Submitting URLs for Active Scan does not work. #39

Closed
xeno6696 opened this issue Apr 26, 2018 · 2 comments

@xeno6696

I've traced the issue down to lines 158-164 in BurpService.java.

Specifically, you're iterating through items that were entered into the sitemap; however, this logic doesn't seem right. When initially submitting a URL to be spidered, you correctly add it to the scope; however, this does not also add it to the sitemap. This can't be done by the spidering code, so you'd likely have to extend the BurpExtender to also listen on proxy events in order to get items into the sitemap.

But this seems like you would have uncovered it in testing. I'm either missing a step in the use of this API or we shouldn't be relying on items in the sitemap to be submitted to the active scanner. Could someone here help me out?

@xeno6696
Author

xeno6696 commented May 3, 2018

On line 183 of BurpService.java, the URL that gets returned from the analyzeRequest() method appears to be forcefully appending the port #. I reconstructed the behavior with this unit test:

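    // Imports assumed: JUnit 4 and Apache HttpClient's URIBuilder.
    import static org.junit.Assert.assertEquals;
    import java.net.URI;
    import org.apache.http.client.utils.URIBuilder;
    import org.junit.Test;

    public class StartsWithTest {
        @Test
        public void testStartsWith() throws Exception {
            String foo = "https://j2ee.dev.rms.ray.com/reference";
            URIBuilder urib = new URIBuilder(foo);
            urib.setPort(443);

            URI uri = urib.build();
            // externalForm keeps the explicit port (":443"), so foo does not start with it
            String externalForm = uri.toURL().toExternalForm();
            assertEquals(true, foo.startsWith(externalForm));
        }
    }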

So at some point in Burp code, we’re explicitly setting the port number when we prepare to return the URL back via the BurpExtender.getCallbacks().analyzeRequest() method. I've contacted PortSwigger support with a more detailed description of this bug, but the end result is that the logic here in BurpService.java is going to cause difficulties as the version of the URL stored in the "in scope sitemap" isn't going to align with the "baseUrl" that is being referenced here.
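An added example, not taken from this issue, the project, or pull request #40: one way to make a `startsWith` scope comparison tolerate the explicit default port described above is to normalize both URLs before comparing. The class and method names are hypothetical, and the `:8443` URL is a constructed sample.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Locale;

// Added illustration; UrlPrefixMatch and its methods are hypothetical names.
public class UrlPrefixMatch {

    // Rebuild the URL, omitting the port when it is absent or equals the
    // default for the scheme (80 for http, 443 for https).
    static String normalize(String spec) throws MalformedURLException {
        URL u = URI.create(spec).toURL();
        int port = u.getPort();                          // -1 when no port is written
        boolean dropPort = port == -1 || port == u.getDefaultPort();
        String authority = u.getHost().toLowerCase(Locale.ROOT)
                + (dropPort ? "" : ":" + port);
        // getFile() is the path plus the query string, if any.
        return u.getProtocol().toLowerCase(Locale.ROOT) + "://" + authority + u.getFile();
    }

    // Prefix comparison on the normalized forms instead of the raw strings.
    static boolean startsWithNormalized(String candidate, String baseUrl)
            throws MalformedURLException {
        return normalize(candidate).startsWith(normalize(baseUrl));
    }

    public static void main(String[] args) throws MalformedURLException {
        String baseUrl = "https://j2ee.dev.rms.ray.com/reference";        // URL from the issue
        String withPort = "https://j2ee.dev.rms.ray.com:443/reference";   // same URL, explicit default port
        String otherPort = "https://j2ee.dev.rms.ray.com:8443/reference"; // constructed: non-default port

        System.out.println("raw startsWith, explicit :443     -> "
                + withPort.startsWith(baseUrl));
        System.out.println("normalized, explicit :443         -> "
                + startsWithNormalized(withPort, baseUrl));
        System.out.println("normalized, non-default port 8443 -> "
                + startsWithNormalized(otherPort, baseUrl));
    }
}
```

A non-default port is kept in the normalized form, so a service on another port of the same host is not treated as matching the base URL.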

@xeno6696
Author

Pull request #40 resolves this problem.
