Error 500 for login page
Hi,
First I want to thank you a lot for the great work! I have been using Burp-UI for a while but recently came across problems after upgrading to Python 3.7. Seeing that you have already fixed these in ea2d374d, I wanted to try the current version. However, this wouldn't work either and just responds with an error 500 after redirecting to the login page. Here's my pip log so you have the versions of all dependencies:
# pip install --upgrade "https://git.ziirish.me/ziirish/burp-ui/-/archive/master/burp-ui-master.zip"
Collecting https://git.ziirish.me/ziirish/burp-ui/-/archive/master/burp-ui-master.zip
Downloading https://git.ziirish.me/ziirish/burp-ui/-/archive/master/burp-ui-master.zip (1.9MB)
100% |████████████████████████████████| 1.9MB 6.4MB/s
Requirement already satisfied, skipping upgrade: trio==0.7.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.7.0)
Requirement already satisfied, skipping upgrade: Flask==1.0.2 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.0.2)
Requirement already satisfied, skipping upgrade: Flask-Login==0.4.1 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.4.1)
Requirement already satisfied, skipping upgrade: Flask-Bower==1.3.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.3.0)
Requirement already satisfied, skipping upgrade: Flask-Babel==0.11.2 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.11.2)
Requirement already satisfied, skipping upgrade: Flask-WTF==0.14.2 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.14.2)
Requirement already satisfied, skipping upgrade: flask-restplus==0.11.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.11.0)
Requirement already satisfied, skipping upgrade: Flask-Caching==1.4.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.4.0)
Requirement already satisfied, skipping upgrade: WTForms==2.1 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (2.1)
Requirement already satisfied, skipping upgrade: arrow==0.12.1 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.12.1)
Requirement already satisfied, skipping upgrade: pluginbase==0.5 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.5)
Requirement already satisfied, skipping upgrade: tzlocal==1.5.1 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.5.1)
Requirement already satisfied, skipping upgrade: pyOpenSSL>=17.5.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (18.0.0)
Requirement already satisfied, skipping upgrade: configobj==5.0.6 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (5.0.6)
Requirement already satisfied, skipping upgrade: pyasn1>=0.2.3 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (0.4.4)
Requirement already satisfied, skipping upgrade: cffi>=1.10.0 in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.11.5)
Requirement already satisfied, skipping upgrade: async_generator in /usr/lib/python3.7/site-packages (from burp-ui==0.7.0.dev0) (1.10)
Requirement already satisfied, skipping upgrade: attrs in /usr/lib/python3.7/site-packages (from trio==0.7.0->burp-ui==0.7.0.dev0) (18.2.0)
Requirement already satisfied, skipping upgrade: sortedcontainers in /usr/lib/python3.7/site-packages (from trio==0.7.0->burp-ui==0.7.0.dev0) (2.0.5)
Requirement already satisfied, skipping upgrade: idna in /usr/lib/python3.7/site-packages (from trio==0.7.0->burp-ui==0.7.0.dev0) (2.7)
Requirement already satisfied, skipping upgrade: sniffio in /usr/lib/python3.7/site-packages (from trio==0.7.0->burp-ui==0.7.0.dev0) (1.0.0)
Requirement already satisfied, skipping upgrade: outcome in /usr/lib/python3.7/site-packages (from trio==0.7.0->burp-ui==0.7.0.dev0) (1.0.0)
Requirement already satisfied, skipping upgrade: click>=5.1 in /usr/lib/python3.7/site-packages (from Flask==1.0.2->burp-ui==0.7.0.dev0) (7.0)
Requirement already satisfied, skipping upgrade: itsdangerous>=0.24 in /usr/lib/python3.7/site-packages (from Flask==1.0.2->burp-ui==0.7.0.dev0) (0.24)
Requirement already satisfied, skipping upgrade: Jinja2>=2.10 in /usr/lib/python3.7/site-packages (from Flask==1.0.2->burp-ui==0.7.0.dev0) (2.10)
Requirement already satisfied, skipping upgrade: Werkzeug>=0.14 in /usr/lib/python3.7/site-packages (from Flask==1.0.2->burp-ui==0.7.0.dev0) (0.14.1)
Requirement already satisfied, skipping upgrade: Babel>=2.3 in /usr/lib/python3.7/site-packages (from Flask-Babel==0.11.2->burp-ui==0.7.0.dev0) (2.6.0)
Requirement already satisfied, skipping upgrade: six>=1.3.0 in /usr/lib/python3.7/site-packages (from flask-restplus==0.11.0->burp-ui==0.7.0.dev0) (1.11.0)
Requirement already satisfied, skipping upgrade: pytz in /usr/lib/python3.7/site-packages (from flask-restplus==0.11.0->burp-ui==0.7.0.dev0) (2018.5)
Requirement already satisfied, skipping upgrade: jsonschema in /usr/lib/python3.7/site-packages (from flask-restplus==0.11.0->burp-ui==0.7.0.dev0) (2.6.0)
Requirement already satisfied, skipping upgrade: aniso8601>=0.82 in /usr/lib/python3.7/site-packages (from flask-restplus==0.11.0->burp-ui==0.7.0.dev0) (3.0.2)
Requirement already satisfied, skipping upgrade: python-dateutil in /usr/lib/python3.7/site-packages (from arrow==0.12.1->burp-ui==0.7.0.dev0) (2.7.3)
Requirement already satisfied, skipping upgrade: cryptography>=2.2.1 in /usr/lib/python3.7/site-packages (from pyOpenSSL>=17.5.0->burp-ui==0.7.0.dev0) (2.3.1)
Requirement already satisfied, skipping upgrade: pycparser in /usr/lib/python3.7/site-packages (from cffi>=1.10.0->burp-ui==0.7.0.dev0) (2.19)
Requirement already satisfied, skipping upgrade: MarkupSafe>=0.23 in /usr/lib/python3.7/site-packages (from Jinja2>=2.10->Flask==1.0.2->burp-ui==0.7.0.dev0) (1.0)
Requirement already satisfied, skipping upgrade: asn1crypto>=0.21.0 in /usr/lib/python3.7/site-packages (from cryptography>=2.2.1->pyOpenSSL>=17.5.0->burp-ui==0.7.0.dev0) (0.24.0)
Installing collected packages: burp-ui
Found existing installation: burp-ui 0.7.0.dev0
Uninstalling burp-ui-0.7.0.dev0:
Successfully uninstalled burp-ui-0.7.0.dev0
Running setup.py install for burp-ui ... done
Successfully installed burp-ui-0.7.0.dev0
Bug summary
Unable to open Burp-UI frontend because of error 500.
Burp
$ burp -v
burp-2.1.32
Sysinfo
$ bui-manage sysinfo
Python version: 3.7.0
Burp-UI version: 0.7.0.dev0 (unknown)
OS: Linux:4.18.12-arch1-1-ARCH (posix)
Distribution: arch
Single mode: True
Backend: burp2
WebSocket embedded: False
WebSocket available: False
Config file: /etc/burp/burpui.cfg
Steps to reproduce
- Go to the login page
- Burp-UI redirects to /login?next=%2F
- Loading fails with error 500
Logs
$ burp-ui -d -v -- -h 0.0.0.0
* Serving Flask app "burpui.cli" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: on
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
* Restarting with stat
/usr/bin/burp: invalid option -- 'V'
* Debugger is active!
* Debugger PIN: 405-915-500
/usr/bin/burp: invalid option -- 'V'
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET / HTTP/1.1" 302 -
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET /login?next=%2F HTTP/1.1" 500 -
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/flask/app.py", line 2309, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python3.7/site-packages/burpui/utils.py", line 250, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python3.7/site-packages/flask/app.py", line 2295, in wsgi_app
response = self.handle_exception(e)
File "/usr/lib/python3.7/site-packages/flask_restplus/api.py", line 577, in error_router
return original_handler(e)
File "/usr/lib/python3.7/site-packages/flask/app.py", line 1741, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
raise value
File "/usr/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python3.7/site-packages/flask_restplus/api.py", line 577, in error_router
return original_handler(e)
File "/usr/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
raise value
File "/usr/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/lib/python3.7/site-packages/burpui/routes.py", line 515, in login
return render_template('login.html', form=form, login=True)
File "/usr/lib/python3.7/site-packages/flask/templating.py", line 135, in render_template
context, ctx.app)
File "/usr/lib/python3.7/site-packages/flask/templating.py", line 117, in _render
rv = template.render(context)
File "/usr/lib/python3.7/site-packages/jinja2/asyncsupport.py", line 76, in render
return original_render(self, *args, **kwargs)
File "/usr/lib/python3.7/site-packages/jinja2/environment.py", line 1008, in render
return self.environment.handle_exception(exc_info, True)
File "/usr/lib/python3.7/site-packages/jinja2/environment.py", line 780, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3.7/site-packages/jinja2/_compat.py", line 37, in reraise
raise value.with_traceback(tb)
File "/usr/lib/python3.7/site-packages/burpui/templates/login.html", line 2, in top-level template code
{% import 'macros.html' as macros %}
File "/usr/lib/python3.7/site-packages/burpui/templates/layout.html", line 16, in top-level template code
<link href="{{ url_for('bower.static', filename='bootswatch/slate/bootstrap.min.css') }}" rel="stylesheet">
File "/usr/lib/python3.7/site-packages/flask_bower/__init__.py", line 53, in replaced_url_for
return url_for(endpoint, filename=filename, **values)
File "/usr/lib/python3.7/site-packages/flask/helpers.py", line 356, in url_for
return appctx.app.handle_url_build_error(error, endpoint, values)
File "/usr/lib/python3.7/site-packages/flask/app.py", line 2061, in handle_url_build_error
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3.7/site-packages/flask/_compat.py", line 34, in reraise
raise value.with_traceback(tb)
File "/usr/lib/python3.7/site-packages/flask/helpers.py", line 345, in url_for
force_external=external)
File "/usr/lib/python3.7/site-packages/werkzeug/routing.py", line 1776, in build
raise BuildError(endpoint, values, method, self)
werkzeug.routing.BuildError: Could not build url for endpoint 'bower.static' with values ['filename']. Did you mean 'static' instead?
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET /login?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET /login?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET /login?__debugger__=yes&cmd=resource&f=jquery.js HTTP/1.1" 200 -
Error on request:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/werkzeug/serving.py", line 270, in run_wsgi
execute(self.server.app)
File "/usr/lib/python3.7/site-packages/werkzeug/serving.py", line 261, in execute
write(data)
File "/usr/lib/python3.7/site-packages/werkzeug/serving.py", line 242, in write
self.wfile.write(data)
File "/usr/lib/python3.7/socketserver.py", line 796, in write
self._sock.sendall(b)
File "/usr/lib/python3.7/site-packages/gevent/_socket3.py", line 458, in sendall
return _socketcommon._sendall(self, data_memory, flags)
File "/usr/lib/python3.7/site-packages/gevent/_socketcommon.py", line 355, in _sendall
timeleft = __send_chunk(socket, chunk, flags, timeleft, end)
File "/usr/lib/python3.7/site-packages/gevent/_socketcommon.py", line 284, in __send_chunk
data_sent += socket.send(chunk, flags)
File "/usr/lib/python3.7/site-packages/gevent/_socket3.py", line 443, in send
self._wait(self._write_event)
File "src/gevent/_hub_primitives.py", line 265, in gevent.__hub_primitives.wait_on_socket
File "src/gevent/_hub_primitives.py", line 266, in gevent.__hub_primitives.wait_on_socket
File "src/gevent/_hub_primitives.py", line 252, in gevent.__hub_primitives._primitive_wait
File "src/gevent/_hub_primitives.py", line 46, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
File "src/gevent/_hub_primitives.py", line 46, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
File "src/gevent/_hub_primitives.py", line 55, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
File "src/gevent/_waiter.py", line 151, in gevent.__waiter.Waiter.get
File "src/gevent/_greenlet_primitives.py", line 59, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
File "src/gevent/_greenlet_primitives.py", line 59, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
File "src/gevent/_greenlet_primitives.py", line 63, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
File "src/gevent/__greenlet_primitives.pxd", line 35, in gevent.__greenlet_primitives._greenlet_switch
greenlet.error: cannot switch to a different thread
xxx.xxx.xxx.xxx - - [09/Oct/2018 17:59:36] "GET /login?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 200 -
I know too little about the inner workings or Flask in general to find the exact cause quickly. The second Error on request does not occur every time, so I'd think the root cause is the bower.static problem.
Configuration
My configuration is basically the example configuration (since my older configuration did have the same problem, I tried replacing the configuration first):
$ cat /etc/burp/burpui.cfg | grep -v "^#"
[Global]
backend = burp2
single = true
auth = basic
acl = basic
audit = basic
prefix = none
plugins = none
[UI]
refresh = 180
liverefresh = 5
ignore_labels = "color:.*", "custom:.*"
format_labels = "s/^os:\s*//"
default_strip = 0
[Production]
storage = default
session = default
cache = default
redis = localhost:6379
celery = false
database = none
limiter = false
ratio = 60/minute
[WebSocket]
enabled = true
embedded = false
broker = redis
url = none
debug = false
[Security]
includes = /etc/burp
enforce = false
revoke = true
cookietime = 14
sessiontime = 5
scookie = true
appsecret = [removed]
[Experimental]
zip64 = true
noserverrestore = false
[Burp]
burpbin = /usr/bin/burp
stripbin = /usr/bin/vss_strip
bconfcli = /etc/burp/burp.conf
bconfsrv = /etc/burp/burp-server.conf
tmpdir = /tmp/bui
timeout = 15
[Parallel]
host = ::1
port = 11111
timeout = 15
password = password123456
ssl = true
concurrency = 2
[BASIC:AUDIT]
priority = 100
level = WARNING
logfile = none
max_bytes = 30 * 1024 * 1024
rotate = 5
Thanks!