/**
 * Returns the suffix appended to guessed values when the "fuzz detect" setting is on.
 *
 * <p>The suffix is a fixed run of markup, quote, template and escape characters; with the
 * setting off an empty string is returned so callers can append it unconditionally.
 *
 * @return the fuzz suffix, or {@code ""} when "fuzz detect" is disabled
 */
static String fuzzSuffix() {
    boolean fuzzDetect = Utilities.globalSettings.getBoolean("fuzz detect");
    return fuzzDetect ? "<a`'\"${{\\" : "";
}
/**
 * Writes {@code message} to {@code stdout}, but only while the "debug" setting is enabled.
 *
 * @param message the text to print; nothing is printed when debugging is off
 */
static void log(String message) {
    if (!Utilities.globalSettings.getBoolean("debug")) {
        return;
    }
    stdout.println(message);
}
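/**
 * Percent-encodes {@code payload} for use as a parameter value.
 *
 * <p>Every character is encoded when the "encode everything" setting is on; otherwise only
 * characters present in {@code badChars} are. Each encoded character is written as {@code %}
 * followed by at least two lowercase hex digits. The previous implementation emitted a single
 * digit for code points below 0x10 (a newline became {@code %a}), which a decoder reads as
 * {@code %a} plus the following character — i.e. a different byte — so the digit is now
 * zero-padded ({@code %0a}).
 *
 * @param payload the raw value to encode
 * @return the encoded value; characters above 0xff are still written as one wider hex group
 *     rather than as UTF-8 bytes, unchanged from the earlier behaviour
 */
static String encodeParam(String payload) {
    boolean encodeEverything = globalSettings.getBoolean("encode everything");
    StringBuilder encoded = new StringBuilder(payload.length());
    for (char c : payload.toCharArray()) {
        if (encodeEverything || badChars.contains(c)) {
            encoded.append('%');
            String hex = Integer.toHexString(c);
            if (hex.length() < 2) {
                encoded.append('0'); // percent-encoding requires two hex digits per byte
            }
            encoded.append(hex);
        } else {
            encoded.append(c);
        }
    }
    return encoded.toString();
}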
/**
 * Passive-scan hook that never reports issues.
 *
 * <p>When the "learn observed words" setting is enabled the message is handed to
 * {@code paramGrabber.saveParams}, presumably so parameter names seen in live traffic can be
 * reused later; otherwise the message is ignored.
 *
 * @param baseRequestResponse the observed request/response pair
 * @return a new, empty, mutable list
 */
@Override
public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
    List<IScanIssue> noIssues = new ArrayList<>();
    boolean learnWords = Utilities.globalSettings.getBoolean("learn observed words");
    if (learnWords) {
        paramGrabber.saveParams(baseRequestResponse);
    }
    return noIssues;
}
for (int i=0; i<max; i++) { String param = params.get(i); if (param.contains("-") && Utilities.globalSettings.getBoolean("try -_ bypass")) { params.add(param.replace("-", "_"));
/**
 * Feeds parameter names discovered during an attack back into the guessing buckets.
 *
 * <p>Does nothing unless the "dynamic keyload" setting is on. Each key that is not already in
 * {@code state.valueParams}, {@code state.params} or {@code candidates} (the latter checked both
 * for the raw key and for the second element of {@code Keysmith.parseKey(key)}) is logged,
 * recorded in {@code state.valueParams}, collected, and the attack's first request is passed to
 * {@code paramGrabber.saveParams}. The collected keys are then added to {@code paramBuckets}.
 *
 * @param keys candidate keys observed in responses
 * @param state attack state whose {@code valueParams} is updated in place
 * @param bucketSize not used by this method
 * @param paramBuckets receives the newly discovered keys
 * @param candidates keys already queued for guessing
 * @param paramGuess the attack whose first request is saved for learning
 */
private void addNewKeys(ArrayList<String> keys, ParamAttack state, int bucketSize, ParamHolder paramBuckets, ArrayList<String> candidates, Attack paramGuess) {
    if (!config.getBoolean("dynamic keyload")) {
        return;
    }
    ArrayList<String> newlyFound = new ArrayList<>();
    for (String key : keys) {
        String[] parsed = Keysmith.parseKey(key);
        // Short-circuit order kept: parsed[1] is only touched once the cheaper checks fail.
        boolean alreadyKnown = state.valueParams.contains(key)
                || state.params.contains(key)
                || candidates.contains(parsed[1])
                || candidates.contains(key);
        if (alreadyKnown) {
            continue;
        }
        Utilities.log("Found new key: " + key);
        state.valueParams.add(key);
        newlyFound.add(key); // fixme probably adds the key in the wrong format
        paramGrabber.saveParams(paramGuess.getFirstRequest());
    }
    paramBuckets.addParams(newlyFound, true);
}
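/**
 * Builds the set of parameter names that must not be guessed for the given parameter type.
 *
 * <p>Cookies skip a few well-known names ({@code __cfduid}, {@code PHPSESSID},
 * {@code csrftoken}) plus the cookie keys already present on the base request; URL parameters
 * skip {@code lang} plus the URL/body keys already present. Header handling adds
 * {@code Utilities.boringHeaders} when "skip boring words" is set. When "only report unique
 * params" is set, everything in {@code Utilities.reportedParams} is excluded as well.
 *
 * <p>Fix: the type sets handed to {@code Keysmith.getParamKeys} were previously built with
 * {@code new HashSet<>(IParameter.PARAM_COOKIE)} and
 * {@code new HashSet<>(IParameter.PARAM_URL, IParameter.PARAM_BODY)}. Those byte constants
 * bind to the {@code HashSet(int)} / {@code HashSet(int, float)} capacity constructors, so
 * every call received an empty set rather than the intended parameter types. They are now built
 * through {@link #paramTypes(byte...)}.
 *
 * <p>NOTE(review): the switch falls through from {@code PARAM_URL} into {@code PARAM_BODY} and
 * {@code PARAM_HEADER}; only the cookie case breaks. That behaviour is preserved here because
 * its intent cannot be confirmed from this method alone.
 *
 * @param type one of the {@code IParameter.PARAM_*} constants or {@code Utilities.PARAM_HEADER}
 * @return a new mutable set of names to exclude
 */
private HashSet<String> getBlacklist(byte type) {
    HashSet<String> blacklist = new HashSet<>();
    byte[] baseRequest = baseRequestResponse.getRequest();
    switch (type) {
        case IParameter.PARAM_COOKIE:
            blacklist.add("__cfduid");
            blacklist.add("PHPSESSID");
            blacklist.add("csrftoken");
            blacklist.addAll(Keysmith.getParamKeys(baseRequest, paramTypes(IParameter.PARAM_COOKIE)));
            break;
        case IParameter.PARAM_URL:
            blacklist.add("lang");
            blacklist.addAll(Keysmith.getParamKeys(baseRequest, paramTypes(IParameter.PARAM_URL, IParameter.PARAM_BODY)));
            // falls through (as in the original) into the body and header cases
        case IParameter.PARAM_BODY:
            blacklist.addAll(Keysmith.getParamKeys(baseRequest, paramTypes(IParameter.PARAM_URL, IParameter.PARAM_BODY)));
            // falls through (as in the original) into the header case
        case Utilities.PARAM_HEADER:
            if (Utilities.globalSettings.getBoolean("skip boring words")) {
                blacklist.addAll(Utilities.boringHeaders);
            }
            // falls through to default, which only breaks
        default:
            break;
    }
    if (Utilities.globalSettings.getBoolean("only report unique params")) {
        blacklist.addAll(Utilities.reportedParams);
    }
    return blacklist;
}

/**
 * Collects parameter-type constants into a set, avoiding the {@code HashSet(int)} capacity
 * constructor that a bare byte argument would otherwise select.
 *
 * @param types zero or more {@code IParameter.PARAM_*} style byte constants
 * @return a mutable set containing exactly those values
 */
private static HashSet<Byte> paramTypes(byte... types) {
    HashSet<Byte> typeSet = new HashSet<>();
    for (byte t : types) {
        typeSet.add(t);
    }
    return typeSet;
}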
if (Utilities.globalSettings.getBoolean("auto-nest params")) { int max = 0; for (Map.Entry<String, Integer> entry : freq.entrySet()) {
box.setSelected(getBoolean(key)); panel.add(box); configured.put(key, box);
if (globalSettings.getBoolean("scan path")) { params.add(new PartialParam("path", i, i)); if(globalSettings.getBoolean("scan headers")) { String[] to_poison = globalSettings.getString("target headers").split(","); while (i < end) {
box.setSelected(getBoolean(key)); panel.add(box); configured.put(key, box);
box.setSelected(getBoolean(key)); panel.add(box); configured.put(key, box);
private void launchScan(IHttpRequestResponse messageInfo) { if (!Utilities.globalSettings.getBoolean("enable auto-mine")) { return; if (!alreadyScanned.contains(broadCode)){ if (Utilities.globalSettings.getBoolean("auto-mine headers")) { taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(messageInfo), false, Utilities.PARAM_HEADER, this, taskEngine, Utilities.globalSettings.getInt("rotation interval"), Utilities.globalSettings)); if (Utilities.globalSettings.getBoolean("auto-mine cookies")) { taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(messageInfo), false, IParameter.PARAM_COOKIE, this, taskEngine, Utilities.globalSettings.getInt("rotation interval"), Utilities.globalSettings)); if (!Utilities.globalSettings.getBoolean("auto-mine params")) { return;
if (config.getBoolean("max one per host")) { cache_size = queueSize; boolean useKeyCache = config.getBoolean("max one per host+status"); if (config.getBoolean("skip uncacheable") && (type == IParameter.PARAM_COOKIE || type == Utilities.PARAM_HEADER)) { canSkip = true; if(config.getBoolean("max one per host")) { break;
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { if(!(Utilities.globalSettings.getBoolean("try transformation scan") || Utilities.globalSettings.getBoolean("try diffing scan"))) { Utilities.out("Aborting scan - all scanner checks disabled"); return issues; if (Utilities.globalSettings.getBoolean("try transformation scan")) { issues.add(transformationScan.findTransformationIssues(baseRequestResponse, insertionPoint)); if (Utilities.globalSettings.getBoolean("try diffing scan")) { issues.add(diffingScan.findReflectionIssues(baseRequestResponse, insertionPoint)); IHttpRequestResponse newBase = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), arrayInsertionPoint.buildRequest(newParam.getValue().getBytes())); if (Utilities.globalSettings.getBoolean("try transformation scan")) { issues.add(transformationScan.findTransformationIssues(newBase, arrayInsertionPoint)); if (Utilities.globalSettings.getBoolean("try diffing scan")) { issues.add(diffingScan.findReflectionIssues(newBase, arrayInsertionPoint));
if (Utilities.globalSettings.getBoolean("enable auto-mine")) { tasks = new PriorityBlockingQueue<>(1000, new RandomComparator());
/**
 * Rewrites the request on {@code messageInfo} with cache-busting values.
 *
 * <p>Any occurrence of the {@code $randomplz} placeholder is replaced by a fresh canary and the
 * result passed through {@code Utilities.fixContentLength}. Then, depending on settings, a URL
 * parameter with value {@code "1"} is appended: its name is a freshly generated canary when
 * "Add dynamic cachebuster" is on, otherwise the fixed {@code fcbz} when "Add 'fcbz' cachebuster"
 * is on; with neither setting no parameter is added. The request is modified in place.
 *
 * @param messageInfo the message whose request is updated
 */
private void addCacheBusters(IHttpRequestResponse messageInfo) {
    byte[] placeHolder = Utilities.helpers.stringToBytes("$randomplz");
    byte[] request = messageInfo.getRequest();
    if (Utilities.countMatches(request, placeHolder) > 0) {
        byte[] canaryBytes = Utilities.helpers.stringToBytes(Utilities.generateCanary());
        byte[] replaced = Utilities.replace(request, placeHolder, canaryBytes);
        messageInfo.setRequest(Utilities.fixContentLength(replaced));
    }

    String cacheBusterName;
    if (Utilities.globalSettings.getBoolean("Add dynamic cachebuster")) {
        cacheBusterName = Utilities.generateCanary();
    } else if (Utilities.globalSettings.getBoolean("Add 'fcbz' cachebuster")) {
        cacheBusterName = "fcbz";
    } else {
        return; // neither cachebuster setting is on
    }

    // Re-read the request: it may have been rewritten by the placeholder step above.
    IParameter cacheBuster = burp.Utilities.helpers.buildParameter(cacheBusterName, "1", IParameter.PARAM_URL);
    messageInfo.setRequest(Utilities.helpers.addParameter(messageInfo.getRequest(), cacheBuster));
}
invertedBase = Utilities.helpers.toggleRequestMethod(baseRequestResponse.getRequest()); altBase = new Attack(Utilities.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), invertedBase)); if(Utilities.helpers.analyzeResponse(altBase.getFirstRequest().getResponse()).getStatusCode() != 404 && Utilities.globalSettings.getBoolean("try method flip")) { altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), invertedBase))); altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), invertedBase))); paramBuckets.addParams(params, false); if (!config.getBoolean("dynamic keyload")) { params = null; valueParams = null;
private void scanParam(ParamInsertionPoint insertionPoint, PayloadInjector injector, String scanBasePayload) { if(!Utilities.globalSettings.getBoolean("scan identified params")) { return;
private boolean cachePoison(PayloadInjector injector, String param, IHttpRequestResponse baseResponse) { if (!Utilities.globalSettings.getBoolean("try cache poison")) { return false;