/**
 * Creates a throttler seeded with one fresh canary.
 *
 * <p>The canary is stored in {@code instanceCacheBust}; the field name suggests it is used as a
 * per-instance cache-buster — NOTE(review): confirm against the call sites, they are not visible here.
 */
Throttler() {
    this.instanceCacheBust = Utilities.generateCanary();
}
/**
 * Issues {@code payload} at this injector's insertion point and wraps the exchange in an {@link Attack}.
 *
 * @param payload the payload text to send
 * @param random  when true a fresh canary is generated and prefixed to the payload, and
 *                {@code buildRequest} is called with {@code needCacheBuster == false}; when false no
 *                canary is used and {@code buildRequest} is asked for a cache-buster instead
 * @return an Attack holding the request/response, no probe, no base payload, and the canary ("" if none)
 */
Attack buildAttack(String payload, boolean random) {
    final String canary = random ? Utilities.generateCanary() : "";
    // A random canary already makes the request unique, so the cache-buster is only requested without one.
    final boolean needCacheBuster = !random;
    final IHttpRequestResponse exchange = buildRequest(canary + payload, needCacheBuster);
    return new Attack(exchange, null, null, canary);
}
/**
 * Issues {@code payload} at this injector's insertion point and wraps the exchange in an {@link Attack}.
 *
 * @param payload the payload text to send
 * @param random  when true a fresh canary is generated and prefixed to the payload, and
 *                {@code buildRequest} is called with {@code needCacheBuster == false}; when false no
 *                canary is used and {@code buildRequest} is asked for a cache-buster instead
 * @return an Attack holding the request/response, no probe, no base payload, and the canary ("" if none)
 */
Attack buildAttack(String payload, boolean random) {
    final String canary = random ? Utilities.generateCanary() : "";
    // A random canary already makes the request unique, so the cache-buster is only requested without one.
    final boolean needCacheBuster = !random;
    final IHttpRequestResponse exchange = buildRequest(canary + payload, needCacheBuster);
    return new Attack(exchange, null, null, canary);
}
/**
 * Builds the request for {@code payload} at this injector's insertion point, sends it to
 * {@code service} and returns the exchange.
 *
 * @param payload         payload text; encoded with {@code String.getBytes()}, i.e. the platform
 *                        default charset — NOTE(review): non-ASCII payloads may be re-encoded
 *                        differently on different hosts; confirm whether that matters here
 * @param needCacheBuster when true a URL parameter named with a fresh canary and valued "1" is
 *                        appended, presumably so the request is not answered from a cache
 * @return whatever {@code Utilities.attemptRequest} returns for the built request
 */
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    byte[] request = insertionPoint.buildRequest(payload.getBytes());
    if (needCacheBuster) {
        final IParameter buster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        request = burp.Utilities.helpers.addParameter(request, buster);
    }
    return burp.Utilities.attemptRequest(service, request);
}
/**
 * Sends {@code payload} at this injector's insertion point with a cache-buster appended directly
 * to the query string, and wraps the exchange in an {@link Attack} with no probe, base payload or canary.
 *
 * <p>Unlike {@code buildRequest}, the cache-buster is added with {@code appendToQuery} rather than
 * {@code helpers.addParameter}. TODO (carried over): replace with an addCanary method.
 *
 * @param payload payload text; encoded with {@code String.getBytes()} (platform default charset —
 *                NOTE(review): confirm this is acceptable for non-ASCII payloads)
 * @return an Attack around the issued request/response
 */
Attack probeAttack(String payload) {
    byte[] request = insertionPoint.buildRequest(payload.getBytes());
    final String buster = Utilities.generateCanary() + "=1";
    request = burp.Utilities.appendToQuery(request, buster);
    final IHttpRequestResponse exchange = burp.Utilities.attemptRequest(service, request);
    return new Attack(exchange, null, null, "");
}
/**
 * Builds the request for {@code payload} at this injector's insertion point, sends it to the
 * service of {@code baseRequestResponse} and returns the exchange.
 *
 * @param payload         payload text; encoded with {@code String.getBytes()}, i.e. the platform
 *                        default charset — NOTE(review): confirm this is acceptable for non-ASCII payloads
 * @param needCacheBuster when true a URL parameter named with a fresh canary and valued "1" is
 *                        appended, presumably so the request is not answered from a cache
 * @return whatever {@code Utilities.attemptRequest} returns for the built request
 */
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    byte[] request = insertionPoint.buildRequest(payload.getBytes());
    if (needCacheBuster) {
        final IParameter buster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        request = burp.Utilities.helpers.addParameter(request, buster);
    }
    final IHttpService target = baseRequestResponse.getHttpService();
    return burp.Utilities.attemptRequest(target, request);
}
if (injectionPoint.size() < index + 1) { for (int k = injectionPoint.size(); k < index; k++) { injectionPoint.add(Utilities.generateCanary());
// Baseline for the value insertion point: one probe with a random canary seeds randBase and
// three more random-canary probes are folded into it.
PayloadInjector valueInjector = new PayloadInjector(injector.getBase(), valueInsertionPoint);
Attack randBase = valueInjector.probeAttack(Utilities.generateCanary());
for (int extraProbe = 0; extraProbe < 3; extraProbe++) {
    randBase.addAttack(valueInjector.probeAttack(Utilities.generateCanary()));
}
/**
 * Rewrites {@code messageInfo}'s request in place to make it cache-distinct.
 *
 * <p>Two independent steps. (1) If the literal placeholder {@code $randomplz} occurs anywhere in
 * the request, every occurrence is replaced with a fresh canary and the Content-Length is fixed up.
 * (2) A URL parameter valued "1" is added, named either with a fresh canary when the global
 * setting "Add dynamic cachebuster" is on, or with the fixed name {@code fcbz} when only
 * "Add 'fcbz' cachebuster" is on; the dynamic setting wins when both are on, and neither set means
 * no parameter. NOTE(review): a fixed name gives every request the same cache key — presumably
 * intended so a poisoned entry can be hit again; confirm.
 *
 * @param messageInfo holder whose request is read with {@code getRequest} and written back with {@code setRequest}
 */
private void addCacheBusters(IHttpRequestResponse messageInfo) {
    final byte[] placeholder = Utilities.helpers.stringToBytes("$randomplz");
    if (Utilities.countMatches(messageInfo.getRequest(), placeholder) > 0) {
        final byte[] freshCanary = Utilities.helpers.stringToBytes(Utilities.generateCanary());
        final byte[] rewritten = Utilities.replace(messageInfo.getRequest(), placeholder, freshCanary);
        messageInfo.setRequest(Utilities.fixContentLength(rewritten));
    }

    final String busterName;
    if (Utilities.globalSettings.getBoolean("Add dynamic cachebuster")) {
        busterName = Utilities.generateCanary();
    } else if (Utilities.globalSettings.getBoolean("Add 'fcbz' cachebuster")) {
        busterName = "fcbz";
    } else {
        busterName = null;
    }
    if (busterName == null) {
        return;
    }
    final IParameter buster = burp.Utilities.helpers.buildParameter(busterName, "1", IParameter.PARAM_URL);
    messageInfo.setRequest(Utilities.helpers.addParameter(messageInfo.getRequest(), buster));
}
validParam.setPrefix(Probe.REPLACE); Attack paramBase = new Attack(); paramBase.addAttack(altInject.probeAttack(Utilities.generateCanary())); paramBase.addAttack(altInject.probeAttack(Utilities.generateCanary())); ArrayList<Attack> confirmed = altInject.fuzz(paramBase, validParam); if (!confirmed.isEmpty()) { String pathCacheBuster = Utilities.generateCanary() + ".jpg"; IParameter testCacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL); testReq = Utilities.helpers.addParameter(testReq, testCacheBuster); IHttpRequestResponse testResp = Utilities.attemptRequest(injector.getService(), testReq);
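/**
 * Checks whether the reflection of {@code param} can be persisted into a shared cache.
 *
 * <p>Phase 1 ("set"): the insertion point is built with {@code param}, {@code pathSuffix} is appended
 * to the path, a URL cache-buster with a fresh canary name and value "1" is added, and the request is
 * sent once per step of {@code attackDedication - i .. attackDedication}. Phase 2 ("get"): the base
 * request, carrying the <em>same</em> cache-buster and path suffix so it maps to the same cache key,
 * is fetched every third step of that range; if a response contains the marker {@code wrtqv} the
 * cache served the poisoned entry. A follow-up request with {@code param + "~zxcv\rvcz"} (a bare CR
 * in the value) then probes for header splitting: finding the marker inside the response's header
 * section upgrades the title to "Severe cache poisoning". An issue is raised and true returned on the
 * first hit.
 *
 * <p>Fix relative to the original: the header-splitting check sliced the response at
 * {@code getBodyStart(headerSplitReq)} — the <em>request's</em> header length — so it inspected an
 * arbitrary prefix of the response rather than its headers. It now uses the response's own header
 * boundary. The check is also skipped when no response was received.
 *
 * <p>With {@code i <= 0} both loops are empty and the method returns false without sending anything.
 *
 * @param injector         supplies the HTTP service and the insertion point under test
 * @param param            value reflected into the response; its reflection is expected to contain {@code wrtqv}
 * @param base             the unmodified request used for the "get" side
 * @param attackDedication upper bound of the attempt range
 * @param i                number of poisoning attempts (width of the attempt range)
 * @param pathSuffix       appended to the request path on every request
 * @return true once poisoning is observed (an issue has been added), false otherwise
 */
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    final IHttpService service = injector.getService();

    // Phase 1: poison. The cache-buster is reused by the "get" requests below so both sides share a cache key.
    final IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    byte[] setPoisonReq = Utilities.appendToPath(
            injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }

    // Phase 2: fetch the base request on the same cache key and look for the reflected marker.
    // The get request is identical on every iteration, so it is built once.
    final byte[] getPoisonReq = Utilities.appendToPath(
            Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix);
    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        final IHttpRequestResponse getPoison = Utilities.attemptRequest(service, getPoisonReq);
        if (!Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            continue;
        }
        Utilities.log("Successful cache poisoning check");
        String title = "Cache poisoning";

        // Header-splitting probe: a bare CR inside the value. A fresh cache-buster keeps this request
        // from being answered out of the entry poisoned above.
        final byte[] headerSplitReq = Utilities.appendToPath(
                injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
        final IParameter splitBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        final byte[] headerSplitResp = Utilities.attemptRequest(service,
                Utilities.helpers.addParameter(headerSplitReq, splitBuster)).getResponse();
        if (headerSplitResp != null) {
            // Bound the slice by the RESPONSE's header length (was: the request's).
            final int respHeaderEnd = Utilities.getBodyStart(headerSplitResp);
            if (Utilities.containsBytes(Arrays.copyOfRange(headerSplitResp, 0, respHeaderEnd), "zxcv\rvcz".getBytes())) {
                title = "Severe cache poisoning";
            }
        }
        title = title + " " + i;
        Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title,
                "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response", "High", "Firm", "Investigate"));
        return true;
    }
    return false;
}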
/**
 * Builds and issues an {@link Attack} for one payload of {@code probe}.
 *
 * <p>Placement follows {@code probe.getPrefix()}: PREPEND sends payload + base value; APPEND sends
 * base value + anchor + payload; REPLACE sends the payload alone; any other value logs
 * "Unknown payload position" and is sent like REPLACE. When {@code probe.getRandomAnchor()} is set
 * the anchor is a fresh canary and the exchange is highlighted on it; otherwise the anchor is "".
 * NOTE(review): the anchor is only spliced into the payload in the APPEND branch, so for a
 * PREPEND/REPLACE probe with a random anchor the highlighted text is absent from the request —
 * confirm whether such probes exist.
 *
 * @param probe   describes placement, anchor use and whether {@code buildRequest} adds a cache-buster
 * @param payload the probe payload; recorded unmodified on the returned Attack
 * @return the issued Attack carrying the probe, the original payload and the anchor
 */
private Attack buildAttackFromProbe(Probe probe, String payload) {
    final boolean randomAnchor = probe.getRandomAnchor();
    final String anchor = randomAnchor ? Utilities.generateCanary() : "";
    final byte placement = probe.getPrefix();

    final String toSend;
    if (placement == Probe.PREPEND) {
        toSend = payload + insertionPoint.getBaseValue();
    } else if (placement == Probe.APPEND) {
        toSend = insertionPoint.getBaseValue() + anchor + payload;
    } else {
        if (placement != Probe.REPLACE) {
            Utilities.err("Unknown payload position");
        }
        toSend = payload;
    }

    IHttpRequestResponse exchange = buildRequest(toSend, probe.useCacheBuster());
    if (randomAnchor) {
        exchange = Utilities.highlightRequestResponse(exchange, anchor, anchor, insertionPoint);
    }
    return new Attack(exchange, probe, payload, anchor);
}
/**
 * Builds and issues an {@link Attack} for one payload of {@code probe}.
 *
 * <p>Placement follows {@code probe.getPrefix()}: PREPEND sends payload + base value; APPEND sends
 * base value + anchor + payload; REPLACE sends the payload alone; any other value logs
 * "Unknown payload position" and is sent like REPLACE. When {@code probe.getRandomAnchor()} is set
 * the anchor is a fresh canary and the exchange is highlighted on it; otherwise the anchor is "".
 * NOTE(review): the anchor is only spliced into the payload in the APPEND branch, so for a
 * PREPEND/REPLACE probe with a random anchor the highlighted text is absent from the request —
 * confirm whether such probes exist.
 *
 * @param probe   describes placement, anchor use and whether {@code buildRequest} adds a cache-buster
 * @param payload the probe payload; recorded unmodified on the returned Attack
 * @return the issued Attack carrying the probe, the original payload and the anchor
 */
private Attack buildAttackFromProbe(Probe probe, String payload) {
    final boolean randomAnchor = probe.getRandomAnchor();
    final String anchor = randomAnchor ? Utilities.generateCanary() : "";
    final byte placement = probe.getPrefix();

    final String toSend;
    if (placement == Probe.PREPEND) {
        toSend = payload + insertionPoint.getBaseValue();
    } else if (placement == Probe.APPEND) {
        toSend = insertionPoint.getBaseValue() + anchor + payload;
    } else {
        if (placement != Probe.REPLACE) {
            Utilities.err("Unknown payload position");
        }
        toSend = payload;
    }

    IHttpRequestResponse exchange = buildRequest(toSend, probe.useCacheBuster());
    if (randomAnchor) {
        exchange = Utilities.highlightRequestResponse(exchange, anchor, anchor, insertionPoint);
    }
    return new Attack(exchange, probe, payload, anchor);
}
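/**
 * Status-code based cache poisoning check for {@code param}.
 *
 * <p>Both requests share one random path suffix ({@code <canary>.jpg}) so they map to the same
 * cache key. Phase 1 sends the insertion point built with {@code addStatusPayload(param)}
 * {@code attackDedication} times. Phase 2 fetches the variant built with
 * {@code addStatusPayload("xyz" + param + "z")} every third step and compares its status code with
 * {@code get404Code}; a different code is reported as "Dubious cache poisoning" (Tentative) and the
 * method returns true.
 *
 * <p>Fix relative to the original: {@code return true} sat inside the polling loop but outside the
 * status comparison, so the loop ran exactly once and the method reported success even when the
 * status matched {@code get404Code}. It is now returned only on a mismatch; otherwise polling
 * continues and false is returned. NOTE(review): callers that relied on an unconditional true
 * after one poll should be checked — none are visible here. The {@code " " + j} in the title now
 * reflects the poll at which the difference was seen (it was always 0 before).
 *
 * @param injector         supplies the HTTP service and the insertion point under test
 * @param param            parameter text wrapped by {@code addStatusPayload}
 * @param attackDedication number of poisoning requests; polls happen every third step of the same range
 * @param get404Code       the status code expected when the cache is clean
 * @return true once a differing status code is observed (an issue has been added), false otherwise
 */
private boolean tryStatusCache(PayloadInjector injector, String param, int attackDedication, short get404Code) {
    // One canary path segment shared by set and get so both hit the same cache entry.
    final String canary = Utilities.generateCanary() + ".jpg";
    byte[] setPoison200Req = injector.getInsertionPoint().buildRequest(
            Utilities.helpers.stringToBytes(addStatusPayload(param)));
    setPoison200Req = Utilities.appendToPath(setPoison200Req, canary);
    byte[] getPoison200Req = injector.getInsertionPoint().buildRequest(
            Utilities.helpers.stringToBytes(addStatusPayload("xyz" + param + "z")));
    getPoison200Req = Utilities.appendToPath(getPoison200Req, canary);

    // Phase 1: poison.
    for (int j = 0; j < attackDedication; j++) {
        Utilities.attemptRequest(injector.getService(), setPoison200Req);
    }

    // Phase 2: poll for a status code that differs from the clean-cache baseline.
    for (int j = 0; j < attackDedication; j += 3) {
        final IHttpRequestResponse getPoison200 = Utilities.attemptRequest(injector.getService(), getPoison200Req);
        final short observedCode = Utilities.helpers.analyzeResponse(getPoison200.getResponse()).getStatusCode();
        if (observedCode != get404Code) {
            Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison200.getHttpService(), Utilities.getURL(getPoison200), getPoison200,
                    "Dubious cache poisoning " + j,
                    "Cache poisoning: '" + param + "'. Diff based cache poisoning. Good luck confirming", "High", "Tentative", "Investigate"));
            // Only a mismatch counts as success (was: unconditional return after the first poll).
            return true;
        }
    }
    return false;
}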