responseMarkers.add(new int[]{body.indexOf(CRLFHeader), body.indexOf(CRLFHeader) + CRLFHeader.length()}); String attackDetails = "Vulnerability detected at <b>" + insertionPoint.getInsertionPointName() + "</b>, " + "payload was set to <b>" + this.helpers.urlEncode(finalPayload) + "</b><br/>" + "Found response: " + crlfMatcher.group(); responseMarkers.add(new int[]{body.indexOf(CRLFHeader), body.indexOf(CRLFHeader) + CRLFHeader.length()}); String attackDetails = "Vulnerability detected at <b>" + insertionPoint.getInsertionPointName() + "</b>, " + "payload was set to <b>" + this.helpers.urlEncode(finalPayload) + "</b><br/>" + "Found response: " + crMatcher.group();
Boolean isSSL = (protocol.equals("https")); stderr.println(insertionPoint.getInsertionPointName());
return (new InputTransformation(interesting, boring, basicAttack.getFirstRequest(), helpers.analyzeRequest(baseRequestResponse).getUrl(), insertionPoint.getInsertionPointName()));
return null; if (!callbackNames.contains(insertionPoint.getInsertionPointName())) return null;
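/**
 * Active check for the ImageTragick image-processing issue at a single insertion point.
 *
 * <p>The check only runs when the insertion point's base value parses as an image
 * ({@code SimpleImageSizeReader.getImageSize} returns non-null). Two detection
 * strategies are tried in order:
 * <ol>
 *   <li>Out-of-band: a freshly generated Collaborator host is embedded between
 *       {@code IMAGETRAGICK_HEAD} and {@code IMAGETRAGICK_TAIL}; any interaction recorded
 *       for that host is reported via {@code ImageTragickIssue.reportOnCollaborator}.</li>
 *   <li>Timing: the round-trip of the unmodified base request is compared with that of the
 *       {@code IMAGETRAGICK_PAYLOAD} request; an issue is reported only when the extra
 *       delay is within {@code IMAGETRAGICK_TRESHOLD_NS} of {@code IMAGETRAGICK_SLEEP_NS}.</li>
 * </ol>
 *
 * @param baseRequestResponse the request/response pair the scanner is working from
 * @param insertionPoint      the insertion point whose value is replaced with each payload
 * @return the reported issue(s), or {@code null} when the base value is not an image or
 *         neither strategy fires
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // Only image-valued insertion points are candidates; anything the size reader
    // cannot parse is skipped before any request is sent.
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    final int[] dimensions = SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length);
    if (dimensions == null) {
        return null;
    }

    final IHttpService hs = baseRequestResponse.getHttpService();

    // Strategy 1: out-of-band. The payload references a unique Collaborator host, so an
    // interaction for that host presumably means the server resolved/fetched the embedded URL.
    final IBurpCollaboratorClientContext ccc = callbacks.createBurpCollaboratorClientContext();
    final String host = ccc.generatePayload(true);
    final String oobPayload = IMAGETRAGICK_HEAD + "http://" + host + "/a.jpg" + IMAGETRAGICK_TAIL;
    // helpers.stringToBytes (as used for baseValue above) rather than String.getBytes():
    // the latter uses the JVM's platform-default charset, which differs between hosts.
    final IHttpRequestResponse response = callbacks.makeHttpRequest(
            hs, insertionPoint.buildRequest(helpers.stringToBytes(oobPayload)));
    // NOTE(review): interactions are polled exactly once, immediately after the request;
    // an interaction that arrives later is not observed by this check.
    final List<IBurpCollaboratorInteraction> events = ccc.fetchCollaboratorInteractionsFor(host);
    if (!events.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(
                response, hrrToUrl(baseRequestResponse), insertionPoint.getInsertionPointName(), host, events);
    }

    // Strategy 2: timing. A single baseline measurement is taken, so network jitter on
    // either request feeds directly into the comparison below.
    final long baseTime = measureRequest(hs, baseRequestResponse.getRequest()).getKey();
    final Map.Entry<Long, IHttpRequestResponse> sleepMeasurement =
            measureRequest(hs, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    final long sleepTime = sleepMeasurement.getKey();

    // Report only when the observed extra delay matches the expected sleep within the
    // configured tolerance; anything else is treated as noise rather than a finding.
    final long deviationNs = Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS);
    if (deviationNs > IMAGETRAGICK_TRESHOLD_NS) {
        return null;
    }
    return ImageTragickIssue.reportOnTiming(
            sleepMeasurement.getValue(),
            hrrToUrl(baseRequestResponse),
            insertionPoint.getInsertionPointName(),
            baseTime,
            sleepTime);
}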
if (!"Referer".equals(insertionPoint.getInsertionPointName())) { return issues;
if (type.equalsIgnoreCase("http")) { String attackDetails = "The web server receives a URL <b> " + payload + " </b> " + " at <b>" + insertionPoint.getInsertionPointName().toString() + " </b> or similar request from an upstream component and" + " retrieves the contents of this URL, but it does not sufficiently ensure that the HTTP request is being" + " sent to the expected destination."; " at <b>" + insertionPoint.getInsertionPointName().toString() + " </b> " + " and made DNS request. Please check for SSRF Vulnerability"; issues.add(new CustomScanIssue(baseRequestResponse.getHttpService(), String type = collaboratorInteraction.getProperty("type"); if (type.equalsIgnoreCase("http")) { String attackDetails = "The web server receives a URL at <b> " + insertionPoint.getInsertionPointName().toString() + "</b> or similar request from an upstream component and" + " retrieves the contents of this URL, but it does not sufficiently ensure that the HHTP request is being" + String attackDetails = "The web server receives a URL at <b> " + insertionPoint.getInsertionPointName().toString() + "</b> and made DNS request. Please check for SSRF Vulnerability"; issues.add(new CustomScanIssue(baseRequestResponse.getHttpService(),
if (Utilities.mightBeOrderBy(insertionPoint.getInsertionPointName(), baseValue)) { Probe comment = new Probe("Comment injection", 3, "/'z*/**/", "/*/*/z'*/", "/*z'/"); comment.setEscapeStrings("/*'z*/", "/**z'*/","/*//z'//*/");