PortSwigger/param-miner

param miner not quite working, crashing, etc.

musashi42 opened this issue · 2 comments

in burp community edition v2020.8:
param miner v1.20

java.lang.IllegalArgumentException: Invalid to offset
at burp.ap3.indexOf(Unknown Source)
at burp.cg7.indexOf(Unknown Source)
at burp.Utilities.containsBytes(Utilities.java:829)
at burp.ParamGuesser.findPersistent(ParamGuesser.java:657)
at burp.ParamGuesser.guessParams(ParamGuesser.java:189)
at burp.ParamGuesser.run(ParamGuesser.java:76)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.IllegalArgumentException: Invalid to offset
at burp.ap3.indexOf(Unknown Source)
at burp.cg7.indexOf(Unknown Source)
at burp.Utilities.containsBytes(Utilities.java:829)
at burp.ParamGuesser.findPersistent(ParamGuesser.java:657)
at burp.ParamGuesser.guessParams(ParamGuesser.java:210)
at burp.ParamGuesser.run(ParamGuesser.java:76)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)

I have used logger++ together with param miner in order to determine if it's even working, and at times it does, at times it doesn't.
Issuing Guess GET headers on lab: Web cache poisoning via an unkeyed query string
results in around 15-16 requests judging from logger++ and filtering only for extender requests and then nothing,
adding the lab url to the target list, having param miner enabled, and refreshing the page results in a lot more requests, so far got 1319, and then the above error.
Issuing the Bulk Scan -> Unkeyed param results in nothing other than Attack Queued.

I don't know what's going on, I had the same issue yesterday, but upon reinstalling param miner it worked fine, until today, I have reinstalled it, but still same issues.

Hopefully there is a simple explanation/fix; in the meantime I guess I'll try to figure out the code and convert it into Python unless someone has already done that.

Thanks for looking into this.

Sincerely,
musashi42

Hello,

I can confirm that the "Bulk -> Unkeyed Parameter" does nothing.
The only thing that happens is that the extension writes the following line into the extender log: Queued 0 attacks from 1 requests in 0 seconds

Logger++ is not showing a single request.

I tried this for this Lab: https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-query

Environment:
OS Kali Linux (last patches)
Burp Suite Pro 2020.8.1

Greetings,
fabSeKo3429

Unkeyed parameter operates on existing parameters. If there aren't any parameters, queuing 0 requests is expected behaviour.