@Override
public void onFail(JSONObject error) {
    // `error` itself is not inspected: a failed scan still refreshes the software
    // table and raises an issue for the cached software entry.
    boolean showVulnSelected = tabComponent.getCbxSoftwareShowVuln().isSelected();
    tabComponent.getSoftwareTable().refreshTable(domains, showVulnSelected);

    SoftwareIssue issue = new SoftwareIssue(
            baseRequestResponse,
            helpers,
            callbacks,
            startStop,
            domains.get(domainName).getSoftware().get(software.getKey()));
    callbacks.addScanIssue(issue);
}
});
@Override
public void onScannerSuccess(Set<Vulnerability> vulnerabilities) {
    // update cache: every reported vulnerability is appended to the cached software entry
    vulnerabilities.forEach(
            domains.get(domainName).getSoftware().get(software.getKey()).getVulnerabilities()::add);

    // update gui component
    boolean showVulnSelected = tabComponent.getCbxSoftwareShowVuln().isSelected();
    tabComponent.getSoftwareTable().refreshTable(domains, showVulnSelected);

    // add Burp issue for the (now updated) cached entry
    SoftwareIssue issue = new SoftwareIssue(
            baseRequestResponse,
            helpers,
            callbacks,
            startStop,
            domains.get(domainName).getSoftware().get(software.getKey()));
    callbacks.addScanIssue(issue);
}
@Override
public void onScannerSuccess(Set<Vulnerability> vulnerabilities) {
    // update cache: the path is mapped to the full vulnerability set
    domains.get(domainName).getPaths().put(path, vulnerabilities);

    // update gui component: one row per scanned path
    Object[] row = {
            domainName,
            path,
            Utils.getMaxScore(vulnerabilities),
            Utils.getVulnersList(vulnerabilities)
    };
    tabComponent.getPathsTable().getDefaultModel().addRow(row);

    // add Burp issue
    PathIssue issue = new PathIssue(baseRequestResponse, helpers, callbacks, path, vulnerabilities);
    callbacks.addScanIssue(issue);
}
});
/*
 * Poll the DNS lookup server log and report every pending insertion point whose
 * marker appears in it as an SSRF finding. Matched entries are removed from
 * requestedInsertionPoints; unmatched ones remain for the next check.
 *
 * @throws IOException if the log URL cannot be parsed
 */
private void check() throws IOException {
    log.info("Trying check SSRF hashes");
    if (requestedInsertionPoints.isEmpty()) {
        return;
    }

    // Fetch the DNS log. NOTE(review): this goes out over plain HTTP (port 80,
    // useHttps=false), so the log is fetched in cleartext — confirm that is intended.
    URL logsUrl = new URL(DNS_LOOKUP_SERVER_LOGS);
    byte[] logsRequest = helpers.buildHttpRequest(logsUrl);
    byte[] logsResponse = callbacks.makeHttpRequest(logsUrl.getHost(), 80, false, logsRequest);
    String dnsLogs = helpers.bytesToString(logsResponse);

    // A plain substring match decides whether a marker was looked up.
    requestedInsertionPoints.entrySet().removeIf(entry -> {
        String marker = entry.getKey();
        if (!dnsLogs.contains(marker)) {
            return false;
        }
        log.warn("SSRF Found: " + marker);
        callbacks.addScanIssue(new SSRFScanIssue(callbacks, marker, entry.getValue()));
        return true;
    });
}
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), reqInfo.getUrl(),
/*******************
 * Handle a Collaborator interaction for this module.
 *
 * The interaction's "interaction_id" property is matched against the
 * Collaborator ids of this module's records; the first match produces a scan
 * issue. Failures while building the issue are logged (message only) and the
 * interaction is still treated as handled.
 *
 * @param interaction The Collaborator interaction object.
 * @return True if a record of this module matched the interaction.
 ******************/
public boolean handleCollaboratorInteraction(IBurpCollaboratorInteraction interaction) {
    String interactionId = interaction.getProperty("interaction_id");
    for (CollaboratorRecord record : _collabRecords) {
        if (!record.getCollaboratorId().equals(interactionId)) {
            continue;
        }
        try {
            _callbacks.addScanIssue(createCollaboratorIssue(record, interaction));
        } catch (Exception ex) {
            // NOTE(review): only ex.getMessage() reaches the debug log; the stack trace is lost.
            dbgLog("FreddyModuleBase[" + _targetName + "]::handleCollaboratorInteraction() exception: " + ex.getMessage());
        }
        return true;
    }
    return false;
}
/**
 * Checks the response body for a Struts CSRF token and reports it when
 * {@link StrutsTokenCracker#testToken(String)} judges it predictable (S2-023).
 * Only the first token matched by {@code TOKEN_FIELD_PATTERN} is tested.
 */
@Override
public void scan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse baseRequestResponse, String reqBody, String respBody, IRequestInfo reqInfo, IResponseInfo respInfo, String httpServerHeader, String contentTypeResponse, String xPoweredByHeader) {
    Matcher tokenMatcher = TOKEN_FIELD_PATTERN.matcher(respBody);
    if (!tokenMatcher.find()) {
        return;
    }
    String tokenValue = tokenMatcher.group(1);
    if (!StrutsTokenCracker.testToken(tokenValue)) {
        return;
    }

    String detail = "The CSRF tokens of the Struts application can be predicted. "
            + "The attacker make a specially craft form using the predicted token that force an action to a logged-in user (CSRF).\n"
            + "<br/><br/>"
            + "<b>References</b>:<br /><br />"
            + "http://struts.apache.org/docs/s2-023.html<br />"
            + "http://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html<br />";

    CustomScanIssue issue = new CustomScanIssue(
            baseRequestResponse.getHttpService(),
            reqInfo.getUrl(),
            baseRequestResponse,
            "Apache Struts S2-023 Predictable CSRF Token",
            detail,
            "Update the remote Struts vulnerable library",
            Risk.Medium,
            Confidence.Certain);
    callbacks.addScanIssue(issue);
}
List<int[]> matches = getMatches(httpResponse, GREP_STRING_CVE20101871, helpers); if (matches.size() > 0) { callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), new URL(url.getProtocol(), url.getHost(), url.getPort(), "/admin-console/login.seam"),
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), new URL(protocol, url.getHost(), url.getPort(), JBOSS_PATH),
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), reqInfo.getUrl(), callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), reqInfo.getUrl(),
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), new URL(protocol, url.getHost(), url.getPort(), JBOSS_jBPM_PATH),
if (!existingIssues.contains(newIssue)) { callbacks.printOutput("Adding NEW scan issue: " + newIssue); callbacks.addScanIssue(newIssue);
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), urlToTest,
callbacks.addScanIssue(new CustomScanIssue( baseRequestResponse.getHttpService(), reqInfo.getUrl(),
/**
 * Looks for the first request parameter whose value carries one of the known
 * markers, rebuilds an insertion point from the value preceding the marker,
 * and reports any reflection guesses found for it. At most one parameter is
 * processed per run.
 */
public void run() {
    IRequestInfo info = Utilities.helpers.analyzeRequest(req);
    // Markers expected inside a parameter value; presumably appended by an
    // earlier stage of the scan — verify against the caller.
    String[] markers = {"%26zq=%253c", "!zq=%253c"};

    for (IParameter param : info.getParameters()) {
        String value = param.getValue();
        String marker = null;
        for (String candidate : markers) {
            if (value.contains(candidate)) {
                marker = candidate;
                break;
            }
        }
        if (marker == null) {
            continue;
        }

        // The original value is everything before the marker.
        String originalValue = value.substring(0, value.indexOf(marker));
        ParamInsertionPoint insertionPoint =
                new ParamInsertionPoint(req.getRequest(), param.getName(), originalValue, param.getType());
        ArrayList<Attack> paramGuesses = guessParams(req, insertionPoint);
        if (!paramGuesses.isEmpty()) {
            Utilities.callbacks.addScanIssue(
                    Utilities.reportReflectionIssue(paramGuesses.toArray(new Attack[0]), req));
        }
        // Only the first marked parameter is handled.
        return;
    }
}
/**
 * Searches the failing response of {@code paramGuess} for a canary derived
 * from one of the recently seen parameter names. A canary that is present in
 * the response but absent from the request that produced it is reported as a
 * persistent ("secret") parameter; the name is then dropped from
 * {@code recentParams} and recorded in {@code alreadyReported}.
 *
 * @param baseRequestResponse request/response the issue is attached to
 * @param paramGuess          attack whose first request/response is inspected
 * @param attackID            suffix appended to every canary
 * @param recentParams        candidate parameter names; the matched one is removed
 * @param currentParams       names to skip; may be {@code null}
 * @param alreadyReported     names already reported; the matched one is added
 * @return {@code true} if exactly one persistent parameter was reported
 */
private static boolean findPersistent(IHttpRequestResponse baseRequestResponse, Attack paramGuess, String attackID, CircularFifoQueue<String> recentParams, ArrayList<String> currentParams, HashSet<String> alreadyReported) {
    ArrayList<String> skip = currentParams == null ? new ArrayList<>() : currentParams;

    byte[] failResp = paramGuess.getFirstRequest().getResponse();
    // Without the base marker in the response there is nothing to correlate.
    if (failResp == null || !Utilities.containsBytes(failResp, "wrtqva".getBytes())) {
        return false;
    }
    byte[] req = paramGuess.getFirstRequest().getRequest();

    Iterator<String> candidates = recentParams.iterator();
    while (candidates.hasNext()) {
        String param = candidates.next();
        if (skip.contains(param) || alreadyReported.contains(param)) {
            continue;
        }
        // Canary is built from the part of the name before the first '~'.
        byte[] canary = Utilities.helpers.stringToBytes(Utilities.toCanary(param.split("~", 2)[0]) + attackID);
        boolean echoedButNotSent =
                Utilities.containsBytes(failResp, canary) && !Utilities.containsBytes(req, canary);
        if (!echoedButNotSent) {
            continue;
        }

        Utilities.out("Identified persistent parameter on "+Utilities.getURL(baseRequestResponse) + ":" + param);
        candidates.remove();
        Utilities.callbacks.addScanIssue(new CustomScanIssue(
                baseRequestResponse.getHttpService(),
                Utilities.getURL(baseRequestResponse),
                paramGuess.getFirstRequest(),
                "Secret parameter",
                "Found persistent parameter: '"+param+"'. Disregard the request and look for " + Utilities.helpers.bytesToString(canary) + " in the response",
                "High",
                "Firm",
                "Investigate"));
        alreadyReported.add(param);
        return true;
    }
    return false;
}
Utilities.callbacks.addScanIssue(Utilities.reportReflectionIssue(paramGuesses.toArray((new Attack[paramGuesses.size()])), req));
Utilities.callbacks.addScanIssue( new CustomScanIssue(req.getHttpService(), reqInfo.getUrl(), new IHttpRequestResponse[]{req}, "Collaborator Pingback ("+interaction.getProperty("type")+"): "+type, message+interaction.getProperties().toString(), severity, "Certain", "Panic"));
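/**
 * Attempts a reflected cache-poisoning check for {@code param}.
 *
 * The payload request (with a fresh URL cache-buster parameter) is sent
 * {@code i} times, then the base request with the same cache-buster is
 * polled every third step; a response containing {@code wrtqv} is reported.
 * On a hit, a second probe carrying {@code ~zxcv\rvcz} is sent and, if that
 * marker lands in the response's header section, the finding is upgraded to
 * "Severe cache poisoning".
 *
 * Fix: the header-section slice of {@code headerSplitResp} was bounded by
 * {@code Utilities.getBodyStart(headerSplitReq)} — the body offset of the
 * request, not of the response being inspected. It now uses the response.
 *
 * @param injector        supplies the service and insertion point
 * @param param           payload to inject; expected to produce {@code wrtqv} in a poisoned response
 * @param base            request replayed (with cache-buster) to observe poisoning
 * @param attackDedication upper bound of the send/poll loops
 * @param i               number of poisoning attempts; also appended to the issue title
 * @param pathSuffix      appended to every request path
 * @return {@code true} if poisoning was observed and an issue was raised
 */
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    IHttpService service = injector.getService();
    byte[] setPoisonReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);
    // Random URL parameter so this attempt does not share a cache entry with earlier ones.
    IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);

    // Runs i times (attackDedication - i .. attackDedication - 1).
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }

    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison = Utilities.attemptRequest(service, Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix));
        if (Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            Utilities.log("Successful cache poisoning check");
            String title = "Cache poisoning";

            // Second probe with a CR-bearing suffix; a fresh cache-buster keeps it separate.
            byte[] headerSplitReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
            cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
            byte[] headerSplitResp = Utilities.attemptRequest(service, Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse();
            // Inspect only the header section of the *response* (was bounded by the request's body offset).
            if (Utilities.containsBytes(Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitResp)), "zxcv\rvcz".getBytes())) {
                title = "Severe cache poisoning";
            }
            title = title + " "+i;
            Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title, "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response", "High", "Firm", "Investigate"));
            return true;
        }
    }
    return false;
}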
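/**
 * Status-code based cache-poisoning check for {@code param}.
 *
 * A payload request is sent {@code attackDedication} times to a canary path,
 * then a differently-marked request for the same path is polled every third
 * step. A status code that differs from the known 404 baseline
 * ({@code get404Code}) is reported as a "Dubious cache poisoning".
 *
 * Fix: {@code return true} was placed after the status check, so the poll loop
 * ran exactly once and the method reported success even when nothing was
 * observed (the trailing {@code return false} was unreachable). It now returns
 * {@code true} only after an issue has been raised.
 *
 * @param injector        supplies the service and insertion point
 * @param param           payload to inject via {@code addStatusPayload}
 * @param attackDedication upper bound of the send/poll loops
 * @param get404Code      baseline status code a non-poisoned fetch is expected to return
 * @return {@code true} if a deviating status code was observed and reported
 */
private boolean tryStatusCache(PayloadInjector injector, String param, int attackDedication, short get404Code) {
    // Random image-looking path suffix; presumably yields a fresh cache key — verify.
    String canary = Utilities.generateCanary()+".jpg";
    byte[] setPoison200Req = injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(addStatusPayload(param)));
    setPoison200Req = Utilities.appendToPath(setPoison200Req, canary);
    byte[] getPoison200Req = injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(addStatusPayload("xyz"+param+"z")));
    getPoison200Req = Utilities.appendToPath(getPoison200Req, canary);

    for (int j = 0; j < attackDedication; j++) {
        Utilities.attemptRequest(injector.getService(), setPoison200Req);
    }

    for (int j = 0; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison200 = Utilities.attemptRequest(injector.getService(), getPoison200Req);
        short getPoison200Code = Utilities.helpers.analyzeResponse(getPoison200.getResponse()).getStatusCode();
        if (getPoison200Code != get404Code) {
            Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison200.getHttpService(), Utilities.getURL(getPoison200), getPoison200, "Dubious cache poisoning " + j, "Cache poisoning: '" + param + "'. Diff based cache poisoning. Good luck confirming", "High", "Tentative", "Investigate"));
            // Report once and stop polling.
            return true;
        }
    }
    return false;
}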