burpsuite: 2023.7.2 -> 2023.10.2.4, add Professional Edition

[Arcayr]

Description of changes

Bump Burp Suite from 2023.7.2 to 2023.10.2.4, and adds the ability to install the Professional Edition of Burp Suite by overriding the proEdition argument to true.

Some of upstream's URLs now redirect from the word "free" to "community". They have been amended as part of this update.

A list of upstream changes since the last version in nixpkgs, from https://portswigger.net/burp/releases:

• 2023.10.2.4: We have upgraded Burp's built-in browser to 118.0.5993.117 for Mac / Linux and 118.0.5993.90 for Windows. For more information, see the Chromium release notes.
• 2023.10.2.3: We have upgraded Burp's built-in browser to 118.0.5993.88 for Mac / Linux and 118.0.5993.88/.89 for Windows. This update contains a security fix. For more information, see the Chromium release notes.
• 2023.10.2.2: This release introduces new functionality for BChecks, including the ability to test your checks from within the editor and create definitions from a blank template. We have also added a notes feature to Repeater tabs.
• 2023.10.1.2: We have upgraded Burp's built-in browser to 117.0.5938.132 for Mac, Linux, and Windows. This update contains security fixes. For more information, see the Chromium release notes.
• 2023.10.1.1: This release includes the introduction of user activity logging, and a number of other improvements.
• 2023.9.4: We have upgraded Burp's built-in browser to 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows. This update contains security fixes.
• 2023.9.3: This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
• 2023.9.2: This release upgrades Burp's built-in browser and fixes a bug when scanning GraphQL APIs.
• 2023.9.1: This release introduces new Repeater functionality based on the techniques discussed in James Kettle's talk "Smashing the State Machine: The True Potential of Web Race Conditions", first presented at Black Hat USA 2023. Repeater's new single-packet attack feature nullifies network jitter, enabling you to send multiple requests in parallel. These requests are synchronized to arrive within a very small time window, making it much simpler to test for race conditions.
• 2023.8.1: We have upgraded Burp's built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.
• 2023.7.3: We have upgraded Burp's built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

Result of nixpkgs-review run on x86_64-linux 1

1 package built:

• burpsuite

[AkechiShiro]

@Arcayr I believe that Playwright has some kind of embedded browser to be used as well and is packaged in Nixpkgs but I'm pretty sure it's not the same case as Burpsuite (it's not an embeded browser inside a .jar)

nixpkgs/pkgs/development/web/playwright/driver.nix

Line 102 in e87fc0b

browsers-linux = { withChromium ? true }: let

But, it might be helpful to give some ideas maybe.

[buckley310]

The embedded browser works for me. Has ever since #210155

[Arcayr]

The embedded browser works for me. Has ever since #210155

Weird, 3 systems here with none of them working. Do you mind showing the contents of your ~/.BurpSuite/burpbrowser? I'm interested to see if the bin/chrome in the latest version is wrapped in any way.

[buckley310]

Does not appear to be weapped in any way. burp runs in a FHSUserEnv which provides missing libraries.

You can test out my working setup with nixos-rebuild build-vm --flake github:buckley310/nixos-config#testbox
(The default password is just the username)

[Arcayr]

That helped me find the problem - it's actually in my personal overlay that I'm using to grab the Professional edition instead of the Community edition. The overlay is nuking the FHS environment's buildCommand. No changes needed on this side.

I'll bump the version to the latest upstream and mark the PR as RFR. Thanks @buckley310. :)

[AkechiShiro]

On my side, I'm on ArchLinux whether on X11 or Wayland, Burpsuite installed via nix (nix-build or nix-shell -p burpsuite) never launches, I always get an error at startup, says :

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true # 2 options I've probably set as an ENV variable for text antialiasing.
Could not start Burp: java.lang.Error: Cannot load com.sun.java.swing.plaf.gtk.GTKLookAndFeel

If you have any idea to what this could be related @Arcayr, I will try to reproduce under NixOS using Sway in a VM but I haven't had the time to experiment yet.

[Arcayr]

@AkechiShiro I can't replicate this on either this package or the pending burpsuite-pro package. If you can let me know how it goes on NixOS it may inform our path forward. I have a feeling this is due to it being "nix on arch" as opposed to "nix on nixos".

@buckley310 apologies for the ping, but as you're already across burp on nix, do you mind testing the above to confirm?

[AkechiShiro]

I fear that you are right @Arcayr I'm not sure exactly how to go around debugging this kinda of issue, maybe the Java installed on Arch is conflicting with the one used by BurpSuite

[buckley310]

I gave this PR a test and it works well.

I ran burp, launched the integrated browser, captured a bunch of traffic and tested some items in the repeater.

[Arcayr]

Cheers buckley. Happy to let this go forward and be merged now if acceptable.

[Arcayr]

nix discord recommended i roll this into this pr, so support for professional edition has been added as an argument:
(burpsuite.override { proVersion = true; })

i tried other methods but many of them clobber the fhsenv that is created, and i didn't want to go too heavy on obscure substitutions. ultimately the only thing that changes is the jarfile. everything else is the same - license activation happens at first-runtime.

confirmed that the argument swapping switches versions correctly on my install.

would supersede #168414, which would need updating anyway.

[AkechiShiro]

Following, the NixCon 2023, using nix-shell -p --pure burpsuite, makes BurpSuite work on any Linux distro using Nix, I believe I should document this workaround, should I create another PR ? @acairncross @RaitoBezarius

[RaitoBezarius]

This can be documented in the NixOS wiki, but I am not sure if it has any place in nixpkgs.

More generally, this seems to hint at the fact more purity is necessary in the wrapper or there's a polluting external environment in the non-NixOS system.

It is hardly actionable on our side unless the pollution in question can be isolated.

[AkechiShiro]

I will see if there is a way I can find out what is polluting the pureness of the impure nix-shell narrowing this down, I'll then try and PR a fix.

[Arcayr]

Bumps burpsuite from 2023.9.4 to 2023.10.1.1; the latest stable version.

• 2023.10.1.1: This release includes the introduction of user activity logging, and a number of other improvements.

9f19a00 contained invalid hashes due to an early adopter release also being published upstream.

Result of nixpkgs-review run on x86_64-linux 1

1 package built:

• burpsuite

[Arcayr]

stepech revoked their maintainership in the last 48h (#255533). The latest push is a rebase on top of those changes with their maintainership removed.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/1016/73

[Artturin]

Dropped the (clean) merge commit.

And did a name cleanup which required a rebase because the changes required were recently merged.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/1200

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/1200

[Arcayr]

1 package updated:
burpsuite (2023.7.2 → 2023.10.2.4)

Link to currently reviewing PR:
https://github.com/NixOS/nixpkgs/pull/251397

1 package built:
burpsuite

[bjornfor]

Why does this version bump commit revert the pname/version change from an earlier commit in this PR?

[Arcayr]

i... don't know actually. both of my local copies have the 'correct' version. i guess i rebased wrong somehow? force pushing shortly.

[Arcayr]

remedied in 6ce7f67.