/**
 * Returns the base message annotated for display: {@code startStop} is applied as the
 * response markers and no request markers are set.
 *
 * @return a single-element array holding the marked copy of {@code baseRequestResponse}
 */
@Override
public IHttpRequestResponse[] getHttpMessages() {
    IHttpRequestResponse marked = callbacks.applyMarkers(baseRequestResponse, null, startStop);
    return new IHttpRequestResponse[] { marked };
}
/**
 * Returns the base message for display with no request or response markers applied.
 *
 * @return a single-element array holding the unmarked copy of {@code baseRequestResponse}
 */
@Override
public IHttpRequestResponse[] getHttpMessages() {
    IHttpRequestResponse unmarked = callbacks.applyMarkers(baseRequestResponse, null, null);
    return new IHttpRequestResponse[] { unmarked };
}
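/**
 * Applies request and response markers to an attack message so the payload and every
 * matching response fragment are highlighted in the issue view.
 *
 * @param attack            the attack request/response to annotate
 * @param responseHighlight substring to mark wherever it occurs in the response; {@code null} marks nothing
 * @param requestHighlight  payload to locate in the request through the insertion point; ignored when
 *                          {@code null} or at most two characters long (presumably to avoid noisy matches
 *                          on very short payloads — the original threshold is kept unchanged)
 * @param insertionPoint    insertion point used to resolve the payload's offsets in the request
 * @return the same message with markers applied
 */
static IHttpRequestResponse highlightRequestResponse(IHttpRequestResponse attack, String responseHighlight, String requestHighlight, IScannerInsertionPoint insertionPoint) {
    List<int[]> requestMarkers = new ArrayList<>(1);
    if (requestHighlight != null && requestHighlight.length() > 2) {
        // The Burp API documents getPayloadOffsets as returning null when the request holds no
        // literal copy of the payload; a null entry in the marker list would break applyMarkers,
        // so only record real offsets.
        // NOTE(review): getBytes() uses the platform default charset — confirm this matches how
        // the payload was encoded into the request (helpers.stringToBytes is the usual choice).
        int[] offsets = insertionPoint.getPayloadOffsets(requestHighlight.getBytes());
        if (offsets != null) {
            requestMarkers.add(offsets);
        }
    }
    List<int[]> responseMarkers = new ArrayList<>(1);
    byte[] response = attack.getResponse();
    // A message without a response (request timed out or was never sent) gets no response markers.
    if (responseHighlight != null && response != null) {
        responseMarkers = getMatches(response, responseHighlight.getBytes(), -1);
    }
    return callbacks.applyMarkers(attack, requestMarkers, responseMarkers);
}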
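/**
 * Applies request and response markers to an attack message so the payload and every
 * matching response fragment are highlighted in the issue view.
 *
 * @param attack            the attack request/response to annotate
 * @param responseHighlight substring to mark wherever it occurs in the response; {@code null} marks nothing
 * @param requestHighlight  payload to locate in the request through the insertion point; ignored when
 *                          {@code null} or at most two characters long (presumably to avoid noisy matches
 *                          on very short payloads — the original threshold is kept unchanged)
 * @param insertionPoint    insertion point used to resolve the payload's offsets in the request
 * @return the same message with markers applied
 */
static IHttpRequestResponse highlightRequestResponse(IHttpRequestResponse attack, String responseHighlight, String requestHighlight, IScannerInsertionPoint insertionPoint) {
    List<int[]> requestMarkers = new ArrayList<>(1);
    if (requestHighlight != null && requestHighlight.length() > 2) {
        // The Burp API documents getPayloadOffsets as returning null when the request holds no
        // literal copy of the payload; a null entry in the marker list would break applyMarkers,
        // so only record real offsets.
        // NOTE(review): getBytes() uses the platform default charset — confirm this matches how
        // the payload was encoded into the request (helpers.stringToBytes is the usual choice).
        int[] offsets = insertionPoint.getPayloadOffsets(requestHighlight.getBytes());
        if (offsets != null) {
            requestMarkers.add(offsets);
        }
    }
    List<int[]> responseMarkers = new ArrayList<>(1);
    byte[] response = attack.getResponse();
    // A message without a response (request timed out or was never sent) gets no response markers.
    if (responseHighlight != null && response != null) {
        responseMarkers = getMatches(response, responseHighlight.getBytes(), -1);
    }
    return callbacks.applyMarkers(attack, requestMarkers, responseMarkers);
}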
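/**
 * Reports a response whose {@code X-XSS-Protection} header is missing or does not enable filtering.
 *
 * @param baseRequestResponse the message the headers were taken from (used for the issue's URL and service)
 * @param headers             response headers as returned by {@code IResponseInfo.getHeaders()}
 * @return an issue when the header is absent or its leading directive is not {@code 1};
 *         {@code null} when filtering is enabled
 */
private IScanIssue analyseHeaders(IHttpRequestResponse baseRequestResponse, List<String> headers) {
    String xXssProtectionHeader = Utils.getHeaderValue(headers, "X-Xss-Protection");
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    // The header's leading directive is 0 (disabled) or 1 (enabled); "mode=block" and
    // "report=<uri>" may follow it. The previous contains("1") test accepted any value with a
    // "1" anywhere in it (e.g. "0; report=/r1"), so only the leading directive is inspected.
    if (xXssProtectionHeader != null && xXssProtectionHeader.trim().startsWith("1")) {
        return null;
    }
    java.net.URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String issueDetails = "The URL <b> " + url.toString() + " </b>\n"
            + "returned an HTTP response without the recommended HTTP header <b>X-XSS-Protection: 1; mode=block</b>";
    return new CustomScanIssue(baseRequestResponse.getHttpService(), url,
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, null)},
            issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
}
}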
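/**
 * Checks every cookie in the base response for a Rails-style {@code data--signature} value whose
 * signature verifies under the default session secret, reporting one issue per such cookie.
 * Each URL is checked only once; later calls for the same URL return {@code null}.
 *
 * @param baseRequestResponse the base message whose response cookies are inspected
 * @param insertionPoint      unused; this check needs no payload insertion
 * @return the issues found, or {@code null} when there is no response, the URL was already
 *         checked, or no cookie verifies
 */
@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    if (resp == null) return null;
    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String urlKey = url.toString();
    // NOTE(review): flags is shared state and this is a check-then-add; if the scanner invokes
    // doScan concurrently, confirm flags is a concurrent set or accept an occasional duplicate.
    if (flags.contains(urlKey)) return null;
    flags.add(urlKey);
    List<IScanIssue> issues = new ArrayList<>();
    for (ICookie c : resp.getCookies()) {
        String value = c.getValue();
        if (value == null || !value.contains("--")) continue;
        // Expected shape is exactly "<data>--<signature>"; anything else is not a signed cookie.
        String[] cookieVal = value.split("--");
        if (cookieVal.length != 2) continue;
        if (!isSignatureValid(cookieVal[0], cookieVal[1])) continue;
        String issueDetails = "Vulnerability detected at <b> " + urlKey + "</b>\n"
                + "Default Ruby Session secret used - can lead to RCE during unmarshalling";
        issues.add(new CustomScanIssue(baseRequestResponse.getHttpService(), url,
                new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null,
                        setCookieMarkers(baseRequestResponse.getResponse()))},
                issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""));
    }
    return issues.isEmpty() ? null : issues;
}

/**
 * Builds a marker over the first {@code Set-Cookie:} header name in the response.
 *
 * @param response raw response bytes
 * @return a single-entry marker list, or {@code null} when the header name is not found
 *         (the previous code emitted a {-1, 11} marker in that case)
 */
private List<int[]> setCookieMarkers(byte[] response) {
    String responseString = helpers.bytesToString(response).toUpperCase();
    int start = responseString.indexOf("SET-COOKIE:");
    if (start < 0) return null;
    List<int[]> markers = new ArrayList<>(1);
    markers.add(new int[]{start, start + "SET-COOKIE:".length()});
    return markers;
}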
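/**
 * Reports a response of a sniffable content type that lacks {@code X-Content-Type-Options: nosniff}.
 *
 * @param baseRequestResponse the message to inspect
 * @return an issue when the header is missing on a response whose content type is in the
 *         checked list (or has no content type at all); {@code null} otherwise, including when
 *         the status code is in {@code ignoreCodes} or there is no parsable response
 */
@Override
public IScanIssue grep(IHttpRequestResponse baseRequestResponse) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    if (resp == null) return null;
    short statusCode = resp.getStatusCode();
    // Integer.valueOf replaces the deprecated boxing constructor; the short still widens to int.
    if (ignoreCodes != null && ignoreCodes.contains(Integer.valueOf(statusCode))) return null;
    List<String> contentTypes = Arrays.asList("application/javascript", "text/css", "image/gif", "text/html",
            "image/x-icon", "image/png", "image/jpg", "image/jpeg", "application/x-javascript");
    List<String> headers = resp.getHeaders();
    String xContentTypeOptionsHeader = Utils.getHeaderValue(headers, "X-Content-Type-Options");
    if (xContentTypeOptionsHeader != null && xContentTypeOptionsHeader.toUpperCase().contains("NOSNIFF")) return null;
    // NOTE(review): this is an exact match against the list, so if Utils.getContentType returns
    // the raw header value including parameters (e.g. "; charset=utf-8") such responses are
    // silently skipped — confirm it strips parameters.
    String contentTypeHeader = Utils.getContentType(resp);
    if (contentTypeHeader != null && !contentTypes.contains(contentTypeHeader.toLowerCase())) return null;
    java.net.URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String issueDetails = "The URL <b> " + url.toString() + "</b>\n"
            + "returned an HTTP response without the recommended HTTP header X-Content-Type-Options";
    return new CustomScanIssue(baseRequestResponse.getHttpService(), url,
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, null)},
            issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
}
}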
/**
 * Builds the scan issue for a payload that produced a Collaborator interaction, with the
 * payload highlighted in the sent request and no response markers.
 *
 * @param payload                 the payload that was sent
 * @param sentRequestResponse     the message carrying that payload
 * @param collaboratorInteraction the interaction that proves the payload was triggered
 * @return the populated issue
 */
private IScanIssue reportIssue(String payload, IHttpRequestResponse sentRequestResponse, IBurpCollaboratorInteraction collaboratorInteraction) {
    List<int[]> requestHighlights = buildRequestHighlights(payload, sentRequestResponse);
    IHttpRequestResponse highlighted = callbacks.applyMarkers(sentRequestResponse, requestHighlights, Collections.emptyList());
    IHttpRequestResponse[] httpMessages = { highlighted };
    String issueDetail = buildIssueDetail(payload, collaboratorInteraction);
    return new CustomScanIssue(
            sentRequestResponse.getHttpService(),
            helpers.analyzeRequest(sentRequestResponse).getUrl(),
            httpMessages,
            issueDetail,
            ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE,
            "", ISSUE_BACKGROUND, REMEDIATION_BACKGROUND);
}
new IHttpRequestResponse[]{this.callbacks.applyMarkers(attack, null, null)}, issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""));
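/**
 * Reports an open redirect when a 3xx response carries a {@code Location} header that matches
 * {@code REDIRECT_PATTERN}.
 *
 * @param requestResponse the attack message to inspect
 * @return an issue with the Location header name marked, or {@code null} when there is no response,
 *         the status is not 3xx, the header is absent, or it does not match the pattern
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    byte[] response = requestResponse.getResponse();
    if (response == null) return null;
    IResponseInfo resp = helpers.analyzeResponse(response);
    if (resp == null || resp.getStatusCode() < 300 || resp.getStatusCode() >= 400) return null;
    List<String> headers = resp.getHeaders();
    String locationHeader = Utils.getHeaderValue(headers, "Location");
    if (locationHeader == null) return null;
    Matcher redirectMatcher = REDIRECT_PATTERN.matcher(locationHeader.toUpperCase());
    if (!redirectMatcher.find()) return null;
    java.net.URL url = helpers.analyzeRequest(requestResponse).getUrl();
    String attackDetails = "A open redirect vulnerability was found at: <b>" + url.toString() + "</b>\n";
    // Mark the header name; if it cannot be located in the raw text, report without markers
    // rather than emitting a {-1, 8} marker.
    String responseText = helpers.bytesToString(response).toUpperCase();
    int start = responseText.indexOf("LOCATION");
    List<int[]> responseMarkers = null;
    if (start >= 0) {
        responseMarkers = new ArrayList<>(1);
        responseMarkers.add(new int[]{start, start + "LOCATION".length()});
    }
    return new CustomScanIssue(requestResponse.getHttpService(), url,
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
            attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
}
}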
new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, null)}, issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""); new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, responseMarkers)}, issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
new IHttpRequestResponse[]{this.callbacks.applyMarkers(attack, requestMarkers, responseMarkers)}, attackDetails, ISSUE_TYPE_CRLF, ISSUE_NAME_CRLF, SEVERITY_CRLF, CONFIDENCE_CRLF, "", ISSUE_BACKGROUND_CRLF, ""); new IHttpRequestResponse[]{this.callbacks.applyMarkers(attack, requestMarkers, responseMarkers)}, attackDetails, ISSUE_TYPE_CR, ISSUE_NAME_CR, SEVERITY_CR, CONFIDENCE_CR, "", ISSUE_BACKGROUND_CR, "");
new IHttpRequestResponse[]{callbacks.applyMarkers(attackRequestResponse, null, null)}, attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""));
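/**
 * Reports an open redirect when a 3xx response carries a {@code Location} header that begins
 * with one of the {@code REDIRECTS} prefixes (compared in upper case).
 *
 * @param requestResponse the attack message to inspect
 * @return an issue with the Location header name marked, or {@code null} when there is no response,
 *         the status is not 3xx, the header is absent, or no prefix matches
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    byte[] response = requestResponse.getResponse();
    if (response == null) return null;
    IResponseInfo resp = helpers.analyzeResponse(response);
    if (resp == null || resp.getStatusCode() < 300 || resp.getStatusCode() >= 400) return null;
    List<String> headers = resp.getHeaders();
    String locationHeader = Utils.getHeaderValue(headers, "Location");
    if (locationHeader == null) return null;
    String upperLocation = locationHeader.toUpperCase();
    boolean matched = false;
    for (String redirect : REDIRECTS) {
        if (upperLocation.startsWith(redirect)) {
            matched = true;
            break;
        }
    }
    if (!matched) return null;
    java.net.URL url = helpers.analyzeRequest(requestResponse).getUrl();
    String attackDetails = "Open redirect vulnerability was found at: <b>" + url.toString() + "</b>\n";
    // Mark the header name; if it cannot be located in the raw text, report without markers
    // rather than emitting a {-1, 8} marker.
    String responseText = helpers.bytesToString(response).toUpperCase();
    int start = responseText.indexOf("LOCATION");
    List<int[]> responseMarkers = null;
    if (start >= 0) {
        responseMarkers = new ArrayList<>(1);
        responseMarkers.add(new int[]{start, start + "LOCATION".length()});
    }
    return new CustomScanIssue(requestResponse.getHttpService(), url,
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
            attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
}
}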
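/**
 * Reports an information-disclosing error page when the response body contains one of the
 * configured {@code Signatures}. JavaScript responses are skipped.
 *
 * @param requestResponse the message to inspect
 * @return an issue with the first matching signature marked, or {@code null} when there is no
 *         response, the content type is JavaScript, or no signature occurs
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    byte[] response = requestResponse.getResponse();
    if (response == null) return null;
    IResponseInfo resp = helpers.analyzeResponse(response);
    if (resp == null) return null;
    // A response with no Content-Type header previously threw a NullPointerException here;
    // treat it as "not JavaScript" and keep scanning.
    String contentTypeHeader = Utils.getContentType(resp);
    if (contentTypeHeader != null && contentTypeHeader.toUpperCase().contains("JAVASCRIPT")) return null;
    String responseText = helpers.bytesToString(response);
    for (String signature : Signatures) {
        int start = responseText.indexOf(signature);
        if (start < 0) continue;
        List<int[]> responseMarkers = new ArrayList<>(1);
        responseMarkers.add(new int[]{start, start + signature.length()});
        java.net.URL url = helpers.analyzeRequest(requestResponse).getUrl();
        String attackDetails = "A exception with information disclosure was found at: <b>" + url.toString() + "</b>\n";
        return new CustomScanIssue(requestResponse.getHttpService(), url,
                new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
                attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
    }
    return null;
}
}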
/**
 * Creates a {@link HttPoxyIssue} for a payload that produced a Collaborator interaction,
 * with the payload highlighted in the sent request and no response markers.
 *
 * @param payload                 the payload that was sent
 * @param sentRequestResponse     the message carrying that payload
 * @param collaboratorInteraction the interaction that proves the payload was triggered
 * @return the populated issue
 */
private IScanIssue reportIssue(String payload, IHttpRequestResponse sentRequestResponse, IBurpCollaboratorInteraction collaboratorInteraction) {
    IHttpRequestResponse highlighted = callbacks.applyMarkers(
            sentRequestResponse,
            buildRequestHighlights(payload, sentRequestResponse),
            emptyList());
    IHttpRequestResponse[] httpMessages = { highlighted };
    return new HttPoxyIssue(
            sentRequestResponse.getHttpService(),
            helpers.analyzeRequest(sentRequestResponse).getUrl(),
            httpMessages,
            payload,
            collaboratorInteraction);
}
new IHttpRequestResponse[]{callbacks.applyMarkers(attackRequestResponse, null, null)}, attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""));
Arrays.asList(heightMarker, widthMarker); return Collections.singletonList((IScanIssue)new ImageSizeIssue( callbacks.applyMarkers(baseRequestResponse, reqMarkers, null), ri.getUrl(), widthParam, heightParam));
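/**
 * Reports JSONP callback injection when the attack payload is reflected within the first
 * {@code BODY_SAMPLE_LEN} bytes of a 200 response body.
 *
 * @param requestResponse the attack message to inspect
 * @param payload         the callback name that was injected
 * @return an issue with the reflected payload marked, or {@code null} when there is no response,
 *         the payload is empty, the status is not 200, or the payload is not reflected
 */
private IScanIssue analyzeResponse(IHttpRequestResponse requestResponse, String payload) {
    byte[] response = requestResponse.getResponse();
    // An empty payload would match at index 0 of any body and produce a false positive.
    if (response == null || payload == null || payload.isEmpty()) return null;
    IResponseInfo resp = helpers.analyzeResponse(response);
    if (resp == null || resp.getStatusCode() != 200) return null;
    int bodyOffset = resp.getBodyOffset();
    // Clamp the sample to the response length so copyOfRange does not zero-pad past the end.
    int sampleEnd = Math.min(response.length, bodyOffset + BODY_SAMPLE_LEN);
    String bodySample = extractPrefix(helpers.bytesToString(Arrays.copyOfRange(response, bodyOffset, sampleEnd)));
    int payloadIndex = bodySample.indexOf(payload);
    if (payloadIndex < 0) return null;
    java.net.URL url = helpers.analyzeRequest(requestResponse).getUrl();
    String attackDetails = "JSONP callback injection was found at: <b>" + url.toString() + "</b>\n";
    // NOTE(review): the marker assumes extractPrefix leaves the sample's leading bytes in place so
    // that an index into the sample is also an index into the body — confirm against its definition.
    List<int[]> responseMarkers = Arrays.asList(new int[]{
            bodyOffset + payloadIndex,
            bodyOffset + payloadIndex + payload.length()
    });
    return new CustomScanIssue(requestResponse.getHttpService(), url,
            new IHttpRequestResponse[]{callbacks.applyMarkers(requestResponse, null, responseMarkers)},
            attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
}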
new IHttpRequestResponse[]{ baseReqRes, _callbacks.applyMarkers(newReqRes, reqMarkers, null)