/**
 * Tells whether this check applies to the given insertion point.
 *
 * @param insertionPoint the insertion point offered by the scanner
 * @return {@code true} only when the insertion point type is
 *         {@code IScannerInsertionPoint.INS_HEADER}
 */
private boolean isRelevantInsertionPoint(IScannerInsertionPoint insertionPoint) {
    final byte pointType = insertionPoint.getInsertionPointType();
    return IScannerInsertionPoint.INS_HEADER == pointType;
}
/**
 * Decides whether an insertion point places its payload inside the URL path.
 *
 * <p>The two URL-path insertion point types are accepted directly. A
 * user-provided insertion point is probed instead: a request is built with a
 * fixed marker string, and the point counts as "in path" when the marker shows
 * up in the extracted path and, if the path contains a {@code ?}, before the
 * first {@code ?}. Every other type is rejected.
 *
 * @param insertionPoint the insertion point to classify
 * @return {@code true} if the payload lands in the path portion of the request
 */
static boolean isInPath(IScannerInsertionPoint insertionPoint) {
    final byte kind = insertionPoint.getInsertionPointType();

    if (kind == IScannerInsertionPoint.INS_URL_PATH_FILENAME
            || kind == IScannerInsertionPoint.INS_URL_PATH_FOLDER) {
        return true;
    }
    if (kind != IScannerInsertionPoint.INS_USER_PROVIDED) {
        return false;
    }

    // The type alone says nothing about where a user-provided point sits, so
    // build a request carrying a marker and see where the marker ends up.
    final String marker = "zxcvcxz";
    String path = Utilities.getPathFromRequest(insertionPoint.buildRequest(marker.getBytes()));

    int markerAt = path.indexOf(marker);
    if (markerAt < 0) {
        return false;
    }

    // A marker that sits after the first '?' is in the query string, not the path.
    int queryAt = path.indexOf("?");
    return queryAt < 0 || markerAt < queryAt;
}
/**
 * Active check: resends the base request with a {@code Proxy:} header that
 * points at a freshly generated Collaborator payload, then reports an issue if
 * Collaborator has recorded an interaction for that payload.
 *
 * <p>Interactions are fetched once, immediately after the probe request
 * returns, so an interaction that arrives later is not seen by this call.
 *
 * @param baseRequestResponse the base request/response being scanned
 * @param insertionPoint      the insertion point offered by the scanner; only
 *                            {@code INS_HEADER} points are processed
 * @return a single-element list holding the reported issue, or {@code null}
 *         when the insertion point is not a header or no interaction was seen
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }

    IBurpCollaboratorClientContext oobContext = callbacks.createBurpCollaboratorClientContext();
    String oobPayload = oobContext.generatePayload(true);
    String proxyHeader = "Proxy: http://" + oobPayload;

    // Rebuild the header list: drop any existing Proxy header (compared
    // case-insensitively) before appending the probe header.
    IRequestInfo baseInfo = helpers.analyzeRequest(baseRequestResponse);
    List<String> headerLines = baseInfo.getHeaders();
    headerLines.removeIf(line -> line != null && line.toLowerCase().startsWith("proxy:"));
    headerLines.add(proxyHeader);

    // The original body is carried over unchanged from the body offset onward.
    byte[] probeRequest = helpers.buildHttpMessage(
            headerLines,
            substring(baseRequestResponse.getRequest(), baseInfo.getBodyOffset()));
    IHttpRequestResponse probeExchange =
            callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probeRequest);

    List<IBurpCollaboratorInteraction> observed = oobContext.fetchCollaboratorInteractionsFor(oobPayload);
    if (observed.isEmpty()) {
        return null;
    }

    // Only the first recorded interaction is attached to the issue.
    List<IScanIssue> findings = new ArrayList<>();
    findings.add(reportIssue(proxyHeader, probeExchange, observed.get(0)));
    return findings;
}
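/**
 * Active check for URL-parameter insertion points: sends one request per
 * entry in {@code Payloads} and collects every issue that
 * {@code analyzeResponse} returns for the resulting exchange.
 *
 * <p>The base request and response are parsed only to confirm that both can be
 * analysed; the parsed results are not used further.
 *
 * @param baseRequestResponse the base request/response being scanned
 * @param insertionPoint      the insertion point offered by the scanner; only
 *                            {@code INS_PARAM_URL} points are processed
 * @return {@code null} when the insertion point is not a URL parameter or the
 *         base request/response could not be analysed; otherwise the list of
 *         issues found, which may be empty
 */
@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) {
        return null;
    }

    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    // Short-circuit OR: the original used the non-short-circuit '|' operator.
    if (resp == null || req == null) {
        return null;
    }

    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();
    for (String payload : Payloads) {
        byte[] probeRequest = insertionPoint.buildRequest(this.helpers.stringToBytes(payload));
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, probeRequest);
        IScanIssue res = analyzeResponse(attack);
        if (res != null) {
            issues.add(res);
        }
    }

    // The original branched on issues.size() > 0 but returned the same list on
    // both paths; an empty list is still what callers get when nothing matched.
    return issues;
}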
@Override public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) return null;