ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers:

- Passive-scanner issues that only occur during fuzzing (install the 'Error Message Checks' extension for maximum effectiveness)

It also adds checks for the following issues:

- Blind code injection via expression language, Ruby's open() and Perl's open()
- CVE-2014-6271/CVE-2014-6278 'shellshock' and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629, CVE-2018-11776

It also provides insertion points for HTTP basic authentication.

To invoke these checks, just run a normal active scan.

The host header checks tamper with the host header, which may result in requests being routed to different applications on the same host. Exercise caution when running this scanner against applications in a shared hosting environment.

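The caution above exists because a probe response can end up stored in a cache that real users share. The following added illustration, which is not part of ActiveScan++, models that situation: a toy origin that builds its links from the Host header sits behind a toy cache whose key ignores Host (an assumption of this model; caches in front of a single site often key on path and query alone). It runs the scenario first without and then with the kind of cache-busting parameter the changelog's 1.0.5 entry describes. Everything here is simulated; the hostnames probe.invalid and www.example.test, the parameter name cachebust and the function names are this example's own.

```python
"""Added illustration (not ActiveScan++ code): accidental cache poisoning by a
Host-header probe, and how a cache-busting query parameter prevents it.
Origin, cache and hostnames are simulated/constructed."""
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def add_cachebuster(url: str, name: str = "cachebust") -> str:
    """Append a random query parameter, keeping any existing query intact,
    so the probe is cached (if at all) under a key nobody else requests."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((name, secrets.token_hex(8)))
    return urlunsplit(parts._replace(query=urlencode(query)))


class Origin:
    """Simulated application that builds its password-reset link from the
    Host header, the behaviour the host header checks look for."""

    def respond(self, host: str, path: str) -> str:
        return f'<a href="https://{host}{path}">Reset your password</a>'


class SharedCache:
    """Simulated cache keyed on (path, query) only; Host is not in the key
    (assumption of this model)."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.store = {}

    def get(self, host: str, url: str) -> str:
        parts = urlsplit(url)
        key = (parts.path, parts.query)
        if key not in self.store:
            self.store[key] = self.origin.respond(host, parts.path)
        return self.store[key]


def victim_sees_probe_host(use_cachebuster: bool) -> bool:
    """Send one probe with a tampered Host, then an ordinary visitor's request
    for the same page; report whether the visitor received the probe's response."""
    cache = SharedCache(Origin())
    probe_url = "/reset?user=bob"
    if use_cachebuster:
        probe_url = add_cachebuster(probe_url)
    cache.get("probe.invalid", probe_url)                    # scanner probe, tampered Host
    page = cache.get("www.example.test", "/reset?user=bob")  # real visitor, normal Host
    return "probe.invalid" in page


if __name__ == "__main__":
    print("visitor poisoned without cache-buster:", victim_sees_probe_host(False))
    print("visitor poisoned with cache-buster:   ", victim_sees_probe_host(True))
```

The cache-buster does not make the probe harmless to the cache; it only guarantees that whatever the cache stores is filed under a key no ordinary request will match, which is what "accidental" poisoning means in the changelog entry.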
--------------------------------------------------------------------------------
/BappManifest.bmf:
--------------------------------------------------------------------------------
1 | Uuid: 3123d5b5f25c4128894d97ea1acc4976
2 | ExtensionType: 1
3 | Name: Active Scan++
4 | RepoName: active-scan-plus-plus
5 | ScreenVersion: 2.0.6
6 | SerialVersion: 44
7 | MinPlatformVersion: 19
8 | ProOnly: True
9 | Author: James Kettle, PortSwigger
10 | ShortDescription: Extends Burp's active and passive scanning capabilities.
11 | EntryPoint: active-scan-plus-plus-all.jar
12 | BuildCommand: ./gradlew fatJar
13 | SupportedProducts: Pro, Enterprise
14 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "{}"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright 2014 Context Information Security
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ActiveScan++
2 | ==================
3 |
4 | ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers:
5 |
6 | - Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding)
7 | - Edge Side Includes
8 | - XML input handling
9 | - Suspicious input transformation (eg 7*7 => '49', \\\\ => '\\')
10 | - Passive-scanner issues that only occur during fuzzing (install the 'Error Message Checks' extension for maximum effectiveness)
11 |
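As an added illustration, not code from the extension, the following Python shows the decision a suspicious-input-transformation check makes once a probe has been reflected: was it echoed verbatim, not echoed at all, or echoed in a transformed form such as 7*7 becoming 49? Wrapping the probe in a canary is what stops an innocent 49 or A elsewhere on the page from counting as a hit. The probe table, the canary value and the response bodies are constructed for this example, and the function names are its own.

```python
"""Added illustration (not ActiveScan++ code): classifying how a reflected probe
was transformed. Probe/transformation pairs follow the README (7*7 -> 49,
\\\\ -> \\, \\x41 -> A); all response bodies below are constructed."""

# raw probe -> (form it takes after the suspicious transformation, finding label)
PROBES = {
    "7*7": ("49", "arithmetic/expression evaluation"),
    "\\\\": ("\\", "backslash unescaping"),   # two backslashes collapse to one
    "\\x41": ("A", "hex escape decoding"),
}


def make_probe(raw: str, canary: str) -> str:
    """Wrap the probe in a canary on both sides. A bare '49' or 'A' occurs in
    ordinary page content, so only canary-delimited matches are trusted."""
    return f"{canary}{raw}{canary}"


def classify_reflection(raw: str, canary: str, body: str) -> str:
    """Return 'unchanged' if the probe came back verbatim, 'absent' if it was
    not reflected at all, otherwise the label of the transformation seen."""
    transformed, label = PROBES[raw]
    if make_probe(raw, canary) in body:
        return "unchanged"   # verbatim echo wins: nothing was evaluated or decoded
    if make_probe(transformed, canary) in body:
        return label
    return "absent"


def scan_responses(canary: str, responses: dict) -> list:
    """responses maps each raw probe to the body it produced; returns the
    (probe, transformation) pairs worth reporting."""
    findings = []
    for raw, body in responses.items():
        verdict = classify_reflection(raw, canary, body)
        if verdict not in ("unchanged", "absent"):
            findings.append((raw, verdict))
    return findings


# Constructed sample: one canary per scan (a real check draws it at random so
# it cannot collide with page content) and three echoed responses.
CANARY = "zq4m"
SAMPLE_RESPONSES = {
    "7*7": "<p>Hello zq4m49zq4m, welcome back</p>",               # evaluated -> finding
    "\\\\": "<p>Your search for zq4m\\zq4m found 0 hits</p>",     # unescaped -> finding
    "\\x41": "<p>zq4m\\x41zq4m</p>",                               # verbatim -> no finding
}

if __name__ == "__main__":
    for probe, label in scan_responses(CANARY, SAMPLE_RESPONSES):
        print(f"probe {probe!r} was transformed: {label}")
```

Checking for the verbatim echo before the transformed form matters: a page that reflects the input twice, once raw and once processed, is not evidence of server-side evaluation on its own, and reporting it would be a false positive of exactly the kind the 2.0.1 changelog entry refers to.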
12 | It also adds checks for the following issues:
13 |
14 | - Blind code injection via expression language, Ruby's open() and Perl's open()
15 | - CVE-2014-6271/CVE-2014-6278 'shellshock' and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629, CVE-2018-11776, etc
16 |
17 | #### Requirements:
18 | Burp Suite Professional or Enterprise (latest stable version)
19 |
20 | #### Manual installation:
21 |
22 | 1. 'Extensions'->'Installed'->'Add'
23 | 2. Click 'Select file'
24 | 3. Choose build/libs/active-scan-plus-plus-all.jar
25 |
26 | #### Usage notes:
27 | To invoke these checks, just run a normal active scan.
28 |
29 | #### Changelog:
30 | **2.0.3 20250123**
31 | - Unicode processing issues (refer to [Bypassing character blocklists with unicode overflows](https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows))
32 |
33 | **2.0.1 20241210**
34 | - Resolve some long-standing false positives
35 |
36 | **2.0.0 20241202**
37 | - Rewrite in Java!
38 |
39 | **1.0.24 20230801**
40 | - Devise (no CVE, refer to [Smashing the State Machine](https://portswigger.net/research/smashing-the-state-machine))
41 |
42 | **1.0.23 20211210**
43 | - Log4Shell (CVE-2021-44228)
44 |
45 | **1.0.22 20210325**
46 | - Detect interesting OAuth endpoints.
47 | - For further details, please refer to [Hidden OAuth Attack Vectors](https://portswigger.net/research/hidden-oauth-attack-vectors)
48 |
49 | **1.0.21 20190322**
50 | - Detect Rails file disclosure (CVE-2019-5418)
51 |
52 | **1.0.20 20180903**
53 | - Detect new Struts RCE (CVE-2018-11776)
54 |
55 | **1.0.19 20180815**
56 | - Detect Razor template injection with @(7*7)
57 |
58 | **1.0.18 20180804**
59 | - Try converting requests to XML for XXE
60 | - Detect CVE-2017-12611, CVE-2017-9805
61 | - Improve robustness
62 |
63 | **1.0.17 20180411**
64 | - Detect interesting files: /.git/config and /server-status
65 | - This can be easily extended with your own checks
66 |
67 | **1.0.16 20180404**
68 | - Detect Edge Side Includes
69 |
70 | **1.0.15 20171026**
71 | - Detect RCE via Solr/Lucene injection using XXE - [CVE-2017-12629](https://mail-archives.apache.org/mod_mbox/lucene-dev/201710.mbox/%3CCAJEmKoC%2BeQdP-E6BKBVDaR_43fRs1A-hOLO3JYuemmUcr1R%2BTA%40mail.gmail.com%3E)
72 |
73 | **1.0.14 20170309**
74 | - Detect the latest Struts2 RCE - CVE-2017-5638 / S2-045
75 |
76 | **1.0.13 20160411**
77 | - Detect shell command injection via Perl open() calls
78 | - Fix bug that reduced efficiency by creating useless insertion points
79 | - Sadly remove the 'NullPointerException' feature
80 | - Fix bug that caused passive scanner issues to appear on HTTP instead of HTTPS
81 | - Reduce time-delay based check false positives
82 |
83 | **1.0.12 - 20151118**
84 | - Trigger a fresh passive scan when an alternative code path is identified (combines well with the 'Error Message Checks' extension)
85 |
86 | **1.0.11 - 20150327**
87 | - Detect misc code injection via suspicious input transformation (eg \x41->A)
88 | - Report when applications appear to handle XML input
89 | - Set Connection: close on outgoing requests for speed
90 |
91 | **1.0.10 - 20150327**
92 | - Add test for ruby open() exploit - see http://sakurity.com/blog/2015/02/28/openuri.html
93 | - Assorted minor tweaks and fixes
94 |
95 | **1.0.9 - 20150225**
96 | - Add tentative test for CVE-2015-2080
97 | - Remove dynamic code injection and RPO checks - these are now implemented in core Burp
98 | - Provide a useful error message when someone foolishly tries using Jython 2.7 beta
99 |
100 | **1.0.8 - 20141001**
101 | - Add tentative test for CVE-2014-6278
102 |
103 | **1.0.7 - 20140926**
104 | - Tweak test for CVE-2014-6271 for better coverage
105 |
106 | **1.0.6 - 20140925**
107 | - Add a test for CVE-2014-6271
108 |
109 | **1.0.5 - 20140708**
110 | - Add compatibility for Jython 2.5 (stable)
111 | - Improve cache poisoning detection
112 | - Add a cachebust parameter to prevent accidental cache poisoning
113 | - Misc. bugfixes
114 |
115 | **1.0.4 - 20140616**
116 | - Prevent RPO false positives by checking page's DOCTYPE
117 | - Reduce host header poisoning false negatives
118 |
119 | **1.0.3 - 20140523**
120 | - Prevent duplicate issues when saving/restoring state
121 | - Refactor: the passive scanner is now almost extensible
122 | - Improve expression language injection detection
123 | - Improve RPO regex
124 |
125 | **1.0.2 - 20140424**
126 | - Thread safety related bugfixes
127 |
128 | **1.0.1 - 20140422**
129 | - Minor bugfixes
130 |
131 | **1.0:**
132 | - Release
133 |
--------------------------------------------------------------------------------
/build.gradle:
--------------------------------------------------------------------------------
1 | apply plugin: 'java'
2 |
3 | sourceCompatibility = 21
4 | targetCompatibility = 21
5 |
6 | repositories {
7 | mavenCentral()
8 | }
9 |
10 | dependencies {
11 | //compile 'net.portswigger.burp.extender:burp-extender-api:1.7.13'
12 | implementation 'org.apache.commons:commons-text:1.9'
13 | implementation files('bulkScan-all.jar') // this contains albinowaxUtils
14 | }
15 |
16 | sourceSets {
17 | main {
18 | java {
19 | srcDir 'src'
20 | }
21 | resources {
22 | srcDir 'resources'
23 | }
24 | }
25 | }
26 |
27 | archivesBaseName = ('active-scan-plus-plus-all')
28 |
29 | task fatJar(type: Jar) {
30 | duplicatesStrategy = DuplicatesStrategy.INCLUDE
31 | from { configurations.compileClasspath.collect { it.isDirectory() ? it : zipTree(it) } }
32 | with jar
33 | }
--------------------------------------------------------------------------------
/bulkScan-all.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/active-scan-plus-plus/de36e31026cd1afea4898b5f17b01c0ba55e4b8d/bulkScan-all.jar
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/active-scan-plus-plus/de36e31026cd1afea4898b5f17b01c0ba55e4b8d/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionBase=GRADLE_USER_HOME
2 | distributionPath=wrapper/dists
3 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
4 | zipStoreBase=GRADLE_USER_HOME
5 | zipStorePath=wrapper/dists
6 |
--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 |
3 | #
4 | # Copyright 2015 the original author or authors.
5 | #
6 | # Licensed under the Apache License, Version 2.0 (the "License");
7 | # you may not use this file except in compliance with the License.
8 | # You may obtain a copy of the License at
9 | #
10 | # https://www.apache.org/licenses/LICENSE-2.0
11 | #
12 | # Unless required by applicable law or agreed to in writing, software
13 | # distributed under the License is distributed on an "AS IS" BASIS,
14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | # See the License for the specific language governing permissions and
16 | # limitations under the License.
17 | #
18 |
19 | ##############################################################################
20 | ##
21 | ## Gradle start up script for UN*X
22 | ##
23 | ##############################################################################
24 |
25 | # Attempt to set APP_HOME
26 | # Resolve links: $0 may be a link
27 | PRG="$0"
28 | # Need this for relative symlinks.
29 | while [ -h "$PRG" ] ; do
30 | ls=`ls -ld "$PRG"`
31 | link=`expr "$ls" : '.*-> \(.*\)$'`
32 | if expr "$link" : '/.*' > /dev/null; then
33 | PRG="$link"
34 | else
35 | PRG=`dirname "$PRG"`"/$link"
36 | fi
37 | done
38 | SAVED="`pwd`"
39 | cd "`dirname \"$PRG\"`/" >/dev/null
40 | APP_HOME="`pwd -P`"
41 | cd "$SAVED" >/dev/null
42 |
43 | APP_NAME="Gradle"
44 | APP_BASE_NAME=`basename "$0"`
45 |
46 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
47 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
48 |
49 | # Use the maximum available, or set MAX_FD != -1 to use that value.
50 | MAX_FD="maximum"
51 |
52 | warn () {
53 | echo "$*"
54 | }
55 |
56 | die () {
57 | echo
58 | echo "$*"
59 | echo
60 | exit 1
61 | }
62 |
63 | # OS specific support (must be 'true' or 'false').
64 | cygwin=false
65 | msys=false
66 | darwin=false
67 | nonstop=false
68 | case "`uname`" in
69 | CYGWIN* )
70 | cygwin=true
71 | ;;
72 | Darwin* )
73 | darwin=true
74 | ;;
75 | MINGW* )
76 | msys=true
77 | ;;
78 | NONSTOP* )
79 | nonstop=true
80 | ;;
81 | esac
82 |
83 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
84 |
85 |
86 | # Determine the Java command to use to start the JVM.
87 | if [ -n "$JAVA_HOME" ] ; then
88 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
89 | # IBM's JDK on AIX uses strange locations for the executables
90 | JAVACMD="$JAVA_HOME/jre/sh/java"
91 | else
92 | JAVACMD="$JAVA_HOME/bin/java"
93 | fi
94 | if [ ! -x "$JAVACMD" ] ; then
95 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
96 |
97 | Please set the JAVA_HOME variable in your environment to match the
98 | location of your Java installation."
99 | fi
100 | else
101 | JAVACMD="java"
102 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
103 |
104 | Please set the JAVA_HOME variable in your environment to match the
105 | location of your Java installation."
106 | fi
107 |
108 | # Increase the maximum file descriptors if we can.
109 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
110 | MAX_FD_LIMIT=`ulimit -H -n`
111 | if [ $? -eq 0 ] ; then
112 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
113 | MAX_FD="$MAX_FD_LIMIT"
114 | fi
115 | ulimit -n $MAX_FD
116 | if [ $? -ne 0 ] ; then
117 | warn "Could not set maximum file descriptor limit: $MAX_FD"
118 | fi
119 | else
120 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
121 | fi
122 | fi
123 |
124 | # For Darwin, add options to specify how the application appears in the dock
125 | if $darwin; then
126 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
127 | fi
128 |
129 | # For Cygwin or MSYS, switch paths to Windows format before running java
130 | if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
131 | APP_HOME=`cygpath --path --mixed "$APP_HOME"`
132 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
133 |
134 | JAVACMD=`cygpath --unix "$JAVACMD"`
135 |
136 | # We build the pattern for arguments to be converted via cygpath
137 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
138 | SEP=""
139 | for dir in $ROOTDIRSRAW ; do
140 | ROOTDIRS="$ROOTDIRS$SEP$dir"
141 | SEP="|"
142 | done
143 | OURCYGPATTERN="(^($ROOTDIRS))"
144 | # Add a user-defined pattern to the cygpath arguments
145 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then
146 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
147 | fi
148 | # Now convert the arguments - kludge to limit ourselves to /bin/sh
149 | i=0
150 | for arg in "$@" ; do
151 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
152 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
153 |
154 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
155 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
156 | else
157 | eval `echo args$i`="\"$arg\""
158 | fi
159 | i=`expr $i + 1`
160 | done
161 | case $i in
162 | 0) set -- ;;
163 | 1) set -- "$args0" ;;
164 | 2) set -- "$args0" "$args1" ;;
165 | 3) set -- "$args0" "$args1" "$args2" ;;
166 | 4) set -- "$args0" "$args1" "$args2" "$args3" ;;
167 | 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
168 | 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
169 | 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
170 | 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
171 | 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
172 | esac
173 | fi
174 |
175 | # Escape application args
176 | save () {
177 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
178 | echo " "
179 | }
180 | APP_ARGS=`save "$@"`
181 |
182 | # Collect all arguments for the java command, following the shell quoting and substitution rules
183 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
184 |
185 | exec "$JAVACMD" "$@"
186 |
--------------------------------------------------------------------------------
/gradlew.bat:
--------------------------------------------------------------------------------
1 | @rem
2 | @rem Copyright 2015 the original author or authors.
3 | @rem
4 | @rem Licensed under the Apache License, Version 2.0 (the "License");
5 | @rem you may not use this file except in compliance with the License.
6 | @rem You may obtain a copy of the License at
7 | @rem
8 | @rem https://www.apache.org/licenses/LICENSE-2.0
9 | @rem
10 | @rem Unless required by applicable law or agreed to in writing, software
11 | @rem distributed under the License is distributed on an "AS IS" BASIS,
12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | @rem See the License for the specific language governing permissions and
14 | @rem limitations under the License.
15 | @rem
16 |
17 | @if "%DEBUG%" == "" @echo off
18 | @rem ##########################################################################
19 | @rem
20 | @rem Gradle startup script for Windows
21 | @rem
22 | @rem ##########################################################################
23 |
24 | @rem Set local scope for the variables with windows NT shell
25 | if "%OS%"=="Windows_NT" setlocal
26 |
27 | set DIRNAME=%~dp0
28 | if "%DIRNAME%" == "" set DIRNAME=.
29 | set APP_BASE_NAME=%~n0
30 | set APP_HOME=%DIRNAME%
31 |
32 | @rem Resolve any "." and ".." in APP_HOME to make it shorter.
33 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
34 |
35 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
36 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
37 |
38 | @rem Find java.exe
39 | if defined JAVA_HOME goto findJavaFromJavaHome
40 |
41 | set JAVA_EXE=java.exe
42 | %JAVA_EXE% -version >NUL 2>&1
43 | if "%ERRORLEVEL%" == "0" goto execute
44 |
45 | echo.
46 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
47 | echo.
48 | echo Please set the JAVA_HOME variable in your environment to match the
49 | echo location of your Java installation.
50 |
51 | goto fail
52 |
53 | :findJavaFromJavaHome
54 | set JAVA_HOME=%JAVA_HOME:"=%
55 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
56 |
57 | if exist "%JAVA_EXE%" goto execute
58 |
59 | echo.
60 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
61 | echo.
62 | echo Please set the JAVA_HOME variable in your environment to match the
63 | echo location of your Java installation.
64 |
65 | goto fail
66 |
67 | :execute
68 | @rem Setup the command line
69 |
70 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
71 |
72 |
73 | @rem Execute Gradle
74 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
75 |
76 | :end
77 | @rem End local scope for the variables with windows NT shell
78 | if "%ERRORLEVEL%"=="0" goto mainEnd
79 |
80 | :fail
81 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
82 | rem the _cmd.exe /c_ return code!
83 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
84 | exit /b 1
85 |
86 | :mainEnd
87 | if "%OS%"=="Windows_NT" endlocal
88 |
89 | :omega
90 |
--------------------------------------------------------------------------------
/src/burp/BasicAuthInsertionPointProvider.java:
--------------------------------------------------------------------------------
package burp;

import burp.IScannerInsertionPoint;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Insertion point that targets the user-id (position 0) or the password (position 1)
 * carried in an HTTP Basic Authorization header. Payloads are substituted into the
 * decoded credentials and the header is re-encoded, so the scanner fuzzes the
 * credential fields rather than the opaque base64 blob.
 */
public class BasicAuthInsertionPointProvider implements IScannerInsertionPoint {
    private String baseRequest;
    private int position;
    private String baseBlob;
    private String[] baseValues;
    private int baseOffset;

    public BasicAuthInsertionPointProvider(byte[] baseRequest, int position) {
        // ISO-8859-1 maps bytes to chars 1:1, so re-encoding below cannot corrupt the request
        this.baseRequest = new String(baseRequest, StandardCharsets.ISO_8859_1);
        this.position = position;

        Pattern pattern = Pattern.compile("^Authorization: Basic (.*)$", Pattern.MULTILINE);
        Matcher matcher = pattern.matcher(this.baseRequest);
        if (matcher.find()) {
            baseBlob = matcher.group(1);
        } else {
            throw new IllegalArgumentException("Authorization header not found");
        }

        String decodedBlob = new String(Base64.getDecoder().decode(baseBlob), StandardCharsets.ISO_8859_1);
        // RFC 7617: the user-id cannot contain ':' but the password can, so split on the first colon only
        baseValues = decodedBlob.split(":", 2);
        if (baseValues.length != 2) {
            throw new IllegalArgumentException("Basic credentials are not of the form user-id:password");
        }
        // record where the blob sits in the header rather than the first occurrence anywhere in the request
        baseOffset = matcher.start(1);
    }

    @Override
    public String getInsertionPointName() {
        return "BasicAuth" + (position == 0 ? "UserName" : "Password");
    }

    @Override
    public String getBaseValue() {
        return baseValues[position];
    }

    private String makeBlob(byte[] payload) {
        String[] values = baseValues.clone();
        values[position] = new String(payload, StandardCharsets.ISO_8859_1);
        return Base64.getEncoder().encodeToString(
                String.join(":", values).getBytes(StandardCharsets.ISO_8859_1));
    }

    @Override
    public byte[] buildRequest(byte[] payload) {
        String newBlob = makeBlob(payload);
        // splice at the recorded offset; String.replace would rewrite every occurrence of the blob
        String rebuilt = baseRequest.substring(0, baseOffset)
                + newBlob
                + baseRequest.substring(baseOffset + baseBlob.length());
        return rebuilt.getBytes(StandardCharsets.ISO_8859_1);
    }

    @Override
    public int[] getPayloadOffsets(byte[] payload) {
        String newBlob = makeBlob(payload);
        return new int[]{baseOffset, baseOffset + newBlob.length()};
    }

    @Override
    public byte getInsertionPointType() {
        return IScannerInsertionPoint.INS_EXTENSION_PROVIDED;
    }
}

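The provider above locates the `Authorization: Basic` header, base64-decodes it, substitutes a payload into the user-id or the password, and re-encodes the pair. The Python below is an added example written for this page, not code from ActiveScan++ or PortSwigger, that performs the same transformation outside Burp so it can be checked on a constructed request. It splits on the first colon only, as RFC 7617 requires (a password may itself contain colons), and splices the new blob at the recorded header offset. The request bytes, the `example.test` host and the credential values are constructed.

```python
import base64
import re

# Constructed sample request (not from the page); CRLF line endings as on the wire.
SAMPLE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cr:et") + b"\r\n"
    b"\r\n"
)

# The explicit base64 alphabet keeps a trailing '\r' out of the captured blob
# (Python's MULTILINE '$' only anchors before '\n').
_BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.MULTILINE)


def has_basic_auth(request: bytes) -> bool:
    """True if the request carries a Basic Authorization header."""
    return _BASIC_RE.search(request) is not None


def parse_basic_auth(request: bytes):
    """Return (blob, blob_offset, [user_id, password]) for the request's Basic credentials.

    RFC 7617: the user-id may not contain ':' but the password may, so split on the
    first colon only. Splitting on every colon would truncate such a password.
    """
    m = _BASIC_RE.search(request)
    if not m:
        raise ValueError("Authorization header not found")
    blob = m.group(1)
    decoded = base64.b64decode(blob, validate=True)
    if b":" not in decoded:
        raise ValueError("Basic credentials are not of the form user-id:password")
    user_id, password = decoded.split(b":", 1)
    return blob, m.start(1), [user_id, password]


def credentials_of(request: bytes) -> bytes:
    """Decoded user-id:password currently carried by the request (handy for checking a rebuilt one)."""
    return base64.b64decode(parse_basic_auth(request)[0])


def build_request(request: bytes, position: int, payload: bytes):
    """Substitute payload for the user-id (position 0) or password (position 1),
    re-encode, and return (new_request, (start, end)) where the offsets bracket the
    replaced blob, mirroring getPayloadOffsets above."""
    if position not in (0, 1):
        raise ValueError("position must be 0 (user-id) or 1 (password)")
    blob, offset, values = parse_basic_auth(request)
    values[position] = payload
    new_blob = base64.b64encode(b":".join(values))
    # Splice at the known header offset rather than replacing every occurrence of the blob.
    new_request = request[:offset] + new_blob + request[offset + len(blob):]
    return new_request, (offset, offset + len(new_blob))


if __name__ == "__main__":
    rebuilt, span = build_request(SAMPLE_REQUEST, 1, b"hunter2")
    print(rebuilt.decode("latin-1"))
    print("credentials now:", credentials_of(rebuilt), "blob span:", span)
```

Because the password in the constructed request contains a colon, the two-way split is what keeps `credentials_of` returning the full original password when only the user-id is fuzzed.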
--------------------------------------------------------------------------------
/src/burp/BurpExtender.java:
--------------------------------------------------------------------------------
package burp;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.BurpSuiteEdition;

import java.util.HashMap;
import java.util.concurrent.ConcurrentHashMap;

// Extension entry point: registers each scan check through the legacy extender
// callbacks and, on non-Enterprise editions, the bulk-scan context menu via Montoya.
public class BurpExtender implements IBurpExtender, IExtensionStateListener, BurpExtension {
    private static final String name = "ActiveScan++";
    private static final String version = "2.0.6";
    public boolean unloaded = false;
    static ConcurrentHashMap hostsToSkip = new ConcurrentHashMap<>();

    @Override
    public void initialize(MontoyaApi api) {
        Utilities.montoyaApi = api;
        if (!Utilities.montoyaApi.burpSuite().version().edition().equals(BurpSuiteEdition.ENTERPRISE_EDITION)) {
            BulkUtilities.registerContextMenu();
        }
        // api.http().registerHttpHandler(new Tester());
        // api.userInterface().registerContextMenuItemsProvider(new OfferHostnameOverride());
    }

    @Override
    public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {

        new Utilities(callbacks, new HashMap<>(), name);
        Utilities.callbacks.setExtensionName(name);
        Utilities.callbacks.registerExtensionStateListener(this);

        Utilities.callbacks.registerScannerCheck(new PerHostScans("Per host scans"));
        Utilities.callbacks.registerScannerCheck(new PerRequestScans("Per request scans"));
        Utilities.callbacks.registerScannerCheck(new CodeExec("Code Exec"));
        Utilities.callbacks.registerScannerCheck(new EdgeSideInclude("Edge Side Include"));
        Utilities.callbacks.registerScannerCheck(new JetLeak("JetLeak"));
        Utilities.callbacks.registerScannerCheck(new SimpleFuzz("Simple Fuzz"));
        Utilities.callbacks.registerScannerCheck(new SolrScan("Solr Scan"));
        Utilities.callbacks.registerScannerCheck(new Struts201712611Scan("Struts 2017-12611 Scan"));
        Utilities.callbacks.registerScannerCheck(new SuspectTransform("Suspect Transform"));
        Utilities.callbacks.registerScannerCheck(new XMLScan("XML security"));

        new BulkScanLauncher(BulkScan.scans);

        Utilities.out("Loaded " + name + " v" + version);
    }

    public void extensionUnloaded() {
        Utilities.log("Aborting all attacks");
        Utilities.unloaded.set(true);
    }

}

--------------------------------------------------------------------------------
/src/burp/CodeExec.java:
--------------------------------------------------------------------------------
package burp;

import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import static burp.Utilities.callbacks;
import static burp.Utilities.helpers;

import java.net.URL;
import java.util.*;

/**
 * Time-based blind code injection check. Each payload asks the target to sleep; a
 * finding is reported only when the delayed request is consistently slower than an
 * interleaved zero-delay control, and that comparison is repeated six more times to
 * suppress false positives caused by latency or load.
 */
public class CodeExec extends ParamScan {
    private List<URL> _done;                             // URLs already reported
    private HashMap<String, List<String>> _payloads;     // language -> sleep payloads
    private HashMap<String, String> _extensionMappings;  // file extension -> language(s)

    public CodeExec(String name) {
        super(name);
        this._done = new ArrayList<>();

        // Initialize payloads
        _payloads = new HashMap<>();
        _payloads.put("any", Arrays.asList(
                "\u0003 /bin/sleep $time \r",
                "'\r /bin/sleep $time \r",
                "\"\r /bin/sleep $time \r",
                "() { :;}; /bin/sleep $time",
                "() { _; } >_[$$($$())] { /bin/sleep $time; }", "$$(sleep $time)", "`sleep $time`"
        ));
        _payloads.put("php", Collections.emptyList());
        _payloads.put("perl", Arrays.asList("/bin/sleep $time|"));
        _payloads.put("ruby", Arrays.asList("|sleep $time & ping -n $time localhost & ping -c $time localhost"));
        _payloads.put("java", Arrays.asList(
                "${(new java.io.BufferedReader(new java.io.InputStreamReader(((new java.lang.ProcessBuilder(new java.lang.String[]{\"timeout\",\"$time\"})).start()).getInputStream()))).readLine()}${(new java.io.BufferedReader(new java.io.InputStreamReader(((new java.lang.ProcessBuilder(new java.lang.String[]{\"sleep\",\"$time\"})).start()).getInputStream()))).readLine()}"
        ));

        // Initialize extension mappings
        _extensionMappings = new HashMap<>();
        _extensionMappings.put("php5", "php");
        _extensionMappings.put("php4", "php");
        _extensionMappings.put("php3", "php");
        _extensionMappings.put("php", "php");
        _extensionMappings.put("pl", "perl");
        _extensionMappings.put("cgi", "perl");
        _extensionMappings.put("jsp", "java");
        _extensionMappings.put("do", "java");
        _extensionMappings.put("action", "java");
        _extensionMappings.put("rb", "ruby");
        _extensionMappings.put("", "php,ruby,java");
        _extensionMappings.put("unrecognised", "java");
        _extensionMappings.put("asp", "any");
        _extensionMappings.put("aspx", "any");
    }

    @Override
    List<IScanIssue> doScan(IHttpRequestResponse iHttpRequestResponse, IScannerInsertionPoint iScannerInsertionPoint) {
        return List.of();
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse basePair, IScannerInsertionPoint insertionPoint) {
        Set<String> payloads = new HashSet<>();
        List<String> languages = _getLangs(basePair);

        for (String lang : languages) {
            List<String> newPayloads = _payloads.get(lang);
            if (newPayloads != null) {
                payloads.addAll(newPayloads);
            }
        }
        payloads.addAll(_payloads.get("any"));

        int delayTarget = 4000;

        for (String payload : payloads) {

            for (int confirmations = 0; ; confirmations++) {

                // one delayed probe and one zero-delay control per pass
                Pair<Long, IHttpRequestResponse> attack = _attack(basePair, insertionPoint, payload, delayTarget);
                Pair<Long, IHttpRequestResponse> dummyAttack = _attack(basePair, insertionPoint, payload, 0);

                long attackTime = attack.getKey();
                IHttpRequestResponse attackRequest = attack.getValue();
                long dummyTime = dummyAttack.getKey();
                IHttpRequestResponse dummyRequest = dummyAttack.getValue();

                if (dummyRequest.getResponse() == null) {
                    Utilities.log("Received empty response to baseline request - abandoning attack");
                    break;
                }

                // if (dummyTime > delayTarget) {
                //     return List.of();
                // }

                // not delayed enough, or the control was nearly as slow: not a sleep
                if (attackTime < (delayTarget - 100) || dummyTime + 1000 > attackTime) {
                    break;
                }

                if (confirmations == 6) {
                    Utilities.log("Code execution confirmed");
                    URL url = helpers.analyzeRequest(attack.getValue()).getUrl();
                    if (_done.contains(url)) {
                        Utilities.log("Skipping report - vulnerability already reported");
                        break;
                    }
                    _done.add(url);
                    return Arrays.asList(new CustomScanIssue(
                            attackRequest.getHttpService(),
                            url,
                            new IHttpRequestResponse[]{attackRequest},
                            "Code injection",
                            "The application appears to evaluate user input as code. It was instructed to sleep for 0ms, and a response time of "
                                    + dummyTime + "ms was observed. It was then instructed to sleep for " + delayTarget
                                    + "ms, which resulted in a response time of " + attackTime
                                    + "ms. This was re-confirmed six times to reduce false-positives"
--------------------------------------------------------------------------------
(fragment of another scan check's issue description; the extract does not preserve the file name)
--------------------------------------------------------------------------------
"It was instructed to sleep for 0ms, and a response time of " + dummyTime + "ms was observed. It was then instructed to sleep for " + delayTarget + "ms, which resulted in a response time of " + timer + "ms." +
"The following probe was sent: " + htmlEncode(probe) +
" In the response, the ESI comment has been stripped: " + htmlEncode(expect) +
"
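The doActiveScan loop in CodeExec decides a time-based finding by pairing every delayed probe with a zero-delay control and reporting only once seven consecutive passes agree. The Python below is an added example, not the extension's code, that isolates that decision rule and runs it against three constructed stand-ins for a target (each is a function returning a simulated response time in milliseconds; no requests are sent): one that honours the requested sleep, one that is uniformly slow, and one that ignores the sleep but suffers a single load spike. The names `vulnerable_target`, `slow_endpoint` and `make_spiky_target` and their timings are constructed for this illustration.

```python
from typing import Callable, List, Tuple

DELAY_TARGET_MS = 4000   # the scanner's delayTarget
PASSES = 7               # the Java loop reports at confirmations == 6, i.e. on the seventh agreeing pass


def looks_like_sleep(attack_ms: float, baseline_ms: float, delay_ms: int = DELAY_TARGET_MS) -> bool:
    """One pass of the scanner's rule: the delayed probe must take at least delay-100 ms
    AND must exceed the 0 ms control by more than 1000 ms. The second condition is what
    stops a uniformly slow endpoint from being reported as injectable."""
    return attack_ms >= delay_ms - 100 and attack_ms > baseline_ms + 1000


def confirm_time_based(send: Callable[[int], float],
                       delay_ms: int = DELAY_TARGET_MS,
                       passes: int = PASSES) -> Tuple[bool, List[Tuple[float, float]]]:
    """send(sleep_ms) returns the observed response time for a probe asking the target to
    sleep that long. Each pass interleaves a delay_ms probe with a 0 ms control; the
    finding is confirmed only if every pass satisfies looks_like_sleep. Returns
    (confirmed, [(attack_ms, baseline_ms), ...]) so a report can cite the numbers."""
    observations: List[Tuple[float, float]] = []
    for _ in range(passes):
        attack_ms = send(delay_ms)
        baseline_ms = send(0)
        observations.append((attack_ms, baseline_ms))
        if not looks_like_sleep(attack_ms, baseline_ms, delay_ms):
            return False, observations
    return True, observations


# --- constructed stand-ins for a target; nothing here touches the network ---

def vulnerable_target(sleep_ms: int) -> float:
    """Simulates an endpoint that honours the requested sleep on top of 120 ms base latency."""
    return sleep_ms + 120.0


def slow_endpoint(sleep_ms: int) -> float:
    """Simulates an endpoint that always takes 4.5 s: the delayed probe clears the
    delay-100 bar, but the 0 ms control is just as slow, so nothing is confirmed."""
    return 4500.0


def make_spiky_target() -> Callable[[int], float]:
    """Simulates an endpoint that ignores the sleep but hits one load spike: the first
    pass looks delayed, the second does not, so repetition rejects it."""
    timings = iter([4300.0, 130.0, 140.0, 135.0])  # attack, control, attack, control
    return lambda sleep_ms: next(timings)


if __name__ == "__main__":
    for label, target in (("vulnerable", vulnerable_target),
                          ("slow", slow_endpoint),
                          ("spiky", make_spiky_target())):
        confirmed, seen = confirm_time_based(target)
        print(f"{label}: confirmed={confirmed} after {len(seen)} pass(es): {seen}")
```

The interleaved control is the important design choice: measuring the delayed probe alone would flag the slow endpoint, and a single pass would flag the spiky one. Repeating the pair seven times trades a few extra requests for a much lower false-positive rate, which is why the issue text cites both the 0 ms and the 4000 ms timings.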

            This is a serious issue if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target's browser.
            Note that modern web browsers' use of DNS pinning does not effectively prevent this attack. The only effective mitigation is server-side: https://bugzilla.mozilla.org/show_bug.cgi?id=689835#c13

            Additionally, it may be possible to directly bypass poorly implemented access restrictions by sending a Host header of 'localhost'.

            Resources:

            https://portswigger.net/web-security/host-header

            """;
        } else {
            title = "Host header poisoning";
            severity = CustomScanIssue.severity.Medium;
            confidence = "Tentative";
            description = """
            The application appears to trust the user-supplied host header. By supplying a malicious host header with a password reset request, it may be possible to generate a poisoned password reset link. Consider testing the host header for classic server-side injection vulnerabilities.

            Depending on the configuration of the server and any intervening caching devices, it may also be possible to use this for cache poisoning attacks.

            Resources: