Burp Extension Settings

After installing and loading the extension, there should be a menu item called BeanStack. You can open the settings from that menu.


Enable Lookups

Default: enabled

This toggles whether the extension is currently active, so that you can disable it temporarily without unloading or removing it.

API Key

Default: none

This text field contains your API key, if any. For the benefits of an API key, see the introduction page. Your key should look something like 2wiEUvnVU-lJhbgJz5B_OdJB.


Blacklisted Class Prefixes

Default: empty

This is a comma-separated list of strings. Each string is matched as a substring anywhere in a stack trace line, and any line that contains a match is dropped before the trace is submitted.

To avoid submitting confidential information, it is possible to blacklist class prefixes. For example, a trace might contain lines like these:

 com.customerName.newProduct.run(newProduct.java:9001)
 com.customerName.knownProduct.run(newProduct.java:9001)

While it is possible to submit hashed stack traces to avoid revealing their contents, we could in theory brute-force the hashes (which would be illegal, as it is not covered by our privacy policy). To address that concern, you can choose not to send certain names at all. To drop every line containing com.customerName. or net.customerName., configure the following value:

com.customerName.,net.customerName.

Note that if you omit the trailing dots, i.e. com.customerName,net.customerName, the list would also match, and therefore drop, a line such as:

com.customerNameTest.example(file.java:9001)
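The matching rule described above, as an added example that is not part of the extension's own code: the setting is split on commas and each entry is tested as a plain substring against every line of the trace. The sample trace is constructed for this example (the customerName classes are hypothetical); running it with and without the trailing dots shows the over-matching caveat from the previous paragraph, and the returned (line, needle) pairs let you audit which entry dropped which line before relying on a blacklist.

```python
"""Substring blacklist applied to stack-trace lines (added example, not BeanStack code)."""

# Constructed sample trace; the com.customerName* classes are hypothetical.
SAMPLE_TRACE = (
    "java.lang.NullPointerException\n"
    "\tat com.customerName.newProduct.run(newProduct.java:9001)\n"
    "\tat com.customerName.knownProduct.run(newProduct.java:9002)\n"
    "\tat com.customerNameTest.example(file.java:9001)\n"
    "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n"
)


def parse_blacklist(setting: str) -> list[str]:
    """Split the comma-separated setting value, trimming whitespace and dropping empty entries."""
    return [entry.strip() for entry in setting.split(",") if entry.strip()]


def apply_blacklist(trace: str, setting: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (kept_lines, dropped) where dropped holds (line, matching_entry) pairs.

    A line is dropped as soon as any blacklist entry occurs anywhere in it; the
    entry is a plain substring, not a class-name prefix, so trailing dots matter.
    """
    needles = parse_blacklist(setting)
    kept: list[str] = []
    dropped: list[tuple[str, str]] = []
    for line in trace.splitlines():
        hit = next((needle for needle in needles if needle in line), None)
        if hit is None:
            kept.append(line)
        else:
            dropped.append((line, hit))
    return kept, dropped


if __name__ == "__main__":
    for setting in ("com.customerName.,net.customerName.", "com.customerName,net.customerName"):
        kept, dropped = apply_blacklist(SAMPLE_TRACE, setting)
        print(f"blacklist={setting!r}: kept {len(kept)} line(s), dropped {len(dropped)}")
        for line, needle in dropped:
            print(f"  dropped by {needle!r}: {line.strip()}")
```

With the trailing dots, com.customerNameTest survives; without them it is dropped together with the two com.customerName. frames.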

Hash traces before submission

Default: disabled
Note: This feature requires an API key.

When enabled, the Burp extension hashes the individual components of each stack trace line separately before submitting it to the API; the line number is kept in the clear. For example, the following trace:

 com.customerName.newProduct.run(newProduct.java:9001)
 com.customerName.knownProduct.run(newProduct.java:9002)

Would be hashed into something like this:

 9f0db2f1d105a8c053b3d1da:b74fc8774c5d17995175ffd7:76664d3cf7e1c799e5d1a2d3:9001
 b2644e58aa339505443e2690:b9913fd5866202a2153b2e89:70946918ade0d410eaf6191a:9002

Matching still works because the entries in our database were hashed with the same algorithm. We cannot learn the contents of any part that is not already in our database. Keep in mind, though, that a hashed part drawn from a small vocabulary (a common method or file name) could still be recovered by hashing candidate names and comparing, which is the brute-force concern mentioned under Blacklisted Class Prefixes.

Create an Issue for Each CVE

Default: disabled
Note: CVEs are only shown when you use an API key.

This toggles whether the extension creates a separate issue for each CVE it finds. For example, if two products are identified in a stack trace and each has two CVEs with varying CVSS scores, the default is to log one issue for the URL with all four CVEs listed. That issue's severity is derived from the highest CVSS score (because, presumably, you will choose to exploit the most severe one). With this setting enabled, the extension instead logs four issues for that stack trace, one per CVE, each with the severity appropriate to its own CVSS score.

One major downside is that no deduplication is implemented in this mode: every time the CVE is encountered, a new issue is logged. Depending on how many CVEs a stack trace maps to and how often it recurs, this can create a large number of issues.

Response Size Limit (RAM)

Default: 25 MiB
It is not generally needed to change this setting.

To prevent excessive RAM usage, the extension processes only the first and last limit/2 bytes of a response (by default, the first 12.5 MiB and the last 12.5 MiB). The limit is conservative: Burp Suite and other extensions may already be using a lot of RAM for large HTTP responses, responses containing stack traces rarely exceed a few megabytes, and those that do are likely to have the trace near the end, where the response-generating script crashed. A consequence is that a stack trace lying entirely in the skipped middle of an oversized response will not be detected.

Print Debug Messages

Default: disabled
It is not generally needed to change this setting.

This toggles whether debug messages are written to standard output. They can be viewed in the terminal from which Burp Suite was launched, if it was started from one.

Log Duplicates

Default: disabled
It is not generally needed to change this setting.

This toggles whether the extension logs duplicate issues. When disabled (the default), an issue is not logged if one already exists for the same URL with the same contents. The same information is still logged again for a new URL where it is also found, and new information is logged for a URL already seen if a different stack trace turns up there (or if the server's database has been updated in the meantime and the response now yields new information).
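A model of the issue-logging behaviour described under Create an Issue for Each CVE and Log Duplicates, as an added example rather than the extension's own code: in the default mode one issue per URL carries all CVEs and takes its severity from the highest CVSS score, and a repeat of the same URL with the same contents is suppressed unless duplicates are enabled; in per-CVE mode one issue is logged per CVE with no deduplication at all, as the page warns. The CVSS-to-severity thresholds, the product names and the CVE identifiers are constructed placeholders, not values from the page or any real advisory.

```python
"""Aggregated vs per-CVE issue logging with dedup (added example, not BeanStack code)."""
from dataclasses import dataclass


def severity_for(cvss: float) -> str:
    """Assumed mapping to Burp severities; the page does not state thresholds."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Information"


@dataclass(frozen=True)
class Issue:
    url: str
    title: str
    severity: str
    detail: str


class IssueLogger:
    def __init__(self, per_cve: bool = False, log_duplicates: bool = False,
                 title: str = "Stack Trace Fingerprint Found") -> None:
        self.per_cve = per_cve
        self.log_duplicates = log_duplicates
        self.title = title
        self.issues: list[Issue] = []
        self._seen: set[tuple[str, str]] = set()

    def _log(self, issue: Issue) -> bool:
        """Dedup key is (URL, contents); per-CVE mode performs no dedup at all."""
        key = (issue.url, issue.detail)
        if not self.per_cve and not self.log_duplicates and key in self._seen:
            return False
        self._seen.add(key)
        self.issues.append(issue)
        return True

    def report(self, url: str, findings: dict[str, list[tuple[str, float]]]) -> int:
        """findings maps product -> [(cve_id, cvss), ...]; returns issues logged."""
        cves = [(product, cve, score) for product, lst in findings.items() for cve, score in lst]
        logged = 0
        if self.per_cve:
            for product, cve, score in cves:
                logged += self._log(Issue(url, f"{self.title}: {cve}", severity_for(score),
                                          f"{product}: {cve} (CVSS {score})"))
        else:
            top = max((score for _, _, score in cves), default=0.0)
            detail = "; ".join(f"{p}: {c} (CVSS {s})" for p, c, s in cves) or \
                ", ".join(findings) + " (no CVE data)"
            logged += self._log(Issue(url, self.title, severity_for(top), detail))
        return logged


# Constructed findings: two hypothetical products, two placeholder CVEs each.
FINDINGS = {
    "lib-a 1.2": [("CVE-0000-0001", 9.8), ("CVE-0000-0002", 5.3)],
    "lib-b 3.4": [("CVE-0000-0003", 7.5), ("CVE-0000-0004", 3.1)],
}

if __name__ == "__main__":
    url = "https://example.test/app"
    for logger in (IssueLogger(), IssueLogger(per_cve=True)):
        first, second = logger.report(url, FINDINGS), logger.report(url, FINDINGS)
        print(f"per_cve={logger.per_cve}: first scan {first}, rescan {second}")
        for issue in logger.issues:
            print(f"  [{issue.severity}] {issue.title} :: {issue.detail}")
```

Rescanning the same URL logs nothing in the default mode and four more issues in per-CVE mode, which is the growth the page warns about.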

Issue Title

Default: Stack Trace Fingerprint Found
It is not generally needed to change this setting.

This setting can be used to customize how BeanStack issues appear in the list.

API URL

Default: https://beanstack.io/api/
It is not generally needed to change this setting.

This setting can be used if the API URL needs to be changed, for example to route requests through a corporate proxy. A trailing slash is appended automatically if you omit it.