├── .travis.yml
├── .gitignore
├── BappManifest.bmf
├── BappDescription.html
├── src
    ├── test
    │   ├── resources
    │   │   └── burp
    │   │   │   ├── falsePositives.txt
    │   │   │   └── testResponse.txt
    │   └── java
    │   │   └── burp
    │   │       └── RegexTest.java
    ├── burp
    │   └── match-rules.tab
    └── main
    │   ├── resources
    │       └── burp
    │       │   └── match-rules.tab
    │   └── java
    │       └── burp
    │           └── BurpExtender.java
├── README.md
└── pom.xml


/.travis.yml:
--------------------------------------------------------------------------------
1 | language: java
2 | jdk:
3 |   - openjdk8
4 |   - openjdk11
5 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /nbproject/private/
2 | /build/
3 | /dist/
4 | /target/
5 | .idea
6 | *.iml
7 | *~
8 | .DS_Store
9 | 


--------------------------------------------------------------------------------
/BappManifest.bmf:
--------------------------------------------------------------------------------
 1 | Uuid: 4f01db4b668c4126a68e4673df796f0f
 2 | ExtensionType: 1
 3 | Name: Error Message Checks
 4 | RepoName: error-message-checks
 5 | ScreenVersion: 2.0.5
 6 | SerialVersion: 13
 7 | MinPlatformVersion: 0
 8 | ProOnly: True
 9 | Author: August Detlefsen
10 | ShortDescription: Passively detects detailed server error messages.
11 | EntryPoint: target/burp-suite-error-message-checks-2.0.0.jar
12 | BuildCommand: mvn package -DskipTests=true -Dmaven.javadoc.skip=true -B
13 | SupportedProducts: Pro
14 | 


--------------------------------------------------------------------------------
/BappDescription.html:
--------------------------------------------------------------------------------
 1 | <p>This extension passively reports detailed server error messages.</p>
 2 | 
 3 | <p>Detailed error messages are often not visible during the normal course of testing. Some examples are:</p>
 4 | <ul>
 5 |     <li>Java: "[SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)"</li>
 6 |     <li>ASP.Net: "System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint) +2071"</li>
 7 |     <li>PHP: "c() called at [/tmp/include.php:10]"</li>
 8 |     <li>Perl: "Use of uninitialized value in string eq at /Library/Perl/5.8.6/WWW/Mechanize.pm line 695"</li>
 9 | </ul>
10 | 
11 | <p>New in version 2.0.1:</p>
12 | <ul>
13 |     <li>Reports the regexes matched</li>
14 |     <li>Loads match rules using Burp proxy configuration</li>
15 |     <li>Backup loading of match rules from BApp jar</li>
16 | </ul>
17 | 
18 | 


--------------------------------------------------------------------------------
/src/test/resources/burp/falsePositives.txt:
--------------------------------------------------------------------------------
1 | !function(e){function t(n){if(a[n])return a[n].exports;var i=a[n]={exports:{},id:n,loaded:!1};return e[n].call(i.exports,i,i.exports,t),i.loaded=!0,i.exports}var n=window.atwpjp;window.atwpjp=function(a,o){for(var r,s,d=0,u=[];d<a.length;d++)s=a[d],i[s]&&u.push.apply(u,i[s]),i[s]=0;for(r in o){var c=o[r];switch(typeof c){case"object":e[r]=function(t){var n=t.slice(1),a=t[0];return function(t,i,o){e[a].apply(this,[t,i,o].concat(n))}}(c);break;case"function":e[r]=c;break;default:e[r]=e[c]}}for(n&&n(a,o);u.length;)u.shift().call(null,t)};var a={},i={0:0};t.e=function(e,n){if(0===i[e])return n.call(null,t);if(void 0!==i[e])i[e].push(n);else{i[e]=[n];var a=document.getElementsByTagName("head")[0],o=document.createElement("script");
2 | at (202)
3 | ensure that initWidget() has been called.
4 | else { // Long format (show items)
5 | dispatchException: funct


--------------------------------------------------------------------------------
/src/burp/match-rules.tab:
--------------------------------------------------------------------------------
 1 | \.php on line [0-9]+	0	PHP	Low	Certain
 2 | \.php</b> on line <b>[0-9]+	0	PHP	Low	Certain
 3 | Fatal error:	0	PHP	Low	Certain
 4 | \.php:[0-9]+	0	PHP	Low	Certain
 5 | \[(ODBC SQL Server Driver|SQL Server|ODBC Driver Manager)\]	0	Microsoft SQL Server	Low	Certain
 6 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near	0	MySQL	Medium	Certain
 7 | \.java:[0-9]+	0	Java	Low	Certain
 8 | \.java\((Inlined )?Compiled Code\)	0	Java	Low	Certain
 9 | [A-Za-z\.]+\(([A-Za-z0-9, ]+)?\) \+[0-9]+	0	ASP.Net	Low	Certain
10 | at (\/[A-Za-z0-9\.]+)*\.pm line [0-9]+	0	Perl	Low	Certain
11 | File \"[A-Za-z0-9\-_\./]*\", line [0-9]+, in	0	Python	Low	Certain
12 | \.rb:[0-9]+:in	0	Ruby	Low	Certain
13 | Exception of type	0	ASP.Net	Low	Certain
14 | --- End of inner exception stack trace ---	0	ASP.Net	Low	Certain
15 | Microsoft OLE DB Provider	0	ASP.Net	Low	Certain
16 | Error ([\d-]+) \([\dA-F]+\)	0	ASP.Net	Low	Certain
17 | at ([a-zA-Z0-9]*\.)*([a-zA-Z0-9]*)\([a-zA-Z0-9, ]*\)	0	ASP.Net	Low	Certain


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | [![Build Status](https://travis-ci.org/augustd/burp-suite-error-message-checks.svg?branch=master)](https://travis-ci.org/augustd/burp-suite-error-message-checks)
 2 | [![Known Vulnerabilities](https://snyk.io/test/github/augustd/burp-suite-error-message-checks/badge.svg)](https://snyk.io/test/github/augustd/burp-suite-error-message-checks)
 3 | 
 4 | # burp-suite-error-message-checks
 5 | This Burp Suite 1.5+ extension passively detects server error messages in running applications. Some examples:
 6 | 
 7 | - Fatal error: Call to a member function getId() on a non-object in /var/www/docroot/application/modules/controllers/ModalController.php on line 609
 8 | - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
 9 | - [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
10 | - System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint) +2071
11 | - c() called at [/tmp/include.php:10]
12 | - Use of uninitialized value in string eq at /Library/Perl/5.8.6/WWW/Mechanize.pm line 695
13 | 
14 | Often error messages may go unnoticed by a tester who is only looking at the application UI. This extension is designed to passively detect error messages, even during scanning, spidering, etc.
15 | 
16 | Match rules are loaded from a [remote tab-delimited file](https://github.com/augustd/burp-suite-error-message-checks/blob/master/src/main/resources/burp/match-rules.tab) at extension startup. Users can also load their own match rules from a local file or using the BApp GUI.
17 | 
18 | ## Building: 
19 | `mvn clean install`
20 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 3 |     <modelVersion>4.0.0</modelVersion>
 4 |     <groupId>com.codemagi</groupId>
 5 |     <artifactId>burp-suite-error-message-checks</artifactId>
 6 |     <version>2.0.0</version>
 7 |     <packaging>jar</packaging>
 8 |     <dependencies>
 9 |         <dependency>
10 |             <groupId>com.codemagi</groupId>
11 |             <artifactId>burp-suite-utils</artifactId>
12 |             <version>1.2.5</version>
13 |         </dependency>
14 |         <dependency>
15 |             <groupId>junit</groupId>
16 |             <artifactId>junit</artifactId>
17 |             <version>4.13.2</version>
18 |             <scope>test</scope>
19 |         </dependency>
20 |     </dependencies>
21 |     <properties>
22 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
23 |         <maven.compiler.source>1.8</maven.compiler.source>
24 |         <maven.compiler.target>1.8</maven.compiler.target>
25 |     </properties>
26 |     <build>
27 |         <plugins>
28 |             <plugin>
29 |                 <groupId>org.apache.maven.plugins</groupId>
30 |                 <artifactId>maven-shade-plugin</artifactId>
31 |                 <version>3.1.0</version>
32 |                 <executions>
33 |                     <execution>
34 |                         <phase>package</phase>
35 |                         <goals>
36 |                             <goal>shade</goal>
37 |                         </goals>
38 |                         <configuration>
39 |                             <createDependencyReducedPom>false</createDependencyReducedPom>
40 |                         </configuration>
41 |                     </execution>
42 |                 </executions>
43 |             </plugin>
44 |         </plugins>
45 |     </build>
46 | </project>
47 | 


--------------------------------------------------------------------------------
/src/main/resources/burp/match-rules.tab:
--------------------------------------------------------------------------------
 1 | AH[0-9]{5}:	0	Apache Server	Low	Firm
 2 | mod_[\w]+:	0	Apache Server	Low	Firm
 3 | ([A-Za-z]{1,32}\.)+[A-Za-z]{0,32}\(([A-Za-z0-9]+\s+[A-Za-z0-9]+[,\s]*)*\)\s+\+{1}\d+	0	ASP.Net	Low	Certain	3
 4 | "Message":"Invalid web service call	0	ASP.Net	Low	Certain
 5 | Exception of type	0	ASP.Net	Low	Certain
 6 | --- End of inner exception stack trace ---	0	ASP.Net	Low	Certain
 7 | Microsoft OLE DB Provider	0	ASP.Net	Low	Certain
 8 | Error ([\d-]+) \([\dA-Fa-f]+\)	0	ASP.Net	Low	Certain
 9 | \bat ([a-zA-Z0-9_]*\.)*([a-zA-Z0-9_]+)\([a-zA-Z0-9, \[\]\&\;]*\)	0	ASP.Net	Low	Certain	4
10 | System.([A-Za-z]{1,32}\.)*[A-Za-z]{0,32}Exception:	0	ASP.Net	Low	Certain	6
11 | in [A-Za-z]:\\([A-Za-z0-9_]+\\)+[A-Za-z0-9_\-]+(\.aspx)?\.cs:line [\d]+	0	ASP.Net	Low	Certain	2
12 | [A-Za-z\.]+\(([A-Za-z0-9, ]+)?\) \+[0-9]+	0	ASP.Net	Low	Certain	3
13 | Syntax error in string in query expression	0	ASP.Net	Medium	Certain
14 | CLI Driver.*DB2	0	DB2	Low	Certain	0
15 | DB2 SQL error	0	DB2	Low	Certain	0
16 | db2_\w+\(	0	DB2	Low	Certain	0
17 | \bdb2_\w+\(	0	DB2	Low	Certain	0
18 | \[function.ibase.query\]	0	Firebird	Low	Certain	0
19 | Dynamic SQL Error	0	Firebird	Low	Certain	0
20 | Warning.*ibase_.*	0	Firebird	Low	Certain	0
21 | \.groovy:[0-9]+	0	Groovy	High	Certain
22 | org\.hsqldb\.jdbc	0	HyperSQL	Low	Certain	0
23 | Exception.*Informix	0	Informix	Low	Certain	0
24 | Warning.*ingre_	0	Ingres DB	Low	Certain	0
25 | Ingres SQLSTATE	0	Ingres DB	Low	Certain	0
26 | Ingres\W.*Driver	0	Ingres DB	Low	Certain	0
27 | HSQLDB	0	Ingres DB	Low	Certain	0
28 | \.java:[0-9]+	0	Java	Low	Certain
29 | \.java\((Inlined )?Compiled Code\)	0	Java	Low	Certain	2
30 | \.invoke\(Unknown Source\)	0	Java	Low	Certain
31 | nested exception is	0	Java	Low	Firm
32 | java\.lang\.([A-Za-z0-9_]*)Exception	0	Java	Medium	Firm	5
33 | java.io.FileNotFoundException:	0	Java	Low	Certain
34 | \.js:[0-9]+:[0-9]+	0	Javascript	Low	Certain
35 | JBWEB[0-9]{6}:	0	JBoss	Low	Firm
36 | ((dn|dc|cn|ou|uid|o|c)=[\w\d]*,\s?){2,}	0	LDAP	Low	Firm
37 | DB Error:	0	Maria	Low	Certain	0
38 | \[(ODBC SQL Server Driver|SQL Server|ODBC Driver Manager)\]	0	Microsoft SQL Server	Low	Certain
39 | Unclosed quotation mark	0	Microsoft SQL Server	Low	Certain	1
40 | warning.*mssql_.*	0	Microsoft SQL Server	Low	Certain	0
41 | Driver.* SQL[-_]*Server	0	Microsoft SQL Server	Low	Certain	0
42 | (\W|\A)SQL Server.*Driver	0	Microsoft SQL Server	Low	Certain	0
43 | Conversion failed when converting the	0	Microsoft SQL Server	Low	Certain	0
44 | Cannot initialize the data source object of OLE DB provider "[\w]*" for linked server "[\w]*"	0	Microsoft SQL Server	Low	Certain
45 | E QUERY\s+\[thread1\] SyntaxError:	0	MongoDB	Low	Certain	2
46 | uncaught exception:	0	MongoDB	Low	Certain
47 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near	0	MySQL	Medium	Certain
48 | Illegal mix of collations \([\w\s\,]+\) and \([\w\s\,]+\) for operation	0	MySQL	Medium	Certain
49 | Error: Unknown column	0	MySQL	Low	Certain	0
50 | Warning.*mysql_.*	0	MySQL	Low	Certain	0
51 | valid MySQL result	0	MySQL	Low	Certain	0
52 | MySqlClient\.	0	MySQL	Low	Certain	0
53 | com\.mysql\.jdbc\.exceptions	0	MySQL	Low	Certain	0
54 | warning mysql_	0	MySQL	Low	Certain	0
55 | 1062 Duplicate entry	0	MYSQL	Low	Certain	0
56 | client intended to address	0	NGINX Server	Low	Firm
57 | could not build optimal proxy_headers_hash	0	NGINX Server	Low	Firm
58 | ReferenceError:	0	Node.js	Low	Certain
59 | TypeError:	0	Node.js	Low	Certain
60 | UnhandledPromiseRejectionWarning:	0	Node.js	Low	Certain
61 | quoted string not properly terminated	0	Oracle	Low	Certain	1
62 | \bORA-[0-9]{5}	0	Oracle	Low	Certain
63 | Oracle.*Driver]	0	Oracle	Low	Certain	0
64 | Warning.*\Woci_.*	0	Oracle	Low	Certain	0
65 | Warning.*\Wora_.*	0	Oracle	Low	Certain	0
66 | Warning: oci_parse()	0	Oracle	Low	Certain	0
67 | at (\/[A-Za-z0-9\.]+)*\.pm line [0-9]+	0	Perl	Low	Certain
68 | \.php on line [0-9]+	0	PHP	Low	Certain	4
69 | \.php</b> on line <b>[0-9]+	0	PHP	Low	Certain
70 | Fatal error:	0	PHP	Low	Certain	2
71 | \.php:[0-9]+	0	PHP	Low	Certain
72 | Undefined (index|variable|offset):	0	PHP	Low	Certain	3
73 | PostgreSQL.*ERROR	0	PostgreSQL	Low	Certain	0
74 | Warning.*\Wpg_.*	0	PostgreSQL	Low	Certain	0
75 | valid PostgreSQL result	0	PostgreSQL	Low	Certain	0
76 | Npgsql\.	0	PostgreSQL	Low	Certain	0
77 | org\.postgresql\.util\.PSQLException	0	PostgreSQL	Low	Certain	0
78 | Traceback \(most recent call last\):	0	Python	Low	Certain
79 | File \"[A-Za-z0-9\-_\./]*\", line [0-9]+, in	0	Python	Low	Certain
80 | NameError:	0	Python	Low	Certain
81 | ImportError:	0	Python	Low	Certain
82 | IndentationError:	0	Python	Low	Certain
83 | \.rb:[0-9]+:in	0	Ruby	Low	Certain
84 | SQL error.*POS([0-9]+).*	0	SAP MaxDB	Low	Certain	0
85 | Warning.*maxdb.*	0	SAP MaxDB	Low	Certain	0
86 | \.scala:[0-9]+	0	Scala	Low	Certain
87 | SQLite/JDBCDriver	0	SQLite	Low	Certain	0
88 | SQLite.Exception	0	SQLite	Low	Certain	0
89 | System.Data.SQLite.SQLiteException	0	SQLite	Low	Certain	0
90 | Warning.*sqlite_.*	0	SQLite	Low	Certain	0
91 | Warning.*SQLite3::	0	SQLite	Low	Certain	0
92 | \[SQLITE_ERROR\]	0	SQLite	Low	Certain	0
93 | (?i)Warning.*sybase.*	0	Sybase	Low	Certain	0
94 | Sybase message	0	Sybase	Low	Certain	0
95 | Sybase.*Server message.*	0	Sybase	Low	Certain	0
96 | \(generated by waitress\)	0	Waitress Python server	Information	Certain
97 | 132120c8|38ad52fa|38cf013d|38cf0259|38cf025a|38cf025b|38cf025c|38cf025d|38cf025e|38cf025f|38cf0421|38cf0424|38cf0425|38cf0427|38cf0428|38cf0432|38cf0434|38cf0437|38cf0439|38cf0442|38cf07aa|38cf08cc|38cf04d7|38cf04c6|websealerror	0	WebSEAL	Low	Certain	2


--------------------------------------------------------------------------------
/src/test/resources/burp/testResponse.txt:
--------------------------------------------------------------------------------
 1 | Fatal error: Call to a member function getId() on a non-object in /var/www/docroot/application/modules/controllers/ModalController.php on line 609
 2 | <b>Warning</b>: Invalid argument supplied for foreach() in <b>/home/content/.../admin/model/report/sale.php</b> on line <b>87</b>
 3 | Fatal error: Undefined class constant 'PRODUCT' in 
 4 | OLE DB provider "MSDASQL" for linked server "INFORMIX_LIBRARY" returned message "[Microsoft][ODBC Driver Manager] Driver's SQLSetConnectAttr failed".
 5 | Cannot initialize the data source object of OLE DB provider "MSDASQL" for linked server "INFORMIX_LIBRARY".
 6 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Details (title, first, last, NRIC, po' at line 1
 7 | <p>Illegal mix of collations (latin1_swedish_ci ,IMPLICIT) and (utf8_general_ci ,COERCIBLE) for operation ’=’</p>
 8 | [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
 9 | at com.aptrix.pluto.cmpnt.FormatterCmpnt.applyMicroTemplate(FormatterCmpnt.java(Compiled Code))
10 | at com.aptrix.pluto.cmpnt.FormatterCmpnt.resolveNode(FormatterCmpnt.java(Inlined Compiled Code))
11 | at sun.reflect.GeneratedMethodAccessor3159.invoke(Unknown Source)
12 | Failed to convert property value of type [java.lang.String] to required type [boolean] for property order; nested exception is java.lang.IllegalArgumentException
13 | SyntaxError: Unexpected token &amp; in JSON at position 52<br> &nbsp; &nbsp;at JSON.parse (&lt;anonymous&gt;)<br> &nbsp; &nbsp;at parse (/app/node_modules/body-parser/lib/types/json.js:88:17)<br> &nbsp; &nbsp;
14 | <html><head><title>JBoss Web/7.4.10.Final-redhat-1 - JBWEB000064: Error report</title><style>
15 | System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint) +2071
16 | System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Integer blah) +2071
17 | System.Web.UI.Page.ProcessRequestMain() +2071
18 | "Message":"Invalid web service call
19 | c() called at [/tmp/include.php:10]
20 | Use of uninitialized value in string eq at /Library/Perl/5.8.6/WWW/Mechanize.pm line 695
21 | Traceback (most recent call last): 
22 |   File "/test123.py", line 26, in <module>
23 | from /usr/lib/ruby/vendor_ruby/vagrant/bundler.rb:231:in `internal_install'
24 | Exception of type 'System.Windows.Forms.AxHost+InvalidActiveXStateException' was thrown.
25 | Value:'conn.ServerVersion' threw an exception of type 'System.InvalidOperationException' string {System.InvalidOperationException}
26 | --- End of inner exception stack trace ---
27 | Microsoft OLE DB Provider for ODBC Drivers error '80004005'
28 | Error 1123-4567 (1a2f2a4f)
29 | at some.class.Something(String this, int that)
30 | at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
31 | at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
32 | System.Web.Services.Protocols.SoapException: Web Exception ---&gt; System.Exception:
33 | in c:\inetpub\wwwroot\Portal\DSPII\App_Code\DCSDownloadService.cs:line 866
34 | in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 68
35 | Syntax error in string in query expression 'username =
36 | ,\"scala.Option.map(Option.scala:146)\"
37 | (generated by waitress)
38 | com.example.some.java.software.with.those.endless.package.names.NotFoundLdapException","softwareError":null,"message":"ldap search failed: LdapSearchObject(baseDN='cn=placeholder1,cn=placeholder2,ou=placeholder3,ou=placeholder4,ou=placeholder5,o=placeholder6,c=placeholder7', scope=SOME, deref=foo, sizeLimit=0, timeLimit=0, filter='(objectClass=someother)', attrs={description})
39 | #WebSeal: 
40 |      * Code: 0x38cf04d7
41 | &ERROR_CODE=0x38cf0428&
42 | TempScript.groovy:243
43 | aaaa.lang.groovy.blablaException
44 | Unclosed quotation mark after the character string 'diff.bak'.
45 | ORA-01756: quoted string not properly terminated
46 | java.lang.NullPointerException: Attempt to invoke virtual method 'boolean java.lang.String.equals(java.lang.Object)' on a null object reference
47 | java.lang.IllegalArgumentException: Argument is not an array
48 | java.lang.IllegalStateException: Could not execute method for android:onClick
49 | java.lang.Exception: something something goes here
50 | java.io.FileNotFoundException: File (filename.txt) not found in the specified path
51 | System.NullReferenceException: Object reference not set to an instance of an object.
52 | System.ArgumentNullException: Value cannot be null. (Parameter 'arg')
53 | System.IO.FileNotFoundException: Could not find file 'C:\myfolder\myfile.txt'.
54 | System.InvalidOperationException: Sequence contains no elements
55 | Notice: Undefined index: mykey in C:\xampp\htdocs\test\index.php on line 15
56 | Notice: Undefined variable: varName in C:\xampp\htdocs\test\index.php on line 15
57 | Notice: Undefined offset: 5 in C:\xampp\htdocs\test\index.php on line 15
58 | NameError: name 'undefinedVar' is not defined
59 | ImportError: No module named 'nonexistentmodule'
60 | IndentationError: expected an indented block
61 | ReferenceError: nonExistentFunction is not defined
62 | TypeError: Cannot read property 'prop' of undefined
63 | UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: This is an error text
64 | AH00526: Syntax error on line 20 of /etc/apache2/apache2.conf: Invalid command 'undefCommand', perhaps misspelled or defined by a module not included in the server configuration
65 | mod_evasive: client 192.168.1.101 has reached or exceeded the 'maxconnsperip' limit.
66 | client intended to address ipv6 backend without ipv6 on socket
67 | could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
68 | E QUERY [thread1] SyntaxError: invalid object initializer
69 | 2016-10-26T19:34:34.886-0400 E QUERY    [thread1] SyntaxError: missing ; before statement @(shell eval):1:5
70 | uncaught exception: out of memory


--------------------------------------------------------------------------------
/src/main/java/burp/BurpExtender.java:
--------------------------------------------------------------------------------
  1 | package burp;
  2 | 
  3 | import com.codemagi.burp.MatchRule;
  4 | import com.codemagi.burp.PassiveScan;
  5 | import com.codemagi.burp.RuleTableComponent;
  6 | import com.codemagi.burp.ScanIssue;
  7 | import com.codemagi.burp.ScanIssueConfidence;
  8 | import com.codemagi.burp.ScanIssueSeverity;
  9 | import com.codemagi.burp.ScannerMatch;
 10 | import com.monikamorrow.burp.BurpSuiteTab;
 11 | import com.monikamorrow.burp.ToolsScopeComponent;
 12 | 
 13 | import javax.swing.*;
 14 | import java.net.URL;
 15 | import java.util.*;
 16 | import java.util.regex.Pattern;
 17 | 
 18 | /**
 19 |  * Burp Extender to find instances of applications revealing detailed error messages
 20 |  *
 21 |  * Some examples:
 22 |  * <li>Fatal error: Call to a member function getId() on a non-object in /var/www/docroot/application/modules/controllers/ModalController.php on line 609
 23 |  * <li>[SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
 24 |  * <li>Use of uninitialized value in string eq at /Library/Perl/5.8.6/WWW/Mechanize.pm line 695
 25 |  *
 26 |  * @author August Detlefsen [augustd at codemagi dot com]
 27 |  * @contributor James Kettle (Ruby detection pattern)
 28 |  */
 29 | public class BurpExtender extends PassiveScan implements IHttpListener {
 30 | 
 31 |     public static final String TAB_NAME = "Errors";
 32 | 	public static final String ISSUE_NAME = "Detailed Error Messages Revealed";
 33 | 
 34 | 	protected RuleTableComponent rulesTable;
 35 | 	protected ToolsScopeComponent toolsScope;
 36 | 	protected BurpSuiteTab mTab;
 37 | 
 38 | 	@Override
 39 | 	protected void initPassiveScan() {
 40 | 		//set the extension Name
 41 | 		extensionName = "Error Message Checks";
 42 | 
 43 | 		//set the settings namespace
 44 | 		settingsNamespace = "EMC_";
 45 | 
 46 | 		//Create the GUI
 47 | 		rulesTable = new RuleTableComponent(this, callbacks, "https://raw.githubusercontent.com/augustd/burp-suite-error-message-checks/master/src/main/resources/burp/match-rules.tab", "burp/match-rules.tab");
 48 | 		mTab = new BurpSuiteTab(TAB_NAME, callbacks);
 49 | 		mTab.addComponent(rulesTable);
 50 | 		
 51 | 		toolsScope = new ToolsScopeComponent(callbacks);
 52 | 		toolsScope.setEnabledToolConfig(IBurpExtenderCallbacks.TOOL_PROXY, false); 
 53 | 		toolsScope.setToolDefault(IBurpExtenderCallbacks.TOOL_PROXY, true);
 54 | 		toolsScope.setToolDefault(IBurpExtenderCallbacks.TOOL_SCANNER, true);
 55 | 		toolsScope.setToolDefault(IBurpExtenderCallbacks.TOOL_REPEATER, true);
 56 | 		toolsScope.setToolDefault(IBurpExtenderCallbacks.TOOL_INTRUDER, true);
 57 | 		mTab.addComponent(toolsScope);
 58 | 		
 59 | 		//register this extension as an HTTP listener
 60 | 		callbacks.registerHttpListener(this);
 61 | 	}
 62 | 
 63 | 	protected String getIssueName() {
 64 | 		return ISSUE_NAME;
 65 | 	}
 66 | 
 67 | 	protected String getIssueDetail(List<com.codemagi.burp.ScannerMatch> matches) {
 68 | 		com.codemagi.burp.ScannerMatch firstMatch = matches.get(0);
 69 | 
 70 | 		StringBuilder description = new StringBuilder(matches.size() * 256);
 71 | 		description.append("The application displays detailed error messages when unhandled ").append(firstMatch.getType()).append(" exceptions occur.<br>");
 72 | 		description.append("Detailed technical error messages can allow an adversary to gain information about the application and database that could be used to conduct further attacks.");
 73 |                 description.append("The following expressions were matched in the HTTP response: <ul>");
 74 |                 
 75 |                 Set<Pattern> distinctPatterns = getDistinctPatterns(matches);
 76 |                 for (Pattern pattern : distinctPatterns) {
 77 |                     description.append("<li>").append(pattern.toString()).append("</li>");
 78 |                 }
 79 |                 description.append("</ul>");
 80 | 		return description.toString();
 81 | 	}
 82 | 
 83 | 	protected ScanIssueSeverity getIssueSeverity(List<com.codemagi.burp.ScannerMatch> matches) {
 84 | 		ScanIssueSeverity output = ScanIssueSeverity.INFO;
 85 | 		for (ScannerMatch match : matches) {
 86 | 			//if the severity value of the match is higher, then update the stdout value
 87 | 			ScanIssueSeverity matchSeverity = match.getSeverity();
 88 | 			if (matchSeverity != null && 
 89 | 				output.getValue() < matchSeverity.getValue()) {
 90 | 
 91 | 				output = matchSeverity;
 92 | 			}
 93 | 		}
 94 | 		return output;
 95 | 	}
 96 | 
 97 | 	protected ScanIssueConfidence getIssueConfidence(List<com.codemagi.burp.ScannerMatch> matches) {
 98 | 		ScanIssueConfidence output = ScanIssueConfidence.TENTATIVE;
 99 | 		for (ScannerMatch match : matches) {
100 | 			//if the severity value of the match is higher, then update the stdout value
101 | 			ScanIssueConfidence matchConfidence = match.getConfidence();
102 | 			if (matchConfidence != null
103 | 				&& output.getValue() < matchConfidence.getValue()) {
104 | 
105 | 				output = matchConfidence;
106 | 			}
107 | 		}
108 | 		return output;
109 | 	}
110 | 
111 | 	@Override
112 | 	protected IScanIssue getScanIssue(IHttpRequestResponse baseRequestResponse, List<ScannerMatch> matches, List<int[]> startStop) {
113 | 		ScanIssueSeverity overallSeverity = getIssueSeverity(matches);
114 | 		ScanIssueConfidence overallConfidence = getIssueConfidence(matches);
115 | 
116 | 		return new ScanIssue(
117 | 				baseRequestResponse,
118 | 				helpers,
119 | 				callbacks,
120 | 				startStop,
121 | 				getIssueName(),
122 | 				getIssueDetail(matches),
123 | 				overallSeverity.getName(),
124 | 				overallConfidence.getName());
125 | 	}
126 | 
127 | 	@Override
128 | 	public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
129 | 		if (!messageIsRequest && toolsScope.isToolSelected(toolFlag)) {
130 | 			ScanWorker task = new ScanWorker(messageInfo);
131 | 			task.execute();
132 | 		}
133 | 	}
134 | 
135 | 	@Override
136 | 	public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
137 | 		return new ArrayList<>();
138 | 	}
139 | 
140 | 	class ScanWorker extends SwingWorker<Void, Void> {
141 | 
142 | 		IHttpRequestResponse messageInfo;
143 | 
144 | 		public ScanWorker(IHttpRequestResponse messageInfo) {
145 | 			callbacks.printOutput("new scan task =======================================");
146 | 			this.messageInfo = messageInfo;
147 | 		}
148 | 
149 | 		@Override
150 | 		protected Void doInBackground() throws Exception {
151 | 			//first get the scan issues
152 | 			List<IScanIssue> issues = runPassiveScanChecks(messageInfo);
153 | 
154 | 			//if we have found issues, consolidate duplicates and add new issues to the Scanner tab
155 | 			if (issues != null && !issues.isEmpty()) {
156 | 				callbacks.printOutput("NEW issues: " + issues.size());
157 | 				//get the request URL prefix
158 | 				URL url = helpers.analyzeRequest(messageInfo).getUrl();
159 | 				String urlPrefix = url.getProtocol() + "://" + url.getHost() + url.getPath();
160 | 				callbacks.printOutput("Consolidating issues for urlPrefix: " + urlPrefix);
161 | 
162 | 				//get existing issues
163 | 				IScanIssue[] existingArray = callbacks.getScanIssues(urlPrefix);
164 | 				Set<IScanIssue> existingIssues = new HashSet<>();
165 | 				for (IScanIssue arrayIssue : existingArray) {
166 | 					//create instances of ScanIssue class so we can compare them
167 | 					ScanIssue existing = new ScanIssue(arrayIssue);
168 | 					//add to HashSet to resolve dupes
169 | 					existingIssues.add(existing);
170 | 				}
171 | 
172 | 				//iterate through newly found issues
173 | 				for (IScanIssue newIssue : issues) {
174 | 					if (!existingIssues.contains(newIssue)) {
175 | 						callbacks.printOutput("Adding NEW scan issue: " + newIssue);
176 | 						callbacks.addScanIssue(newIssue);
177 | 					}
178 | 				}
179 | 			}
180 | 			return null;
181 | 		}
182 | 
183 | 	}
184 | 
185 |     private Set<Pattern> getDistinctPatterns(List<ScannerMatch> matches) {
186 |         Set<Pattern> output = new HashSet<>();
187 |         for (ScannerMatch match : matches) {
188 |             MatchRule rule = match.getRule();
189 |             if (rule != null) {
190 |                 output.add(rule.getPattern());
191 |             }
192 |         }
193 |         return output;
194 |     }
195 | 
196 | }
197 | 


--------------------------------------------------------------------------------
/src/test/java/burp/RegexTest.java:
--------------------------------------------------------------------------------
  1 | package burp;
  2 | 
  3 | import com.codemagi.burp.MatchRule;
  4 | import com.codemagi.burp.ScanIssueConfidence;
  5 | import com.codemagi.burp.ScanIssueSeverity;
  6 | import java.io.BufferedReader;
  7 | import java.io.File;
  8 | import java.io.FileReader;
  9 | import java.io.IOException;
 10 | import java.io.InputStream;
 11 | import java.io.InputStreamReader;
 12 | import java.net.URI;
 13 | import java.net.URISyntaxException;
 14 | import java.util.ArrayList;
 15 | import java.util.List;
 16 | import java.util.regex.Matcher;
 17 | import java.util.regex.Pattern;
 18 | import java.util.regex.PatternSyntaxException;
 19 | 
 20 | import org.junit.*;
 21 | 
 22 | import static org.junit.Assert.*;
 23 | 
 24 | /**
 25 |  *
 26 |  * @author august
 27 |  */
 28 | public class RegexTest {
 29 | 
 30 |     static List<MatchRule> matchRules = new ArrayList<>();
 31 |     static String testResponse;
 32 |     static String falsePositives;
 33 | 	static boolean loadSuccessful; 
 34 |     
 35 |     @BeforeClass
 36 |     public static void setUpClass() throws Exception {
 37 | 		loadSuccessful = loadMatchRules("burp/match-rules.tab");
 38 |         testResponse = loadTestResponse("burp/testResponse.txt");
 39 |         falsePositives = loadTestResponse("burp/falsePositives.txt");
 40 |     }
 41 | 
 42 |     @AfterClass
 43 |     public static void tearDownClass() throws Exception {
 44 |     }
 45 | 
 46 |     @Before
 47 |     public void setUp() throws Exception {
 48 |         //testLoadMatchRules();
 49 |     }
 50 | 
 51 |     @After
 52 |     public void tearDown() throws Exception {
 53 |     }
 54 |     
 55 |     @Test
 56 |     public void testLoadMatchRules() {
 57 |         System.out.println("***** testLoadMatchRules *****");
 58 |         
 59 |         assertTrue(loadSuccessful);
 60 |     }
 61 |     
 62 |     @Test
 63 |     public void testMatchRules() {
 64 |         System.out.println("***** testMatchRules *****");
 65 |         
 66 |         int matchCount = 0;
 67 | 		int expectedCount = 0;
 68 |         
 69 |         for (MatchRule rule : matchRules) {
 70 | 	        int expectedMatches = (rule.getExpectedMatches() != null) ? rule.getExpectedMatches() : 1 ;
 71 | 			expectedCount += expectedMatches;
 72 | 			System.out.print("Testing rule: '" + rule.getPattern() + "' expected: " + expectedMatches);
 73 | 			Matcher matcher = rule.getPattern().matcher(testResponse);
 74 |             long startTime = System.nanoTime();
 75 |             int foundMatches = 0;
 76 |             StringBuilder matches = new StringBuilder();
 77 |             while (matcher.find()) {
 78 |                 foundMatches++;
 79 |                 matches.append(matcher.group()).append("\n");
 80 |             }
 81 |             
 82 | 			long endTime = System.nanoTime();
 83 | 			long elapsedTime = endTime - startTime; 
 84 |             System.out.println(" matches: " + foundMatches + " time: " + elapsedTime + " ns");
 85 | 			System.out.println("   Matched: ");
 86 |             System.out.println(matches.toString());
 87 | 			//check that the match rule regex has acceptable performance
 88 | 			assertTrue("Regex " + rule.getPattern() + " took too long to execute (" + elapsedTime + "ms)", 200000000 > elapsedTime);
 89 |             
 90 | 			if (foundMatches >= expectedMatches) { 
 91 |                 matchCount += foundMatches;
 92 |             } else {
 93 |                 System.out.println("Unable to find match for: " + rule.getPattern());
 94 |             }
 95 | 
 96 | 	        assertEquals(matchCount, expectedCount);
 97 |         }
 98 |         
 99 |         System.out.println(String.format("Found %d matches out of %d", matchCount, expectedCount));
100 |         assertEquals(matchCount, expectedCount);
101 |     }
102 | 
103 | 	@Ignore
104 | 	@Test
105 | 	public void testSpecificMatchRules() {
106 | 		System.out.println("***** testSpecificMatchRules *****");
107 | 
108 | 		int matchCount = 0;
109 | 
110 | 		MatchRule rule = loadSpecificMatchRule("java\\.lang\\.([A-Za-z0-9_]*)Exception\t0\tJava\tMedium\tFirm\t5");
111 | 
112 | 		int expectedMatches = (rule.getExpectedMatches() != null) ? rule.getExpectedMatches() : 1 ;
113 | 		System.out.print("Testing rule: '" + rule.getPattern() + "' expected: " + expectedMatches);
114 | 		Matcher matcher = rule.getPattern().matcher(testResponse);
115 | 		long startTime = System.nanoTime();
116 | 		Integer foundMatches = 0;
117 | 		StringBuilder matches = new StringBuilder();
118 | 		while (matcher.find()) {
119 | 			foundMatches++;
120 | 
121 | 			matches.append(matcher.group()).append("\n");
122 | 		}
123 | 
124 | 		long endTime = System.nanoTime();
125 | 		long elapsedTime = endTime - startTime;
126 | 		System.out.println(" matches: " + foundMatches + " time: " + elapsedTime + " ns");
127 | 		System.out.println("   Matched: ");
128 | 		System.out.println(matches);
129 | 
130 | 		//check that the match rule regex has acceptable performance
131 | 		assertTrue("Regex " + rule.getPattern() + " took too long to execute (" + elapsedTime + "ms)", 200000000 > elapsedTime);
132 | 
133 | 		System.out.println(String.format("Found %d matches out of %d", foundMatches, rule.getExpectedMatches()));
134 | 		assertEquals(rule.getExpectedMatches(), foundMatches);
135 | 	}
136 | 
137 | 	@Test
138 |     public void testFalsePositives() {
139 |         System.out.println("***** testFalsePositives *****");
140 |         
141 |         int matchCount = 0;
142 |         
143 |         for (MatchRule rule : matchRules) {
144 |             System.out.print("Testing rule: " + rule.getPattern() + " confidence: " + rule.getConfidence());
145 | 
146 |             //allow for low confidence rules
147 |             if (ScanIssueConfidence.TENTATIVE.equals(rule.getConfidence())) {
148 |                 System.out.println();
149 |                 continue;
150 |             }
151 | 
152 |             Matcher matcher = rule.getPattern().matcher(falsePositives);
153 |             int foundMatches = 0;
154 |             while (matcher.find()) {
155 |                 foundMatches++;
156 |             }
157 |             
158 |             System.out.println(" matches: " + foundMatches);
159 |             
160 | 			if (foundMatches >= 1) { 
161 |                 matchCount++;
162 |                 System.out.println("Found false positive for: " + rule.getPattern());
163 |             }
164 |         }
165 |         
166 |         System.out.println(String.format("Found %d matches out of %d", matchCount, matchRules.size()));
167 |         assertEquals(0, matchCount);
168 |     }
169 |     
170 |     /**
171 |      * Load match rules from a file
172 |      */
173 |     private static boolean loadMatchRules(String url) {
174 | 		//load match rules from file
175 |         System.out.println("***** loadMatchRules: " + url);
176 | 
177 | 		try {
178 | 		    //read match rules from the stream
179 | 		    InputStream is = RegexTest.class.getClassLoader().getResourceAsStream(url);
180 | 		    BufferedReader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
181 | 
182 | 		    String str;
183 | 		    while ((str = reader.readLine()) != null) {
184 | 				System.out.println("Match Rule: " + str);
185 | 				if (str.trim().length() == 0) {
186 | 				    continue;
187 | 				}
188 | 
189 | 				String[] values = str.split("\\t");
190 | 
191 | 	            try {
192 | 	                Pattern pattern = Pattern.compile(values[0]);
193 | 
194 | 	                MatchRule rule = new MatchRule(
195 | 	                        pattern,
196 | 	                        Integer.parseInt(values[1]),
197 | 	                        values[2],
198 | 	                        ScanIssueSeverity.fromName(values[3]),
199 | 	                        ScanIssueConfidence.fromName(values[4])
200 | 	                );
201 | 
202 | 	                if (values.length > 5) {
203 | 	                    rule.setExpectedMatches(Integer.parseInt(values[5]));
204 | 	                } else {
205 | 						rule.setExpectedMatches(1);
206 | 	                }
207 | 
208 | 	                matchRules.add(rule);
209 | 
210 | 	            } catch (PatternSyntaxException pse) {
211 | 	                pse.printStackTrace();
212 | 	            }
213 | 		    }
214 | 
215 | 	        return true;
216 | 
217 | 		} catch (IOException e) {
218 | 		    e.printStackTrace();
219 | 		} catch (NumberFormatException e) {
220 | 		    e.printStackTrace();
221 | 	    }
222 |         
223 |         return false;
224 |     }
225 | 
226 | 	private static MatchRule loadSpecificMatchRule(String ruleSource) {
227 | 		//load match rules from file
228 | 		System.out.println("***** loadSpecificMatchRule: " + ruleSource);
229 | 
230 | 		try {
231 | 			String[] values = ruleSource.split("\\t");
232 | 
233 | 			try {
234 | 				Pattern pattern = Pattern.compile(values[0]);
235 | 
236 | 				MatchRule rule = new MatchRule(
237 | 						pattern,
238 | 						Integer.parseInt(values[1]),
239 | 						values[2],
240 | 						ScanIssueSeverity.fromName(values[3]),
241 | 						ScanIssueConfidence.fromName(values[4])
242 | 				);
243 | 
244 | 				if (values.length > 5) {
245 | 					rule.setExpectedMatches(Integer.parseInt(values[5]));
246 | 				} else {
247 | 					rule.setExpectedMatches(1);
248 | 				}
249 | 
250 | 				return rule;
251 | 
252 | 			} catch (PatternSyntaxException pse) {
253 | 				pse.printStackTrace();
254 | 			}
255 | 
256 | 		} catch (NumberFormatException e) {
257 | 			e.printStackTrace();
258 | 		}
259 | 
260 | 		return null;
261 | 	}
262 | 
263 | 	/**
264 |      * Load match rules from a file
265 |      */
266 |     private static String loadTestResponse(String url) throws URISyntaxException {
267 | 		//load match rules from file
268 |         System.out.println("***** loadMatchRules: " + url);
269 |         StringBuilder output = new StringBuilder();
270 |         
271 | 		try {
272 | 		    //read match rules from the stream
273 | 	            URI path = RegexTest.class.getClassLoader().getResource(url).toURI();
274 | 	            File f = new File(path);
275 | 		    BufferedReader reader = new BufferedReader(new FileReader(f));
276 | 
277 | 		    String str;
278 | 		    while ((str = reader.readLine()) != null) {
279 | 			System.out.println("Test response: " + str);
280 | 	                output.append(str);
281 | 		    }
282 |             
283 |             return output.toString();
284 | 
285 | 		} catch (IOException e) {
286 | 		    e.printStackTrace();
287 | 		} catch (NumberFormatException e) {
288 | 		    e.printStackTrace();
289 | 		}
290 |         
291 |         return null;
292 |     }
293 | }
294 | 


--------------------------------------------------------------------------------