Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exception during "Guess Headers" #55

Open
electroxero opened this issue Jun 2, 2021 · 0 comments
Open

Exception during "Guess Headers" #55

electroxero opened this issue Jun 2, 2021 · 0 comments

Comments

@electroxero
Copy link

Description

I'm testing a website vulnerable to Web Cache Poisoning.
The target is behind Akamai and the cache implementation is handled by Akamai (I can get the cache key with “Pragma: akamai-x-get-cache-key”).
During a "Guess Headers" scan the extension throw and exception

Burp Suite Professional Version: v2021.6-8007
Param Miner Version: v1.28

Cannot read the array length because "request" is null

 burp.Utilities.getHeaderOffsets(Utilities.java:961)
java.lang.NullPointerException: Cannot read the array length because "request" is null
                at burp.Utilities.getHeaderOffsets(Utilities.java:961)
                at burp.ParamGuesser.canSeeCache(ParamGuesser.java:595)
                at burp.ParamGuesser.guessParams(ParamGuesser.java:259)
                at burp.ParamGuesser.run(ParamGuesser.java:77)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
                at java.base/java.lang.Thread.run(Thread.java:832)

Step to reproduce

Baseline Request (I have tried also with HTTP/1.0 and HTTP/1.1:

GET /playsets HTTP/2
Host: website.host.local

The response is pretty standard but when I add this header: Proxy-connection burp shows me this error:
image

Launching param miner against this URL, when It will try to inject this header in the request, it will throw an exception and it will block itself.

If you try to inject the same header inside an original Akamai request you will obtain the same result:

GET / HTTP/1.1
Host: www.akamai.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Connection: close
proxy-connection: kkk

image

This is the extension log

Using albinowaxUtils v0.22
Loaded Param Miner v1.28
    CACHE_ONLY false
Updating active thread pool size to 8
Queued 1 attacks
Initiating header bruteforce on www.akamai.com
Identified parameter on www.akamai.com: origin~https://%s.%h
Identified parameter on www.akamai.com: proxy-connection
Attack aborted by exception
Error in thread: Cannot read the array length because "request" is null. See error pane for stack trace.

And the stack trace:

Cannot read the array length because "request" is null
 
burp.Utilities.getHeaderOffsets(Utilities.java:961)
java.lang.NullPointerException: Cannot read the array length because "request" is null
                at burp.Utilities.getHeaderOffsets(Utilities.java:961)
                at burp.ParamGuesser.canSeeCache(ParamGuesser.java:595)
                at burp.ParamGuesser.guessParams(ParamGuesser.java:259)
                at burp.ParamGuesser.run(ParamGuesser.java:77)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
                at java.base/java.lang.Thread.run(Thread.java:832)

Additional Info

If you need further details or debugging, don't hesitate to contact me on Twitter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@electroxero