Comments (3)
@theblackturtle that would mean it's Burp's API that does it wrong. Interesting take, but unsure if that is really the issue.
@c3l3si4n thanks for the bug report. I have experienced high disk load as well, but your system shouldn't crash because of that, at max Burp ;)
All I'm saying now applies to the "old" Burp API all extensions are currently using. The new Montoya API was not usable when I last tested a couple of months ago.
This extension is still under heavy development, so it's not finished yet.
I guess I just realized what it might be (although not 100% sure). It's actually stupid I haven't thought about this before, but that's probably because I thought more about requests than responses when developing this extension.
Here's the issue:
- We need the responses to filter items by response code, content-type, and custom regex (actually some of these are features that are only in my development branch yet)
- Burp API doesn't have a good way to store project-level data (only user-level), therefore we have to abuse the "save to sitemap" feature to store things, which is slow and inefficient.
- I'm storing every request/response twice in the sitemap (the original and the "repeatable" version). This is probably not necessary in 95% of the cases because they are identical, but I haven't optimised it yet
- Here's the stupid part: I don't look at the request/response sizes yet. If you get 5 MB of JavaScript from the server, I store 10 MB. I have to limit this. I limit this in all my other Burp extensions, but not here yet.
I could now just ignore all responses with large sizes, but I might actually get away with only storing the headers of responses. However, this might take some time to fix.
from pentagridscancontroller.
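As an added example (not code from the pentagridscancontroller project or its author), here is one way to apply the size limit the maintainer describes above: keep the status line and headers of every response, since those are all the status/content-type filters need, but keep the body only when it is under a cap and has a content type the custom-regex filter would want to read. StoredResponse, bodyOffset, trimForStorage, MAX_STORED_BODY and the three sample responses are this example's own assumptions; a real extension would feed it the bytes it gets from IHttpRequestResponse.getResponse().

```kotlin
const val MAX_STORED_BODY = 64 * 1024  // assumption: cap kept bodies at 64 KiB

/** What gets persisted per response: status and headers always, the body only when small and text-like. */
class StoredResponse(
    val statusCode: Int,
    val contentType: String?,
    val headerBytes: ByteArray,
    val body: ByteArray?,          // null when the body was not kept
    val originalBodyLength: Int,
)

/** Index of the first body byte (just past the blank line that ends the headers), or -1 if there is none. */
fun bodyOffset(response: ByteArray): Int {
    val text = String(response, Charsets.ISO_8859_1)  // 1:1 byte-to-char mapping, so indices stay byte offsets
    val crlf = text.indexOf("\r\n\r\n")
    if (crlf >= 0) return crlf + 4
    val lf = text.indexOf("\n\n")                      // tolerate servers that only send LF
    return if (lf >= 0) lf + 2 else -1
}

/** Keeps the body only if it is at most maxBody bytes and looks like something a regex filter needs to read. */
fun trimForStorage(response: ByteArray, maxBody: Int = MAX_STORED_BODY): StoredResponse {
    val offset = bodyOffset(response)
    val headerBytes = if (offset < 0) response else response.copyOfRange(0, offset)
    val bodyLength = if (offset < 0) 0 else response.size - offset

    val lines = String(headerBytes, Charsets.ISO_8859_1).split("\r\n", "\n")
    // "HTTP/1.1 200 OK" -> 200; anything unparsable becomes 0 so a status filter can still reject it
    val status = lines.firstOrNull()?.split(' ')?.getOrNull(1)?.toIntOrNull() ?: 0
    val contentType = lines.drop(1)
        .firstOrNull { it.startsWith("content-type:", ignoreCase = true) }
        ?.substringAfter(':')?.substringBefore(';')?.trim()?.lowercase()

    val textLike = contentType != null && (contentType.startsWith("text/") ||
        contentType.endsWith("json") || contentType.endsWith("xml") || contentType.contains("javascript"))
    val keepBody = bodyLength in 1..maxBody && textLike
    val body = if (keepBody) response.copyOfRange(offset, response.size) else null
    return StoredResponse(status, contentType, headerBytes, body, bodyLength)
}

fun main() {
    // Constructed samples, not captured traffic: an oversized script, a small HTML error page, a binary image.
    val samples = listOf(
        "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n" + "x".repeat(5 * 1024 * 1024),
        "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<h1>not found</h1>",
        "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\u0089PNG....",
    )
    for (raw in samples) {
        val t = trimForStorage(raw.toByteArray(Charsets.ISO_8859_1))
        val stored = t.headerBytes.size + (t.body?.size ?: 0)
        println("status=${t.statusCode} type=${t.contentType} body=${t.originalBodyLength} bytes" +
            " -> stored $stored bytes, bodyKept=${t.body != null}")
    }
}
```

With this rule the 5 MB script keeps only its headers, the 404 page keeps its body, and the image keeps only its headers. The trade-off is the one the maintainer hints at: a custom regex can no longer match inside bodies that were dropped, so the cap should be high enough for the responses the filters actually need, and it does nothing about the second copy stored for the "repeatable" version.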
Hi,
I think this is because Burp's active scan module saves requests/responses for tracking OOB vulns. You can solve this by saving a new project.
I have made a workaround to make this issue better on my system. Here's the patch I've made to src/main/kotlin/Persist.kt:
    import java.io.ByteArrayInputStream
    import java.io.ByteArrayOutputStream
    import java.io.File
    import java.io.FileInputStream
    import java.io.FileOutputStream
    import java.io.InvalidClassException
    import java.io.ObjectInputStream
    import java.io.ObjectOutputStream
    import java.io.Serializable

    // BurpExtender.c, toBase64() and fromBase64() are the extension's own helpers (not shown here).

    internal fun writeFile(filename: String, bytes: ByteArray) {
        // use {} closes the stream even when write() throws
        FileOutputStream(File(filename)).use { fos ->
            fos.write(bytes)
        }
    }

    internal fun readFile(filename: String): ByteArray? {
        val file = File(filename)
        if (!file.exists()) {
            return null
        }
        return FileInputStream(file).use { fis -> fis.readBytes() }
    }

    // User-level settings: unchanged, still go through Burp's extension-settings API.
    internal fun saveExtensionSettings(serializableThing: Serializable, name: String) {
        //println("Serializing $serializableThing")
        val byteOut = ByteArrayOutputStream()
        ObjectOutputStream(byteOut).use { objectOut ->
            objectOut.writeObject(serializableThing)
        }
        val bytes = byteOut.toByteArray()
        byteOut.close()
        BurpExtender.c.saveExtensionSetting(name, bytes.toBase64())
    }

    internal fun loadExtensionSettings(name: String): Any? {
        val value = BurpExtender.c.loadExtensionSetting(name)
        return if (value == null) {
            null
        } else {
            val serializedThing = value.fromBase64()
            //println("Deserialized $serializedThing")
            val byteIn = ByteArrayInputStream(serializedThing)
            try {
                ObjectInputStream(byteIn).readObject()
            } catch (e: Exception) {
                println(e)
                null
            }
        }
    }

    // Project-level settings: written to a plain file instead of the Burp sitemap.
    // Caveat: /tmp is shared and world-writable, so another local user can read these files or
    // replace one with a serialized object of their own, which ObjectInputStream below would then
    // deserialize. A directory under the user's home with owner-only permissions avoids that.
    internal fun saveProjectSettings(serializableThing: Serializable, name: String) {
        val byteOut = ByteArrayOutputStream()
        ObjectOutputStream(byteOut).use { objectOut ->
            objectOut.writeObject(serializableThing)
        }
        val bytes = byteOut.toByteArray()
        byteOut.close()
        writeFile("/tmp/pentagrid_$name", bytes)
    }

    internal fun loadProjectSettings(name: String): Any? {
        val serializedThing = readFile("/tmp/pentagrid_$name") ?: return null
        var obj: Any? = null
        try {
            val byteIn = ByteArrayInputStream(serializedThing)
            obj = ObjectInputStream(byteIn).readObject()
        } catch (ice: InvalidClassException) {
            println("Unfortunately deserialization did not work. Probably the extension was updated and the " +
                    "serialVersionUID changed of the objects and differs with the ones stored. " + ice.toString())
        } catch (cnfe: ClassNotFoundException) {
            println("Unfortunately deserialization did not work. Probably the extension was updated and the " +
                    "serialVersionUID changed of the objects and differs with the ones stored. " + cnfe.toString())
        }
        return obj
    }
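Added example, not code from the pentagridscancontroller project or from the patch above: the same file-based project persistence, with the two things a reviewer would flag in the /tmp version addressed. State goes under a per-user directory created with owner-only permissions (so other local users can neither read the files nor swap them out), the project key and settings name are validated so they cannot escape that directory, and readObject() is only allowed to resolve an explicit allow-list of classes, which stops a planted file from reaching a gadget chain. ProjectState, projectKey, BASE_DIR, ALLOWED_CLASSES and the function names are this example's own assumptions; how the extension identifies the current project is left to the caller, because the old Burp API does not expose it.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.InputStream
import java.io.InvalidClassException
import java.io.ObjectInputStream
import java.io.ObjectOutputStream
import java.io.ObjectStreamClass
import java.io.Serializable
import java.nio.ByteBuffer
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.StandardOpenOption
import java.nio.file.attribute.PosixFilePermissions

/** Assumed shape of the per-project state: a label plus a few string options. */
class ProjectState(val label: String, val options: HashMap<String, String>) : Serializable {
    companion object { private const val serialVersionUID = 1L }
}

// Only these class descriptors may occur in a stored file; anything else is rejected before its
// readObject() can run. Extend the set when ProjectState gains fields of new serializable types.
val ALLOWED_CLASSES: Set<String> = setOf(ProjectState::class.java.name, "java.util.HashMap")

/** ObjectInputStream that refuses class descriptors outside the allow-list (works on Java 8 and later). */
class AllowListObjectInputStream(input: InputStream) : ObjectInputStream(input) {
    override fun resolveClass(desc: ObjectStreamClass): Class<*> {
        if (desc.name !in ALLOWED_CLASSES) {
            throw InvalidClassException(desc.name, "not on the deserialization allow-list")
        }
        return super.resolveClass(desc)
    }
}

// Assumption: state lives under ~/.pentagrid-scan-controller/<projectKey>/<name>, owner-only, instead of /tmp.
val BASE_DIR: Path = Paths.get(System.getProperty("user.home"), ".pentagrid-scan-controller")
// First character may not be a dot, so "." and ".." (and therefore "../") are rejected.
private val SAFE_NAME = Regex("[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}")
private val OWNER_RWX = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))
private val OWNER_RW = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"))

/** Resolves the file for (projectKey, name) after checking that neither can escape BASE_DIR. */
private fun settingsPath(projectKey: String, name: String): Path {
    require(SAFE_NAME.matches(projectKey) && SAFE_NAME.matches(name)) { "unsafe project key or settings name" }
    val dir = BASE_DIR.resolve(projectKey)
    try {
        Files.createDirectories(dir, OWNER_RWX)
    } catch (e: UnsupportedOperationException) {
        Files.createDirectories(dir)  // non-POSIX filesystem (Windows): fall back to the profile's ACL
    }
    return dir.resolve(name)
}

fun saveProjectState(projectKey: String, name: String, state: ProjectState) {
    val buffer = ByteArrayOutputStream()
    ObjectOutputStream(buffer).use { it.writeObject(state) }
    val options = setOf(StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.WRITE)
    val path = settingsPath(projectKey, name)
    // Permissions are applied when the file is created, so it is never briefly readable by others.
    val channel = try {
        Files.newByteChannel(path, options, OWNER_RW)
    } catch (e: UnsupportedOperationException) {
        Files.newByteChannel(path, options)
    }
    channel.use { it.write(ByteBuffer.wrap(buffer.toByteArray())) }
}

fun loadProjectState(projectKey: String, name: String): ProjectState? {
    val path = settingsPath(projectKey, name)
    if (!Files.exists(path)) return null
    return try {
        AllowListObjectInputStream(ByteArrayInputStream(Files.readAllBytes(path))).use { it.readObject() as ProjectState }
    } catch (e: InvalidClassException) {
        // Either a class outside the allow-list, or serialVersionUID changed after an extension update.
        println("Not loading $path: $e")
        null
    } catch (e: ClassNotFoundException) {
        println("Not loading $path: $e")
        null
    }
}

fun main() {
    // Constructed sample state; round-trips through the owner-only file and the allow-listed loader.
    saveProjectState("demo-project", "settings", ProjectState("example scan", hashMapOf("maxBodyBytes" to "65536")))
    val restored = loadProjectState("demo-project", "settings")
    println("restored: ${restored?.label} ${restored?.options}")
}
```

On Java 9 and later the same allow-list can be expressed with ObjectInputStream.setObjectInputFilter instead of overriding resolveClass, which additionally lets you cap depth, array sizes and total bytes of the stream; the override above is kept because the old Burp API still runs on Java 8 installs.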