aress31 / openapi-parser

Parse OpenAPI documents into Burp Suite for automating OpenAPI-based APIs security assessments (approved by PortSwigger for inclusion in their official BApp Store).

License: Apache License 2.0

Java 91.69% HTML 8.31%
burpsuite restful-api parser burp-plugin pentesting openapi-specification swagger yaml json openapi openapi-client openapi2 openapi3 burp-extensions

openapi-parser's Issues

[BUG] Can't build HTTP request for repeater and other burp tools

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

Hi, I'm using examples from OpenAPI-Specification json and yaml examples (and json from a project on my job, which complies with the Swagger 2.0 specification, but for obvious reasons I cannot show it) and none of them can be represented as a Burp Suite request, just blank text. I tried enabling the use of HTTP 1.0 only, but this doesn't help.

Steps to Reproduce

  1. Load any of these examples: json and yaml
  2. See that Burp can't parse the HTTP message, because there is blank text; example in the screenshot below.

Expected Behavior

I should be able to send HTTP messages to other Burp tools such as Repeater or Intruder, but instead of a message, empty text is generated which cannot be recognized by Burp Suite.

Screenshots

image

Environment

  • OS: Arch Linux x86_64 6.4.12-arch1-1
  • Java version: openjdk 20.0.2 2023-07-18
  • Gradle version: 8.1.1
  • Burp Suite version: Professional 2023.10.1
  • Swurg version: 4.0

OpenAPI Specification

2.0 json and yaml

Error Message

No error messages

:compileJava FAILED

Download https://repo1.maven.org/maven2/io/swagger/swagger-annotations/1.5.17/swagger-annotations-1.5.17.jar
Download https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.22/slf4j-api-1.7.22.jar
:compileJava FAILED

FAILURE: Build failed with an exception.

  • What went wrong:
    Execution failed for task ':compileJava'.

Could not find tools.jar

  • Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 12.702 secs

Null Pointer Exception

When I try to load a Swagger.json file from the file system, I receive the following error:

java.lang.NullPointerException
	at burp.Helper.validateHostSyntax(Helper.java:54)
	at burp.Tab.populateJTable(Tab.java:233)
	at burp.Tab.processFile(Tab.java:135)
	at burp.Tab.access$000(Tab.java:53)
	at burp.Tab$ButtonListener.actionPerformed(Tab.java:103)
	at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
	at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
	at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
	at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

I am running on Windows 10, have downloaded your version of gson, and installed directly from the BApp Store. I've reinstalled multiple times to no avail. The error does not show up until I try to load the Swagger.json file.

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()"

I'm struggling to upload to Burp the following file: openapi.json.zip

The error:

swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

I'm using a freshly built Swurg from the master branch.

Failed to build - github CI action?

I can't get the project to build as you've described in the README.

Is there a supported range of gradle & java versions that need to be documented in the README?

Is it possible to add a .github/workflows/gradle.yml build action? https://docs.gradle.org/current/userguide/github-actions.html

Something that shows reproducibly how to build this extension?

gradle fatJar

FAILURE: Build failed with an exception.

* What went wrong:
Could not create service of type ScriptPluginFactory using BuildScopeServices.createScriptPluginFactory().
> Could not create service of type PluginResolutionStrategyInternal using BuildScopeServices.createPluginResolutionStrategy().

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 0s

gradle --version

------------------------------------------------------------
Gradle 4.4.1
------------------------------------------------------------

Build time:   2012-12-21 00:00:00 UTC
Revision:     none

Groovy:       2.4.17
Ant:          Apache Ant(TM) version 1.10.7 compiled on October 24 2019
JVM:          17.0.5 (Private Build 17.0.5+8-Ubuntu-2ubuntu120.04)
OS:           Linux 5.14.0-1057-oem amd64

java -version
openjdk version "17.0.5" 2022-10-18
OpenJDK Runtime Environment (build 17.0.5+8-Ubuntu-2ubuntu120.04)
OpenJDK 64-Bit Server VM (build 17.0.5+8-Ubuntu-2ubuntu120.04, mixed mode, sharing)

./gradlew build works fine, though.

Issue when loading a swagger

When trying to load an OpenAPI v3 swagger, I get this error:

swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

Invalid host

When sending a request to Repeater, there is an exception happening. This issue is present in the jar in commit 935eb02. Similar exceptions are encountered when:

  • sending to Active scanner and Intruder
  • with and without the http:// prefix
  • with and without the /somepath postfix

Here's a stacktrace of the error:

java.lang.IllegalArgumentException: Invalid host: http://some.random.host:8080/somepath
	at burp.bd.sendToRepeater(Unknown Source)
	at burp.ContextMenu$3.actionPerformed(ContextMenu.java:69)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.AbstractButton.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
	at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Window.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$500(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.awt.EventQueue$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)

How to identify the parameter value in the path url ?

We input the swagger file, and like:

"/api/open/v1/teams/{team_id}/users": {
  "get": {
    "summary": "TBD",
    "tags": [
      "Teams::Users"
    ],
    "parameters": [
      {
        "name": "team_id",
        "in": "path",
        "schema": {
          "type": "integer",
          "example": 1
        },
        "required": true,
        "description": "TBD"
      }
    ]
  }
}

However, the parameter {team_id} is not changed to the defined integer example: "1" when doing an active scan.
How should we let it know to get the change?
Thank you.
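
The substitution asked about above, as an added Python example that is not code from the openapi-parser/swurg project: it fills each {name} path parameter from the parameter's example, default or first enum value, and otherwise leaves an extension-style {type->format} placeholder; the spec fragment embedded in it is constructed for the demo and also covers a path-item-level parameter and a query parameter with a default.

```python
import json
import re

# Constructed spec fragment: the path from the issue above, plus a second
# path with a path-item-level parameter that has no example value and a
# query parameter with a default.
SPEC = json.loads(r'''
{
  "paths": {
    "/api/open/v1/teams/{team_id}/users": {
      "get": {
        "parameters": [
          {"name": "team_id", "in": "path", "required": true,
           "schema": {"type": "integer", "example": 1}}
        ]
      }
    },
    "/api/open/v1/teams/{team_id}/users/{user_id}": {
      "parameters": [
        {"name": "team_id", "in": "path", "required": true,
         "schema": {"type": "integer", "format": "int32"}}
      ],
      "get": {
        "parameters": [
          {"name": "user_id", "in": "path", "required": true,
           "schema": {"type": "string", "enum": ["alice", "bob"]}},
          {"name": "limit", "in": "query",
           "schema": {"type": "integer", "format": "int32", "default": 20}}
        ]
      }
    }
  }
}
''')

PLACEHOLDER_RE = re.compile(r"\{([^{}]+)\}")


def placeholder(schema):
    """Placeholder in the style the extension shows, e.g. {string} or {integer->int32}."""
    kind = schema.get("type", "string")
    fmt = schema.get("format")
    return "{%s}" % (f"{kind}->{fmt}" if fmt else kind)


def sample_value(param):
    """Concrete value for a parameter, most specific source first.

    OAS 3 keeps the type under "schema"; Swagger 2.0 puts it directly on the
    parameter object, so both places are consulted.
    """
    schema = param.get("schema") or param
    for key in ("example", "default"):
        if key in param:
            return str(param[key])
        if key in schema:
            return str(schema[key])
    if schema.get("enum"):
        return str(schema["enum"][0])
    return placeholder(schema)


def collect_parameters(path_item, operation):
    """Merge path-item and operation parameters; the operation wins on (name, in)."""
    merged = {}
    for param in path_item.get("parameters", []) + operation.get("parameters", []):
        merged[(param["name"], param["in"])] = param
    return list(merged.values())


def build_path(template, params):
    """Replace every {name} whose parameter is known; unknown names stay as-is."""
    by_name = {p["name"]: p for p in params if p.get("in") == "path"}

    def repl(match):
        name = match.group(1)
        return sample_value(by_name[name]) if name in by_name else match.group(0)

    return PLACEHOLDER_RE.sub(repl, template)


def build_query(params):
    """Query string from the query parameters, using the same value rules."""
    return "&".join(f"{p['name']}={sample_value(p)}" for p in params if p.get("in") == "query")


def request_line(spec, template, method):
    """Request line as it should appear when the operation is sent to another tool."""
    path_item = spec["paths"][template]
    params = collect_parameters(path_item, path_item[method])
    query = build_query(params)
    return f"{method.upper()} {build_path(template, params)}{'?' + query if query else ''} HTTP/1.1"


if __name__ == "__main__":
    for template, item in SPEC["paths"].items():
        for method in [m for m in ("get", "post", "put", "delete") if m in item]:
            print(request_line(SPEC, template, method))
```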

[BUG] Gracefully Handle lack of "servers" object

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

When loading in a Swagger generated OpenAPI JSON spec, there's no guarantee the "servers" object will be populated.

Loading a file of this type into the OpenAPI Parser extension fails cryptically with

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

similar to this issue on the Burp Support forum

Steps to Reproduce

  1. Generate a JSON OpenAPI spec from Swagger
  2. Check the "servers" root key is not present (remove it if it is, to replicate the bug)
  3. Import JSON file directly, not via URL
  4. Observe above error

Expected Behavior

Hopefully a check for the presence of "servers" key and failing with a relevant error message should help the user rectify the fault manually.
(Took me a few minutes of Googling to find https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#server-object-example)

Ideally in the absence of any "server" object, a prompt appears asking for the BaseURL of the server to test

Aborts when processing "post" or "put" stanzas

I have a swagger 2.0 .json file that's got 172 different paths, 244 different path+method combinations.

Swagger Parser v1.4 from the Burp app store loads and imports the file without error, but only recognizes the first path, with three methods, for a total of three imported API calls.

I haven't started carving up my input file, or finished setting up a dev environment to play with the Swagger Parser code; thought I would ask if there's likely/known issues/limitations I should look for in particular.

base path not being appended to urls when sending to other Burp tools?

Not sure if this is an extension issue or something wrong with our swagger.json. The table in the Swagger Parser tab looks correct (host, base path, endpoint, params are all populated). But when I send these to the site map they are all added under the root directory of the host without the base path being included. Same with sending to intruder/repeater - the requests are to "/endpoint" on the host, not to "/my_api/v1/endpoint".

Any pointers/possible issues?

Feature: Accept swagger files without `schemes` field

The schemes field in swagger is not mandatory, but swurg relies on it. Without the field swagger fails the file loading with an exception. The easy workaround for this is to add the field into the swagger file, but automatic guessing or user prompting could be a nice touch.

This issue is not very critical, but I'll make it visible by raising this issue.

OpenAPI Parser

Hi, hope you're doing good!!!

After the latest update from Burp the OpenAPI Parser is not working as expected. Before it used to.

When tried to import the swagger.json it gives an error. Cannot invoke "io.swagger.v3.oas.models.OpenAPI.getservers()" because "openAPI" is null.

Trying to import the swagger version 2.0 file

Can you please let us know what we can do here?

Thanks in Advance

Feature request: Use Hackvertor tabs

For every request you extract from the API specification you create a request example. You use placeholders like:

key={string}&discount={integer->int32}

Which is fine to understand the request. However, that's not optimal when you want to send it to the repeater. Would it be possible that you add next to the "request" tab another tab called "hackvertor"? There you could then show a request which has:

key=<@random(10)>abcdefghijklmnopqrstuvwxyz<@/random>&discount=<@random_num(4)/>

Because if you have the Hackvertor extension installed from BApp, you can then send this request to the Repeater and every time you send it, a different alphanumeric or numeric value is sent (have a look at the Logger tab).

Would that be possible?

Parsing errors on various openapi specs

Hi !

I'd like to help out on the project, but I don't really remember how to debug the code anymore, and the logs are not super verbose to explain "where in the spec" it failed

Here are a few examples:
https://bugcrowd.com/openapi/2021-10-28/openapi.yml

Cannot invoke "java.util.Map.entrySet()" because "properties" is null

https://www.secureflag.com/management/api/swagger-config.yaml

attribute is not of type `object`

https://app.swaggerhub.com/apiproxy/schema/file/apis/Veracode/veracode-sca_agent_api_specification/3.0?format=json

attribute paths. '/v3/workspaces/{id}/issues'(get).[status].default is not of type `array`]

I'm mostly interested in using swurg to understand how I could automatically download data from APIs, not really testing them, but this is already showing me how hard it is to parse and use OpenAPI specs... 😅
I'd be curious to see if swurg could have a "fail-safe" mode that just tries the list APIs that don't need any input parameter? That would make the import more robust?

Support for JSON body types

I wonder if bodies with JSON content-type are supported?

I've imported an OpenAPI file where requestBody content is application/json, but the content type in the imported entry is instead application/x-www-form-urlencoded. When I import the same file in other software (such as Postman and SwaggerUI) the body content type is handled properly.

I am not familiar with the source code of this extension, but in ExtensionHelper.convertContentTypeToBurpCode it looks like it's just not implemented, but mostly I wanted to double-check if I have missed something. One of the mentioned features is "fully compliant with OpenAPI 2.0/3.0 Specifications", but as I understand it only specific parts of the OpenAPI specification are implemented.

More verbose errors

Hi,

Is there a way to get access to more verbose errors ?

I would love to use this plugin but for some reason my file can't be parsed, I'm getting the error:

The OpenAPI specification contained in %s is ill formed and cannot be parsed

I see that the Swagger Parser is quite old, maybe updating it would solve the issue.

When clicking "send to repeater" the generated request is application/x-www-form-urlencoded

Steps to reproduce:

  1. Download http://petstore.swagger.io/v2/swagger.json
  2. Open swagger.json in Swagger Parser
  3. Find the POST /pet endpoint and click "send to repeater"

POST /v2/pet HTTP/1.1
Host: petstore.swagger.io
Accept: application/xml, application/json
Content-Type: application/json, application/xml

id={integer}&id={integer}&name={string}&name={string}&photoUrls={array}&tags={array}&status={string}

This is an application/x-www-form-urlencoded while content-type says application/json, application/xml

parseAccept throws null pointer exception when content is not set

The ExtensionHelper.parseAccept method throws a null pointer exception when the content is not set in the openAPI spec.

This may be related to issues:

And is hinted at in the comment #74 (comment)

Adjusting the affected lines allows for the spec to be parsed properly:

    if (responses != null && responses.get("200") != null && responses.get("200").getContent() != null) {
      for (Map.Entry<String, MediaType> response : responses.get("200").getContent().entrySet()) {
        stringJoiner.add(response.getKey());
      }
    }

Debugging this was made harder due to the try/catch and the error message output, in this case Class name -> null. Removing these and allowing the exception to dump the stack trace made the error immediately apparent.

I suggest this is done in all places where exceptions are not to be expected or to include a stack trace in those instances.

Suggested feature - recent history of parsed resources

Make the text box a combobox, and each time a new file/URL is opened add it to the combobox's list to record a history of previous files/URLs. These could then be saved in the persistent configuration provided by Burp's API. Also, a button to "clear history" to remove the saved files/URLs.

When you send a request to swagger it could also add that as a URL to the history list, perhaps even place it in the text box at the top.

Adding example params and resolve DTOs

Hi,
Swagger Code-Gen has an example generator

You can use this to automatically resolve DTOs and generate example bodies for requests.
Simply copy ExampleGenerator.java and use it in your /src/main/java/swurg/utils/ExtensionHelper.java
Example usage:
ExampleGenerator gen = new ExampleGenerator(swagger.getDefinitions());
List<Map<String,String>> generatedList = gen.generate(null, expectedTypes, refmodel.getSimpleRef());

I already implemented this in an older version of your extension. Here a part of my implementation as gist as detailed usage example: https://gist.github.com/monoxacc/130818c3dbe1fe360bef12eba5c74ace

Feature request include POST body

Hi,

When I parse a swagger file, the creation of the request works fine.

Many swagger files I have parsed lately include examples of what is expected as body in POST requests. It would be nice to take this example value instead of body=fuzzMe.
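
The body and header handling requested in the parseAccept, JSON body type, DTO and POST body issues above, as an added Python example (not the extension's Java ExtensionHelper): accept_header tolerates a 200 response with no content instead of throwing, request_body serialises an application/json body as JSON rather than form-encoding it, and example_from_schema builds that body from the schema, resolving $ref DTOs and preferring declared example values over type placeholders; the spec fragment and host name are constructed for the demo.

```python
import json

# Constructed OpenAPI 3 fragment: the POST has a $ref'd DTO body and two
# response media types; the DELETE declares a 200 response without "content".
SPEC = json.loads(r'''
{
  "openapi": "3.0.1",
  "paths": {
    "/pet": {
      "post": {
        "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}},
        "responses": {
          "200": {"description": "ok", "content": {"application/json": {}, "application/xml": {}}},
          "405": {"description": "invalid input"}
        }
      },
      "delete": {"responses": {"200": {"description": "deleted"}}}
    }
  },
  "components": {"schemas": {
    "Category": {"type": "object", "properties": {
      "id": {"type": "integer", "format": "int64"},
      "name": {"type": "string", "example": "dogs"}}},
    "Pet": {"type": "object", "required": ["name"], "properties": {
      "id": {"type": "integer", "format": "int64", "example": 10},
      "name": {"type": "string", "example": "doggie"},
      "category": {"$ref": "#/components/schemas/Category"},
      "photoUrls": {"type": "array", "items": {"type": "string"}},
      "status": {"type": "string", "enum": ["available", "pending", "sold"]}}}
  }}
}
''')


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as #/components/schemas/Pet."""
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def example_from_schema(spec, schema, depth=0):
    """Sample value for a schema; depth-limited so self-referencing DTOs terminate."""
    if "$ref" in schema:
        if depth > 5:
            return None
        return example_from_schema(spec, resolve_ref(spec, schema["$ref"]), depth + 1)
    for key in ("example", "default"):
        if key in schema:
            return schema[key]
    if schema.get("enum"):
        return schema["enum"][0]
    kind = schema.get("type", "object" if "properties" in schema else "string")
    if kind == "object":
        return {name: example_from_schema(spec, sub, depth)
                for name, sub in schema.get("properties", {}).items()}
    if kind == "array":
        return [example_from_schema(spec, schema.get("items", {}), depth)]
    return {"integer": 0, "number": 0.0, "boolean": False}.get(kind, "string")


def accept_header(operation):
    """Media types of the 200 response, or None when there is no content to read."""
    responses = operation.get("responses") or {}
    content = (responses.get("200") or {}).get("content") or {}
    return ", ".join(content) or None


def request_body(spec, operation):
    """(content_type, body) for the first declared media type; JSON is serialised as JSON."""
    content = (operation.get("requestBody") or {}).get("content") or {}
    if not content:
        return None, ""
    media_type, media = next(iter(content.items()))
    sample = example_from_schema(spec, media.get("schema") or {})
    if media_type == "application/json":
        return media_type, json.dumps(sample)
    if media_type == "application/x-www-form-urlencoded" and isinstance(sample, dict):
        return media_type, "&".join(f"{k}={v}" for k, v in sample.items())
    return media_type, str(sample)


def build_request(spec, path, method, host="petstore.example"):
    """Raw HTTP/1.1 message for the operation (the host is a constructed value)."""
    operation = spec["paths"][path][method]
    content_type, body = request_body(spec, operation)
    lines = [f"{method.upper()} {path} HTTP/1.1", f"Host: {host}"]
    accept = accept_header(operation)
    if accept:
        lines.append(f"Accept: {accept}")
    if content_type:
        lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(build_request(SPEC, "/pet", "post"))
    print(build_request(SPEC, "/pet", "delete"))
```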

Context menu not working on OSX and Debian

The windows version of the extension works fine, but on other platforms the context menu does not appear. I'm running java versions 1.8.0_101 and 1.8.0_77 on OSX ElCapitan and Debian 8 without success and 1.8.0_111 on Windows with success.

Unable to parse/load OpenAPI 3 YAML or JSON

When trying to parse/load the YAML or JSON from the Swagger Pets store example (linked below), the parser responds at the bottom with 'The OpenAPI specification contained in c:\source\pets3.yml is ill formed and cannot be parsed'.

Is there any way to get more details on the problem it's having with the file? Same response for JSON.

When parsing the 2.0 version though everything works as expected.

We are using the Pet store example available in the Swagger Editor. The exact files are attached as well.

Yaml format
pets3.txt

Missing mandatory field: 'host'

I ran into this issue a couple of time:

The OpenAPI specification contained in https://.../api/v2/swagger/json is missing the mandatory field: 'host'

Adding the host in the JSON fixed the issue:

{
    "basePath": "/api/v2",
    "host": "www.xxx.com",
    "definitions": {

It would be nice to default the host to the host of the swagger doc when it's not set and we pass a URL to OpenAPI Parser.
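
One way to make the missing servers, schemes and host cases raised above recoverable, and to pick the V2 or V3 reading automatically as the OAS 3.0 support issue asks, as an added Python example (not the extension's Java Loader): it detects whether the document is Swagger 2.0 or OpenAPI 3.x, reads servers or schemes/host/basePath accordingly, and when those are absent takes the origin of the URL the document was fetched from, reporting which default was used; the documents and URLs are constructed for the demo.

```python
import json
from urllib.parse import urlsplit, urlunsplit


def spec_version(doc):
    """Return ("swagger", "2.0") or ("openapi", "3.x"); raise on anything else."""
    if str(doc.get("swagger", "")).startswith("2"):
        return "swagger", str(doc["swagger"])
    if str(doc.get("openapi", "")).startswith("3"):
        return "openapi", str(doc["openapi"])
    raise ValueError("neither a Swagger 2.0 nor an OpenAPI 3.x document")


def resolve_base_url(doc, document_url=None):
    """Return (base_url, note); note explains any fallback that was applied."""
    family, _ = spec_version(doc)
    origin = urlsplit(document_url) if document_url else None

    if family == "openapi":
        servers = doc.get("servers") or []
        if servers and servers[0].get("url"):
            url = servers[0]["url"]
            # A relative server URL is resolved against the document location (OAS 3 rule).
            if url.startswith("/") and origin:
                return urlunsplit((origin.scheme, origin.netloc, url, "", "")), None
            return url, None
        if origin:
            return urlunsplit((origin.scheme, origin.netloc, "", "", "")), "no servers: using document origin"
        raise ValueError("no servers object and no document URL to fall back on")

    # Swagger 2.0: schemes, host and basePath are all optional in practice.
    schemes = doc.get("schemes") or ([origin.scheme] if origin else ["https"])
    host = doc.get("host") or (origin.netloc if origin else None)
    if not host:
        raise ValueError("missing 'host' and no document URL to fall back on")
    base_path = doc.get("basePath") or ""
    notes = []
    if "schemes" not in doc:
        notes.append("schemes defaulted to " + schemes[0])
    if "host" not in doc:
        notes.append("host taken from document URL")
    return f"{schemes[0]}://{host}{base_path}", "; ".join(notes) or None


# Constructed documents covering each case (hosts are placeholders).
OAS3_WITH_SERVERS = json.loads('{"openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1"}], "paths": {}}')
OAS3_NO_SERVERS = json.loads('{"openapi": "3.0.0", "paths": {}}')
SWAGGER2_FULL = json.loads('{"swagger": "2.0", "schemes": ["https"], "host": "www.example.test", "basePath": "/api/v2", "paths": {}}')
SWAGGER2_NO_HOST = json.loads('{"swagger": "2.0", "basePath": "/api/v2", "paths": {}}')

if __name__ == "__main__":
    cases = [
        (OAS3_WITH_SERVERS, None),
        (OAS3_NO_SERVERS, "https://host.example.test/api/openapi.json"),
        (SWAGGER2_FULL, None),
        (SWAGGER2_NO_HOST, "http://www.xxx.example/api/v2/swagger/json"),
    ]
    for doc, url in cases:
        print(spec_version(doc), resolve_base_url(doc, url))
```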

Extension Doesn't Load Swagger File - AD credentials don't conform to REGEX

Prerequisites Checklist

Before submitting the issue, please make sure you have:

Using latest release of extension on Burp Suite

Description

The OpenAPI parser extension can't import any swagger file because it always checks the file based on REGEXes and the content doesn't match against the regexes the app uses (they're too restrictive or old)

Steps to Reproduce

Add Extension into Burp Suite
Import Swagger file

Expected Behavior

Expect the swagger file to load, possibly ability to turn off error checking

Screenshots

image

Environment

Windows 10 with Burp Suite V2023.3.4

OpenAPI Specification

  • OpenAPI version: [e.g. 3.1]

Error Message

Error message in above screenshot

image

Additional Context

Happens with importing swagger file, containing Microsoft AD credentials eg client secret value.

Other errors occur - never got the extension to work within Burp because it ALWAYS does error checking and even though the Swagger files have content which doesn't conform to the tool's REGEX they're valid and work in Postman but not Swurg/OpenAPI parser in Burp

The OpenAPI specification obtained in XXXX is ill formed and cannot be parsed

In SwaggerHub I try to export the YAML or JSON file like this:

image

When I try to import the file in burp I get the error "The OpenAPI specification obtained in XXXX is ill formed and cannot be parsed".

I tried to validate the YAML (or JSON) file with the swagger-cli validate command:

image

It seems that the file is correct.

Unfortunately I cannot share the YAML or JSON files.

Any ideas what I can check or try on my side?

Changes to swagger-parser for OAS3.0 Support

Hi there,

I've been trying to use swurg with an OAS 3.0 API document. It fails the import process, stating that the document is ill formed.

After reviewing the swurg code, it appears that swurg is still configured to use the V2-compatible version of the parser: https://github.com/aress31/swurg/blob/f592a287d3f588ddd01f895925584546c246b050/src/main/java/swurg/process/Loader.java#L47

Per their README, swagger-parser has a new syntax for parsing V3 files:

import io.swagger.v3.parser.OpenAPIV3Parser;
import io.swagger.v3.oas.models.OpenAPI;

// ... your code

// read a swagger description from the petstore
OpenAPI openAPI = new OpenAPIV3Parser().read("https://petstore3.swagger.io/api/v3/openapi.json");

It looks like this would need to be called rather than the old SwaggerParser constructor for full V3 support. Additionally, an option should be added to the UI to parse as V2 or as V3, depending on the file (or detect it automatically).

Bypass SSL error certificate

Hello, is it possible to avoid the use of the tool due to an error in the certificate?
It usually happens when the certificate was created for a domain and is entered by IP. I don't know what the domain is, I only know the IP. The plugin gives me the following error:
image

Trying to load openapi 3.0 file produces error

When trying to import this file to the openapi parser, I get

Cannot invoke: "String.equals(Object)" because the return value of "java.net.URI.getSchreme()" is null.

I have the same issue with a non-public openapi definition.

[BUG] issue when importing Swagger file "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()"

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

I installed openapi-parser from the BApp Store. After selecting an OpenAPI 3.0.0 specification file, I get the following error message:

Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null

This message appears at the bottom of the Burp Suite Window. I have reviewed the file and it is readable YAML, not a corrupt file.

Steps to Reproduce

  1. Open Extensions tab -> BApp store
  2. Install OpenAPI Parser
  3. Select OpenAPI Parser tab
  4. Browse / Load file
  5. Select api.yml file
  6. Error is produced: "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null"

Expected Behavior

I expected the yaml file to be ingested

Screenshots

None useful.

Environment

  • OS: Kali Linux 2022.4 kali-rolling
  • Java version: openjdk 17.0.5 2022-10-18
  • Jython version: standalone 2.7.3
  • Gradle version: n/a; installed via BApp store: "Alternatively, you can skip the Compilation step entirely and download the extension directly from the [BApp Store]"
  • Burp Suite version: Burp Suite Professional v2023.3.5
  • Swurg version: OpenAPI Parser 3.1

OpenAPI Specification

  • OpenAPI version: 3.0.0
  • Sample specification snippet (if applicable):
    openapi: '3.0.0'
    info:
      version: '1.0.0'
      title: '[REDACTED]'
      description: [REDACTED] API
    servers:
      - url: [REDACTED]
        description: [REDACTED]
    paths:
      /api/account/token/:
        post:

^ Just to demonstrate that it is formatted as expected.

Error Message

I don't see an Extender Error tab but error message at bottom of the app reads: "Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null"

Additional Context

None more I can think of. Please let me know if more information is needed.

I would post this issue on the PortSwigger/openapi-parser repo but I do not see any way to submit issues on that branch.

EDIT: formatting.

[BUG] OpenAPI Spec Failing to Parse

Prerequisites Checklist

Before submitting the issue, please make sure you have:

  • Thoroughly read the README file.
  • Checked the project requirements and ensured they are met.
  • Searched for existing issues that may address the problem.
  • Performed basic troubleshooting steps.

Description

It appears there is a failure during the parsing of the OpenAPI spec. I've tried using the hosted spec, YAML, and JSON formats. All return the same error.

I've also compiled the latest version of this repo and NOT using the BApp store extension.
I removed any OpenAPI extensions and restarted BSP and then manually loaded this extension.

Steps to Reproduce

  1. Go to OpenAPI Parser Extension
  2. Click on Browse to the YAML/JSON files (or paste in the endpoint for the hosted spec)
  3. Click on Load
  4. See error at the bottom of BSP
  5. Check the error log in the Extensions tab

Expected Behavior

I would expect to see the extension load our API Spec the same as it does a common spec like https://petstore.swagger.io/v2/swagger.json

I've tested it with the above spec and everything loads fine.

Environment

  • OS: MacOS
  • Java version: 17
  • Gradle version: 7.4.2
  • Burp Suite version: Professional 2023.4.3
  • Swurg version: Latest on Main

OpenAPI Specification

  • OpenAPI version: 3.0.1
  • Sample specification snippet (if applicable):
    Happy to share in a DM

Error Message

All 3 formats of the spec result in the following error:

java.lang.NullPointerException: Cannot read the array length because "<parameter4>" is null
	at burp.Zjtf.ZU(Unknown Source)
	at burp.Zjtf.Zy(Unknown Source)
	at burp.Znk.ZV(Unknown Source)
	at burp.Zvtt.ZX(Unknown Source)
	at burp.Zp98.ZX(Unknown Source)
	at burp.Zqk1.ZV(Unknown Source)
	at burp.Zq9u.ZI(Unknown Source)
	at burp.Zh64.ZF(Unknown Source)
	at burp.Zioj.withAddedParameters(Unknown Source)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at burp.Zqs.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy48.withAddedParameters(Unknown Source)
	at swurg.workers.Worker.lambda$parseOpenAPI$1(Worker.java:110)
	at java.base/java.util.HashMap.forEach(HashMap.java:1429)
	at swurg.workers.Worker.parseOpenAPI(Worker.java:85)
	at swurg.gui.views.ParserPanel$LoadButtonListener.actionPerformed(ParserPanel.java:172)
	at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
	at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
	at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
	at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
	at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6620)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3398)
	at java.desktop/java.awt.Component.processEvent(Component.java:6385)
	at java.desktop/java.awt.Container.processEvent(Container.java:2266)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4995)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:775)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:747)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:744)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Cannot read the array length because "<parameter4>" is null

Additional Context

One thing I would like to add:
I have run our API Spec through https://editor.swagger.io/ and have confirmed there are no spec errors that it is showing.
If there is an error with our spec, the Swagger Editor and linters aren't picking it up.

Compilation errors on Debian

The compilation step of the build fails on up-to-date Debian 8 with javac 1.7.0_111. I have successfully compiled the code on OSX with javac 1.8.0_77, so this is a Java version issue. The errors are related to calls to the callback functions sendToIntruder, sendToRepeater, and doActiveScan. These are also the functions failing in issue #3, so this might be the cause for it.

./burp/ContextMenu.java:54: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.sendToIntruder(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), httpRequest.getRequest());
                    ^
./burp/ContextMenu.java:69: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.sendToRepeater(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), 
                    ^
./burp/ContextMenu.java:85: error: local variable callbacks is accessed from within inner class; needs to be declared final
                    callbacks.doActiveScan(httpRequest.getHost(), httpRequest.getPort(), httpRequest.getUseHttps(), httpRequest.getRequest());
                    ^
./burp/Helper.java:151: error: cannot find symbol
                                + "Accept: " + String.join(",", produces) + "\n"
                                                     ^
  symbol:   method join(String,List<String>)
  location: class String
./burp/Helper.java:152: error: cannot find symbol
                                + "Content-Type: " + String.join(",", consumes)
                                                           ^
  symbol:   method join(String,List<String>)
  location: class String
./burp/Helper.java:160: error: cannot find symbol
                                + "Accept: " + String.join(",", produces) 
                                                     ^
  symbol:   method join(String,List<String>)
  location: class String

Additional fields option

It would be really good to have some way to automatically add extra headers as the request is being sent to repeater etc. I'm currently having to manually add the Authorization: Bearer after each request has been sent.

Possibility for loose parsing

Hi,

thanks for the tool which I am using in burp!

I am all in for being compliant with open standards. However, as the tool should assist in testing, I would personally find it better if it is not a hard failure when the specification is not met, or at least if there were a possibility to override swurg being strict.

In my case the scheme declaration was missing, see src/main/java/swurg/process/Loader.java (git blame is telling me that it was changed in f592a28).

Cheers, Dirk

if basePath is missing, null is used

The swagger.yaml file I was given is missing some key fields, I've just noticed that with basePath missing, null is used in its place:

GET null/version HTTP/1.1

It should either be mandatory or should default to /
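The two reports above (the "loose parsing" request for a non-strict mode, and the `null/version` request line produced when `basePath` is absent) both come down to how missing Swagger 2.0 top-level fields are resolved. The Swagger 2.0 specification documents defaults for these: `basePath` defaults to the API being served directly under `host`, and `host` and `schemes` default to the host and scheme the definition itself was fetched from. The following is an added example, not swurg's code and not the project's `Loader` or `Worker` classes: a stand-alone request builder that applies those defaults, records a warning whenever it does so, and keeps a `strict` flag for users who want a hard failure instead. The `SwaggerDoc` holder, the `fallbackHost`/`fallbackScheme` values and the `Authorization` header value are all constructed for the example; the token is a placeholder.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Builds a raw HTTP/1.1 request from Swagger 2.0 top-level fields, applying the
 * defaults the specification documents (basePath -> served under host, host and
 * schemes -> those used to fetch the document) instead of emitting "null" or
 * aborting. A strict mode is kept for users who want missing fields to be an error.
 */
public final class LenientRequestBuilder {

    /** Minimal stand-in for a parsed Swagger 2.0 document (constructed for this example). */
    public static final class SwaggerDoc {
        public String host;            // e.g. "api.example.test:8443"; may be absent
        public String basePath;        // e.g. "/v1"; may be absent
        public List<String> schemes;   // e.g. ["https"]; may be absent or empty
    }

    private final String fallbackHost;   // host (and port) the definition was fetched from
    private final String fallbackScheme; // scheme the definition was fetched with
    private final boolean strict;
    private final List<String> warnings = new ArrayList<>();

    public LenientRequestBuilder(String fallbackHost, String fallbackScheme, boolean strict) {
        this.fallbackHost = fallbackHost;
        this.fallbackScheme = fallbackScheme;
        this.strict = strict;
    }

    /** Warnings collected while defaults were substituted; worth surfacing in the UI. */
    public List<String> warnings() {
        return warnings;
    }

    private void missing(String field, String substituted) {
        String msg = "Swagger field '" + field + "' is missing; using '" + substituted + "'";
        if (strict) {
            throw new IllegalArgumentException(msg);
        }
        if (!warnings.contains(msg)) {
            warnings.add(msg);
        }
    }

    /** Normalises basePath so that joining it with a path never yields "null" or "//". */
    String resolveBasePath(SwaggerDoc doc) {
        if (doc.basePath == null || doc.basePath.trim().isEmpty()) {
            missing("basePath", "/");
            return "";
        }
        String p = doc.basePath.trim();
        if (!p.startsWith("/")) {
            p = "/" + p;
        }
        while (p.endsWith("/")) {            // "/" becomes "", "/v1/" becomes "/v1"
            p = p.substring(0, p.length() - 1);
        }
        return p;
    }

    String resolveHost(SwaggerDoc doc) {
        if (doc.host == null || doc.host.trim().isEmpty()) {
            missing("host", fallbackHost);
            return fallbackHost;
        }
        return doc.host.trim();
    }

    /** Prefers https when the document lists it, otherwise the first listed scheme. */
    String resolveScheme(SwaggerDoc doc) {
        if (doc.schemes == null || doc.schemes.isEmpty()) {
            missing("schemes", fallbackScheme);
            return fallbackScheme;
        }
        return doc.schemes.contains("https") ? "https" : doc.schemes.get(0);
    }

    public boolean useHttps(SwaggerDoc doc) {
        return "https".equals(resolveScheme(doc));
    }

    /** Request line, Host header and any extra headers (e.g. Authorization) the tester supplies. */
    public String build(SwaggerDoc doc, String method, String path, Map<String, String> extraHeaders) {
        String target = resolveBasePath(doc) + (path.startsWith("/") ? path : "/" + path);
        StringBuilder sb = new StringBuilder();
        sb.append(method).append(' ').append(target).append(" HTTP/1.1\r\n");
        sb.append("Host: ").append(resolveHost(doc)).append("\r\n");
        for (Map.Entry<String, String> h : extraHeaders.entrySet()) {
            sb.append(h.getKey()).append(": ").append(h.getValue()).append("\r\n");
        }
        sb.append("\r\n");
        return sb.toString();
    }

    public static void main(String[] args) {
        SwaggerDoc doc = new SwaggerDoc(); // host, basePath and schemes all absent, as in the reports
        LenientRequestBuilder builder = new LenientRequestBuilder("api.example.test", "https", false);
        Map<String, String> extra = new LinkedHashMap<>();
        extra.put("Authorization", "Bearer TOKEN_PLACEHOLDER"); // placeholder, not a real credential
        System.out.print(builder.build(doc, "GET", "/version", extra));
        System.out.println("https: " + builder.useHttps(doc));
        for (String w : builder.warnings()) {
            System.err.println("warning: " + w);
        }
    }
}
```

With `strict` set to `false` the missing `basePath` is resolved to an empty prefix, so the request target is `/version` rather than `null/version`, and each substituted default is reported once through `warnings()`; with `strict` set to `true` the first missing field throws, which is the behaviour the "loose parsing" report asks to be able to switch off. The `extraHeaders` map is the hook the "Additional fields option" request describes: headers such as `Authorization: Bearer` are added once at build time instead of by hand after each send.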

"<<<<<<< HEAD" in the beginning of files

I'm failing to set this extension up and would love to edit the code, but it seems the files are some kind of diffs or have some metadata in them.

Mostly I can see strings like <<<<<<< HEAD, =======, and >>>>>>> origin/master that don't seem to be java code. The files affected are at least DataStructure.java and ContextMenu.java. If these are some residue from some tool or a mistake, then having them removed would enable me to debug and improve the extension.
