable to parse/load OpenAPI 3 YAML or JSON

When trying to parse/load the YAML or JSON from the Swagger Pet store example (linked below), the parser responds at the bottom with 'The OpenAPI specification contained in c:\source\pets3.yml is ill formed and cannot be parsed.'

Is there any way to get more details on the problem it's having with the file? Same response for JSON.

When parsing the 2.0 version though everything works as expected.

We are using the Pet store example available in the Swagger Editor. The exact files are attached as well.

Yaml format
pets3.txt

The OpenAPI specification obtained in XXXX is ill formed and cannot be parsed

In SwaggerHub I try to export the YAML or JSON file like this:

When I try to import the file in burp I get the error "The OpenAPI specification obtained in XXXX is ill formed and cannot be parsed".

I tried to validate the YAML (or JSON) file with the swagger-cli validate command:

It seems that the file is correct.

Unfortunately I cannot share the YAML or JSON files.

Any ideas what I can check or try on my side?

OpenAPI Parser

Hi, hope you're doing good!!!

After the latest update from Burp the OpenAPI Parser is not working as expected. Before it used to.

When I tried to import the swagger.json it gives an error. Cannot invoke "io.swagger.v3.oas.models.OpenAPI.getservers()" because "openAPI" is null.

Trying to import the swagger version 2.0 file

Can you please let us know what we can do here?

Thanks in Advance

Trying to load openapi 3.0 file produces error

When trying to import this file to the openapi parser, I get

Cannot invoke: "String.equals(Object)" because the return value of "java.net.URI.getSchreme()" is null.

I have the same issue with a non-public openapi definition.
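Both the "Invalid host" exception above (a full URL handed to the callback as the host) and the null URI.getScheme() here stem from passing the servers[].url value on without normalising it. As an added example (not the extension's code), a resolver that splits it into the host/port/useHttps triple the legacy sendToRepeater callback takes and falls back to a caller-supplied host when the server URL is relative; fallbackHost and fallbackHttps are hypothetical parameters:

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Resolves an OpenAPI servers[].url into the host/port/TLS triple Burp's legacy callbacks take. */
public final class TargetResolver {

    public record Target(String host, int port, boolean useHttps) {}

    /**
     * Relative server URLs such as "/v2" have no scheme, so URI.getScheme() returns
     * null; use the hypothetical fallbackHost/fallbackHttps instead of dereferencing it.
     */
    public static Target resolve(String serverUrl, String fallbackHost, boolean fallbackHttps) {
        URI uri;
        try {
            uri = new URI(serverUrl.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Unparseable server URL: " + serverUrl, e);
        }
        String scheme = uri.getScheme();
        boolean https = scheme == null ? fallbackHttps : "https".equalsIgnoreCase(scheme);
        if (scheme != null && !https && !"http".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException("Unsupported scheme: " + scheme);
        }
        // Only the host name goes to the callback, never the whole URL.
        String host = uri.getHost() != null ? uri.getHost() : fallbackHost;
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("No host in server URL and no fallback: " + serverUrl);
        }
        int port = uri.getPort() != -1 ? uri.getPort() : (https ? 443 : 80);
        return new Target(host, port, https);
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the server URLs quoted in the reports above.
        System.out.println(resolve("http://some.random.host:8080/somepath", null, false));
        System.out.println(resolve("/v2", "petstore.swagger.io", true));
    }
}
```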

Compilation errors on Debian

The compilation step of the build fails on up-to-date Debian 8 with javac 1.7.0_111. I have successfully compiled the code on OSX with javac 1.8.0_77, so this is a Java version issue. The errors are related to calls to the callback functions sendToIntruder, sendToRepeater, and doActiveScan. These are also the functions failing in issue #3, so this might be the cause for it.

./burp/ContextMenu.java:54: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.sendToIntruder(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), httpRequest.getRequest());
                    ^
./burp/ContextMenu.java:69: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.sendToRepeater(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), 
                    ^
./burp/ContextMenu.java:85: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.doActiveScan(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), httpRequest.getRequest());
                    ^
./burp/Helper.java:151: error: cannot find symbol
                                + "Accept: " + String.join(",", produces) + "\n"
                                                     ^
  symbol:   method join(String,List<String>)
  location: class String
./burp/Helper.java:152: error: cannot find symbol
                                + "Content-Type: " + String.join(",", consumes)
                                                           ^
  symbol:   method join(String,List<String>)
  location: class String
./burp/Helper.java:160: error: cannot find symbol
                                + "Accept: " + String.join(",", produces) 
                                                     ^
  symbol:   method join(String,List<String>)
  location: class String

Support for JSON body types

I wonder if bodies with a JSON content-type are supported?

I've imported an OpenAPI file where requestBody content is application/json, but the content type in the imported entry is instead application/x-www-form-urlencoded. When I import the same file in other software (such as Postman and SwaggerUI) the body content type is handled properly.

I am not familiar with the source code of this extension, but in ExtensionHelper.convertContentTypeToBurpCode it looks like it's just not implemented, but I mostly wanted to double-check if I have missed something. One of the mentioned features is "fully compliant with OpenAPI 2.0/3.0 Specifications", but as I understand it only specific parts of the OpenAPI specification are implemented.

Context menu not working on OSX and Debian

The Windows version of the extension works fine, but on other platforms the context menu does not appear. I'm running Java versions 1.8.0_101 and 1.8.0_77 on OSX El Capitan and Debian 8 without success and 1.8.0_111 on Windows with success.
