
Payloads are not sent with the plugin #15

Closed
isrtest opened this issue Jan 21, 2022 · 10 comments

Comments

isrtest commented Jan 21, 2022

ENV

Burp: v2021.12.1

[screenshot log4j-8]

docker run --name vulnerable-app --rm -p 8000:8080 ghcr.io/christophetd/log4shell-vulnerable-app

Easy Scan

0 requests were sent.

[screenshots log4j-1 to log4j-4]

Scan from intruder

2 identical requests were sent. Neither has the payloads.

[screenshots log4j-5 to log4j-7]

v-p-b (Contributor) commented Jan 21, 2022

Does not conform to the issue template, closing.

v-p-b closed this as completed Jan 21, 2022

isrtest (Author) commented Jan 21, 2022

Hi there
I can't find the issue template. The rest of the issues don't seem to follow any pattern.
Did I miss anything? Thanks.

v-p-b (Contributor) commented Jan 22, 2022

When you click the New issue button there is a large Bug report box. When you click the Get started button you get a prefilled template with the desired structure.

While at it please do a test with another scanner extension and the extension-only config too so we can see if your problem is specific to this extension or related to your configuration!

isrtest (Author) commented Jan 22, 2022

Describe the bug
Payloads are not sent with the plugin.

To Reproduce - Easy Scan
Steps to reproduce the behavior:

  1. Start a vulnerable app
    docker run --name vulnerable-app --rm -p 8000:8080 ghcr.io/christophetd/log4shell-vulnerable-app
    
  2. Install Log4Shell Scanner in BApp Store
  3. Import Extension Only as per guidance in README
  4. Send a request to vul app
  5. Right-click on request panel under history tab - Select Scan - Open scan launcher
  6. Configuration - Select from Library - Extension Only
  7. 0 requests were sent.
  8. In Logger tab, no request was found.

To Reproduce - Initiate scan from Intruder
Steps to reproduce the behavior:

  1. Start a vulnerable app

    docker run --name vulnerable-app --rm -p 8000:8080 ghcr.io/christophetd/log4shell-vulnerable-app
    
  2. Install Log4Shell Scanner in BApp Store

    [screenshot log4j-8]

  3. Import Extension Only as per guidance in README

  4. Send a request to vul app

  5. Right-click on request panel under history tab - Send to Intruder

  6. Add injection points

  7. Right click on request panel under Intruder tab - Scan defined insertion point - Open scan launcher

  8. Configuration - Select from Library - Extension Only

  9. 2 requests were sent.

  10. In Logger Tab, 2 requests were found. But neither has the payload.

Expected behavior
The scanner should send out requests with payloads in injection points.

Screenshots

  1. Easy Scan
    [screenshots log4j-1 to log4j-4]

  2. Initiate Scan from Intruder
    [screenshots log4j-5 to log4j-7]

Environment (please complete the following information):

  • OS: Mac OS 11.6.2
  • Burp version: v2021.12.1

Additional context
No issues with Another Scanner

Sanity Check

  • I'm not trying to blindly scan random hosts without any configuration and wait for free money from their bug bounty programs.

v-p-b (Contributor) commented Jan 22, 2022

Thanks for the proper bug report, reopening!

v-p-b reopened this Jan 22, 2022

v-p-b (Contributor) commented Jan 22, 2022

So I don't see anything obviously wrong with your setup. The two requests are sent by the Scanner (but not the Extender!) by default.

I upgraded Burp to 2021.12.1 and couldn't repro the issue either.

Is there anything displayed on the Output and Errors tabs when you select Log4Shell Scanner in Extender?

isrtest (Author) commented Jan 23, 2022

Hi
I don't see any errors.
https://imgur.com/a/jq7j2Ly

v-p-b (Contributor) commented Jan 23, 2022

The Output and Errors tabs are not visible on either of the screenshots unfortunately, you should at least see a "Log4Shell scanner loaded" message in the Output.

Do you use the extension version from the BApp store?

Please select a request, where standard GET parameters are included (/?=nino does not contain a parameter name, /?foo=nino is better) and use the "Do Active Scan" option from the right click menu so a default scan configuration will run, then verify in Logger if any payloads containing the "jndi" string are sent out!

isrtest (Author) commented Jan 23, 2022

It turned out I have burp collaborator disabled in Project Options. After enabling it, I could now see the requests with payloads.

Currently, the plugin doesn't identify X-Api-Version as an injection point.

If I may, can I suggest updating the README with additional troubleshooting guidance?

  1. After loading the plugin, check if any errors in plugin tab. Extender - Burp Extension - Log4Shell Scanner - Error Tab.
  2. Ensure Burp Collaborator server option is on. Project Options - Misc - Burp Collaborator Server
  3. After a quick scan, visit logger tab to see if every injection point is scanned. If not, try to define the missing injection point, and launch the scan in Intruder Tab - Scan defined injection points

isrtest closed this as completed Jan 23, 2022

v-p-b (Contributor) commented Jan 23, 2022

Glad this got resolved! We will definitely consider adding a troubleshooting section somewhere, as this is not the first similar error we have to deal with!

As for detecting insertion points: this is done by Burp, and is beyond the control of simple scanner extensions, but can be controlled by insertion point providers, see: #3 (comment) .
