Migrate to 0.6.5 by default #15
Comments
I have identified an error with the burp binary path, but after changing it I got:
|
Maybe it is something incompatible with the currently tested burp version?
|
could be related to this? |
confirmed, if I use 0.6.5 with burp previous to 2.2.12 it breaks. |
just adding notification to @deajan because I have started this conversation in another issue from burpui issue. |
Hello, The main issue is here: I thought I had published a fix for this problem (by silently ignoring this failure), but maybe I only fixed the master branch and not the stable one. |
FYI, I have checked and this is indeed fixed in master :-/ The workaround here is to have your burp-server running prior to running your agent/burp-ui server. |
Looks like something changed on burp 2.2.18 or my changes in the role changed something with the bin paths for burp:
which burp
/usr/local/sbin/burp
root@ansible_test-01:/# which vss_strip
/usr/local/bin/vss_strip
I have performed a fix for that. But still getting error with burp-ui 0.6.5 even with upgraded roles and using burp 2.2.18
|
Something has been broken since 0.6.2, as I have tested all versions and now I only get it to work with 0.6.1:
root@ansible_test-01:/# pip install -U burp-ui==0.6.1
root@ansible_test-01:/# burp-ui -c /etc/burp/burpui.cfg -v
* Serving Flask app "burpui.cli"
* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
What should I do? I don't understand exactly what's going on here, I have upgraded burp server, all the configs, the listen directives, etc, etc. |
The server is running, if I get the vars from pdb.set_trace():
|
Config
# Burp-UI configuration file
# @version@ - 0.6.0
# @release@ - stable
[Global]
# burp server version 1 or 2
version = 2
# Handle multiple bui-servers or not
# If set to 'false', you will need to declare at least one 'Agent' section (see
# bellow)
single = true
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth = none"
# you can also chain multiple backends. Example: "auth = ldap,basic"
# the order will be respected unless you manually set a higher backend priority
auth = basic
# acl plugin
# list misc/acl directory to see the available backends
# default is no ACL
acl = basic
# You can change the prefix if you are behind a reverse-proxy under a custom
# root path. For example: /burpui
# You can also configure your reverse-proxy to announce the prefix through the
# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
# favour of the one announced by your reverse-proxy
prefix = none
plugins = none
[UI]
# refresh interval of the pages in seconds
refresh = 180
# refresh interval of the live-monitoring page in seconds
liverefresh = 60
[Production]
# storage backend for session and cache
# may be either 'default' or 'redis'
storage = redis
# session database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/0
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
session = redis://localhost:6379/0
# cache database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/1
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
cache = redis
# redis server to connect to
redis = localhost:6379
# whether to use celery or not
# may also be a broker url like: redis://localhost:6379/0
# if set to "true", the broker url defaults to:
# redis://<redis_host>:<redis_port>/2
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
celery = true
# database url to store some persistent data
# none or a connect string supported by SQLAlchemy:
# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
# example: sqlite:////var/lib/burpui/store.db
database = sqlite:////var/spool/burpui/celery.db
# whether to rate limit the API or not
# may also be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/3
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# Note: the limiter only applies to the API routes
limiter = False
# limiter ratio
# see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string
ratio = 60/minute
[Security]
## This section contains some security options. Make sure you understand the
## security implications before changing these.
# list of 'root' paths allowed when sourcing files in the configuration.
# Set this to 'none' if you don't want any restrictions, keeping in mind this
# can lead to accessing sensible files. Defaults to '/etc/burp'.
# Note: you can have several paths separated by comas.
# Example: /etc/burp,/etc/burp.d
includes = /etc/burp
# if files already included in config do not respect the above restriction, we
# prune them
enforce = false
# enable certificates revocation
revoke = true
# remember_cookie duration in days
cookietime = 14
# whether to use a secure cookie for https or not. If set to false, cookies
# won't have the 'secure' flag.
# This setting is only useful when HTTPS is detected
scookie = true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret = ChangeYourSecretapp
## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket
[WebSocket]
## This section contains WebSocket server specific options.
# whether to enable websocket or not
enabled = true
# whether to embed the websocket server or not
# if set to "true", you should have only *one* gunicorn worker
# see here for details:
# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server
embedded = false
# what broker to use to interact between websocket servers
# may be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/4
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# set this to none to disable the broker
broker = redis
# if you choose to run a dedicated websocket server (with embedded = false)
# you can specify here the websocket url. You'll need to double quote your
# string though.
# example:
# url = "document.domain + ':5001'"
url = none
# whether to enable verbose websocket server logs or not (for development)
debug = false
[Experimental]
## This section contains some experimental features that have not been deeply
## tested yet
# enable zip64 feature. Python doc says:
# « ZIP64 extensions are disabled by default because the default zip and unzip
# commands on Unix (the InfoZIP utilities) don’t support these extensions. »
zip64 = false
## burp specific options
[Burp]
# burp status address (can only be '127.0.0.1' or '::1')
bhost = ::1
# burp status port
bport = 4972
## burp binary
burpbin = /usr/local/sbin/burp
## vss_strip binary
stripbin = /usr/local/bin/vss_strip
## burp client configuration file used for the restoration (Default: None)
bconfcli = /etc/burp/burp.conf
## burp server configuration file used for the setting page
bconfsrv = /etc/burp/burp-server.conf
## temporary directory to use for restoration
tmpdir = /tmp
## how many time to wait for the monitor to answer (in seconds)
timeout = 60
# since burp-2.1.10, timestamps have local offsets, if we detect a burp-server
# version greater than 2.1.10 we'll suppose every backup was made with that
# version. If this is not the case, you may end-up with wrongly computed backup
# dates in the clients overview. For that reason, you can enable the
# 'deep_inspection' option which will check every backup logs in order to
# find out which server version was used.
# The drawback is this process requires some extra work that may slow-down
# burp-ui.
deep_inspection = true |
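An added example, not part of the thread or of burp-ui's own code: a small Python check that reads the option names documented in the configuration posted above and reports the settings its comments warn about. The sample file is constructed, and treating `ChangeYourSecretapp` as a placeholder secret is an assumption of this example.

```python
import configparser

# Constructed excerpt; option names are those of the burpui.cfg posted above.
SAMPLE_CFG = """
[Global]
auth = basic
[Production]
limiter = False
[Security]
includes = /etc/burp
scookie = true
appsecret = ChangeYourSecretapp
"""

# Assumption: values this check treats as a placeholder or missing secret.
PLACEHOLDER_SECRETS = {"changeyoursecretapp", "none", ""}


def audit_burpui_cfg(text, behind_gunicorn=True):
    """Return (section, option, finding) tuples for risky settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)

    def value(section, option, default=""):
        return cfg.get(section, option, fallback=default).strip().lower()

    findings = []
    if value("Global", "auth") == "none":
        findings.append(("Global", "auth", "authentication is disabled"))
    # The config comments give 'random' as the default when nothing is set.
    secret = value("Security", "appsecret", "random")
    if secret in PLACEHOLDER_SECRETS:
        findings.append(("Security", "appsecret", "placeholder or empty secret"))
    elif secret == "random" and behind_gunicorn:
        findings.append(("Security", "appsecret", "'random' cannot be used with gunicorn"))
    if value("Security", "includes", "/etc/burp") == "none":
        findings.append(("Security", "includes", "no restriction on sourced files"))
    if value("Security", "scookie") == "false":
        findings.append(("Security", "scookie", "cookies lack the 'secure' flag"))
    if value("Production", "limiter") == "false":
        findings.append(("Production", "limiter", "API rate limiting is off"))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_burpui_cfg(SAMPLE_CFG):
        print(f"[{section}] {option}: {finding}")
```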
I will build new stable packages (0.6.6) but won't publish them on pypi.org yet (I'll wait for your tests). |
Yes, of course! |
here it is! |
running! Currently I will test directly the stable branch from git :) and if I can't, will use the tar.gz generated. To do it I'm just changing these vars during my tests:
from default:
To running tests:
burpui_pip_burpui_dev: "git+https://git.ziirish.me/ziirish/burp-ui.git#egg=burp-ui"
burpui_version_dev: stable
burpui_use_dev: True |
An important note: I'm testing the server, not only the agent. |
Finally got correct test, and the gunicorn started fine but web is not working. Then if I start with
root@ansible_test-01:/# burp-ui -c /etc/burp/burpui.cfg -v
* Serving Flask app "burpui.cli"
* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
127.0.0.1 - - [01/Apr/2019 21:40:17] "GET / HTTP/1.0" 302 -
[2019-04-01 21:40:17,789] ERROR in app.log_exception: Exception on /login [GET]
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.5/dist-packages/flask_restplus/api.py", line 557, in error_router
return original_handler(e)
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 33, in reraise
raise value
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python3.5/dist-packages/burpui/routes.py", line 523, in login
return render_template('login.html', form=form, login=True)
File "/usr/local/lib/python3.5/dist-packages/flask/templating.py", line 134, in render_template
context, ctx.app)
File "/usr/local/lib/python3.5/dist-packages/flask/templating.py", line 116, in _render
rv = template.render(context)
File "/usr/local/lib/python3.5/dist-packages/jinja2/environment.py", line 1008, in render
return self.environment.handle_exception(exc_info, True)
File "/usr/local/lib/python3.5/dist-packages/jinja2/environment.py", line 780, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.5/dist-packages/jinja2/_compat.py", line 37, in reraise
raise value.with_traceback(tb)
File "/usr/local/lib/python3.5/dist-packages/burpui/templates/login.html", line 2, in top-level template code
{% import 'macros.html' as macros %}
File "/usr/local/lib/python3.5/dist-packages/burpui/templates/layout.html", line 16, in top-level template code
<link href="{{ url_for('bower.static', filename='bootswatch/slate/bootstrap.min.css') }}" rel="stylesheet">
File "/usr/local/lib/python3.5/dist-packages/flask_bower/__init__.py", line 53, in replaced_url_for
return url_for(endpoint, filename=filename, **values)
File "/usr/local/lib/python3.5/dist-packages/flask/helpers.py", line 333, in url_for
return appctx.app.handle_url_build_error(error, endpoint, values)
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1805, in handle_url_build_error
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 32, in reraise
raise value.with_traceback(tb)
File "/usr/local/lib/python3.5/dist-packages/flask/helpers.py", line 323, in url_for
force_external=external)
File "/usr/local/lib/python3.5/dist-packages/werkzeug/routing.py", line 1776, in build
raise BuildError(endpoint, values, method, self)
werkzeug.routing.BuildError: Could not build url for endpoint 'bower.static' with values ['filename']. Did you mean 'static' instead?
127.0.0.1 - - [01/Apr/2019 21:40:17] "GET /login?next=%2F HTTP/1.0" 500 - |
from pip freeze: Werkzeug==0.14.1 |
Finally the changes added will help to test burp-ui stable branch, but still the same error as above appears. Branch test/stable is the one in testing with burp-ui stable branch. https://travis-ci.org/CoffeeITWorks/ansible_burpui_server/branches Main difference from installing from pypi: it will install directly from the .tar.gz instead of installing from multiple pypi package calls: |
The bower error you see is because the js/css dependencies are not stored in the burp-ui repo but are stored instead in the burp-ui-externals repo which is linked as a subrepo inside burpui/static/vendor. Do you want me to provide you with the 0.6.6 package? Note: An incompatibility issue with python 3.7+ has been raised against the current stable version of burp-ui, so I may ship this additional fix before officially releasing 0.6.6. |
I think that could be the reason why I was testing with git+https://... link before on git install and not with tar.gz file directly. Ok, I think it's fine to release 0.6.6 as looks better than 0.6.2-0.6.5. I will try to also test the stable branch with git+https with pip install. |
Confirmed, you can go ahead with 0.6.6 package. |
Thanks for your tests! 👍 I'll let you know when I have implemented the pending changes on the 0.6 branch. So far they are:
|
After resolving some issues with ubuntu tests (due to some temporary problem with their repositories) and some other fixes with cryptography library, I have a successful test on travis: https://travis-ci.org/CoffeeITWorks/ansible_burpui_server/builds/514852601 Also enabled a daily run on travis to test the burpui stable branch with this role: Now only waiting for 0.6.6 for release, and I'm planning to add more of these cron jobs for other branches to test, also to test development (master) branch of burp with ansible-burp2-role. |
Hi @ziirish
Do you see anything known here?
Looks like since I'm trying to use burpui server on python3 I'm not able to pass the tests
https://travis-ci.org/CoffeeITWorks/ansible_burpui_server/builds
But I'm not completely sure what is the main difference from previous deploys...
My config file for burpui is:
https://github.com/CoffeeITWorks/ansible_burpui_server/blob/develop/templates/burpui.cfg.j2
and the vars are those in defaults/main.yml
I'm checking what's going on here still.
burpui-agent deploys worked perfectly.