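/**
 * Tests the request body against the configured regular expression.
 *
 * <p>The body bytes are converted with Burp's {@code bytesToString} (byte-for-byte,
 * ISO-8859-1) instead of {@code new String(bytes)}, so the result no longer depends on
 * the JVM's platform default charset. {@code String.matches()} is anchored at both ends:
 * {@code matchCondition} must describe the <em>whole</em> body, not a substring of it.
 *
 * @param messageInfo the proxied message whose request body is inspected
 * @return when {@code matchRelationship} is {@code "Matches"}, whether the whole body
 *         matches {@code matchCondition}; for any other relationship (including
 *         {@code null}, which used to throw) the negation of that full-string match
 */
private boolean checkRequestBody(IHttpRequestResponse messageInfo) {
    IRequestInfo analyzedRequest = BurpExtender.getHelpers().analyzeRequest(messageInfo);
    byte[] request = messageInfo.getRequest();
    byte[] bodyBytes = Arrays.copyOfRange(request, analyzedRequest.getBodyOffset(), request.length);
    String body = BurpExtender.getHelpers().bytesToString(bodyBytes);
    boolean matched = body.matches(this.matchCondition);
    // Anything other than the literal "Matches" relationship means "does not match".
    return "Matches".equals(this.matchRelationship) ? matched : !matched;
}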
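/**
 * Walks the multipart boundaries of a request body.
 *
 * <p>NOTE(review): part parsing is not implemented yet — the loop only locates each
 * occurrence of the boundary string and never builds an {@link IParameter}, so the
 * returned list is always empty. Kept as a stub so callers compile.
 *
 * <p>A request with no boundary is now handled explicitly: {@code getMultipartBoundary}
 * returning {@code null} used to NPE in {@code indexOf}, and an empty boundary made the
 * loop spin forever ({@code indexOf("", i)} never returns -1).
 *
 * @param request the raw HTTP request
 * @return an empty, mutable list (until the part parser is written)
 */
public static ArrayList<IParameter> getMultipartParameters(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo analyzedRequest = helpers.analyzeRequest(request);
    ArrayList<IParameter> parameters = new ArrayList<>();
    String boundary = getMultipartBoundary(request);
    // Not a multipart request (or no boundary attribute): nothing to walk.
    if (boundary == null || boundary.isEmpty()) {
        return parameters;
    }
    String requestBody = helpers.bytesToString(
            Arrays.copyOfRange(request, analyzedRequest.getBodyOffset(), request.length));
    int index = requestBody.indexOf(boundary);
    while (index >= 0) {
        // TODO: read the part headers/body between this boundary and the next one
        // and add a parameter for each named part.
        index = requestBody.indexOf(boundary, index + 1);
    }
    return parameters;
}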
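/**
 * Appends {@code this.replace} as a new header line to the request.
 *
 * <p>If the final header is {@code Content-Length} it is dropped first (presumably so
 * that {@code buildHttpMessage} re-adds a fresh one after the new header). The name is
 * compared case-insensitively, as HTTP header names are — a lowercase
 * {@code content-length:} used to slip through the check.
 *
 * @param request the raw HTTP request
 * @return the rebuilt request carrying the extra header and the original body
 */
private byte[] addHeader(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo analyzedRequest = helpers.analyzeRequest(request);
    List<String> headers = analyzedRequest.getHeaders();
    int last = headers.size() - 1;
    // regionMatches(ignoreCase=true, ...) compares case-insensitively without a Locale.
    if (last >= 0 && headers.get(last).regionMatches(true, 0, "Content-Length:", 0, 15)) {
        headers.remove(last);
    }
    byte[] body = Arrays.copyOfRange(request, analyzedRequest.getBodyOffset(), request.length);
    headers.add(this.replace);
    return helpers.buildHttpMessage(headers, body);
}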
/**
 * Stamps the stored {@code request} with a fresh identity header.
 *
 * <p>A new hex id is drawn on every call and kept in {@code uniqueId} so the caller can
 * later recognise the request it sent. NOTE(review): {@code java.util.Random} is not
 * cryptographically strong; fine for a correlation marker, but switch to
 * {@code SecureRandom} if the id ever needs to be unguessable.
 *
 * @return the request bytes with {@code IDENTITY_HEADER + uniqueId} appended to the headers
 */
byte[] getRequestWithIdentity() {
    uniqueId = Long.toHexString(new Random().nextLong());
    String identityLine = IDENTITY_HEADER + uniqueId;

    IRequestInfo info = BurpExtender.callbacks.getHelpers().analyzeRequest(request);
    int bodyStart = info.getBodyOffset();
    byte[] payload = Arrays.copyOfRange(request, bodyStart, request.length);

    List<String> headerLines = info.getHeaders();
    headerLines.add(identityLine);
    return BurpExtender.callbacks.getHelpers().buildHttpMessage(headerLines, payload);
}
}
/**
 * Rewrites the request line (method, path and version) with the configured
 * match/replace pair.
 *
 * <p>{@code match} is a regular expression and {@code replace} a regex replacement
 * string (so {@code $1} refers to a capture group). Depending on {@link #replaceFirst()}
 * either the first or every occurrence is replaced. Only the first header line is
 * touched; the remaining headers and the body pass through unchanged.
 *
 * @param request the raw HTTP request
 * @return the rebuilt request
 */
private byte[] updateRequestFirstLine(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo info = helpers.analyzeRequest(request);
    List<String> lines = info.getHeaders();

    String requestLine = lines.get(0);
    String rewritten = replaceFirst()
            ? requestLine.replaceFirst(this.match, this.replace)
            : requestLine.replaceAll(this.match, this.replace);
    lines.set(0, rewritten);

    byte[] payload = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
    return helpers.buildHttpMessage(lines, payload);
}
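/**
 * Get the body of the http message as text.
 *
 * <p>{@code getBodyOffset()} is a <em>byte</em> offset, so the body is cut from the byte
 * array first and decoded afterwards. The old code decoded the whole message and then
 * applied the byte offset as a character index, which mis-cuts the body whenever the
 * headers contain non-ASCII bytes, and it used the platform default charset. The body
 * is decoded as UTF-8, the encoding JSON is specified in (RFC 8259).
 *
 * @param content The http message as bytes.
 * @param isRequest True if request, false if response.
 * @return the body as a string — despite the name, no check that it is JSON is made;
 *         empty when the message has no body.
 */
private String getJSON(byte[] content, boolean isRequest){
    int bodyOffset = isRequest
            ? helpers.analyzeRequest(content).getBodyOffset()
            : helpers.analyzeResponse(content).getBodyOffset();
    // Header-only message (or an offset past the end, which used to throw): no body.
    if (bodyOffset >= content.length) {
        return "";
    }
    return new String(content, bodyOffset, content.length - bodyOffset,
            java.nio.charset.StandardCharsets.UTF_8);
}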
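/**
 * Points the request at a different host by rewriting its {@code Host} header.
 *
 * <p>The header name is matched case-insensitively (HTTP header names are), so a request
 * carrying {@code host:} is rewritten as well; only the first Host header is changed.
 * The port is always written explicitly, even for 80/443. A request without any Host
 * header is rebuilt unchanged.
 *
 * @param request the raw HTTP request
 * @param host    the new host name
 * @param port    the new port
 * @return the rebuilt request
 */
static byte[] changeHost(byte[] request, String host, int port) {
    IRequestInfo requestInfo = BurpExtender.callbacks.getHelpers().analyzeRequest(request);
    List<String> headers = requestInfo.getHeaders();
    byte[] body = Arrays.copyOfRange(request, requestInfo.getBodyOffset(), request.length);
    for (int i = 0; i < headers.size(); i++) {
        // regionMatches(ignoreCase=true, ...) needs no Locale and also catches "host:".
        if (headers.get(i).regionMatches(true, 0, "Host:", 0, 5)) {
            headers.set(i, String.format("Host: %s:%d", host, port));
            break;
        }
    }
    return BurpExtender.callbacks.getHelpers().buildHttpMessage(headers, body);
}
}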
/**
 * Returns the byte index at which the body of the stored {@code message} starts,
 * using Burp's request or response analyser depending on {@code isRequest}.
 *
 * @return the body offset reported by Burp for {@code message}
 */
protected int getBodyOffset() {
    if (!isRequest) {
        IResponseInfo info = helpers.analyzeResponse(message);
        return info.getBodyOffset();
    }
    IRequestInfo info = helpers.analyzeRequest(message);
    return info.getBodyOffset();
}
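/**
 * Removes request headers whose name matches the configured value.
 *
 * <p>The name is the text before the first {@code ':'} (the request line has none and is
 * compared whole, as before). With {@link #isRegexMatch()} the name must fully match the
 * pattern, otherwise it must be equal (case-sensitive); with {@link #replaceFirst()} only
 * the first matching header is dropped. The four near-identical stream pipelines are
 * folded into one loop, and the old {@code split(":")[0]}, which threw an
 * {@code ArrayIndexOutOfBoundsException} on a line consisting solely of {@code ":"},
 * is replaced by an {@code indexOf} cut.
 *
 * @param request the raw HTTP request
 * @return the rebuilt request without the matching header(s)
 */
private byte[] removeHeaderByName(byte[] request) {
    IExtensionHelpers helpers = BurpExtender.getHelpers();
    IRequestInfo analyzedRequest = helpers.analyzeRequest(request);
    byte[] body = Arrays.copyOfRange(request, analyzedRequest.getBodyOffset(), request.length);

    final String wanted = getMatch();
    final boolean regex = isRegexMatch();
    final boolean onlyFirst = replaceFirst();
    int removed = 0;

    List<String> headers = new ArrayList<>();
    for (String header : analyzedRequest.getHeaders()) {
        int colon = header.indexOf(':');
        String name = colon < 0 ? header : header.substring(0, colon);
        boolean nameMatches = regex ? name.matches(wanted) : name.equals(wanted);
        // In "first only" mode the counter is bumped only for matching names, so every
        // match after the first is kept.
        boolean drop = nameMatches && (!onlyFirst || removed++ < 1);
        if (!drop) {
            headers.add(header);
        }
    }
    return helpers.buildHttpMessage(headers, body);
}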
/**
 * Drops every header line that starts with {@code Strings.JWTHeaderPrefix} from the
 * stored message (request or response, per {@code isRequest}) and stores the rebuilt
 * message back in {@code message}. The body is carried over unchanged.
 */
public void cleanJWTHeaders() {
    List<String> headerLines;
    int bodyStart;
    if (isRequest) {
        IRequestInfo info = helpers.analyzeRequest(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    } else {
        IResponseInfo info = helpers.analyzeResponse(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    }
    // Same effect as collecting the matches and removeAll-ing them.
    headerLines.removeIf(line -> line.startsWith(Strings.JWTHeaderPrefix));
    byte[] body = Arrays.copyOfRange(message, bodyStart, message.length);
    this.message = helpers.buildHttpMessage(headerLines, body);
}
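/**
 * Re-sends {@code req} with the header named {@code headerName} replaced by
 * {@code newHeader} and records the pair via {@link #addResponse}.
 *
 * <p>Only the first header whose lower-cased line starts with {@code headerName} is
 * replaced, so {@code headerName} is expected to be lower-case (e.g. {@code "cookie:"}).
 * Failures are reported on Burp's stderr. Two problems in the old error path are fixed:
 * {@code PrintWriter.write(null)} threw when the exception had no message, and the
 * writer was never flushed, so the report could be lost.
 *
 * @param req the message to replay
 */
private void runRequest(IHttpRequestResponse req) {
    try {
        byte[] rawRequest = req.getRequest();
        IRequestInfo reqInfo = burpCallback.getHelpers().analyzeRequest(rawRequest);
        List<String> headers = reqInfo.getHeaders();
        for (int h = 0; h < headers.size(); h++) {
            if (headers.get(h).toLowerCase().startsWith(headerName)) {
                headers.set(h, newHeader);
                break;
            }
        }
        byte[] body = Arrays.copyOfRange(rawRequest, reqInfo.getBodyOffset(), rawRequest.length);
        byte[] message = burpCallback.getHelpers().buildHttpMessage(headers, body);
        IHttpRequestResponse resp = burpCallback.makeHttpRequest(req.getHttpService(), message);
        addResponse(req, resp);
    } catch (Throwable e) {
        // Boundary of a Burp worker thread: report rather than let it die silently.
        PrintWriter writer = new PrintWriter(burpCallback.getStderr());
        writer.println(e);        // toString() is null-safe, unlike getMessage()
        e.printStackTrace(writer);
        writer.flush();           // not auto-flushing; without this nothing may appear
    }
}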
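/**
 * Replaces any {@code Authorization} header on the request with the configured one.
 *
 * <p>Existing Authorization headers are dropped by a locale-independent, case-insensitive
 * name comparison; the old {@code toUpperCase()} check depended on the default locale
 * (under a Turkish locale it never matched, leaving two Authorization headers). The body
 * is carried over unchanged — Burp's {@code bytesToString}/{@code stringToBytes} are
 * byte-preserving, so the round trip is lossless.
 *
 * @param messageInfo the message to modify in place; {@code null} is ignored
 * @return always {@code true}
 */
public boolean doAuth(IHttpRequestResponse messageInfo) {
    if (messageInfo == null) return true;
    byte[] rawRequest = messageInfo.getRequest();
    IRequestInfo requestInfo = helpers.analyzeRequest(rawRequest);
    List<String> newHeaders = new ArrayList<String>();
    for (String h : requestInfo.getHeaders()) {
        // regionMatches(ignoreCase=true, ...) avoids Locale-dependent case mapping.
        if (!h.regionMatches(true, 0, "Authorization:", 0, 14)) newHeaders.add(h);
    }
    // NOTE(review): the configured value is sent verbatim as the header value, so it is
    // expected to hold the full credential (e.g. "Basic ..." / "Bearer ...") — confirm.
    newHeaders.add("Authorization: " + authConfig.getAuthPassword());
    String requestText = helpers.bytesToString(rawRequest);
    int bodyOffset = requestInfo.getBodyOffset();
    byte[] body = requestText.length() > bodyOffset
            ? helpers.stringToBytes(requestText.substring(bodyOffset))
            : new byte[0];
    messageInfo.setRequest(helpers.buildHttpMessage(newHeaders, body));
    return true;
}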
/**
 * Appends {@code headerToAdd} as the last header line of the stored message (request or
 * response, per {@code isRequest}) and stores the rebuilt message back in {@code message}.
 * The body is carried over unchanged.
 *
 * @param headerToAdd the complete header line, e.g. {@code "X-Foo: bar"}
 */
public void addHeader(String headerToAdd) {
    final List<String> headerLines;
    final int bodyStart;
    if (!isRequest) {
        IResponseInfo info = helpers.analyzeResponse(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    } else {
        IRequestInfo info = helpers.analyzeRequest(message);
        headerLines = info.getHeaders();
        bodyStart = info.getBodyOffset();
    }
    headerLines.add(headerToAdd);
    byte[] body = Arrays.copyOfRange(message, bodyStart, message.length);
    this.message = helpers.buildHttpMessage(headerLines, body);
}
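/**
 * Returns the body bytes of the request or the response held by {@code messageInfo}.
 *
 * <p>The slice runs from Burp's body offset to the end of the message (the end index of
 * {@code copyOfRange} is exclusive, hence {@code length} and not {@code length - 1}).
 * A message pair without a response used to NPE inside {@code analyzeResponse}; it now
 * yields an empty array.
 *
 * @param messageIsRequest {@code true} to read the request body, {@code false} for the response
 * @param messageInfo      the message pair
 * @return the body bytes, possibly empty; never {@code null}
 */
public byte[] getBody(boolean messageIsRequest, IHttpRequestResponse messageInfo) {
    final byte[] raw;
    final int bodyOffset;
    if (messageIsRequest) {
        raw = messageInfo.getRequest();
        bodyOffset = helpers.analyzeRequest(messageInfo).getBodyOffset();
    } else {
        raw = messageInfo.getResponse();
        if (raw == null) {
            return new byte[0];
        }
        bodyOffset = helpers.analyzeResponse(raw).getBodyOffset();
    }
    return Arrays.copyOfRange(raw, bodyOffset, raw.length);
}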
/**
 * Active check for proxy-header SSRF: sends the base request with a
 * {@code Proxy: http://<collaborator payload>} header (replacing any existing Proxy
 * header) and reports an issue if the Collaborator server recorded an interaction for
 * that payload.
 *
 * <p>Only runs for header insertion points. NOTE(review): the check is invoked once per
 * header insertion point of the same request, so the probe may be sent several times —
 * confirm whether that is intended.
 *
 * @return a single-issue list on a hit, otherwise {@code null}
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }
    IBurpCollaboratorClientContext collaborator = callbacks.createBurpCollaboratorClientContext();
    String payload = collaborator.generatePayload(true);
    String proxyHeader = "Proxy: http://" + payload;

    IRequestInfo info = helpers.analyzeRequest(baseRequestResponse);
    List<String> headers = info.getHeaders();
    headers.removeIf(h -> h != null && h.toLowerCase().startsWith("proxy:"));
    headers.add(proxyHeader);
    byte[] body = substring(baseRequestResponse.getRequest(), info.getBodyOffset());
    byte[] probe = helpers.buildHttpMessage(headers, body);

    IHttpRequestResponse probeResult = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probe);
    List<IBurpCollaboratorInteraction> hits = collaborator.fetchCollaboratorInteractionsFor(payload);
    if (hits.isEmpty()) {
        return null;
    }
    List<IScanIssue> issues = new ArrayList<>();
    issues.add(reportIssue(proxyHeader, probeResult, hits.get(0)));
    return issues;
}
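/**
 * Removes the named cookies from the stored {@code request}, then drops the
 * {@code Cookie: } header if it was left empty.
 *
 * <p>The old version removed headers while indexing forward through the same list
 * (skipping the element after each removal) and rebuilt the request once per match.
 * Empty header lines are now removed with {@code removeIf} and the request is rebuilt
 * once, only if something was removed. As before, only the literal {@code "Cookie: "}
 * (empty value, trailing space) counts as empty.
 *
 * @param cookieNames names of the cookies to strip
 */
void scrubCookies(Collection<String> cookieNames) {
    IExtensionHelpers helpers = BurpExtender.callbacks.getHelpers();
    for (String cookieName : cookieNames) {
        IParameter cookie = helpers.buildParameter(cookieName, "", IParameter.PARAM_COOKIE);
        request = helpers.removeParameter(request, cookie);
    }
    IRequestInfo requestInfo = helpers.analyzeRequest(request);
    List<String> headers = requestInfo.getHeaders();
    if (headers.removeIf(header -> "Cookie: ".equals(header))) {
        byte[] body = Arrays.copyOfRange(request, requestInfo.getBodyOffset(), request.length);
        request = helpers.buildHttpMessage(headers, body);
    }
}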
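/**
 * Active check that appends each entry of {@code Payloads} to the request path and hands
 * the response to {@link #analyzeResponse}. Each URL is attacked only once (tracked in
 * {@code flags}).
 *
 * <p>Changes from the old version: the raw response is null-checked before it is
 * analysed (analysing a {@code null} response threw before the old {@code resp == null}
 * test could run), the null checks use {@code ||} rather than the non-short-circuit
 * {@code |}, the loop-invariant body is built once, and the redundant final return is
 * gone. NOTE(review): the query string is dropped from the attack URL and {@code flags}
 * is shared across scanner threads — confirm both are intended.
 *
 * @return the issues found (possibly empty), or {@code null} when the request was skipped
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    byte[] rawRequest = baseRequestResponse.getRequest();
    if (rawRequest == null || baseRequestResponse.getResponse() == null) return null;
    IRequestInfo req = helpers.analyzeRequest(rawRequest);
    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String urlKey = url.toString();
    if (flags.contains(urlKey)) return null;
    flags.add(urlKey);

    IHttpService httpService = baseRequestResponse.getHttpService();
    List<String> headers = req.getHeaders();
    // The body does not change between payloads: build it once.
    byte[] body = helpers.stringToBytes(helpers.bytesToString(rawRequest).substring(req.getBodyOffset()));
    List<IScanIssue> issues = new ArrayList<>();
    for (String payload : Payloads) {
        headers.set(0, req.getMethod() + " " + url.getPath() + payload + " HTTP/1.1");
        byte[] modifiedReq = helpers.buildHttpMessage(headers, body);
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, modifiedReq);
        IScanIssue res = analyzeResponse(attack);
        if (res != null) issues.add(res);
    }
    return issues;
}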
/**
 * Builds a copy of the base request that carries {@code proxyPrefixedPayload} as its last
 * header, after {@link #stripProxyHeaders} has removed any proxy headers already present.
 * The body is copied through unchanged.
 *
 * @param baseRequestResponse  the request to clone
 * @param proxyPrefixedPayload the complete header line to add
 * @return the rebuilt request bytes
 */
private byte[] buildRequest(
        IHttpRequestResponse baseRequestResponse, String proxyPrefixedPayload) {
    IRequestInfo info = helpers.analyzeRequest(baseRequestResponse);
    byte[] body = substring(baseRequestResponse.getRequest(), info.getBodyOffset());

    List<String> headers = info.getHeaders();
    stripProxyHeaders(headers);
    headers.add(proxyPrefixedPayload);

    return helpers.buildHttpMessage(headers, body);
}
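/**
 * CRLF-injection check on the request path.
 *
 * <p>Step 1 sends {@code /<uuid>} and looks for the uuid reflected in a response header.
 * Only if it is reflected does step 2 try each {@code CRLFSplitters} entry, splicing the
 * splitter plus {@code CRLFHeader} into the middle of the uuid and letting
 * {@link #analyzeResponse} decide whether the header was injected.
 *
 * <p>The loop-invariant body is built once and the dash stripping uses the non-regex
 * {@code replace}. NOTE(review): the payload is assembled from {@code uuid.substring(0, 5)}
 * and {@code uuid.substring(6)}, so the character at index 5 is dropped — preserved here,
 * but confirm it is intended rather than an off-by-one for {@code substring(5)}.
 *
 * @return the first issue found, or {@code null}
 */
public IScanIssue scanRootDirectory(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    byte[] rawRequest = baseRequestResponse.getRequest();
    IRequestInfo req = helpers.analyzeRequest(rawRequest);
    IHttpService httpService = baseRequestResponse.getHttpService();
    String uuid = UUID.randomUUID().toString().replace("-", "");
    List<String> reqHeaders = req.getHeaders();
    byte[] body = helpers.stringToBytes(helpers.bytesToString(rawRequest).substring(req.getBodyOffset()));

    // Step 1: is the path reflected into a response header at all?
    reqHeaders.set(0, req.getMethod() + " /" + uuid + " HTTP/1.1");
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService, helpers.buildHttpMessage(reqHeaders, body));
    if (checkUUID == null || checkUUID.getResponse() == null) return null;
    String respHeaders = String.join("\n", this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (!respHeaders.contains(uuid)) return null;

    // Step 2: try to break out of that header with each splitter.
    for (String payload : CRLFSplitters) {
        String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
        reqHeaders.set(0, req.getMethod() + " /" + finalPayload + " HTTP/1.1");
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, helpers.buildHttpMessage(reqHeaders, body));
        IScanIssue res = analyzeResponse(attack, insertionPoint, finalPayload);
        if (res != null) return res;
    }
    return null;
}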
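/**
 * Runs every passive rule in {@code PASSIVE_RULES} against one request/response pair,
 * handing each rule the raw pair, both bodies (headers stripped) and the response's
 * {@code Server}, {@code Content-Type} and {@code X-Powered-By} values.
 *
 * <p>A pair without a request or response is skipped: analysing a {@code null} response
 * used to throw.
 *
 * @param baseRequestResponse the message pair to inspect
 * @param callbacks           Burp callbacks, passed on to the rules
 */
public static void scanVulnerabilities(IHttpRequestResponse baseRequestResponse, IBurpExtenderCallbacks callbacks) {
    byte[] rawRequest = baseRequestResponse.getRequest();
    byte[] rawResponse = baseRequestResponse.getResponse();
    if (rawRequest == null || rawResponse == null) {
        return;
    }
    IExtensionHelpers helpers = callbacks.getHelpers();
    IRequestInfo reqInfo = helpers.analyzeRequest(baseRequestResponse);
    IResponseInfo respInfo = helpers.analyzeResponse(rawResponse);
    // Bodies without the headers.
    String reqBody = getBodySection(rawRequest, reqInfo.getBodyOffset());
    String respBody = getBodySection(rawResponse, respInfo.getBodyOffset());
    String httpServerHeader = HTTPParser.getResponseHeaderValue(respInfo, "Server");
    String contentTypeResponse = HTTPParser.getResponseHeaderValue(respInfo, "Content-Type");
    String xPoweredByHeader = HTTPParser.getResponseHeaderValue(respInfo, "X-Powered-By");
    for (PassiveRule scanner : PASSIVE_RULES) {
        scanner.scan(callbacks, baseRequestResponse, reqBody, respBody, reqInfo, respInfo,
                httpServerHeader, contentTypeResponse, xPoweredByHeader);
    }
}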