param-miner's Introduction

param-miner

This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

It combines advanced diffing logic from Backslash Powered Scanner with a binary search technique to guess up to 65,000 param names per request. Param names come from a carefully curated built-in wordlist, and it also harvests additional words from all in-scope traffic.
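The bucket-and-bisect idea described above, as an added example (not param-miner's own code): many candidate names go into one request, and a bucket is split only when its response differs from a baseline. `simulated_app`, `Prober`, the wordlist and the two hidden names are assumptions constructed for the illustration, and nothing here touches a network.

```python
# Added illustration: bucketed binary search for hidden parameter names.
# simulated_app() is a constructed stand-in for a server, not a real target.

HIDDEN = {"admin", "debug"}  # constructed: names the stand-in app reacts to


def simulated_app(params):
    """Return (status, body_length); only supported names change the body."""
    hits = HIDDEN & set(params)
    return 200, 1000 + 7 * len(hits)


class Prober:
    """Issues one simulated request per probe and diffs it against a baseline."""

    def __init__(self, app):
        self.app = app
        self.requests = 1              # the baseline request itself
        self.baseline = app({})

    def differs(self, names):
        self.requests += 1
        # Placeholder values follow the "wrtqva<random>" shape quoted on this page.
        response = self.app({name: "wrtqvaexample" for name in names})
        return response != self.baseline


def find_params(prober, wordlist, bucket_size):
    """Probe the wordlist in buckets and bisect every bucket that changes the response."""
    found = []
    for start in range(0, len(wordlist), bucket_size):
        pending = [wordlist[start:start + bucket_size]]
        while pending:
            bucket = pending.pop()
            if not prober.differs(bucket):
                continue               # no name in this bucket has any effect
            if len(bucket) == 1:
                found.append(bucket[0])
                continue
            mid = len(bucket) // 2
            pending.append(bucket[mid:])
            pending.append(bucket[:mid])
    return sorted(found)


def build_wordlist(size=4096, hidden=True):
    """Constructed wordlist; two positions are overwritten with the hidden names."""
    words = [f"word{i}" for i in range(size)]
    if hidden:
        words[10] = "admin"
        words[3000] = "debug"
    return words


def demo():
    prober = Prober(simulated_app)
    found = find_params(prober, build_wordlist(), bucket_size=1024)
    return found, prober.requests


if __name__ == "__main__":
    names, requests = demo()
    print(f"found {names} with {requests} requests instead of 4096")
```

The server therefore sees a few very large requests rather than thousands of small ones, which is why bucket size matters for targets that cap the number of headers or parameters per request.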

To use it, right click on a request in Burp and click "Guess (cookies|headers|params)". If you're using Burp Suite Pro, identified parameters will be reported as scanner issues. If not, you can find them listed under Extender->Extensions->Param Miner->Output.

You can also launch guessing attacks on multiple selected requests at the same time - this will use a thread pool so you can safely use it on thousands of requests if you want. Alternatively, you can enable auto-mining of all in-scope traffic. Please note that this tool is designed to be highly scalable but may require tuning to avoid performance issues.

For further information, please refer to the whitepapers:

2020: https://portswigger.net/research/web-cache-entanglement

2018: https://portswigger.net/research/practical-web-cache-poisoning

The code can be found at https://github.com/portswigger/param-miner

If you'd like to rate limit your attack, use the Distribute Damage extension.

Contributions and feature requests are welcome.

Web Cache Entanglement update

Here's a video of the new features being used to find a fat GET cache poisoning vulnerability in a demo site using Rack::Cache.

Param Miner demo video

Another video targeting a real site is coming soon - I'm just waiting on the target to patch.

Changelog

1.21 2020-09-02

  • Non-default settings are now highlighted, and can be reset to default
  • Various bugfixes

1.20 2020-08-05

  • Major update for Web Cache Entanglement

1.07 2018-12-06

  • Fix config window size for small screens (thanks @misoxxx)

1.06 2018-10-10

  • Support custom wordlists
  • Support fuzz-based detection
  • Numerous bug fixes and quality of life tweaks

1.03 2018-08-09

  • First public release

Installation

This extension requires Burp Suite 2021.9 or later. To install it, simply use the BApps tab in Burp.

Development

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/param-miner-all.jar

param-miner's People

Contributors

ahri, albinowax, alonek1, danielintruder, eur0pa, jub0bs, kingthorin, liquidsec, mcgyver5, michal-sladecek, mike-smith-ps, pajswigger, plenumlab, portswiggersupport, regala, rhynorater, righettod, soffensive, tghosth, thepiratewhosmellsofsunflowers, tiefps, vitorfhc

param-miner's Issues

Param-miner exceeds maximum allowed number of headers in target application

In my application logs, param-miner (using "guess headers") causes the following exception:

java.lang.IllegalStateException: More than the maximum allowed number of headers, [100], were detected.

I can't seem to find a setting that will prevent this from happening. It would be good to have a way to do this to make the extension quieter.

Possibility of Automating param-miner

Is there any way to make the param-miner automated?
I'm using param-miner to find unkeyed input on some of the websites. My intention is to make it automated. Is there any way that I can pass some website URLs from a file by writing a script and find the unkeyed inputs and store them in a .csv file? It is for my master's project and a quick response is much appreciated. TIA.

🚨 Potential Improper Access Control

👋 Hello, @albinowax, @PortSwiggerSupport, @pajswigger - a potential high severity Improper Access Control vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-PortSwigger/param-miner for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.


Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome


This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

duplicate cachebuster functionality

My experience is that when I don't select any cachebuster option, I get a default dynamic one in my application's access logs:
"GET /threadfix/about?h07f4k0=1 HTTP/1.1" 200 22684

If I select "fcbz", I get the default one in addition to two fcbz parameters.
"GET /threadfix/login.jsp?fcbz=1&illliqv90=1&fcbz=1 HTTP/1.1" 200 6501

If I select "dynamic", then I get three dynamic cachebusting parameters (the default one plus two others):

"GET /threadfix/login.jsp?itkebapv41=1&xg94h4uct2=1&hhwrc5=1 HTTP/1.1" 200 6501
"GET /threadfix/login.jsp?itkebapv41=1&g1gpeaa6=1&s0v5v60g2=1 HTTP/1.1" 200 6501
"GET /threadfix/login.jsp?itkebapv41=1&vxju2=1&lt4anqlb1=1 HTTP/1.1" 200 6501

Is the dynamic option necessary, then?

Add custom param value

It would be nice if you could pass an arbitrary param value instead of using just wrtqva<random>.
The idea is that I would like to fuzz for blind SSRF during header discovery so I would like to pass <random>.brp.mmquant.net as the header value.

I tried to modify code in

ParamGuesser.java:249
ParamGuesser.java:587
Attack.java:31
Utilities.java:771

Compiled and then copied

ParamGuesser.class
Attack.class
Utilities.class

to /root/.BurpSuite/bapps/<appId>/build/libs/burp/<classFile>
but I'm unable to get it to work as param-miner still fuzzes with wrtqva<random> string.
*( I'm not JAVA dev :) )
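Added example, not part of the issues above or of param-miner itself: a log triage helper that flags requests carrying the `fcbz` cachebuster and `wrtqva`-prefixed placeholder values quoted in the two preceding issues. `KNOWN_PARAMS`, `BULK_THRESHOLD` and the indicator labels are assumptions of this sketch; the last two sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Matches the request portion of the access-log lines quoted on this page.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

FIXED_CACHEBUSTER = "fcbz"       # fixed cachebuster name quoted in the issues above
VALUE_PREFIX = "wrtqva"          # placeholder-value prefix quoted in the issues above
KNOWN_PARAMS = {"lang", "page"}  # assumption: parameters the application really uses
BULK_THRESHOLD = 50              # assumption: more parameters than any real page sends

# The first two lines are copied from the access-log excerpts on this page;
# the last two are constructed for this example.
SAMPLE_LOG = [
    '"GET /threadfix/about?h07f4k0=1 HTTP/1.1" 200 22684',
    '"GET /threadfix/login.jsp?fcbz=1&illliqv90=1&fcbz=1 HTTP/1.1" 200 6501',
    '"GET /threadfix/login.jsp?update=wrtqvapbefqy5fwd&admin=wrtqvagc6e8ilywd HTTP/1.1" 200 6501',
    '"GET /threadfix/login.jsp?lang=en&page=1 HTTP/1.1" 200 6501',
]


def indicators(line):
    """Return a sorted list of indicator labels for one log line.

    Returns None when the line does not contain a parsable request.
    These match default settings only: the cachebuster options and the
    canary are configurable, so an empty list proves nothing.
    """
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    pairs = parse_qsl(urlsplit(match["target"]).query, keep_blank_values=True)
    found = set()
    if len(pairs) >= BULK_THRESHOLD:
        found.add("bulk-params")              # one request carrying a whole bucket
    for name, value in pairs:
        if name == FIXED_CACHEBUSTER:
            found.add("fixed-cachebuster")
        elif value.startswith(VALUE_PREFIX):
            found.add("canary-value")
        elif value == "1" and name not in KNOWN_PARAMS:
            found.add("unlisted-flag-param")  # shape of a dynamic cachebuster
    return sorted(found)


def scan(lines):
    """Return (request target, indicators) for every line with at least one hit."""
    report = []
    for line in lines:
        hits = indicators(line)
        if hits:
            report.append((REQUEST_RE.search(line)["target"], hits))
    return report


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):45} {target}")
```

The `unlisted-flag-param` label is the weakest of the four and depends entirely on how complete `KNOWN_PARAMS` is for the application being monitored.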

Won't launch on Mac

When I load the App through the store, Burp says that it's loaded successfully but I get the following error message and I can't see the extension when right clicking requests.

java.lang.NoSuchMethodError
	at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:49)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at burp.cke.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)

Stuck on "Initiating header bruteforce"

I tried using this extension on multiple sites, I keep getting the same message, for example:

Initiating header bruteforce on hackxor.net

No other output is shown after that. Am I doing something wrong?

Memory issues

Hi,
After I've updated to the newest version, and trying to run Param Miner on host which supports HTTP/2, the extension takes all the memory and doesn't release it at all, unless Burp is restarted. I've disabled Logger, and all other extensions so I'm quite certain the problem is in this one. I've tried both HTTP/1.1 as well as HTTP/2, but it still persists.
image
My settings are following:
image
When I start guessing Headers, I can see memory is consumed and once finished, it is still retained (I need to restart Burp). When I try to bruteforce GET parameters, the problem is much worse as I have no idea when it finishes.

Parameter not detected

Hello
I've an application with following base request:

POST /login/ HTTP/1.1
Host: atseashop.com
Connection: close
Content-Length: 46
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/json
Origin: https://atseashop.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://atseashop.com/index.html
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7

{"username":"chmiels","password":"Test123&"
}

and response

HTTP/1.1 200 
Server: nginx/1.17.6
Date: Wed, 16 Sep 2020 18:10:27 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 169

{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaG1pZWxzIiwicm9sZXMiOiJjaG1pZWxzIiwiYXVkIjoiY3VzdG9tZXIiLCJpYXQiOjE2MDAyNzk4Mjd9.AZD3hjEwqeVFQMI7TFmBNemuy-YJ6FY5jd_hBTesZA8"}

This request contains hidden parameter admin which is included in basic wordlist, however it's not detected.

Adding this parameter clearly returns different values:

POST /login/ HTTP/1.1
Host: atseashop.com
Connection: close
Content-Length: 64
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/json
Origin: https://atseashop.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://atseashop.com/index.html
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7

{"username":"chmiels","password":"Test123&",
"admin" :"true"
}

Response

HTTP/1.1 200 
Server: nginx/1.17.6
Date: Wed, 16 Sep 2020 19:49:26 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 178

{"admin":true,"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaG1pZWxzIiwiYXVkIjoiYWRtaW4iLCJyb2xlcyI6ImNobWllbHMiLCJpYXQiOjE2MDAyODU3NjZ9.P2Bik3nzBYgR6-sc-R89_cgIUxqumP3BPGNFuQSdlnw"}

and with invalid boolean value return value is different (exception):

POST /login/ HTTP/1.1
Host: atseashop.com
Connection: close
Content-Length: 71
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/json
Origin: https://atseashop.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://atseashop.com/index.html
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7

{"username":"chmiels","password":"Test123&",
"admin" :"jafkajfjsaf"
}

Response

HTTP/1.1 400 
Server: nginx/1.17.6
Date: Thu, 17 Sep 2020 04:46:44 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 559

{"timestamp":1600318004379,"status":400,"error":"Bad Request","message":"JSON parse error: Cannot deserialize value of type `boolean` from String \"jafkajfjsaf\": only \"true\" or \"false\" recognized; nested exception is com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `boolean` from String \"jafkajfjsaf\": only \"true\" or \"false\" recognized\n at [Source: (PushbackInputStream); line: 2, column: 10] (through reference chain: com.docker.atsea.controller.LoginController$UserLogin[\"admin\"])","path":"/login/"}

Request with word admin was sent by Param Miner (not attached due to big size).
Part of request:

"update":"wrtqvapbefqy5fwd","admin":"wrtqvagc6e8ilywd","purge":"wrtqval311xbx7wd","Control":"wrtqvaqykq3vikwd",

Response to request sent by Param Miner with admin word is:

HTTP/1.1 400 
Server: nginx/1.17.6
Date: Thu, 17 Sep 2020 04:46:45 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 572

{"timestamp":1600318005432,"status":400,"error":"Bad Request","message":"JSON parse error: Cannot deserialize value of type `boolean` from String \"wrtqvagc6e8ilywd\": only \"true\" or \"false\" recognized; nested exception is com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `boolean` from String \"wrtqvagc6e8ilywd\": only \"true\" or \"false\" recognized\n at [Source: (PushbackInputStream); line: 1, column: 23823] (through reference chain: com.docker.atsea.controller.LoginController$UserLogin[\"admin\"])","path":"/login/"}

Param miner log:

Add 'fcbz' cachebuster: false
Add dynamic cachebuster: false
Add header cachebuster: false
include origin in cachebusters: true
learn observed words: false
skip boring words: true
only report unique params: false
response: true
request: true
use basic wordlist: true
use bonus wordlist: false
use custom wordlist: false
custom wordlist path: "/usr/share/dict/words"
bruteforce: false
skip uncacheable: false
dynamic keyload: false
max one per host: false
max one per host+status: false
probe identified params: true
scan identified params: false
enable auto-mine: false
auto-mine headers: false
auto-mine cookies: false
auto-mine params: false
auto-nest params: false
fuzz detect: true
carpet bomb: false
try cache poison: true
twitchy cache poison: false
try method flip: false
try -_ bypass: false
thread pool size: 8
rotation interval: 200
rotation increment: 4
force bucketsize: -1
max bucketsize: 65536
max param length: 32
lowercase headers: true
name in issue: false
canary: "zwrtxqva"
Loaded Param Miner v1.21
    CACHE_ONLY false
Updating active thread pool size to 8
Queued 1 attacks
Setting bucketSize to 2048 due to slow response
Unrecognised type: 6
Initiating json bruteforce on atseashop.com
Identified parameter on atseashop.com: username

No more requests are issued (shouldn't there be a message about finishing the search?).

Link to application source: https://github.com/skirge/atsea-sample-shop-app.
This application can be run as set of docker containers, using docker-compose. Instructions are in README file.

Origin header manipulation can't be stopped?

What setting should be used to stop param miner messing with the Origin header when guessing GET or POST parameters?
I have used the following settings but it still changes the Origin header which breaks my test (API does not work without the right Origin header):
image

Param Miner injection breaks legacy apps

Hello James,

A small observation I came across in Param-miner. I am testing a legacy app, after my initial login post request with credentials I was getting an invalid parameter error and was redirected to the login page.

The app worked fine without burp and the moment I went through burp, I was redirected to the login page. After lots of digging around I found out that it's because of param-miner introducing fcbz=1 at the end of the URL. I understand that's the way the plugin works to find hidden params but as it's not shown in burp proxy, it was difficult to find what was causing the issue.

As the HTTP trace with and without Burp seemed similar but the app was breaking, the fact that fcbz=1 was added can be seen through Wireshark.

Maybe it would be useful to indicate where the injection is happening so that it's easy to troubleshoot if something breaks. Particularly when running legacy apps with hardware connected, Param-Miner was the last place I thought about for troubleshooting :)

Just mentioning it here as it might be useful for someone having similar issues.

Access control Allow origin removed in preflight request

Hi,
After having upgraded param miner, I observed that ACAO header were removed from OPTIONS request, causing application I tested to fail login. I suspect param miner to be the cause of that problem, because it only occurs when param miner is loaded, but I don't understand why param miner would do that, neither how I could potentially change it via a setting. Could you help me?

And thank you for your awesome research and tools!

Standalone version?

Is there a standalone version of this, or some way to run it without checking for all the other things burp scans for?

why param miner insert random string to payload

...
xl81kpe5e5o9jpqrkbk100d63nikjllt=wrtqvaisepy1cikq; v4x3wk20ccumtpjkuyl7pohld5xs5h3v=wrtqvaxpzh7efjkq; iw32dfo7giveam3xfhvdaj6m0ndt68ug=wrtqvawmai2mnqkq; yasnbucb9tzgpsjsbqcyjv7gtu5mctzh=wrtqvarx1lwlmtkq; ysbhqcjel7dpmyqzhzxq201p3ozvyx28=wrtqvaxsrwubnkkq; s8003uthqnn0ax1jaeeqhn78ljalwg2e=wrtqvakovpsonckq; idudlblspt49gto8qtop702sa6a3y1b7=wrtqvaifku6i4pkq; tjj709gf1m49sxtmd7lvwj6az9b19uq7=wrtqvao249g7pbkq; wmufpmxikkz7q6vxvgu9ljpf0o1gsgzy=wrtqvaxlidl7cekq; tur026wwwdx7vnodndci91mpwzov86t0=wrtqvag4l47ovzkq; mz2396r3q8q6myo12k9jgh39hi4bfqps=wrtqvak5hjxpezkq; su7vuubt2l6sjxwbs3rvf2079i5z3pmk=wrtqvaszwuevsgkq; rqegjencj8es38cu8twf0hynh6koru16=wrtqvayy8f27q2kq; q77vmdwmjdsidsz98eyexlhwdt75wyd4=wrtqvapftvxkznkq; m56rqkdwgxhvxhp1i6r06vo8s6bedtbs=wrtqvaz114tyyckq; zsz8sawmvuh2f7srf5xit7km8msweybb=wrtqvaxk4zlz5bkq; l0mfj8xh36kjs1l13fzbslkp3qa6rak1=
....
param miner will add this random param to cookie and header, maybe param guess too, what is the purpose to do this, is there any way to avoid this?

Implementing blacklist

Would it be possible to add a new menu item with user-specified blacklist? I found a unique parameter, which poisons the cache for 15 minutes and it does so every time I'm running Param Miner for discovering other unlinked inputs. With such blacklist, I could simply add it there and not DoS the platform during test:)
Like "custom blacklist path" would be amazing:)

paramMiner freezes after queuing attacks

Description
paramMiner freezes after issuing an attack.

Steps to reproduce

  1. Select Guess GET parameters
    image
  2. Set attack config as follows and click OK
    image
  3. Inspect Logger
    image
  4. Inspect paramMiner's log and error outputs
    image
    image

Additional info
Connection to target server runs over SOCKS proxy on localhost.
Target URL is reachable with other tools (intruder, scanner, repeater, ...)
Even though no requests are made/visible in the Logger, Burp still heavily loads the CPU
image
Under Burp 2021.6.2 paramMiner works perfectly.

Versions
Burp version 2021.8
paramMiner version v1.31
albinowaxUtils v0.5

param miner not quite working, crashing, etc.

in burp community edition v2020.8:
param miner v1.20

java.lang.IllegalArgumentException: Invalid to offset
at burp.ap3.indexOf(Unknown Source)
at burp.cg7.indexOf(Unknown Source)
at burp.Utilities.containsBytes(Utilities.java:829)
at burp.ParamGuesser.findPersistent(ParamGuesser.java:657)
at burp.ParamGuesser.guessParams(ParamGuesser.java:189)
at burp.ParamGuesser.run(ParamGuesser.java:76)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.IllegalArgumentException: Invalid to offset
at burp.ap3.indexOf(Unknown Source)
at burp.cg7.indexOf(Unknown Source)
at burp.Utilities.containsBytes(Utilities.java:829)
at burp.ParamGuesser.findPersistent(ParamGuesser.java:657)
at burp.ParamGuesser.guessParams(ParamGuesser.java:210)
at burp.ParamGuesser.run(ParamGuesser.java:76)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)

I have used logger++ together with param miner in order to determine if it's even working, and at times it does, at times it doesn't.
Issuing Guess GET headers on lab: Web cache poisoning via an unkeyed query string
results in around 15-16 requests judging from logger++ and filtering only for extender requests and then nothing,
adding the lab url to the target list, having param miner enabled, and refreshing the page results in a lot more requests, so far got 1319, and then the above error.
Issuing the Bulk Scan -> Unkeyed param results in nothing other than Attack Queued.

I don't know what's going on, I had the same issue yesterday, but upon reinstalling param miner it worked fine, until today, I have reinstalled it, but still same issues.

Hopefully there is a simple explanation/fix, in the meantime I guess I'll try to figure out the code and convert it into python unless if someone had already done that.

Thanks for looking into this.

Sincerely,
musashi42

RuntimeException using Guess Headers ("header locating fail")

Hi--first of all, thank you for the work that has gone into this very useful extension!

I'm getting a RuntimeException saying "can't find header" when using Guess Headers; apologies if I'm just doing something wrong here, but would greatly appreciate any help! Please let me know if I can provide any other information.

Steps to replicate

  1. Set up the following request in the Repeater tab to portswigger.net:443
    GET /content/images/logos/portswigger-logo.svg HTTP/2
    Host: portswigger.net
    Accept: */*
    
  2. Right-click and select Extensions > Guess headers
  3. Leave default options and click OK
  4. Go to Extender tab and see the following output:
    Using albinowaxUtils v0.22
    Loaded Param Miner v1.28
    CACHE_ONLY false
    Updating active thread pool size to 8
    Queued 1 attacks
    header locating fail: TCZqBcS13SA8QRCpW
    'GET /content/images/logos/portswigger-logo.svg HTTP/2
    Host: portswigger.net
    Accept: */*'
    Attack aborted by exception
    Error in thread: Can't find the header: TCZqBcS13SA8QRCpW. See error pane for stack trace.
    
    and the following in the Errors tab:
    java.lang.RuntimeException: Can't find the header: TCZqBcS13SA8QRCpW
    at burp.Utilities.setHeader(Utilities.java:949)
    at burp.HeaderNameInsertionPoint.buildBulkRequest(BurpExtender.java:407)
    at burp.ParamNameInsertionPoint.buildRequest(BurpExtender.java:306)
    at burp.PayloadInjector.probeAttack(PayloadInjector.java:152)
    at burp.ParamAttack.updateBaseline(ParamAttack.java:278)
    at burp.ParamAttack.<init>(ParamAttack.java:135)
    at burp.ParamGuesser.run(ParamGuesser.java:75)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
    

Environment

  • Mac OS 10.15.7 (Catalina)
  • Burp Suite Community Edition v2021.6.2
  • Param Miner v1.28

Param Miner changing something in background without any way to debug

When I send a request through Burp Repeater without the Param Miner, I see a regular website; when I activate the Param Miner and replay the same request, I see a JBoss admin page.

I am very interested in how the Param Miner is making me see a JBoss page, but I cannot find what it is inserting in the request.

I am using it in the Burp beta version (probably 2.03beta).

gradle build produces .jar file that Burp cannot load

running gradle build results in a param-miner.jar that gives the following error when added to Burp:

Failed to import the Apache Commons Lang library. You can get it from http://commons.apache.org/proper/commons-lang/

running gradle fatJar results in a param-miner-all.jar that works

version = Burp Suite Community Edition v2.1.04

need help on jre 1.8

could you tell me how to handle the problem? please

java.lang.NullPointerException
at burp.Utilities.countMatches(Utilities.java:610)
at burp.OfferParamGuess.createMenuItems(OfferParamGuess.java:45)
at burp.cg.a(Unknown Source)
at burp.bb.a(Unknown Source)
at burp.egq.a(Unknown Source)
at burp.fo7.a(Unknown Source)
at burp.fo7.b(Unknown Source)
at burp.fo7.mouseReleased(Unknown Source)
at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

Requests doesn't send to target.

Hello.
The problem is that when I installed extension Param Miner and ran it, it doesn't send any requests to selected request (I installed logger++ and Flow extensions to test it).

Burp version: 1.7.37
OS: Windows 10
java --version output:
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

Steps to reproduce:

  1. Install Burp 1.7.37
  2. Install Param Miner from the BApp Store
  3. Select the request -> Right click -> Guess GET Parameters -> OK
  4. Nothing happens

Extension output in the Extender tab contains only:
Add fixed cachebuster: true
Add dynamic cachebuster: false
learn observed words: false
skip boring words: true
only report unique params: false
response: true
use basic wordlist: true
use bonus wordlist: true
bruteforce: true
skip uncacheable: false
dynamic keyload: false
max one per host: false
max one per host+status: false
scan identified params: false
auto-mine proxy traffic: false
auto-nest params: false
try cache poison: true
try method flip: false
thread pool size: 8
rotation interval: 200
rotation increment: 4
force bucketsize: -1
max bucketsize: 65536
max param length: 32
Loaded Param Miner v1.04
CACHE_ONLY false

Ability to use custom headers as cache busters.

Some caches do not include any GET parameters nor the headers that get modified automatically by ParamMiner in their keyed input. Instead they only see some particular headers as a keyed input that aren't accounted for by the current functionality. Therefore it would be convenient to have an option to add custom headers as a cache buster.

One example could be some configurations of CloudFlare that disable keyed input in GET parameters or any headers except for x-http-method-override, which is always considered a keyed input by CloudFlare, and requests containing it are guaranteed to be passed to the back-end for further processing.
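The situation this request describes, as an added example that is not part of the original issue or of Param Miner's code: a toy shared cache whose key can exclude the query string, showing that a query-string cache buster then stops isolating test requests from ordinary visitors, while a buster carried in a keyed header still does. The ToyCache model, the shop.example host and the X-Probe header are constructed for illustration; x-http-method-override is the header the post names.

```python
# Added illustration: toy shared cache with a configurable cache key.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HEADER = "x-http-method-override"  # the keyed header named in the post


@dataclass
class ToyCache:
    """Minimal model of a shared cache; not any vendor's real behaviour."""
    key_query: bool                 # is the query string part of the key?
    keyed_headers: tuple = ()       # lower-case header names in the key
    store: dict = field(default_factory=dict)

    def cache_key(self, host, url, headers):
        parts = urlsplit(url)
        key = [host.lower(), parts.path]
        if self.key_query:
            key.append(parts.query)
        lowered = {k.lower(): v for k, v in headers.items()}
        for name in self.keyed_headers:
            key.append(f"{name}={lowered.get(name, '')}")
        return tuple(key)

    def fetch(self, host, url, headers, origin):
        """Return (body, 'HIT' or 'MISS'); misses are forwarded and stored."""
        key = self.cache_key(host, url, headers)
        if key in self.store:
            return self.store[key], "HIT"
        body = origin(url, headers)
        self.store[key] = body
        return body, "MISS"


def origin(url, headers):
    # Constructed origin: reflects an unkeyed header, standing in for any
    # input a scan varies while probing.
    return f"page {urlsplit(url).path} probe={headers.get('X-Probe', '-')}"


def visitor_sees_probe(cache, buster_url, buster_headers):
    """Send one cache-busted test request, then an ordinary visitor request.
    True means the visitor was served the tester's cached response."""
    probe_headers = {"X-Probe": "test-123", **buster_headers}
    cache.fetch("shop.example", buster_url, probe_headers, origin)
    body, _ = cache.fetch("shop.example", "/home", {}, origin)
    return "test-123" in body


def run_cases():
    return {
        # Query string is keyed: the usual query buster isolates the test.
        "query keyed, query buster": visitor_sees_probe(
            ToyCache(key_query=True), "/home?cb=a1b2", {}),
        # Query string is not keyed: the buster is ignored by the key, so
        # the test response lands in the entry every visitor shares.
        "query unkeyed, query buster": visitor_sees_probe(
            ToyCache(key_query=False), "/home?cb=a1b2", {}),
        # Only a header is keyed: a buster value in that header isolates.
        "query unkeyed, header buster": visitor_sees_probe(
            ToyCache(key_query=False, keyed_headers=(HEADER,)),
            "/home", {HEADER: "cb-a1b2"}),
    }


if __name__ == "__main__":
    for case, leaked in run_cases().items():
        print(f"{case}: visitor served test response = {leaked}")
```

The middle case is the reason a buster must sit in an input the cache actually keys on: without it, every probe response is stored where real users will receive it.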

Intruder - Guess body parameter values on multiple requests

Hi,
I've iterated through many POST only requests (there was no GET) in the Intruder, and I'd like to select all and guess body parameter values on all of them with Param Miner. At the moment, that option is not present when I select multiple requests. Could you please add it?
Thanks

Setting case sensitivity

Hi,
I'm testing case-insensitive IIS 10.0. I ran Param Miner, and I see it found parameters "id", "ID", "iD". Could it be possible to set case insensitivity, so that only lowercase parameter names are tried? I have "learn observed words", and "use bonus wordlist" enabled, so most likely there are tons of the same parameters in different case involved.
Thanks:)

param-miner does not pause

Is there a proper way to pause param-miner? It is my understanding that hitting the big 'Pause All' button on the main dashboard is intended to pause all automated scanning. Param-miner is not paused by this functionality and in order for me to stop it I'm forced to shut down burp or disable the param-miner plugin.

[Feature request] Add discovered parameter to sitemap

Hello,

To begin with, thank you for that awesome burp extension, I rely on it a lot!

What do you think about adding the discovered parameters to the site map upon discovery?

For now, I do it manually but imo that small improvement would be nice and appreciated.

Add dynamic cachebuster turned on results in session errors

I recently browsed a rails site that would throw a session expired error every time I tried to use a web form.

I tracked the problem down to the dynamic cachebuster being turned on in param miner, every time I sent a request to the site with dynamic cachebuster turned on it would be caught by the following rails error:

rescue_from ActionController::InvalidAuthenticityToken, with: :session_expired

Would this be a bug in param miner itself or is it likely to be a bug in the site/cache?

Exception during "Guess Headers"

Description

I'm testing a website vulnerable to Web Cache Poisoning.
The target is behind Akamai and the cache implementation is handled by Akamai (I can get the cache key with “Pragma: akamai-x-get-cache-key”).
During a "Guess Headers" scan the extension throws an exception

Burp Suite Professional Version: v2021.6-8007
Param Miner Version: v1.28

Cannot read the array length because "request" is null

 burp.Utilities.getHeaderOffsets(Utilities.java:961)
java.lang.NullPointerException: Cannot read the array length because "request" is null
                at burp.Utilities.getHeaderOffsets(Utilities.java:961)
                at burp.ParamGuesser.canSeeCache(ParamGuesser.java:595)
                at burp.ParamGuesser.guessParams(ParamGuesser.java:259)
                at burp.ParamGuesser.run(ParamGuesser.java:77)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
                at java.base/java.lang.Thread.run(Thread.java:832)

Steps to reproduce

Baseline Request (I have also tried with HTTP/1.0 and HTTP/1.1):

GET /playsets HTTP/2
Host: website.host.local

The response is pretty standard but when I add this header: Proxy-connection burp shows me this error:
image

Launching Param Miner against this URL, when it tries to inject this header in the request, it throws an exception and blocks itself.

If you try to inject the same header inside an original Akamai request you will obtain the same result:

GET / HTTP/1.1
Host: www.akamai.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Connection: close
proxy-connection: kkk

image

This is the extension log

Using albinowaxUtils v0.22
Loaded Param Miner v1.28
    CACHE_ONLY false
Updating active thread pool size to 8
Queued 1 attacks
Initiating header bruteforce on www.akamai.com
Identified parameter on www.akamai.com: origin~https://%s.%h
Identified parameter on www.akamai.com: proxy-connection
Attack aborted by exception
Error in thread: Cannot read the array length because "request" is null. See error pane for stack trace.

And the stack trace:

Cannot read the array length because "request" is null
 
burp.Utilities.getHeaderOffsets(Utilities.java:961)
java.lang.NullPointerException: Cannot read the array length because "request" is null
                at burp.Utilities.getHeaderOffsets(Utilities.java:961)
                at burp.ParamGuesser.canSeeCache(ParamGuesser.java:595)
                at burp.ParamGuesser.guessParams(ParamGuesser.java:259)
                at burp.ParamGuesser.run(ParamGuesser.java:77)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
                at java.base/java.lang.Thread.run(Thread.java:832)

Additional Info

If you need further details or debugging, don't hesitate to contact me on Twitter

java.lang.UnsupportedOperationException: Action is not supported for this parameter type

I have a request of "Content-Type: application/soap+xml;charset=UTF-8"
When I try "Guess XML parameter", "" I receive this error:

java.lang.UnsupportedOperationException: Action is not supported for this parameter type
	at burp.t5b.a(Unknown Source)
	at burp.t5b.removeParameter(Unknown Source)
	at burp.t5b.updateParameter(Unknown Source)
	at burp.zjb.updateParameter(Unknown Source)
	at burp.ParamNameInsertionPoint.buildBasicRequest(BurpExtender.java:427)
	at burp.ParamNameInsertionPoint.buildRequest(BurpExtender.java:365)
	at burp.PayloadInjector.probeAttack(PayloadInjector.java:153)
	at burp.ParamAttack.updateBaseline(ParamAttack.java:264)
	at burp.ParamAttack.<init>(ParamAttack.java:135)
	at burp.ParamGuesser.run(ParamGuesser.java:70)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

StringIndexOutOfBoundsException

Kali Linux
BurpSuite Professional v2020.9.1
Param-Miner 1.24

Right Click on GET-Request in Proxy-History > Guess headers > Attack-Config (not modified) > Button OK

Output:
Updating active thread pool size to 8
Queued 1 attacks
Setting bucketSize to 2048 due to slow response
Initiating header bruteforce on **************************************************.web-security-academy.net
Attack aborted by exception
Error in thread: String index out of range: 0. See error pane for stack trace.

Errors:
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.base/java.lang.StringLatin1.charAt(StringLatin1.java:48)
at java.base/java.lang.String.charAt(String.java:711)
at burp.ParamHolder.lambda$removeBadEntries$0(ParamHolder.java:85)
at java.base/java.util.ArrayList.removeIf(ArrayList.java:1681)
at java.base/java.util.ArrayList.removeIf(ArrayList.java:1659)
at burp.ParamHolder.removeBadEntries(ParamHolder.java:85)
at burp.ParamHolder.addParams(ParamHolder.java:31)
at burp.ParamGuesser.guessParams(ParamGuesser.java:172)
at burp.ParamGuesser.run(ParamGuesser.java:77)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.base/java.lang.StringLatin1.charAt(StringLatin1.java:48)
at java.base/java.lang.String.charAt(String.java:711)
at burp.ParamHolder.lambda$removeBadEntries$0(ParamHolder.java:85)
at java.base/java.util.ArrayList.removeIf(ArrayList.java:1681)
at java.base/java.util.ArrayList.removeIf(ArrayList.java:1659)
at burp.ParamHolder.removeBadEntries(ParamHolder.java:85)
at burp.ParamHolder.addParams(ParamHolder.java:31)
at burp.ParamGuesser.guessParams(ParamGuesser.java:172)
at burp.ParamGuesser.run(ParamGuesser.java:77)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)

Add new headers

"X-Forwarded-Prefix" may also be used to rewrite the path of the URL in Nginx. It should be added to the headers list in resources.

java.lang.StringIndexOutOfBoundsException: String index out of range: -1

Hi,

I followed the online guide on how to go about executing it which is to use right click > Guess header/cookie/param. However, when I did that, there is no activity on my Burp.
Burp version tested:
2.0.13beta Pro
1.7.37 Pro
1.7.27 Pro
OS: Windows 10
Java:
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)

Steps to reproduce:

  1. Used Burp versions mentioned above
  2. Install Param Miner from BApp store
  3. Select the request -> Right click ->Guess GET Header -> OK

Nothing happens.
Extension output in Extender tab contains the usual stuff, no output in Errors tab.
There is an error that appeared in command prompt when running Burp through it, shown below:
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
	at java.lang.String.substring(Unknown Source)
	at burp.Keysmith.parseParam(Keysmith.java:74)
	at burp.Keysmith.getParamKeys(Keysmith.java:57)
	at burp.Keysmith.getAllKeys(Keysmith.java:46)
	at burp.ParamAttack.calculatePayloads(ParamAttack.java:298)
	at burp.ParamAttack.<init>(ParamAttack.java:107)
	at burp.ParamGuesser.run(ParamGuesser.java:70)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
I have tried changing the max bucket size and forced bucket size to other values knowing the comma and space cause problems but to no avail.
All values of Param Miner are left at default. I have also tried disabling every checkbox, same result.
No result in the scan result or anywhere.

Please advise, thank you!

Doesn't work on Windows?

The default wordlist points to a Linux path: /usr/share/dict/words
I've tried changing this thinking that it was a path issue but the following formats fail:

C:/my/path/file.txt
C:\my\path\file.txt
C:\my\path\file.txt

I'd love to be able to use this tool, it seems really useful but I am having difficulty even getting it to run once at all

Custom Wordlist not Working

I'm trying to test custom headers with the custom wordlist option, but it's not working. What is the problem?
head1
head2
head3

One function question.

Hello.

Do you have an item in the menu that would add the found parameter to the sitemap? I.e., I always send the found parameter from the scanner to the Repeater, and from there I add it to the sitemap. Maybe this function exists, but I could not find it.

Thanks.

Error with a GET request

Hello, I was trying to use the extension for the following request:

GET /hs-fs/hubfs/Blueboard_Logo_Blue-2.png?c4qkjwjs9i=1rrreee HTTP/1.1
Host: marketing.blueboard.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _gcl_au=1.1.327448918.1607540406; _ga=GA1.2.1127951270.1607540406; _gid=GA1.2.280373672.1607540406; _fbp=fb.1.1607540406506.687770539; _hjid=ba025696-0345-468d-98da-21dd91c38cff; hubspotutk=1db8f5d7f6f652baae7fa5f2d194ca73; intercom-id-bzgics79=702cb921-98bd-453c-af38-d675ba3e29a3; intercom-session-bzgics79=; __cfduid=d4d82eb38e02929b7563e3f0033dff8ea1607578100; _hjTLDTest=1; __hstc=187070263.1db8f5d7f6f652baae7fa5f2d194ca73.1607540419678.1607545398113.1607578102061.3; __hssrc=1; _smb_session=7581582daf8a45fb094f11a06a4de8e5; ajs_anonymous_id=%22b08866da-090f-4afb-8dfc-c82b9e04fc11%22; mp_ca5c2eaacf5bb0d600decfabb180cb9e_mixpanel=%7B%22distinct_id%22%3A%20%221764b2e927d9-0462ee6adfec87-c791039-cc538-1764b2e927e3ab%22%2C%22%24device_id%22%3A%20%221764b2e927d9-0462ee6adfec87-c791039-cc538-1764b2e927e3ab%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _cio=f87fe848-b6a5-0ceb-95a5-277cd2d77a88; intercom-session-APP_ID=; intercom-id-APP_ID=9f96d69a-1de8-4a4f-b5bc-4369f510e4b3; __cfruid=06dc1e15813f37c271ff9a1445f39dca51bc2326-1607580250; _uetsid=c02540f03a5011eb9ad71d46d88ab281; _uetvid=c02616903a5011eba4f925c56e3a6d98; _hp2_id.3191608938=%7B%22userId%22%3A%228870436512098155%22%2C%22pageviewId%22%3A%228260361896611674%22%2C%22sessionId%22%3A%226911717111787163%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D

The endpoint is the following:
https://marketing.blueboard.com/hs-fs/hubfs/Blueboard_Logo_Blue-2.png?c4qkjwjs9i=1rrreee

The extension gives the following error:

Using albinowaxUtils v0.16
Loaded Param Miner v1.26
   CACHE_ONLY false
Updating active thread pool size to 8
Queued 1 attacks
Attack aborted by exception
Error in thread: begin 1, end 0, length 0. See error pane for stack trace.

Param Miner version: 1.26
OS : Windows 10 Pro
Burp Suite Professional version: v2020.11.3

Issues with stack length

Setting bucketSize to 2048 due to slow response
Initiating header bruteforce on ac651f331e165c6f809c001e00ea0057.web-security-academy.net
Attack aborted by exception
Error in thread: entry name too long. See error pane for stack trace.

Documentation please?

Why spend time putting together a Burp extension and offering it up publicly if you're not going to put together even the most basic of documentation to explain the options in the Attack Configuration file so people can use the full functionality provided by the extension?
I mean what's the point of even adding functionality without explaining how to use it? Carpet bomb? Twitchy cache poison? btr-_ bypass? Also there's a 'bruteforce' option that's only referred to once in the source code so that's really curious. I'm just saying throw us a bone here.

Add 'Guess body parameters' to context menu for GET requests

Suppose I have a GET request which I'm inspecting from the Target tab

GET /error/HTTP_VARIANT_ALSO_VARIES.html.var HTTP/1.1
Host: 111.222.22.107

When I want to guess body parameters I have to send it to Repeater, change the request method and add a dummy parameter to the request body.

POST /error/HTTP_VARIANT_ALSO_VARIES.html.var HTTP/1.1
Host: 193.33.22.107
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

a=1

Now right-click context menu offers Guess body parameters.

Wouldn't it be handy if I could choose Guess body parameters directly from the Target tab even on GET requests?

java.lang.NullPointerException

Hi,
When I click on Guess Headers + OK, I receive the following trace:

java.lang.NullPointerException
	at burp.OfferParamGuess.createMenuItems(OfferParamGuess.java:25)
	at burp.g6f.a(Unknown Source)
	at burp.gre.a(Unknown Source)
	at burp.k9c.b(Unknown Source)
	at burp.k9c.a(Unknown Source)
	at burp.e8h.a(Unknown Source)
	at burp.e8h.mouseReleased(Unknown Source)
	at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:290)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
