Burp API Access
139 views
Skip to first unread message
John Woods
Oct 9, 2014, 3:23:51 PM10/9/14
to thre...@googlegroups.com
So I got it running on a Tomcat server. I got the plugin in burp, I got a scan done, I pointed the export to it and gave it a proper API, and it came back with a list of the applications and tries to upload the scan, but gets a 500 error. I'm so freaking close! Here is what I see in the catalina.out file when I try it:
INFO [http-bio-8443-exec-6] ApplicationRestController.uploadScan(232) | Received REST request to upload a scan to application 2.
INFO [http-bio-8443-exec-6] ApplicationRestController.checkKey(86) | API key with ID: 1 authenticated successfully on path: /rest/applications/2/upload for methodName: uploadScan
INFO [http-bio-8443-exec-6] BurpSuiteChannelImporter.testSAXInput(709) | Scan status: Valid Scan file.
INFO [http-bio-8443-exec-6] ScanMergeService.processScanFile(226) | Processing file scan-file-1-9 on channel Burp Suite.
INFO [http-bio-8443-exec-6] ScanMergerImpl.merge(58) | The Burp Suite import was successful and found 189 findings.
INFO [http-bio-8443-exec-6] PathGuesser.generateGuesses(43) | Starting HAM-based url and file path calculations.
INFO [http-bio-8443-exec-6] FindingProcessorFactory.getProcessor(53) | Determining proper FindingProcesser implementation for application Corp and new scan.
INFO [http-bio-8443-exec-6] FindingProcessorFactory.getRootFile(126) | Successfully found GitService.
INFO [http-bio-8443-exec-6] FindingProcessorFactory.getFrameworkType(159) | Initial frameworkType was DETECT
INFO [http-bio-8443-exec-6] FindingProcessorFactory.getFrameworkType(176) | Final frameworkType was NONE
INFO [http-bio-8443-exec-6] FindingProcessorFactory.getProcessor(72) | Got no source code access. Returning NoSourceFindingProcessor.
INFO [http-bio-8443-exec-6] NoSourceFindingProcessor.<init>(50) | NoSourceFindingProcessor with cleaner = [PathCleaner dynamicRoot=, staticRoot=null]
INFO [http-bio-8443-exec-6] ChannelMerger.performMerge(85) | Starting Application Channel-wide merging process with 189 findings.
INFO [http-bio-8443-exec-6] ChannelMerger.performMerge(90) | After filtering out duplicate native IDs, there are 189 findings.
WARN [http-bio-8443-exec-6] LoadContexts.cleanup(132) | fail-safe cleanup (collections) : org.hibernate.engine.loading.CollectionLoadContext@6f90a386<rs=com.mysql.jdbc.JDBC4ResultSet@48950383>
WARN [http-bio-8443-exec-6] CollectionLoadContext.cleanup(348) | On CollectionLoadContext#cleanup, localLoadingCollectionKeys contained [1] entries
A DB issue maybe? Anyone know what the deal is?
John Woods
Oct 10, 2014, 3:25:56 PM10/10/14
to thre...@googlegroups.com
Since I was forcing SSL I turned that off for a bit and tested this without SSL, same exact issue. I'm using the 2.1 version, Debian, my own Tomcat install with MySQL. I set it up so it is using the root account for MySQL (bad idea but testing is testing). So there is no MySQL rights issues. The API seems to work but for some reason fails to load the data using the Burp plugin. I think the second to last line below is the issue but I don't know enough about the app to know what that is or why. Maybe I ran into a bug with 2.1?
Bob Rich
Oct 11, 2014, 4:16:35 AM10/11/14
to thre...@googlegroups.com
It says it found 189 findings for application Corp so it seems to be getting past the parsing. Have you taken a look at the database to see if anything has been persisted?
John Woods
Oct 13, 2014, 4:14:51 PM10/13/14
to thre...@googlegroups.com
Well that is interesting. I don't know the DB well. But I do see 183 roles that map to findings of this scan in the Vulnerability table. I see nothing in the Scan table. I went to the website and the 183 (not sure why 183 not 189) items are there! I have no idea why, I didn't touch it for days. I'm totally confused now, I will try another one soon and see what happens.
Dan Cornell
Oct 13, 2014, 4:17:50 PM10/13/14
to thre...@googlegroups.com, Dan Cornell
Well that is interesting. I don't know the DB well. But I do see 183 roles that map to findings of this scan in the Vulnerability table. I see nothing in the Scan table. I went to the website and the 183 (not sure why 183 not 189) items are there! I have no idea why, I didn't touch it for days. I'm totally confused now, I will try another one soon and see what happens.
This is a little out of date, but here is a DB diagram of the vulnerability format:
It is very interesting that you didn't see any rows in the Scan table because that should be required before you can insert Finding records (I think). And
all of that should be happening behind the scenes during the import/merge process.
Please try another scan/upload. Love to hear the results.
Thanks,
Dan
John Woods
Oct 13, 2014, 4:25:08 PM10/13/14
to thre...@googlegroups.com, d...@denimgroup.com
Thank you! I'll scan another site and try it again. I found why the numbers don't match, 6 of them aren't mapped, they are newer DOM issues. I tried to map them to a CWE but it appears I can't just make a CWE up and I don't know what that is or where they are so I'm not sure how to map them yet. Something to figure out while the next site scans I guess. The site looks pretty cool with data in it. :-D
Dan Cornell
Oct 13, 2014, 4:27:13 PM10/13/14
to John Woods, thre...@googlegroups.com, Dan Cornell
Thank you! I'll scan another site and try it again. I found why the numbers don't match, 6 of them aren't mapped, they are newer DOM issues. I tried to map them to a CWE but it appears I can't just make a CWE up and I don't know what that is or where they are so I'm not sure how to map them yet. Something to figure out while the next site scans I guess. The site looks pretty cool with data in it. :-D
Excellent!
If you can send along the names of the vulnerability types we can get a ticket filed to create mappings and update the importer. We should be pretty up to date on the version of CWE that ThreadFix maps stuff to.
Thanks,
Dan
John Woods
Oct 13, 2014, 4:29:02 PM10/13/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
The application may be vulnerable to DOM-based open redirection.
Scanner Vulnerability 5243152
Dan Cornell
Oct 13, 2014, 4:38:39 PM10/13/14
to John Woods, thre...@googlegroups.com, Dan Cornell
The application may be vulnerable to DOM-based open redirection.Scanner Vulnerability 5243152
That probably most closely maps to:
I'll submit a ticket so we can get the mainline importer updated.
Thanks,
Dan
John Woods
Oct 14, 2014, 2:53:53 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
I'm going nuts, still get a 500 error. I tried turning SSL off again, that was something I tested before and I thought maybe that was it and I didn't notice it worked before. I'm still getting a 500 error in Burp. Here is what I get in catalina.out:
INFO [http-bio-8080-exec-7] PluginRestController.checkKey(86) | API key with ID: 1 authenticated successfully on path: /rest/code/applications for methodName: markers
INFO [http-bio-8080-exec-9] ApplicationRestController.uploadScan(232) | Received REST request to upload a scan to application 3.
INFO [http-bio-8080-exec-9] ApplicationRestController.checkKey(86) | API key with ID: 1 authenticated successfully on path: /rest/applications/3/upload for methodName: uploadScan
INFO [http-bio-8080-exec-9] BurpSuiteChannelImporter.testSAXInput(709) | Scan status: Valid Scan file.
INFO [http-bio-8080-exec-9] ScanMergeService.processScanFile(226) | Processing file scan-file-2-8 on channel Burp Suite.
Nothing bad, but no new data in the DB that I can see. I see the 500 error in the local access logs but it does't say why. I see no warnings like last time. Could this be a 2.1 bug?
Dan Cornell
Oct 14, 2014, 2:58:29 PM10/14/14
to John Woods, thre...@googlegroups.com, Dan Cornell
I'm going nuts, still get a 500 error. I tried turning SSL off again, that was something I tested before and I thought maybe that was it and I didn't notice it worked before. I'm still getting a 500 error in Burp. Here is what I get in catalina.out:INFO [http-bio-8080-exec-7] PluginRestController.checkKey(86) | API key with ID: 1 authenticated successfully on path: /rest/code/applications for methodName: markersINFO [http-bio-8080-exec-9] ApplicationRestController.uploadScan(232) | Received REST request to upload a scan to application 3.INFO [http-bio-8080-exec-9] ApplicationRestController.checkKey(86) | API key with ID: 1 authenticated successfully on path: /rest/applications/3/upload for methodName: uploadScanINFO [http-bio-8080-exec-9] BurpSuiteChannelImporter.testSAXInput(709) | Scan status: Valid Scan file.INFO [http-bio-8080-exec-9] ScanMergeService.processScanFile(226) | Processing file scan-file-2-8 on channel Burp Suite.
Nothing bad, but no new data in the DB that I can see. I see the 500 error in the local access logs but it does't say why. I see no warnings like last time. Could this be a 2.1 bug?
Hrm. . .
If you check the app-level error logs do you see any entries? You can access those by going to the gear at the upper-right of the screen and selecting the View Error Logs option:
Thanks,
Dan
John Woods
Oct 14, 2014, 3:02:42 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
Oct 13, 2014 -- bdfa066e-b005-497f-a2bb-942e41c2c382 -- IllegalArgumentException
Oct 13, 2014 -- 5ba3186a-edc8-4d3f-808f-27741f9b9893 -- NullPointerException
Oct 7, 2014 -- 30abf865-9912-438e-9cc3-300c05f5ce35 -- RestIOException
That is what I see. The server knows it is 10/14 so two are from yesterday. I think I made those picking random stuff for the mapping of the Dom findings just to see what would happen.
Dan Cornell
Oct 14, 2014, 3:17:10 PM10/14/14
to John Woods, thre...@googlegroups.com, Dan Cornell
If you click on those you should get stack traces. Could you send those along?
Thanks
Dan
Sent from my iPhone
John Woods
Oct 14, 2014, 3:40:24 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
I can't but I don't think they mean anything. But I have to get back in now. I tried downgrading to 2.0.1 wondering if using the beta was killing me. Now I can't login. Maybe something changed with how it hashes passwords? I see the accounts and password hashes in the DB still but nothing works. If this tool didn't look so good I would have given up by now. My lord.
John Woods
Oct 14, 2014, 3:48:55 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
Oh duh, the DB access changes, I forgot, looking that up again.
John Woods
Oct 14, 2014, 4:02:03 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
I downgraded, same results other than it seems slower. I did somehow generate a new error:
10/14/14 2:57:07 PM -- 41be0247-fd03-43d6-b7f9-81b39b9ca9f8 -- NullPointerException
10/13/14 3:12:59 PM -- 5ba3186a-edc8-4d3f-808f-27741f9b9893 -- NullPointerException
java.lang.NullPointerException at net.sf.jasperreports.repo.DefaultRepositoryService.revertContext(DefaultRepositoryService.java:91) at net.sf.jasperreports.repo.RepositoryUtil.revertRepositoryContext(RepositoryUtil.java:114) at net.sf.jasperreports.engine.fill.JRBaseFiller.fill(JRBaseFiller.java:871) at net.sf.jasperreports.engine.fill.JRFiller.fillReport(JRFiller.java:118) at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:435) at com.denimgroup.threadfix.service.report.ReportsServiceImpl.getReport(ReportsServiceImpl.java:232) at com.denimgroup.threadfix.service.report.ReportsServiceImpl.generateReport(ReportsServiceImpl.java:121) at com.denimgroup.threadfix.webapp.controller.DashboardController.report(DashboardController.java:123) at com.denimgroup.threadfix.webapp.controller.DashboardController.rightReport(DashboardController.java:105) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:100) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:604) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:565) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789) at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:690) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:477) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:402) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329) at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:251) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.ClickjackHeaderFilter.doFilter(ClickjackHeaderFilter.java:42) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:65) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)
10/13/14 3:17:31 PM -- bdfa066e-b005-497f-a2bb-942e41c2c382 -- IllegalArgumentExceptionjava.lang.IllegalArgumentException: Invalid Generic Vulnerability ID: DOM-based open redirection at com.denimgroup.threadfix.service.ChannelVulnerabilityServiceImpl.createMapping(ChannelVulnerabilityServiceImpl.java:74) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96) at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy116.createMapping(Unknown Source) at com.denimgroup.threadfix.webapp.controller.ScannerMappingUpdateController.addMappings(ScannerMappingUpdateController.java:50) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:855) at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:690) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:477) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:402) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329) at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:232) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:241) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.ClickjackHeaderFilter.doFilter(ClickjackHeaderFilter.java:42) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.EnterpriseFilter.doFilter(EnterpriseFilter.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.CacheBustFilter.doFilter(CacheBustFilter.java:67) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)
java.lang.NullPointerException at net.sf.jasperreports.repo.DefaultRepositoryService.revertContext(DefaultRepositoryService.java:91) at net.sf.jasperreports.repo.RepositoryUtil.revertRepositoryContext(RepositoryUtil.java:114) at net.sf.jasperreports.engine.fill.JRBaseFiller.fill(JRBaseFiller.java:871) at net.sf.jasperreports.engine.fill.JRFiller.fillReport(JRFiller.java:118) at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:435) at com.denimgroup.threadfix.service.report.ReportsServiceImpl.getReport(ReportsServiceImpl.java:236) at com.denimgroup.threadfix.service.report.ReportsServiceImpl.generateReport(ReportsServiceImpl.java:123) at com.denimgroup.threadfix.webapp.controller.DashboardController.report(DashboardController.java:123) at com.denimgroup.threadfix.webapp.controller.DashboardController.rightReport(DashboardController.java:105) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:690) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:477) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:402) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329) at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:232) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:241) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.ClickjackHeaderFilter.doFilter(ClickjackHeaderFilter.java:42) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:65) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.EnterpriseFilter.doFilter(EnterpriseFilter.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.denimgroup.threadfix.webapp.filter.CacheBustFilter.doFilter(CacheBustFilter.java:67) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)
Dan Cornell
Oct 14, 2014, 4:14:41 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, Dan Cornell
I downgraded, same results other than it seems slower. I did somehow generate a new error:
That IllegalArgumentException is interesting. It looks like the import service is choking on the unknown generic vulnerability type and throwing an exception rather than the intended behavior of creating an unmapped finding for that particular entry. I
wonder if the Burp file format changed when they added the static analysis to find the DOM-based vulns. Or perhaps the file is being handled differently because it is coming in via the Burp plugin versus a normal file upload. That shouldn't be the case, but
. . . We also shouldn't be seeing this exception thrown.
Lemme run that down with our engineers.
Thanks,
Dan
John Woods
Oct 14, 2014, 4:28:17 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
Ah, should I be able to upload .burp exports? I couldn't and I thought I had to use the plugin. If a typical burp export can be uploaded than there is some new finding screwing things up because I can't upload one either.
John Woods
Oct 14, 2014, 4:42:28 PM10/14/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
This is what happens when I try to upload a burp scanner export:
NFO [http-bio-8080-exec-7] BurpSuiteChannelImporter.testSAXInput(633) | Scan status: Valid Scan file.
INFO [http-bio-8080-exec-7] QueueSenderImpl.addScanToQueue(103) | User infosec is adding a scan to the queue with the file name scan-file-2-14.
INFO [QueueListener-1] QueueListener.processScanRequest(265) | User infosec added a Burp Suite scan to the Application MRT (filename scan-file-2-14).
INFO [QueueListener-1] ScanMergeService.processScanFile(226) | Processing file scan-file-2-14 on channel Burp Suite.
INFO [http-bio-8080-exec-6] ScanRefreshController.uploadIndex(61) | Hit scan refresh controller.
WARN [QueueListener-1] QueueListener.processScanRequest(278) | Encountered out of memory error. Closing job status and rethrowing exception.
java.lang.OutOfMemoryError: Java heap space
INFO [QueueListener-1] QueueListener.processScanRequest(296) | The Burp Suite scan from User infosec on Application MRT (filename scan-file-2-14) did not complete successfully.
WARN [QueueListener-1] DefaultMessageListenerContainer.invokeErrorHandler(696) | Execution of JMS message listener failed, and no ErrorHandler has been set.
java.lang.OutOfMemoryError: Java heap space
John Woods
Oct 14, 2014, 4:54:06 PM10/14/14
to thre...@googlegroups.com, d...@denimgroup.com
Holy crap! I added more memory to tomcat editing the /etc/default/tomcat7 file and it worked! File upload worked. I think something Burp did is messing up the plugin, but being able to upload files works well enough for me.
Dan Cornell
Oct 14, 2014, 5:09:17 PM10/14/14
to John Woods, thre...@googlegroups.com, Dan Cornell
Holy crap! I added more memory to tomcat editing the /etc/default/tomcat7 file and it worked! File upload worked. I think something Burp did is messing up the plugin, but being able to upload files works well enough for me.
Ok so at least you have a workaround for now. We've upgraded the version of Burp that we're using internally for testing and will work to see if we can replicate (and fix) the problems you had using the plugin. We've added two new bugs to GitHub that should
make it easier to prevent and/or diagnose the issues you've run into so far:
Also you may want to retry the upload from the Burp plugin – the memory condition might have caused similar behavior to the problems you were seeing a couple of minutes ago with the manual upload.
Really appreciate you working with us on this.
Thanks,
Dan
John Woods
Oct 15, 2014, 1:39:42 PM10/15/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
That did it, the plugin worked. At least on another site that doesn't have those new DOM issues, I didn't retest that. So to get this working on Debian what I had to do was:
Install Debian's Tomcat7 and MySQL (no idea why the default pack doesn't work on Debian but it doesn't at all)
Put the war file found in the Threadfix/tomcat/webapps fir in the zip to /var/lib/tomcat7/webapps dir (that seems to auto deploy it, otherwise go to the manager page and deploy the app pointing to the war file on your system where ever it is and giving it the context of /threadfix, I think the /threadfix is hard coded in some places picking a different name didn't work out so well for me to stick to that one)
Follow the MySQL directions https://code.google.com/p/threadfix/wiki/UsingMySQL (which are not step by step and requires some MySQL googling if you don't know it)
Edit the /etc/defaults/tomcat7 file and replace JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC" with JAVA_OPTS="-Djava.awt.headless=true -Xms512m -Xmx1024m -XX:+UseConcMarkSweepGC"
Restart tomcat /etc/init.d/tomcat7 start
John Woods
Oct 15, 2014, 1:41:36 PM10/15/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
I noticed the typos after I post of course the last line is restart not start at the end and I give up on the other typos.
Dan Cornell
Oct 16, 2014, 12:30:11 PM10/16/14
to thre...@googlegroups.com, zenba...@gmail.com, d...@denimgroup.com
That's great stuff - thanks for writing it up. We'll get that info into a GitHub wiki page. Also we'll take a pass over the MySQL instructions to try close up any gaps.
Really appreciate the feedback. Glad you're up and running. Let us know if you run into any other issues.
Thanks,
Dan
Reply all
Reply to author
Forward
0 new messages