/**
 * Appends {@code this.replace} as a new header line to the request.
 *
 * <p>If the last header line is a {@code Content-Length:} header it is dropped
 * first so that the appended header is the final one (the original author's
 * note: Content-Length should end up last — presumably buildHttpMessage
 * regenerates it from the body; TODO confirm).
 *
 * @param request the raw HTTP request bytes
 * @return the rebuilt request carrying the extra header and the original body
 */
private byte[] addHeader(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo info = helpers.analyzeRequest(request);
    List<String> headerLines = info.getHeaders();
    int lastIdx = headerLines.size() - 1;
    // Content-Length must not stay the last line; remove it when it is.
    if (headerLines.get(lastIdx).startsWith("Content-Length:")) {
        headerLines.remove(lastIdx);
    }
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    headerLines.add(this.replace);
    return helpers.buildHttpMessage(headerLines, payload);
}
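/**
 * Sends a plain {@code GET /replicator-login HTTP/1.0} to the macro's host so
 * that Burp's session-handling rule fires for that host.
 *
 * <p>The request exists only for its side effect; the returned
 * {@code IHttpRequestResponse} was never read in the original, so the unused
 * local has been removed. The original author's TBD still stands: this also
 * causes an unwanted request to /replicator-login.
 *
 * @param macro           the macro whose URL supplies host, port and protocol
 * @param replicatorPanel currently unused; kept for the existing call sites
 * @throws Exception declared by the original signature; nothing in the body is
 *                   known to throw a checked exception
 */
static void runMacro(MacrosMarshaller.Macro macro, ReplicatorPanel replicatorPanel) throws Exception {
    IExtensionHelpers helpers = BurpExtender.callbacks.getHelpers();
    URL target = macro.getURL();
    IHttpService service = helpers.buildHttpService(target.getHost(), target.getPort(), target.getProtocol());
    List<String> headerLines = Arrays.asList("GET /replicator-login HTTP/1.0", "Host: " + target.getHost());
    byte[] probe = helpers.buildHttpMessage(headerLines, new byte[0]);
    // Fire-and-forget: the response is not needed.
    BurpExtender.callbacks.makeHttpRequest(service, probe);
}
} // closes the enclosing class (its header is outside this listing)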
/**
 * Tags the stored request with a fresh identity header and returns the result.
 *
 * <p>A new hex {@code uniqueId} is drawn from {@code java.util.Random}; it is a
 * correlation marker, not a secret (should it ever need to be unguessable,
 * SecureRandom would be required). {@code IDENTITY_HEADER + uniqueId} is
 * appended as a header line and the message rebuilt on the original body.
 *
 * @return the request bytes including the identity header
 */
byte[] getRequestWithIdentity() {
    uniqueId = Long.toHexString(new Random().nextLong());
    IRequestInfo info = BurpExtender.callbacks.getHelpers().analyzeRequest(request);
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    List<String> headerLines = info.getHeaders();
    headerLines.add(IDENTITY_HEADER + uniqueId);
    return BurpExtender.callbacks.getHelpers().buildHttpMessage(headerLines, payload);
}
} // closes the enclosing class (its header is outside this listing)
/**
 * Rewrites the request line (header index 0) by substituting {@code this.match}
 * with {@code this.replace}: first occurrence only when {@link #replaceFirst()}
 * is true, every occurrence otherwise.
 *
 * <p>Both {@code String.replaceFirst} and {@code replaceAll} treat
 * {@code match} as a regular expression and {@code replace} as a replacement
 * pattern ({@code $1} etc.), exactly as the original did.
 *
 * @param request raw request bytes
 * @return the rebuilt request with the edited first line and the original body
 */
private byte[] updateRequestFirstLine(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo info = helpers.analyzeRequest(request);
    List<String> headerLines = info.getHeaders();
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    String requestLine = headerLines.get(0);
    String rewritten = replaceFirst()
            ? requestLine.replaceFirst(this.match, this.replace)
            : requestLine.replaceAll(this.match, this.replace);
    headerLines.set(0, rewritten);
    return helpers.buildHttpMessage(headerLines, payload);
}
/**
 * Replaces the token inside the stored body and rebuilds the message.
 *
 * @param newToken the replacement token value
 * @return the rebuilt message (same headers, updated body)
 */
@Override
public byte[] replaceToken(String newToken) {
    body = replaceTokenImpl(newToken, body);
    // NOTE(review): getBytes() uses the platform default charset — confirm it matches how body was decoded.
    byte[] bodyBytes = body.getBytes();
    return getHelpers().buildHttpMessage(getHeaders(), bodyBytes);
}
/**
 * Substitutes {@code newToken} into the stored body and rebuilds the message.
 *
 * @param newToken the replacement token value
 * @return the rebuilt message (headers unchanged, body updated)
 */
@Override
public byte[] replaceToken(String newToken) {
    body = replaceTokenImpl(newToken, body);
    // NOTE(review): getBytes() uses the platform default charset — confirm it matches how body was decoded.
    byte[] encodedBody = body.getBytes();
    return getHelpers().buildHttpMessage(getHeaders(), encodedBody);
}
/**
 * Replaces the token in the previously located header line and rebuilds the message.
 *
 * <p>When {@link #positionFound()} is false the header list is left untouched
 * and the message is simply rebuilt from the current headers and body.
 *
 * @param newToken the new token value
 * @return the rebuilt message bytes
 */
public byte[] replaceToken(String newToken) {
    boolean haveIndex = positionFound();
    if (haveIndex) {
        // headerIndex points at the header line that carried the old token
        String replacementLine = this.selectedKeyword + " " + newToken;
        headers.set(this.headerIndex, replacementLine);
    }
    return getHelpers().buildHttpMessage(headers, getBody());
}
} // closes the enclosing class (its header is outside this listing)
/**
 * Rewrites the first {@code Host:} header of the request to {@code host:port}.
 * Any later Host headers are left as they are.
 *
 * @param request raw request bytes
 * @param host    replacement host name
 * @param port    replacement port
 * @return the rebuilt request with the new Host header and the original body
 */
static byte[] changeHost(byte[] request, String host, int port) {
    IRequestInfo info = BurpExtender.callbacks.getHelpers().analyzeRequest(request);
    List<String> headerLines = info.getHeaders();
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    String replacementHost = String.format("Host: %s:%d", host, port);
    int idx = 0;
    for (String line : headerLines) {
        if (line.startsWith("Host:")) {
            headerLines.set(idx, replacementHost);
            break;
        }
        idx++;
    }
    return BurpExtender.callbacks.getHelpers().buildHttpMessage(headerLines, payload);
}
} // closes the enclosing class (its header is outside this listing)
/**
 * Replaces the token in the stored header list and rebuilds the message.
 *
 * @param newToken the replacement token value
 * @return the rebuilt message (updated headers, unchanged body)
 */
@Override
public byte[] replaceToken(String newToken) {
    headers = replaceTokenInHeader(newToken, headers);
    byte[] bodyBytes = getBody();
    return getHelpers().buildHttpMessage(headers, bodyBytes);
}
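/**
 * Removes headers whose name (the text before the first {@code ':'}) matches
 * {@link #getMatch()}.
 *
 * <p>The name is compared with {@code String.matches} (whole-name regex) when
 * {@link #isRegexMatch()} is true, otherwise with {@code equals}. With
 * {@link #replaceFirst()} only the first matching header is dropped, otherwise
 * all of them. The request line has no {@code ':'}, so its "name" is the whole
 * line, as in the original.
 *
 * <p>Changes from the original: the four near-identical stream pipelines are
 * collapsed into one loop plus a name-matching helper, and the name is taken
 * with {@code indexOf} instead of {@code split(":")[0]}, which threw
 * {@code ArrayIndexOutOfBoundsException} on a line consisting only of colons.
 *
 * @param request raw request bytes
 * @return the rebuilt request with the matching header(s) removed and the body unchanged
 */
private byte[] removeHeaderByName(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo info = helpers.analyzeRequest(request);
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    List<String> kept = new ArrayList<>();
    boolean onlyFirst = replaceFirst();
    boolean removedOne = false;
    for (String line : info.getHeaders()) {
        // Once the single allowed removal happened, everything else is kept verbatim.
        boolean drop = !(onlyFirst && removedOne) && headerNameMatches(line);
        if (drop) {
            removedOne = true;
        } else {
            kept.add(line);
        }
    }
    return helpers.buildHttpMessage(kept, payload);
}

/** Compares the header name (text before the first ':') with getMatch(), as regex or literal. */
private boolean headerNameMatches(String headerLine) {
    int colon = headerLine.indexOf(':');
    String name = colon < 0 ? headerLine : headerLine.substring(0, colon);
    return isRegexMatch() ? name.matches(getMatch()) : name.equals(getMatch());
}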
/**
 * Removes every header that starts with {@code Strings.JWTHeaderPrefix} from the
 * stored message (request or response, depending on {@code isRequest}) and
 * rebuilds it with the body unchanged.
 */
public void cleanJWTHeaders() {
    List<String> headerLines;
    int bodyStart;
    if (isRequest) {
        IRequestInfo info = helpers.analyzeRequest(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    } else {
        IResponseInfo info = helpers.analyzeResponse(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    }
    // Collect first, then remove, so the list is not modified while being iterated.
    List<String> jwtHeaders = new ArrayList<String>();
    for (String line : headerLines) {
        if (line.startsWith(Strings.JWTHeaderPrefix)) {
            jwtHeaders.add(line);
        }
    }
    headerLines.removeAll(jwtHeaders);
    byte[] payload = Arrays.copyOfRange(message, bodyStart, message.length);
    this.message = helpers.buildHttpMessage(headerLines, payload);
}
/**
 * Replaces header lines equal to (or, with {@code isRegexMatch}, fully matching)
 * {@code this.match} with {@code this.replace}; only the first hit when
 * {@link #replaceFirst()} is true. Empty header lines are not copied into the
 * result (the original author notes they break the rebuilt message).
 *
 * @param request raw request bytes
 * @return the rebuilt request with the edited headers and the original body
 */
private byte[] updateHeader(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo info = helpers.analyzeRequest(request);
    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    ArrayList<String> rebuilt = new ArrayList<>();
    boolean replacedOnce = false;
    for (String line : info.getHeaders()) {
        String out = line;
        // Keep replacing unless "first only" is set and a replacement already happened.
        boolean mayReplace = !(replaceFirst() && replacedOnce);
        if (mayReplace) {
            boolean hit = this.isRegexMatch ? line.matches(this.match) : line.equals(this.match);
            if (hit) {
                out = this.replace;
                replacedOnce = true;
            }
        }
        if (!out.equals("")) {
            rebuilt.add(out);
        }
    }
    return helpers.buildHttpMessage(rebuilt, payload);
}
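/**
 * Re-sends {@code req} with the first header that starts with {@code headerName}
 * (compared case-insensitively) replaced by {@code newHeader}, then records the
 * response through {@link #addResponse}.
 *
 * <p>Any failure is written to Burp's stderr stream. The original wrapped
 * {@code getStderr()} in a PrintWriter and never flushed it, so the error text
 * could stay in the writer's buffer and never appear; the writer is now
 * flushed. A null exception message no longer causes a secondary
 * NullPointerException, and the lower-casing uses {@code Locale.ROOT} so the
 * comparison does not depend on the JVM's default locale.
 *
 * @param req the request/response pair whose request is replayed
 */
private void runRequest(IHttpRequestResponse req) {
    try {
        byte[] rawRequest = req.getRequest();
        IRequestInfo reqInfo = burpCallback.getHelpers().analyzeRequest(rawRequest);
        List<String> headers = reqInfo.getHeaders();
        // Only the first matching header is replaced; headerName is assumed to be lower-case (TODO confirm).
        for (int h = 0; h < headers.size(); h++) {
            if (headers.get(h).toLowerCase(java.util.Locale.ROOT).startsWith(headerName)) {
                headers.set(h, newHeader);
                break;
            }
        }
        byte[] body = Arrays.copyOfRange(rawRequest, reqInfo.getBodyOffset(), rawRequest.length);
        byte[] message = burpCallback.getHelpers().buildHttpMessage(headers, body);
        IHttpRequestResponse resp = burpCallback.makeHttpRequest(req.getHttpService(), message);
        addResponse(req, resp);
    } catch (Throwable e) {
        PrintWriter writer = new PrintWriter(burpCallback.getStderr());
        writer.write(String.valueOf(e.getMessage()));
        writer.write("\n");
        e.printStackTrace(writer);
        writer.flush(); // without this the buffered text may never reach stderr
    }
}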
/**
 * Replaces any existing {@code Authorization} header on the request with the
 * configured value and writes the modified request back into {@code messageInfo}.
 *
 * <p>The header value is {@code authConfig.getAuthPassword()} used verbatim, so
 * it is assumed to hold the complete credential including its scheme
 * (TODO confirm against the config UI).
 *
 * @param messageInfo the intercepted message; {@code null} is ignored
 * @return always {@code true}
 */
public boolean doAuth(IHttpRequestResponse messageInfo) {
    if (messageInfo == null) {
        return true;
    }
    byte[] original = messageInfo.getRequest();
    IRequestInfo info = helpers.analyzeRequest(original);
    List<String> rebuilt = new ArrayList<String>();
    for (String line : info.getHeaders()) {
        // drop every existing Authorization header, whatever its letter case
        if (!line.toUpperCase().startsWith("AUTHORIZATION:")) {
            rebuilt.add(line);
        }
    }
    rebuilt.add("Authorization: " + authConfig.getAuthPassword());
    String asText = helpers.bytesToString(original);
    int bodyStart = info.getBodyOffset();
    byte[] body = asText.length() > bodyStart
            ? helpers.stringToBytes(asText.substring(bodyStart))
            : "".getBytes();
    messageInfo.setRequest(helpers.buildHttpMessage(rebuilt, body));
    return true;
}
/**
 * Header-insertion-point scan check: sends the base request with a single
 * {@code Proxy: http://<collaborator payload>} header (any pre-existing Proxy
 * headers removed first) and reports an issue if the Collaborator server
 * records an interaction for that payload.
 *
 * @param baseRequestResponse the request to probe
 * @param insertionPoint      only {@code INS_HEADER} insertion points are handled
 * @return a single-issue list, or {@code null} when not applicable or no interaction was seen
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }
    IBurpCollaboratorClientContext collab = callbacks.createBurpCollaboratorClientContext();
    String payload = collab.generatePayload(true);
    String proxyHeader = "Proxy: http://" + payload;
    IRequestInfo info = helpers.analyzeRequest(baseRequestResponse);
    List<String> headerLines = info.getHeaders();
    // replace, rather than duplicate, any Proxy header already present
    headerLines.removeIf(line -> line != null && line.toLowerCase().startsWith("proxy:"));
    headerLines.add(proxyHeader);
    byte[] body = substring(baseRequestResponse.getRequest(), info.getBodyOffset());
    byte[] probe = helpers.buildHttpMessage(headerLines, body);
    IHttpRequestResponse probeResult = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probe);
    List<IBurpCollaboratorInteraction> hits = collab.fetchCollaboratorInteractionsFor(payload);
    if (hits.isEmpty()) {
        return null;
    }
    List<IScanIssue> issues = new ArrayList<>();
    issues.add(reportIssue(proxyHeader, probeResult, hits.get(0)));
    return issues;
}
/**
 * Appends {@code headerToAdd} as the last header of the stored message
 * (request or response, depending on {@code isRequest}) and rebuilds the
 * message with the body unchanged.
 *
 * @param headerToAdd the complete header line to append, e.g. {@code Name: value}
 */
public void addHeader(String headerToAdd) {
    List<String> headerLines;
    int bodyStart;
    if (isRequest) {
        IRequestInfo info = helpers.analyzeRequest(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    } else {
        IResponseInfo info = helpers.analyzeResponse(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    }
    headerLines.add(headerToAdd);
    byte[] payload = Arrays.copyOfRange(message, bodyStart, message.length);
    this.message = helpers.buildHttpMessage(headerLines, payload);
}
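/**
 * Removes the named cookies from {@code request}; if that leaves a bare
 * {@code "Cookie: "} header line, that line is removed as well.
 *
 * <p>The original walked the header list forward with an index while removing
 * from it (which skips the element following each removal) and rebuilt the
 * request inside the loop. This version walks backwards, so removals cannot
 * skip entries, and rebuilds the request once, only when a line was removed.
 *
 * @param cookieNames names of the cookies to strip
 */
void scrubCookies(Collection<String> cookieNames) {
    IExtensionHelpers helpers = BurpExtender.callbacks.getHelpers();
    for (String cookieName : cookieNames) {
        IParameter cookie = helpers.buildParameter(cookieName, "", IParameter.PARAM_COOKIE);
        request = helpers.removeParameter(request, cookie);
    }
    IRequestInfo requestInfo = helpers.analyzeRequest(request);
    byte[] body = Arrays.copyOfRange(request, requestInfo.getBodyOffset(), request.length);
    List<String> headers = requestInfo.getHeaders();
    boolean removedAny = false;
    for (int i = headers.size() - 1; i >= 0; i--) {
        // An empty "Cookie: " line may be left behind once the last cookie is gone; drop it.
        if (headers.get(i).equals("Cookie: ")) {
            headers.remove(i);
            removedAny = true;
        }
    }
    if (removedAny) {
        request = helpers.buildHttpMessage(headers, body);
    }
}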
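/**
 * Sends the base request once per entry of {@code Payloads}, with the payload
 * appended to the request path, and collects the issues returned by
 * {@link #analyzeResponse}. Each URL is scanned only once; {@code flags}
 * remembers the ones already done.
 *
 * <p>Changes from the original: a null response is rejected before it is handed
 * to {@code analyzeResponse}, the null checks use short-circuit {@code ||}
 * instead of the bitwise {@code |}, the body is extracted once instead of on
 * every iteration, and the redundant
 * {@code if (issues.size() > 0) return issues; return issues;} is collapsed. An
 * empty list is still returned when nothing was found.
 *
 * @param baseRequestResponse the request to mutate and replay
 * @param insertionPoint      unused here
 * @return the issues found (possibly empty), or {@code null} when the message
 *         could not be analysed or the URL was already scanned
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (baseRequestResponse.getResponse() == null) {
        return null;
    }
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {
        return null;
    }
    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String urlKey = url.toString();
    if (flags.contains(urlKey)) {
        return null;
    }
    flags.add(urlKey);
    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<String> headers = req.getHeaders();
    // The body does not depend on the payload, so extract it once.
    byte[] body = helpers.stringToBytes(helpers.bytesToString(baseRequestResponse.getRequest()).substring(req.getBodyOffset()));
    String requestLinePrefix = req.getMethod() + " " + url.getPath();
    for (String payload : Payloads) {
        headers.set(0, requestLinePrefix + payload + " HTTP/1.1");
        byte[] modifiedReq = helpers.buildHttpMessage(headers, body);
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, modifiedReq);
        IScanIssue res = analyzeResponse(attack);
        if (res != null) {
            issues.add(res);
        }
    }
    return issues;
}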
/**
 * Builds a copy of the base request carrying {@code proxyPrefixedPayload} as
 * its only proxy header: existing proxy headers are removed by
 * {@link #stripProxyHeaders}, the payload header is appended, and the message
 * is rebuilt on top of the original body.
 *
 * @param baseRequestResponse  the request to copy
 * @param proxyPrefixedPayload the complete header line to add
 * @return the rebuilt request bytes
 */
private byte[] buildRequest(IHttpRequestResponse baseRequestResponse, String proxyPrefixedPayload) {
    IRequestInfo info = helpers.analyzeRequest(baseRequestResponse);
    List<String> headerLines = info.getHeaders();
    stripProxyHeaders(headerLines);
    headerLines.add(proxyPrefixedPayload);
    byte[] body = substring(baseRequestResponse.getRequest(), info.getBodyOffset());
    return helpers.buildHttpMessage(headerLines, body);
}
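/**
 * Response-header reflection check on the request path: first sends a request
 * whose path is a random UUID and, only if the UUID is reflected in the
 * response headers, replays it once per {@code CRLFSplitters} entry with the
 * splitter and {@code CRLFHeader} spliced into the UUID. The first non-null
 * result of {@link #analyzeResponse} is returned.
 *
 * <p>Changes from the original: the request body is extracted once (it never
 * depends on the payload) and {@code replaceAll("-", "")} became the literal
 * {@code replace}; the null checks on the probe response are unchanged.
 *
 * @param baseRequestResponse the request to mutate and replay
 * @param insertionPoint      passed through to {@link #analyzeResponse}
 * @return the issue found, or {@code null}
 */
public IScanIssue scanRootDirectory(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<String> reqHeaders = req.getHeaders();
    // Body is payload-independent; compute it once.
    byte[] body = helpers.stringToBytes(helpers.bytesToString(baseRequestResponse.getRequest()).substring(req.getBodyOffset()));
    String method = req.getMethod();
    String uuid = UUID.randomUUID().toString().replace("-", "");
    reqHeaders.set(0, method + " /" + uuid + " HTTP/1.1");
    byte[] modifiedReq = helpers.buildHttpMessage(reqHeaders, body);
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService, modifiedReq);
    if (checkUUID == null || checkUUID.getResponse() == null) {
        return null;
    }
    String respHeaders = String.join("\n", this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (!respHeaders.contains(uuid)) {
        // Path is not reflected into response headers, so nothing further can be observed.
        return null;
    }
    for (String payload : CRLFSplitters) {
        // NOTE(review): substring(6) skips character 5 of the uuid, as in the original — confirm this is intended.
        String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
        reqHeaders.set(0, method + " /" + finalPayload + " HTTP/1.1");
        modifiedReq = helpers.buildHttpMessage(reqHeaders, body);
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, modifiedReq);
        IScanIssue res = analyzeResponse(attack, insertionPoint, finalPayload);
        if (res != null) {
            return res;
        }
    }
    return null;
}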