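/**
 * Reports whether {@code data} starts with the HTTP response-line marker {@code "HTTP/"}.
 *
 * <p>The marker is five bytes long; comparing only the first four bytes (as a
 * {@code copyOfRange(data, 0, 4)} does) can never equal {@code "HTTP/"}. Inputs that are
 * {@code null} or shorter than the marker are not responses.
 *
 * @param data raw message bytes, may be {@code null}
 * @return {@code true} iff the first five bytes are exactly {@code HTTP/}
 */
static boolean isResponse(byte[] data) {
    final byte[] marker = {'H', 'T', 'T', 'P', '/'};
    if (data == null || data.length < marker.length) {
        return false;
    }
    for (int i = 0; i < marker.length; i++) {
        if (data[i] != marker[i]) {
            return false;
        }
    }
    return true;
}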
/**
 * Splits {@code request} into its header and body sections and parses the body as JSON
 * so that parameter names can later be inserted into the JSON tree.
 *
 * @param request  the full raw request
 * @param name     insertion-point name, passed through to the superclass
 * @param value    base value, passed through to the superclass
 * @param type     insertion-point type, passed through to the superclass
 * @param attackID identifier of the attack this insertion point belongs to
 */
public JsonParamNameInsertionPoint(byte[] request, String name, String value, byte type, String attackID) {
    super(request, name, value, type);
    this.attackID = attackID;
    // Everything before the body offset is kept verbatim as the header block.
    final int bodyOffset = Utilities.getBodyStart(request);
    headers = Arrays.copyOfRange(request, 0, bodyOffset);
    body = Arrays.copyOfRange(request, bodyOffset, request.length);
    baseInput = Utilities.helpers.bytesToString(body);
    // Parsed once here; presumably the parser throws on a non-JSON body.
    root = new JsonParser().parse(baseInput);
}
/**
 * Returns the body section of {@code response} as a string.
 *
 * @param response raw response bytes, may be {@code null}
 * @return the body text, or the empty string when {@code response} is {@code null}
 */
static String getBody(byte[] response) {
    if (response == null) {
        return "";
    }
    final int offset = Utilities.getBodyStart(response);
    final byte[] bodyBytes = Arrays.copyOfRange(response, offset, response.length);
    return Utilities.helpers.bytesToString(bodyBytes);
}
/**
 * Reads the value of the named header from a raw request.
 *
 * @param request raw request bytes
 * @param header  header name to look up
 * @return the header value delimited by the offsets from {@link #getHeaderOffsets}
 */
public static String getHeader(byte[] request, String header) {
    // span[1]..span[2] delimits the value; span[0] is not used here.
    // NOTE(review): what getHeaderOffsets returns for a missing header is not visible in this block.
    final int[] span = getHeaderOffsets(request, header);
    final byte[] valueBytes = Arrays.copyOfRange(request, span[1], span[2]);
    return helpers.bytesToString(valueBytes);
}
/**
 * Reads the value of the named header from a raw request.
 *
 * @param request raw request bytes
 * @param header  header name to look up
 * @return the header value delimited by the offsets from {@link #getHeaderOffsets}
 */
public static String getHeader(byte[] request, String header) {
    // span[1]..span[2] delimits the value; span[0] is not used here.
    // NOTE(review): what getHeaderOffsets returns for a missing header is not visible in this block.
    final int[] span = getHeaderOffsets(request, header);
    final byte[] valueBytes = Arrays.copyOfRange(request, span[1], span[2]);
    return helpers.bytesToString(valueBytes);
}
/**
 * Builds the HTML issue detail: a fixed description followed by each marked
 * response fragment, HTML-escaped, one per line.
 *
 * @return the issue detail as HTML
 */
@Override
public String getIssueDetail() {
    final String responseText =
            callbacks.getHelpers().bytesToString(requestResponse.getResponse());
    final List<int[]> markers =
            ((IHttpRequestResponseWithMarkers) requestResponse).getResponseMarkers();

    final StringBuilder html = new StringBuilder(
            "CSRF attack possible in this form. Please read more completely about this in OWASP TOP-10");
    for (int[] span : markers) {
        // Marked fragments come straight from the response, so they are escaped before rendering.
        final String fragment = responseText.substring(span[0], span[1]);
        html.append("<br/>").append(StringEscapeUtils.escapeHtml4(fragment));
    }
    // Remote image reference; fetched by whatever renders the issue detail.
    html.append("<br/><img src=\"http://www.terrariaonline.com/attachments/small-trollface-jpg.9747/\">");
    return html.toString();
}
/**
 * Collects how the probe between the two anchors came back in {@code response}.
 *
 * <p>For each occurrence of {@code leftAnchor}, the following 20 bytes are inspected:
 * if {@code rightAnchor} is found within them, the HTML-unescaped text between the
 * anchors is recorded, otherwise {@code "Truncated"}. When the left anchor never appears,
 * {@code "Reflection disappeared"} is recorded instead.
 *
 * @param leftAnchor  marker expected before the probe
 * @param rightAnchor marker expected after the probe
 * @param response    raw response bytes to search
 * @return the distinct observed transformations
 */
private HashSet<String> getTransformationResults(String leftAnchor, String rightAnchor, byte[] response) {
    final HashSet<String> observed = new HashSet<>();
    final List<int[]> leftHits = Utilities.getMatches(response, leftAnchor.getBytes(), -1);
    if (leftHits.isEmpty()) {
        observed.add("Reflection disappeared");
        return observed;
    }
    for (int[] hit : leftHits) {
        // Only a short window after the left anchor is examined; copyOfRange pads with
        // zeros if the window runs past the end of the response.
        final int windowStart = hit[1];
        final byte[] window = Arrays.copyOfRange(response, windowStart, windowStart + 20);
        final List<int[]> rightHits = Utilities.getMatches(window, rightAnchor.getBytes(), -1);
        if (rightHits.isEmpty()) {
            observed.add("Truncated");
            continue;
        }
        final byte[] between = Arrays.copyOfRange(window, 0, rightHits.get(0)[0]);
        observed.add(StringEscapeUtils.unescapeHtml4(helpers.bytesToString(between)));
    }
    return observed;
}
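/**
 * Replaces the value of {@code header} in {@code request}, leaving the rest of the
 * request byte-for-byte intact.
 *
 * @param request raw request bytes
 * @param header  name of the header to rewrite
 * @param value   replacement value (only the value bytes change; name and separator stay)
 * @return a new request with the header value swapped
 * @throws RuntimeException if the header cannot be located; the whole request is echoed
 *         to the extension output for debugging, so that output may contain credentials
 */
public static byte[] setHeader(byte[] request, String header, String value) {
    // A missing header is handled explicitly instead of catching the NullPointerException
    // that indexing a null offsets array would raise.
    final int[] offsets = getHeaderOffsets(request, header);
    if (offsets == null) {
        Utilities.out("header locating fail: " + header);
        Utilities.out("'" + helpers.bytesToString(request) + "'");
        throw new RuntimeException("Can't find the header");
    }
    // offsets[1]..offsets[2] is the old value. The three-argument write() does not declare
    // IOException, so no try/catch is needed.
    final byte[] valueBytes = helpers.stringToBytes(value);
    final ByteArrayOutputStream out = new ByteArrayOutputStream();
    out.write(request, 0, offsets[1]);
    out.write(valueBytes, 0, valueBytes.length);
    out.write(request, offsets[2], request.length - offsets[2]);
    return out.toByteArray();
}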
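/**
 * Replaces the value of {@code header} in {@code request}, leaving the rest of the
 * request byte-for-byte intact.
 *
 * @param request raw request bytes
 * @param header  name of the header to rewrite
 * @param value   replacement value (only the value bytes change; name and separator stay)
 * @return a new request with the header value swapped
 * @throws RuntimeException if the header cannot be located; the whole request is echoed
 *         to the extension output for debugging, so that output may contain credentials
 */
public static byte[] setHeader(byte[] request, String header, String value) {
    // A missing header is handled explicitly instead of catching the NullPointerException
    // that indexing a null offsets array would raise.
    final int[] offsets = getHeaderOffsets(request, header);
    if (offsets == null) {
        Utilities.out("header locating fail: " + header);
        Utilities.out("'" + helpers.bytesToString(request) + "'");
        throw new RuntimeException("Can't find the header");
    }
    // offsets[1]..offsets[2] is the old value. The three-argument write() does not declare
    // IOException, so no try/catch is needed.
    final byte[] valueBytes = helpers.stringToBytes(value);
    final ByteArrayOutputStream out = new ByteArrayOutputStream();
    out.write(request, 0, offsets[1]);
    out.write(valueBytes, 0, valueBytes.length);
    out.write(request, offsets[2], request.length - offsets[2]);
    return out.toByteArray();
}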
/**
 * Expands a {@code |}-separated list of parameter keys into a request.
 *
 * <p>Keys without a {@code :} are prefixed with {@code defaultPrefix} (when set) before
 * being unparsed. URL, body, cookie and header insertion points are built in bulk; any
 * other type goes through {@link #buildBasicRequest}.
 *
 * @param payload the raw {@code |}-separated key list
 * @return the request bytes
 */
@Override
public byte[] buildRequest(byte[] payload) {
    final String[] rawKeys = Utilities.helpers.bytesToString(payload).split("[|]");
    final ArrayList<String> prepared = new ArrayList<>(rawKeys.length);
    for (String rawKey : rawKeys) {
        final boolean needsPrefix = defaultPrefix != null && !rawKey.contains(":");
        final String qualified = needsPrefix ? defaultPrefix + ":" + rawKey : rawKey;
        prepared.add(Keysmith.unparseParam(qualified));
    }
    final boolean bulkType = type == IParameter.PARAM_URL
            || type == IParameter.PARAM_BODY
            || type == IParameter.PARAM_COOKIE
            || type == Utilities.PARAM_HEADER;
    return bulkType ? buildBulkRequest(prepared) : buildBasicRequest(prepared);
}
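/**
 * Harvests words, HTML keys and JSON key sets from the response of
 * {@code baseRequestResponse} for later use as parameter guesses.
 *
 * <p>Responses with an empty body are ignored. A body that does not parse as JSON is
 * skipped for the JSON step only. Each distinct JSON key set is imported once;
 * {@code done} records the key sets already seen.
 *
 * @param baseRequestResponse the observed request/response pair
 */
void saveParams(IHttpRequestResponse baseRequestResponse) {
    // todo also use observed requests
    final byte[] response = baseRequestResponse.getResponse();
    final String body = Utilities.getBody(response);
    if (body.isEmpty()) {
        return;
    }
    savedWords.addAll(getWords(Utilities.helpers.bytesToString(response)));
    savedGET.addAll(getHtmlKeys(body));
    try {
        final JsonElement json = new JsonParser().parse(body);
        final ArrayList<String> keys = Keysmith.getJsonKeys(json, new HashMap<>());
        if (!done.contains(keys)) {
            done.add(keys);
            savedJson.add(Utilities.callbacks.saveBuffersToTempFiles(baseRequestResponse));
        }
    } catch (JsonParseException ignored) {
        // Not a JSON body: there are no JSON keys to import, the other harvests stand.
    }
}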
/**
 * Wraps {@code payload} in a parameter named {@code name} of this insertion point's type
 * and substitutes it into the base request.
 *
 * @param payload raw attack bytes; encoded via {@link Utilities#encodeParam} before insertion
 * @return the request with the parameter replaced
 */
@Override
public byte[] buildRequest(byte[] payload) {
    final String encoded = Utilities.encodeParam(Utilities.helpers.bytesToString(payload));
    final IParameter replacement = Utilities.helpers.buildParameter(name, encoded, type);
    return Utilities.helpers.updateParameter(request, replacement);
}
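/**
 * Parses a Laudanum shell response body of the form {@code key=value&key=value}.
 *
 * <p>Each pair is split on its first {@code =} only, so values that themselves contain
 * {@code =} (base64 padding, for example) are kept whole instead of being dropped by the
 * {@code split.length == 2} check. If fewer than two parameters are recovered, the whole
 * URL-decoded body is stored under {@code "stderr"} so the raw output is not lost.
 *
 * @param callbacks     Burp callbacks, used for response analysis and URL decoding
 * @param responseBytes the raw HTTP response
 */
public LaudanumResponse(IBurpExtenderCallbacks callbacks, byte[] responseBytes) {
    final IResponseInfo responseInfo = callbacks.getHelpers().analyzeResponse(responseBytes);
    final byte[] body = Arrays.copyOfRange(responseBytes, responseInfo.getBodyOffset(), responseBytes.length);
    final String bodyText = callbacks.getHelpers().bytesToString(body);
    for (String pair : bodyText.split("&")) {
        // Limit 2: split only on the first '='; a trailing empty value is retained.
        final String[] kv = pair.split("=", 2);
        if (kv.length == 2) {
            params.put(kv[0].trim(), callbacks.getHelpers().urlDecode(kv[1]));
        }
    }
    if (params.size() < 2) {
        // If the response couldn't be processed, keep whatever was received.
        params.put("stderr", callbacks.getHelpers().urlDecode(bodyText));
    }
}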
/**
 * Wraps {@code payload} in a parameter named {@code name} of this insertion point's type
 * and substitutes it into the base request.
 *
 * @param payload raw attack bytes; encoded via {@link Utilities#encodeParam} before insertion
 * @return the request with the parameter replaced
 */
@Override
public byte[] buildRequest(byte[] payload) {
    final String encoded = Utilities.encodeParam(Utilities.helpers.bytesToString(payload));
    final IParameter replacement = Utilities.helpers.buildParameter(name, encoded, type);
    return Utilities.helpers.updateParameter(request, replacement);
}
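/**
 * Passive check: flags responses whose text contains one of the known exception
 * signatures in {@code Signatures} (information disclosure via error output).
 *
 * <p>JavaScript responses are skipped. The first signature found is reported with a
 * response marker over the match.
 *
 * @param requestResponse the observed request/response pair
 * @return an issue for the first matching signature, or {@code null} if none matches
 *         (or there is no response)
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    final byte[] response = requestResponse.getResponse();
    if (response == null) {
        return null;
    }
    final IResponseInfo resp = helpers.analyzeResponse(response);
    // Locale.ROOT keeps the upper-casing independent of the JVM's default locale.
    if (Utils.getContentType(resp).toUpperCase(java.util.Locale.ROOT).contains("JAVASCRIPT")) {
        return null;
    }
    // Converted once rather than three times per signature.
    final String responseText = helpers.bytesToString(response);
    for (String signature : Signatures) {
        final int at = responseText.indexOf(signature);
        if (at < 0) {
            continue;
        }
        final List<int[]> responseMarkers = new ArrayList<>(1);
        responseMarkers.add(new int[]{at, at + signature.length()});
        // The URL comes from observed traffic and is rendered inside HTML issue detail,
        // so it is escaped before being embedded.
        final String attackDetails = "A exception with information disclosure was found at: <b>"
                + escapeHtml(helpers.analyzeRequest(requestResponse).getUrl().toString()) + "</b>\n";
        return new CustomScanIssue(
                requestResponse.getHttpService(),
                this.helpers.analyzeRequest(requestResponse).getUrl(),
                new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
                attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", "");
    }
    return null;
}

/** Minimal HTML escaping for text embedded in issue-detail markup. */
private static String escapeHtml(String text) {
    final StringBuilder sb = new StringBuilder(text.length());
    for (int i = 0; i < text.length(); i++) {
        final char c = text.charAt(i);
        switch (c) {
            case '&': sb.append("&amp;"); break;
            case '<': sb.append("&lt;"); break;
            case '>': sb.append("&gt;"); break;
            case '"': sb.append("&quot;"); break;
            case '\'': sb.append("&#39;"); break;
            default: sb.append(c);
        }
    }
    return sb.toString();
}
}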
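/**
 * Checks whether the response body of {@code messageInfo} has been seen before, using a
 * murmur3 hash of the body as the key in {@code dubBloomFilter}.
 *
 * <p>A Bloom filter can report false positives, so {@code true} means "probably a
 * duplicate". Unseen bodies are added to the filter as a side effect. The hash is a
 * non-cryptographic dedup key only.
 *
 * @param messageInfo the request/response to test
 * @return {@code true} if the body is probably a duplicate; {@code false} if it is new,
 *         the filter is not initialised, or there is no response body
 */
public boolean isFullDuplicate(IHttpRequestResponse messageInfo) {
    if (dubBloomFilter == null) {
        return false;
    }
    final byte[] response = messageInfo.getResponse();
    if (response == null) {
        return false;
    }
    final IResponseInfo respInfo = helpers.analyzeResponse(response);
    // Converted once; it is needed for both the length check and the substring.
    final String responseText = helpers.bytesToString(response);
    if (responseText.length() <= respInfo.getBodyOffset()) {
        return false;
    }
    final String body = responseText.substring(respInfo.getBodyOffset());
    final HashFunction hash = Hashing.murmur3_32();
    final String key = hash.hashBytes(helpers.stringToBytes(body)).toString();
    if (dubBloomFilter.mightContain(key)) {
        return true;
    }
    dubBloomFilter.put(key);
    return false;
}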
/**
 * Sends one probe wrapped in random anchors and reports how it was transformed.
 *
 * <p>The payload is {@code left}, two backslashes, {@code middle}, the probe, then
 * {@code right}. The left anchor handed to {@link #getTransformationResults} is
 * {@code left} plus a single backslash plus {@code middle} — presumably the form the
 * payload takes after one level of unescaping.
 *
 * @param baseRequestResponse the base request to mutate
 * @param insertionPoint      where the payload is inserted
 * @param probe               the characters under test
 * @return the distinct observed transformations
 */
private HashSet<String> recordHandling(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String probe) {
    final String left = Utilities.randomString(3);
    final String middle = "z" + Integer.toString(Utilities.rnd.nextInt(9));
    final String right = "z" + Utilities.randomString(3);
    final String payload = left + "\\\\" + middle + probe + right;

    final IHttpRequestResponse attack = callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(payload.getBytes()));

    final byte[] filtered = Utilities.filterResponse(attack.getResponse());
    // Round-trip through the helpers' string conversion before matching.
    final byte[] normalised = helpers.stringToBytes(helpers.bytesToString(filtered));
    return getTransformationResults(left + "\\" + middle, right, normalised);
}
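/** Matches a {@code client_id} value terminated by the literal text backslash-u-0026 (a JSON-escaped ampersand). */
private static final Pattern CLIENT_ID_IN_RESPONSE = Pattern.compile("client_id=(.*?)\\\\u0026");

/**
 * Find the token associated to the request/response.
 *
 * <p>The request parameters are checked first for one named {@code ID}; its value is
 * passed through {@link #decode}. Failing that, the response text is searched for a
 * {@code client_id=...} value.
 *
 * @return The token: the decoded parameter (which {@code decode} may return as
 *         {@code null}), the matched {@code client_id}, or {@code "Not Found!"}
 *         when neither lookup matches or there is no response to search.
 */
@Override
public String findToken() {
    final IRequestInfo requestInfo = super.getCallbacks().getHelpers().analyzeRequest(getMessage());
    for (IParameter param : requestInfo.getParameters()) {
        if (param.getName().equals(ID)) {
            return decode(param.getValue());
        }
    }
    final byte[] responseBytes = getMessage().getResponse();
    if (responseBytes == null) {
        // Nothing to search when no response was recorded.
        return "Not Found!";
    }
    final String response = super.getCallbacks().getHelpers().bytesToString(responseBytes);
    // The pattern is compiled once as a constant instead of on every call.
    final Matcher m = CLIENT_ID_IN_RESPONSE.matcher(response);
    return m.find() ? m.group(1) : "Not Found!";
}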
/**
 * Decode the JSON String.
 *
 * <p>Peels off URL encoding, then base64, in that order, and returns the result only
 * if it looks like JSON.
 *
 * @param input The data to decode.
 * @return The decoded String, or {@code null} if the result is not JSON.
 */
public String decode(String input) {
    String current = input;
    if (Encoding.isURLEncoded(current)) {
        current = helpers.urlDecode(current);
    }
    if (Encoding.isBase64Encoded(current)) {
        current = helpers.bytesToString(helpers.base64Decode(current));
    }
    return Encoding.isJSON(current) ? current : null;
}
}
/**
 * Smoke test: initialises the extension against mocked Burp callbacks and runs a passive
 * scan over a minimal request/response pair. It passes if no exception escapes.
 *
 * @throws MalformedURLException never, for the fixed URL used here
 */
@Test
public void testPassiveScan() throws MalformedURLException {
    // Mocked Burp plumbing; the base64/string helpers use their real implementations.
    final IBurpExtenderCallbacks callbacks = mock(IBurpExtenderCallbacks.class);
    final IExtensionHelpers helpers = mock(IExtensionHelpersBase.class);
    when(helpers.base64Encode(any(String.class))).thenCallRealMethod();
    when(helpers.base64Encode(any(byte[].class))).thenCallRealMethod();
    when(helpers.base64Decode(any(byte[].class))).thenCallRealMethod();
    when(helpers.base64Decode(any(String.class))).thenCallRealMethod();
    when(helpers.bytesToString(any(byte[].class))).thenCallRealMethod();
    when(callbacks.getHelpers()).thenReturn(helpers);

    // One request/response pair with a fixed URL.
    final URL url = new URL("http://www.example.com/index.jsp");
    final IRequestInfo requestInfo = mock(IRequestInfo.class);
    final IHttpRequestResponse baseRequestResponse = mock(IHttpRequestResponse.class);
    when(helpers.analyzeRequest(baseRequestResponse)).thenReturn(requestInfo);
    when(requestInfo.getUrl()).thenReturn(url);
    when(baseRequestResponse.getRequest()).thenReturn("GET / HTTP/1.0".getBytes());
    when(baseRequestResponse.getResponse()).thenReturn("200 OK".getBytes());

    freddy.initialise(callbacks);
    freddy.doPassiveScan(baseRequestResponse);
}
}