govtech-csg / autowasp Goto Github PK

Hi,

I am able to save project (or at least some file can be automatically generated - autowasp_project.ser), but the project cannot be loaded then. There is no error message in Burp UI neither in console.

Tried installation via Extender and downloading Autowasp_v1.0.1.jar manually - the same result.

I use Burp 2021.8.4 Pro.

Thanks
Michal

Hello,

I faced with issue while installing the extension. The error is

java.lang.NullPointerException: Cannot invoke "burp.IBurpCollaboratorClientContext.generatePayload(boolean)" because "this.extender.iBurpCollaboratorClientContext" is null
	at autowasp.logger.TrafficLogic.<init>(TrafficLogic.java:69)
	at autowasp.Autowasp.registerExtenderCallbacks(Autowasp.java:98)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
	at burp.amj.lambda$registerExtenderCallbacks$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)

How can I fix it? I've tried to install extension through BApp Store, compiling and adding compiled file and adding pre-compiled file.

Hi,
I found that the plugin generates unwanted/superfluous network traffic. With the plugin enabled Burp sends additional (sometimes invalid) packets to the target when submitting HTTP POST requests. The extra packets are not logged by Burp but can be confirmed with packet capture.

Requirements:

• Plugin has Logging enabled ("Enable Burp Scanner logging")
• Suite Scope is set and enabled

Reproduce:

• load Burp with default settings
• set Suite scope and enable logging (s. above)
• visit webpage with POST form with Burp as Proxy
• trigger post request in browser and capture the traffic
• (toggle Suite scope)

Cheers.

Perceived Issue: Autowasp is unable to be loaded without Collaborator

Burp Version: Professional v2021.3.1
Error message:
java.lang.IllegalStateException: Burp Collaborator is disabled in the Project options at burp.b8i.a(Unknown Source) at burp.b8i.generatePayload(Unknown Source) at burp.aq8.generatePayload(Unknown Source) at autowasp.logger.TrafficLogic.<init>(TrafficLogic.java:69) at autowasp.Autowasp.registerExtenderCallbacks(Autowasp.java:98) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:564) at burp.bza.lambda$registerExtenderCallbacks$0(Unknown Source) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) at java.base/java.lang.Thread.run(Thread.java:832)

Needing Collaborator for some features is known via Dev response

Desired/Expected State: Able to load and use Autowasp without Collaborator

I have managed to identify a bug in the Autowasp menu. As you can see in the image, the buttons and information displayed by the plugin are not clearly visible.

First-off, when installing the extension via BAPP, the extension can't reach the checklist online. Thus, using the local checklist is not good because it is from 2021, while the latest one is from 2 months ago: https://github.com/OWASP/wstg/blob/master/checklists/checklist.xlsx

Hi - Thank you for developing Autowasp. Would it be possible to add a search box in your extension? It would act like the search box in Burp's extensions store. That way I could filter test cases by type, say only display those related to Configuration or only those related to Authorization, etc.

When trying to fetch:

Hi folks! First off awesome job with this extension, it solves a gap in the pentesters flow and it's really well documented.

I have a couple of suggestions, which I'd love to be added. The first is adding a "Done" column, equal to the "To Exclude". Basically this would allow us to keep track of what tests have been done and complement the excluded tests very nicely.

The second one would be adding a host column. I assume this is much more tricky and probably not for everyone. But personally, when testing a target I have multiple targets/hosts. As such, for me to cover everything I need to distinguish the tests done in one host for another. With that host tab, I could make sure that all the tests were done and covered in all of the scope. I'm not sure the best way to implement this - e.g. duplicating the checklist items for every host in scope to test, or being able to duplicate only some items, or simply making the host column a text input where we could manually write the targets we tested.

Very crude mockup:

Thanks and keep up the good work!

Hi,

Firstly, awesome project, but is there a way that you also include a column for the ignored and completed test cases in the XLSX export?

Thank you

hi there ,

add a feature like add own checklist and import ,export my checklist