This extension adds an active scan check to find PHP object injection vulnerabilities.
2 | 3 |It passes a serialized PDO object in each insertion point. If PHP
4 | tries to unserialize this object a fatal exception is thrown triggered in the
5 | object's __wakeup() method (ext/pdo/pdo_dbh.c).
PHP Object Injection is a vulnerability where a vulnerable application unserializes " + 219 | "user-controllable data. Doing so can be used to instantiate arbitrary objects that depending " + 220 | "on their implementations can be used for various attacks. These attacks include arbitrary code " + 221 | "execution, SQL injection, arbitrary file access, and others.
\n" + 222 | "See also: https://www.owasp.org/index.php/PHP_Object_Injection
"; 223 | } 224 | 225 | @Override 226 | public String getRemediationBackground() { 227 | return "Avoid unserializing untrusted (user) data. Instead use a safer alternative, like json_decode()."; 228 | } 229 | 230 | @Override 231 | public String getIssueDetail() { 232 | return detail; 233 | } 234 | 235 | @Override 236 | public String getRemediationDetail() { 237 | return null; 238 | } 239 | 240 | @Override 241 | public IHttpRequestResponse[] getHttpMessages() { 242 | return httpMessages; 243 | } 244 | 245 | @Override 246 | public IHttpService getHttpService() { 247 | return httpService; 248 | } 249 | 250 | } -------------------------------------------------------------------------------- /src/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * All extensions must implement this interface. 14 | * 15 | * Implementations must be called BurpExtender, in the package burp, must be 16 | * declared public, and must provide a default (public, no-argument) 17 | * constructor. 18 | */ 19 | public interface IBurpExtender 20 | { 21 | /** 22 | * This method is invoked when the extension is loaded. It registers an 23 | * instance of the 24 | *IBurpExtenderCallbacks interface, providing methods that may
25 | * be invoked by the extension to perform various actions.
26 | *
27 | * @param callbacks An
28 | * IBurpExtenderCallbacks object.
29 | */
30 | void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks);
31 | }
32 |
--------------------------------------------------------------------------------
/src/burp/IBurpExtenderCallbacks.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IBurpExtenderCallbacks.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.awt.Component;
13 | import java.io.OutputStream;
14 | import java.util.List;
15 | import java.util.Map;
16 |
17 | /**
18 | * This interface is used by Burp Suite to pass to extensions a set of callback
19 | * methods that can be used by extensions to perform various actions within
20 | * Burp.
21 | *
22 | * When an extension is loaded, Burp invokes its
23 | * registerExtenderCallbacks() method and passes an instance of the
24 | * IBurpExtenderCallbacks interface. The extension may then invoke
25 | * the methods of this interface as required in order to extend Burp's
26 | * functionality.
27 | */
28 | public interface IBurpExtenderCallbacks
29 | {
30 | /**
31 | * Flag used to identify Burp Suite as a whole.
32 | */
33 | static final int TOOL_SUITE = 0x00000001;
34 | /**
35 | * Flag used to identify the Burp Target tool.
36 | */
37 | static final int TOOL_TARGET = 0x00000002;
38 | /**
39 | * Flag used to identify the Burp Proxy tool.
40 | */
41 | static final int TOOL_PROXY = 0x00000004;
42 | /**
43 | * Flag used to identify the Burp Spider tool.
44 | */
45 | static final int TOOL_SPIDER = 0x00000008;
46 | /**
47 | * Flag used to identify the Burp Scanner tool.
48 | */
49 | static final int TOOL_SCANNER = 0x00000010;
50 | /**
51 | * Flag used to identify the Burp Intruder tool.
52 | */
53 | static final int TOOL_INTRUDER = 0x00000020;
54 | /**
55 | * Flag used to identify the Burp Repeater tool.
56 | */
57 | static final int TOOL_REPEATER = 0x00000040;
58 | /**
59 | * Flag used to identify the Burp Sequencer tool.
60 | */
61 | static final int TOOL_SEQUENCER = 0x00000080;
62 | /**
63 | * Flag used to identify the Burp Decoder tool.
64 | */
65 | static final int TOOL_DECODER = 0x00000100;
66 | /**
67 | * Flag used to identify the Burp Comparer tool.
68 | */
69 | static final int TOOL_COMPARER = 0x00000200;
70 | /**
71 | * Flag used to identify the Burp Extender tool.
72 | */
73 | static final int TOOL_EXTENDER = 0x00000400;
74 |
75 | /**
76 | * This method is used to set the display name for the current extension,
77 | * which will be displayed within the user interface for the Extender tool.
78 | *
79 | * @param name The extension name.
80 | */
81 | void setExtensionName(String name);
82 |
83 | /**
84 | * This method is used to obtain an
85 | * IExtensionHelpers object, which can be used by the extension
86 | * to perform numerous useful tasks.
87 | *
88 | * @return An object containing numerous helper methods, for tasks such as
89 | * building and analyzing HTTP requests.
90 | */
91 | IExtensionHelpers getHelpers();
92 |
93 | /**
94 | * This method is used to obtain the current extension's standard output
95 | * stream. Extensions should write all output to this stream, allowing the
96 | * Burp user to configure how that output is handled from within the UI.
97 | *
98 | * @return The extension's standard output stream.
99 | */
100 | OutputStream getStdout();
101 |
102 | /**
103 | * This method is used to obtain the current extension's standard error
104 | * stream. Extensions should write all error messages to this stream,
105 | * allowing the Burp user to configure how that output is handled from
106 | * within the UI.
107 | *
108 | * @return The extension's standard error stream.
109 | */
110 | OutputStream getStderr();
111 |
112 | /**
113 | * This method is used to register a listener which will be notified of
114 | * changes to the extension's state. Note: Any extensions that start
115 | * background threads or open system resources (such as files or database
116 | * connections) should register a listener and terminate threads / close
117 | * resources when the extension is unloaded.
118 | *
119 | * @param listener An object created by the extension that implements the
120 | * IExtensionStateListener interface.
121 | */
122 | void registerExtensionStateListener(IExtensionStateListener listener);
123 |
124 | /**
125 | * This method is used to register a listener which will be notified of
126 | * requests and responses made by any Burp tool. Extensions can perform
127 | * custom analysis or modification of these messages by registering an HTTP
128 | * listener.
129 | *
130 | * @param listener An object created by the extension that implements the
131 | * IHttpListener interface.
132 | */
133 | void registerHttpListener(IHttpListener listener);
134 |
135 | /**
136 | * This method is used to register a listener which will be notified of
137 | * requests and responses being processed by the Proxy tool. Extensions can
138 | * perform custom analysis or modification of these messages, and control
139 | * in-UI message interception, by registering a proxy listener.
140 | *
141 | * @param listener An object created by the extension that implements the
142 | * IProxyListener interface.
143 | */
144 | void registerProxyListener(IProxyListener listener);
145 |
146 | /**
147 | * This method is used to register a listener which will be notified of new
148 | * issues that are reported by the Scanner tool. Extensions can perform
149 | * custom analysis or logging of Scanner issues by registering a Scanner
150 | * listener.
151 | *
152 | * @param listener An object created by the extension that implements the
153 | * IScannerListener interface.
154 | */
155 | void registerScannerListener(IScannerListener listener);
156 |
157 | /**
158 | * This method is used to register a listener which will be notified of
159 | * changes to Burp's suite-wide target scope.
160 | *
161 | * @param listener An object created by the extension that implements the
162 | * IScopeChangeListener interface.
163 | */
164 | void registerScopeChangeListener(IScopeChangeListener listener);
165 |
166 | /**
167 | * This method is used to register a factory for custom context menu items.
168 | * When the user invokes a context menu anywhere within Burp, the factory
169 | * will be passed details of the invocation event, and asked to provide any
170 | * custom context menu items that should be shown.
171 | *
172 | * @param factory An object created by the extension that implements the
173 | * IContextMenuFactory interface.
174 | */
175 | void registerContextMenuFactory(IContextMenuFactory factory);
176 |
177 | /**
178 | * This method is used to register a factory for custom message editor tabs.
179 | * For each message editor that already exists, or is subsequently created,
180 | * within Burp, the factory will be asked to provide a new instance of an
181 | * IMessageEditorTab object, which can provide custom rendering
182 | * or editing of HTTP messages.
183 | *
184 | * @param factory An object created by the extension that implements the
185 | * IMessageEditorTabFactory interface.
186 | */
187 | void registerMessageEditorTabFactory(IMessageEditorTabFactory factory);
188 |
189 | /**
190 | * This method is used to register a provider of Scanner insertion points.
191 | * For each base request that is actively scanned, Burp will ask the
192 | * provider to provide any custom scanner insertion points that are
193 | * appropriate for the request.
194 | *
195 | * @param provider An object created by the extension that implements the
196 | * IScannerInsertionPointProvider interface.
197 | */
198 | void registerScannerInsertionPointProvider(
199 | IScannerInsertionPointProvider provider);
200 |
201 | /**
202 | * This method is used to register a custom Scanner check. When performing
203 | * scanning, Burp will ask the check to perform active or passive scanning
204 | * on the base request, and report any Scanner issues that are identified.
205 | *
206 | * @param check An object created by the extension that implements the
207 | * IScannerCheck interface.
208 | */
209 | void registerScannerCheck(IScannerCheck check);
210 |
211 | /**
212 | * This method is used to register a factory for Intruder payloads. Each
213 | * registered factory will be available within the Intruder UI for the user
214 | * to select as the payload source for an attack. When this is selected, the
215 | * factory will be asked to provide a new instance of an
216 | * IIntruderPayloadGenerator object, which will be used to
217 | * generate payloads for the attack.
218 | *
219 | * @param factory An object created by the extension that implements the
220 | * IIntruderPayloadGeneratorFactory interface.
221 | */
222 | void registerIntruderPayloadGeneratorFactory(
223 | IIntruderPayloadGeneratorFactory factory);
224 |
225 | /**
226 | * This method is used to register a custom Intruder payload processor. Each
227 | * registered processor will be available within the Intruder UI for the
228 | * user to select as the action for a payload processing rule.
229 | *
230 | * @param processor An object created by the extension that implements the
231 | * IIntruderPayloadProcessor interface.
232 | */
233 | void registerIntruderPayloadProcessor(IIntruderPayloadProcessor processor);
234 |
235 | /**
236 | * This method is used to register a custom session handling action. Each
237 | * registered action will be available within the session handling rule UI
238 | * for the user to select as a rule action. Users can choose to invoke an
239 | * action directly in its own right, or following execution of a macro.
240 | *
241 | * @param action An object created by the extension that implements the
242 | * ISessionHandlingAction interface.
243 | */
244 | void registerSessionHandlingAction(ISessionHandlingAction action);
245 |
246 | /**
247 | * This method is used to add a custom tab to the main Burp Suite window.
248 | *
249 | * @param tab An object created by the extension that implements the
250 | * ITab interface.
251 | */
252 | void addSuiteTab(ITab tab);
253 |
254 | /**
255 | * This method is used to remove a previously-added tab from the main Burp
256 | * Suite window.
257 | *
258 | * @param tab An object created by the extension that implements the
259 | * ITab interface.
260 | */
261 | void removeSuiteTab(ITab tab);
262 |
263 | /**
264 | * This method is used to customize UI components in line with Burp's UI
265 | * style, including font size, colors, table line spacing, etc.
266 | *
267 | * @param component The UI component to be customized.
268 | */
269 | void customizeUiComponent(Component component);
270 |
271 | /**
272 | * This method is used to create a new instance of Burp's HTTP message
273 | * editor, for the extension to use in its own UI.
274 | *
275 | * @param controller An object created by the extension that implements the
276 | * IMessageEditorController interface. This parameter is
277 | * optional and may be
278 | * null. If it is provided, then the message editor will query
279 | * the controller when required to obtain details about the currently
280 | * displayed message, including the
281 | * IHttpService for the message, and the associated request or
282 | * response message. If a controller is not provided, then the message
283 | * editor will not support context menu actions, such as sending requests to
284 | * other Burp tools.
285 | * @param editable Indicates whether the editor created should be editable,
286 | * or used only for message viewing.
287 | * @return An object that implements the
288 | * IMessageEditor interface, and which the extension can use in
289 | * its own UI.
290 | */
291 | IMessageEditor createMessageEditor(IMessageEditorController controller,
292 | boolean editable);
293 |
294 | /**
295 | * This method is used to save configuration settings for the extension in a
296 | * persistent way that survives reloads of the extension and of Burp Suite.
297 | * Saved settings can be retrieved using the method
298 | * loadExtensionSetting().
299 | *
300 | * @param name The name of the setting.
301 | * @param value The value of the setting. If this value is
302 | * null then any existing setting with the specified name will
303 | * be removed.
304 | */
305 | void saveExtensionSetting(String name, String value);
306 |
307 | /**
308 | * This method is used to load configuration settings for the extension that
309 | * were saved using the method
310 | * saveExtensionSetting().
311 | *
312 | * @param name The name of the setting.
313 | * @return The value of the setting, or
314 | * null if no value is set.
315 | */
316 | String loadExtensionSetting(String name);
317 |
318 | /**
319 | * This method is used to create a new instance of Burp's plain text editor,
320 | * for the extension to use in its own UI.
321 | *
322 | * @return An object that implements the
323 | * ITextEditor interface, and which the extension can use in
324 | * its own UI.
325 | */
326 | ITextEditor createTextEditor();
327 |
328 | /**
329 | * This method can be used to send an HTTP request to the Burp Repeater
330 | * tool. The request will be displayed in the user interface, but will not
331 | * be issued until the user initiates this action.
332 | *
333 | * @param host The hostname of the remote HTTP server.
334 | * @param port The port of the remote HTTP server.
335 | * @param useHttps Flags whether the protocol is HTTPS or HTTP.
336 | * @param request The full HTTP request.
337 | * @param tabCaption An optional caption which will appear on the Repeater
338 | * tab containing the request. If this value is
339 | * null then a default tab index will be displayed.
340 | */
341 | void sendToRepeater(
342 | String host,
343 | int port,
344 | boolean useHttps,
345 | byte[] request,
346 | String tabCaption);
347 |
348 | /**
349 | * This method can be used to send an HTTP request to the Burp Intruder
350 | * tool. The request will be displayed in the user interface, and markers
351 | * for attack payloads will be placed into default locations within the
352 | * request.
353 | *
354 | * @param host The hostname of the remote HTTP server.
355 | * @param port The port of the remote HTTP server.
356 | * @param useHttps Flags whether the protocol is HTTPS or HTTP.
357 | * @param request The full HTTP request.
358 | */
359 | void sendToIntruder(
360 | String host,
361 | int port,
362 | boolean useHttps,
363 | byte[] request);
364 |
365 | /**
366 | * This method can be used to send an HTTP request to the Burp Intruder
367 | * tool. The request will be displayed in the user interface, and markers
368 | * for attack payloads will be placed into the specified locations within
369 | * the request.
370 | *
371 | * @param host The hostname of the remote HTTP server.
372 | * @param port The port of the remote HTTP server.
373 | * @param useHttps Flags whether the protocol is HTTPS or HTTP.
374 | * @param request The full HTTP request.
375 | * @param payloadPositionOffsets A list of index pairs representing the
376 | * payload positions to be used. Each item in the list must be an int[2]
377 | * array containing the start and end offsets for the payload position.
378 | */
379 | void sendToIntruder(
380 | String host,
381 | int port,
382 | boolean useHttps,
383 | byte[] request,
384 | ListIHttpRequestResponse interface, and which the extension can
465 | * query to obtain the details of the response.
466 | */
467 | IHttpRequestResponse makeHttpRequest(IHttpService httpService,
468 | byte[] request);
469 |
470 | /**
471 | * This method can be used to issue HTTP requests and retrieve their
472 | * responses.
473 | *
474 | * @param host The hostname of the remote HTTP server.
475 | * @param port The port of the remote HTTP server.
476 | * @param useHttps Flags whether the protocol is HTTPS or HTTP.
477 | * @param request The full HTTP request.
478 | * @return The full response retrieved from the remote server.
479 | */
480 | byte[] makeHttpRequest(
481 | String host,
482 | int port,
483 | boolean useHttps,
484 | byte[] request);
485 |
486 | /**
487 | * This method can be used to query whether a specified URL is within the
488 | * current Suite-wide scope.
489 | *
490 | * @param url The URL to query.
491 | * @return Returns
492 | * true if the URL is within the current Suite-wide scope.
493 | */
494 | boolean isInScope(java.net.URL url);
495 |
496 | /**
497 | * This method can be used to include the specified URL in the Suite-wide
498 | * scope.
499 | *
500 | * @param url The URL to include in the Suite-wide scope.
501 | */
502 | void includeInScope(java.net.URL url);
503 |
504 | /**
505 | * This method can be used to exclude the specified URL from the Suite-wide
506 | * scope.
507 | *
508 | * @param url The URL to exclude from the Suite-wide scope.
509 | */
510 | void excludeFromScope(java.net.URL url);
511 |
512 | /**
513 | * This method can be used to display a specified message in the Burp Suite
514 | * alerts tab.
515 | *
516 | * @param message The alert message to display.
517 | */
518 | void issueAlert(String message);
519 |
520 | /**
521 | * This method returns details of all items in the Proxy history.
522 | *
523 | * @return The contents of the Proxy history.
524 | */
525 | IHttpRequestResponse[] getProxyHistory();
526 |
527 | /**
528 | * This method returns details of items in the site map.
529 | *
530 | * @param urlPrefix This parameter can be used to specify a URL prefix, in
531 | * order to extract a specific subset of the site map. The method performs a
532 | * simple case-sensitive text match, returning all site map items whose URL
533 | * begins with the specified prefix. If this parameter is null, the entire
534 | * site map is returned.
535 | *
536 | * @return Details of items in the site map.
537 | */
538 | IHttpRequestResponse[] getSiteMap(String urlPrefix);
539 |
540 | /**
541 | * This method returns all of the current scan issues for URLs matching the
542 | * specified literal prefix.
543 | *
544 | * @param urlPrefix This parameter can be used to specify a URL prefix, in
545 | * order to extract a specific subset of scan issues. The method performs a
546 | * simple case-sensitive text match, returning all scan issues whose URL
547 | * begins with the specified prefix. If this parameter is null, all issues
548 | * are returned.
549 | * @return Details of the scan issues.
550 | */
551 | IScanIssue[] getScanIssues(String urlPrefix);
552 |
553 | /**
554 | * This method is used to retrieve the contents of Burp's session handling
555 | * cookie jar. Extensions that provide an
556 | * ISessionHandlingAction can query and update the cookie jar
557 | * in order to handle unusual session handling mechanisms.
558 | *
559 | * @return A list of
560 | * ICookie objects representing the contents of Burp's session
561 | * handling cookie jar.
562 | */
563 | ListISessionHandlingAction can query and update the cookie jar
569 | * in order to handle unusual session handling mechanisms.
570 | *
571 | * @param cookie An
572 | * ICookie object containing details of the cookie to be
573 | * updated. If the cookie jar already contains a cookie that matches the
574 | * specified domain and name, then that cookie will be updated with the new
575 | * value and expiration, unless the new value is
576 | * null, in which case the cookie will be removed. If the
577 | * cookie jar does not already contain a cookie that matches the specified
578 | * domain and name, then the cookie will be added.
579 | */
580 | void updateCookieJar(ICookie cookie);
581 |
582 | /**
583 | * This method can be used to add an item to Burp's site map with the
584 | * specified request/response details. This will overwrite the details of
585 | * any existing matching item in the site map.
586 | *
587 | * @param item Details of the item to be added to the site map
588 | */
589 | void addToSiteMap(IHttpRequestResponse item);
590 |
591 | /**
592 | * This method can be used to restore Burp's state from a specified saved
593 | * state file. This method blocks until the restore operation is completed,
594 | * and must not be called from the event dispatch thread.
595 | *
596 | * @param file The file containing Burp's saved state.
597 | */
598 | void restoreState(java.io.File file);
599 |
600 | /**
601 | * This method can be used to save Burp's state to a specified file. This
602 | * method blocks until the save operation is completed, and must not be
603 | * called from the event dispatch thread.
604 | *
605 | * @param file The file to save Burp's state in.
606 | */
607 | void saveState(java.io.File file);
608 |
609 | /**
610 | * This method causes Burp to save all of its current configuration as a Map
611 | * of name/value Strings.
612 | *
613 | * @return A Map of name/value Strings reflecting Burp's current
614 | * configuration.
615 | */
616 | MapsaveConfig() to obtain Burp's current configuration, modify
624 | * the relevant items in the Map, and then call
625 | * loadConfig() with the same Map.
626 | *
627 | * @param config A map of name/value Strings to use as Burp's new
628 | * configuration.
629 | */
630 | void loadConfig(MapITempFile interface.
670 | */
671 | ITempFile saveToTempFile(byte[] buffer);
672 |
673 | /**
674 | * This method is used to save the request and response of an
675 | * IHttpRequestResponse object to temporary files, so that they
676 | * are no longer held in memory. Extensions can used this method to convert
677 | * IHttpRequestResponse objects into a form suitable for
678 | * long-term storage.
679 | *
680 | * @param httpRequestResponse The
681 | * IHttpRequestResponse object whose request and response
682 | * messages are to be saved to temporary files.
683 | * @return An object that implements the
684 | * IHttpRequestResponsePersisted interface.
685 | */
686 | IHttpRequestResponsePersisted saveBuffersToTempFiles(
687 | IHttpRequestResponse httpRequestResponse);
688 |
689 | /**
690 | * This method is used to apply markers to an HTTP request or response, at
691 | * offsets into the message that are relevant for some particular purpose.
692 | * Markers are used in various situations, such as specifying Intruder
693 | * payload positions, Scanner insertion points, and highlights in Scanner
694 | * issues.
695 | *
696 | * @param httpRequestResponse The
697 | * IHttpRequestResponse object to which the markers should be
698 | * applied.
699 | * @param requestMarkers A list of index pairs representing the offsets of
700 | * markers to be applied to the request message. Each item in the list must
701 | * be an int[2] array containing the start and end offsets for the marker.
702 | * This parameter is optional and may be
703 | * null if no request markers are required.
704 | * @param responseMarkers A list of index pairs representing the offsets of
705 | * markers to be applied to the response message. Each item in the list must
706 | * be an int[2] array containing the start and end offsets for the marker.
707 | * This parameter is optional and may be
708 | * null if no response markers are required.
709 | * @return An object that implements the
710 | * IHttpRequestResponseWithMarkers interface.
711 | */
712 | IHttpRequestResponseWithMarkers applyMarkers(
713 | IHttpRequestResponse httpRequestResponse,
714 | ListTOOL_PROXY,
723 | * TOOL_SCANNER, etc.). Tool flags are defined within this
724 | * interface.
725 | * @return The descriptive name for the specified tool.
726 | */
727 | String getToolName(int toolFlag);
728 |
729 | /**
730 | * This method is used to register a new Scanner issue. Note:
731 | * Wherever possible, extensions should implement custom Scanner checks
732 | * using
733 | * IScannerCheck and report issues via those checks, so as to
734 | * integrate with Burp's user-driven workflow, and ensure proper
735 | * consolidation of duplicate reported issues. This method is only designed
736 | * for tasks outside of the normal testing workflow, such as importing
737 | * results from other scanning tools.
738 | *
739 | * @param issue An object created by the extension that implements the
740 | * IScanIssue interface.
741 | */
742 | void addScanIssue(IScanIssue issue);
743 |
744 | /**
745 | * This method parses the specified request and returns details of each
746 | * request parameter.
747 | *
748 | * @param request The request to be parsed.
749 | * @return An array of:
750 | * String[] { name, value, type } containing details of the
751 | * parameters contained within the request.
752 | * @deprecated Use
753 | * IExtensionHelpers.analyzeRequest() instead.
754 | */
755 | @Deprecated
756 | String[][] getParameters(byte[] request);
757 |
758 | /**
759 | * This method parses the specified request and returns details of each HTTP
760 | * header.
761 | *
762 | * @param message The request to be parsed.
763 | * @return An array of HTTP headers.
764 | * @deprecated Use
765 | * IExtensionHelpers.analyzeRequest() or
766 | * IExtensionHelpers.analyzeResponse() instead.
767 | */
768 | @Deprecated
769 | String[] getHeaders(byte[] message);
770 |
771 | /**
772 | * This method can be used to register a new menu item which will appear on
773 | * the various context menus that are used throughout Burp Suite to handle
774 | * user-driven actions.
775 | *
776 | * @param menuItemCaption The caption to be displayed on the menu item.
777 | * @param menuItemHandler The handler to be invoked when the user clicks on
778 | * the menu item.
779 | * @deprecated Use
780 | * registerContextMenuFactory() instead.
781 | */
782 | @Deprecated
783 | void registerMenuItem(
784 | String menuItemCaption,
785 | IMenuItemHandler menuItemHandler);
786 | }
787 |
--------------------------------------------------------------------------------
/src/burp/IContextMenuFactory.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IContextMenuFactory.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.util.List;
13 | import javax.swing.JMenuItem;
14 |
15 | /**
16 | * Extensions can implement this interface and then call
17 | * IBurpExtenderCallbacks.registerContextMenuFactory() to register
18 | * a factory for custom context menu items.
19 | */
20 | public interface IContextMenuFactory
21 | {
22 | /**
23 | * This method will be called by Burp when the user invokes a context menu
24 | * anywhere within Burp. The factory can then provide any custom context
25 | * menu items that should be displayed in the context menu, based on the
26 | * details of the menu invocation.
27 | *
28 | * @param invocation An object that implements the
29 | * IMessageEditorTabFactory interface, which the extension can
30 | * query to obtain details of the context menu invocation.
31 | * @return A list of custom menu items (which may include sub-menus,
32 | * checkbox menu items, etc.) that should be displayed. Extensions may
33 | * return
34 | * null from this method, to indicate that no menu items are
35 | * required.
36 | */
37 | ListIContextMenuFactory with details of a context menu invocation.
17 | * The custom context menu factory can query this interface to obtain details of
18 | * the invocation event, in order to determine what menu items should be
19 | * displayed.
20 | */
21 | public interface IContextMenuInvocation
22 | {
23 | /**
24 | * Used to indicate that the context menu is being invoked in a request
25 | * editor.
26 | */
27 | static final byte CONTEXT_MESSAGE_EDITOR_REQUEST = 0;
28 | /**
29 | * Used to indicate that the context menu is being invoked in a response
30 | * editor.
31 | */
32 | static final byte CONTEXT_MESSAGE_EDITOR_RESPONSE = 1;
33 | /**
34 | * Used to indicate that the context menu is being invoked in a non-editable
35 | * request viewer.
36 | */
37 | static final byte CONTEXT_MESSAGE_VIEWER_REQUEST = 2;
38 | /**
39 | * Used to indicate that the context menu is being invoked in a non-editable
40 | * response viewer.
41 | */
42 | static final byte CONTEXT_MESSAGE_VIEWER_RESPONSE = 3;
43 | /**
44 | * Used to indicate that the context menu is being invoked in the Target
45 | * site map tree.
46 | */
47 | static final byte CONTEXT_TARGET_SITE_MAP_TREE = 4;
48 | /**
49 | * Used to indicate that the context menu is being invoked in the Target
50 | * site map table.
51 | */
52 | static final byte CONTEXT_TARGET_SITE_MAP_TABLE = 5;
53 | /**
54 | * Used to indicate that the context menu is being invoked in the Proxy
55 | * history.
56 | */
57 | static final byte CONTEXT_PROXY_HISTORY = 6;
58 | /**
59 | * Used to indicate that the context menu is being invoked in the Scanner
60 | * results.
61 | */
62 | static final byte CONTEXT_SCANNER_RESULTS = 7;
63 | /**
64 | * Used to indicate that the context menu is being invoked in the Intruder
65 | * payload positions editor.
66 | */
67 | static final byte CONTEXT_INTRUDER_PAYLOAD_POSITIONS = 8;
68 | /**
69 | * Used to indicate that the context menu is being invoked in an Intruder
70 | * attack results.
71 | */
72 | static final byte CONTEXT_INTRUDER_ATTACK_RESULTS = 9;
73 | /**
74 | * Used to indicate that the context menu is being invoked in a search
75 | * results window.
76 | */
77 | static final byte CONTEXT_SEARCH_RESULTS = 10;
78 |
79 | /**
80 | * This method can be used to retrieve the native Java input event that was
81 | * the trigger for the context menu invocation.
82 | *
83 | * @return The
84 | * InputEvent that was the trigger for the context menu
85 | * invocation.
86 | */
87 | InputEvent getInputEvent();
88 |
89 | /**
90 | * This method can be used to retrieve the Burp tool within which the
91 | * context menu was invoked.
92 | *
93 | * @return A flag indicating the Burp tool within which the context menu was
94 | * invoked. Burp tool flags are defined in the
95 | * IBurpExtenderCallbacks interface.
96 | */
97 | int getToolFlag();
98 |
99 | /**
100 | * This method can be used to retrieve the context within which the menu was
101 | * invoked.
102 | *
103 | * @return An index indicating the context within which the menu was
104 | * invoked. The indices used are defined within this interface.
105 | */
106 | byte getInvocationContext();
107 |
108 | /**
109 | * This method can be used to retrieve the bounds of the user's selection
110 | * into the current message, if applicable.
111 | *
112 | * @return An int[2] array containing the start and end offsets of the
113 | * user's selection in the current message. If the user has not made any
114 | * selection in the current message, both offsets indicate the position of
115 | * the caret within the editor. If the menu is not being invoked from a
116 | * message editor, the method returns
117 | * null.
118 | */
119 | int[] getSelectionBounds();
120 |
121 | /**
122 | * This method can be used to retrieve details of the HTTP requests /
123 | * responses that were shown or selected by the user when the context menu
124 | * was invoked.
125 | *
126 | * @return An array of
127 | * IHttpRequestResponse objects representing the items that
128 | * were shown or selected by the user when the context menu was invoked.
129 | * This method returns
130 | * null if no messages are applicable to the invocation.
131 | */
132 | IHttpRequestResponse[] getSelectedMessages();
133 |
134 | /**
135 | * This method can be used to retrieve details of the Scanner issues that
136 | * were selected by the user when the context menu was invoked.
137 | *
138 | * @return An array of
139 | * IScanIssue objects representing the issues that were
140 | * selected by the user when the context menu was invoked. This method
141 | * returns
142 | * null if no Scanner issues are applicable to the invocation.
143 | */
144 | IScanIssue[] getSelectedIssues();
145 | }
146 |
--------------------------------------------------------------------------------
/src/burp/ICookie.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)ICookie.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.util.Date;
13 |
14 | /**
15 | * This interface is used to hold details about an HTTP cookie.
16 | */
17 | public interface ICookie
18 | {
19 | /**
20 | * This method is used to retrieve the domain for which the cookie is in
21 | * scope.
22 | *
23 | * @return The domain for which the cookie is in scope. Note: For
24 | * cookies that have been analyzed from responses (by calling
25 | * IExtensionHelpers.analyzeResponse() and then
26 | * IResponseInfo.getCookies(), the domain will be
27 | * null if the response did not explicitly set a domain
28 | * attribute for the cookie.
29 | */
30 | String getDomain();
31 |
32 | /**
33 | * This method is used to retrieve the expiration time for the cookie.
34 | *
35 | * @return The expiration time for the cookie, or
36 | * null if none is set (i.e., for non-persistent session
37 | * cookies).
38 | */
39 | Date getExpiration();
40 |
41 | /**
42 | * This method is used to retrieve the name of the cookie.
43 | *
44 | * @return The name of the cookie.
45 | */
46 | String getName();
47 |
48 | /**
49 | * This method is used to retrieve the value of the cookie.
50 | * @return The value of the cookie.
51 | */
52 | String getValue();
53 | }
54 |
--------------------------------------------------------------------------------
/src/burp/IExtensionHelpers.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IExtensionHelpers.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.net.URL;
13 | import java.util.List;
14 |
15 | /**
16 | * This interface contains a number of helper methods, which extensions can use
17 | * to assist with various common tasks that arise for Burp extensions.
18 | *
19 | * Extensions can call
20 | * IBurpExtenderCallbacks.getHelpers to obtain an instance of this
21 | * interface.
22 | */
23 | public interface IExtensionHelpers
24 | {
25 | /**
26 | * This method can be used to analyze an HTTP request, and obtain various
27 | * key details about it.
28 | *
29 | * @param request An
30 | * IHttpRequestResponse object containing the request to be
31 | * analyzed.
32 | * @return An
33 | * IRequestInfo object that can be queried to obtain details
34 | * about the request.
35 | */
36 | IRequestInfo analyzeRequest(IHttpRequestResponse request);
37 |
38 | /**
39 | * This method can be used to analyze an HTTP request, and obtain various
40 | * key details about it.
41 | *
42 | * @param httpService The HTTP service associated with the request. This is
43 | * optional and may be
44 | * null, in which case the resulting
45 | * IRequestInfo object will not include the full request URL.
46 | * @param request The request to be analyzed.
47 | * @return An
48 | * IRequestInfo object that can be queried to obtain details
49 | * about the request.
50 | */
51 | IRequestInfo analyzeRequest(IHttpService httpService, byte[] request);
52 |
53 | /**
54 | * This method can be used to analyze an HTTP request, and obtain various
55 | * key details about it. The resulting
56 | * IRequestInfo object will not include the full request URL.
57 | * To obtain the full URL, use one of the other overloaded
58 | * analyzeRequest() methods.
59 | *
60 | * @param request The request to be analyzed.
61 | * @return An
62 | * IRequestInfo object that can be queried to obtain details
63 | * about the request.
64 | */
65 | IRequestInfo analyzeRequest(byte[] request);
66 |
67 | /**
68 | * This method can be used to analyze an HTTP response, and obtain various
69 | * key details about it.
70 | *
71 | * @param response The response to be analyzed.
72 | * @return An
73 | * IResponseInfo object that can be queried to obtain details
74 | * about the response.
75 | */
76 | IResponseInfo analyzeResponse(byte[] response);
77 |
78 | /**
79 | * This method can be used to retrieve details of a specified parameter
80 | * within an HTTP request. Note: Use
81 | * analyzeRequest() to obtain details of all parameters within
82 | * the request.
83 | *
84 | * @param request The request to be inspected for the specified parameter.
85 | * @param parameterName The name of the parameter to retrieve.
86 | * @return An
87 | * IParameter object that can be queried to obtain details
88 | * about the parameter, or
89 | * null if the parameter was not found.
90 | */
91 | IParameter getRequestParameter(byte[] request, String parameterName);
92 |
93 | /**
94 | * This method can be used to URL-decode the specified data.
95 | *
96 | * @param data The data to be decoded.
97 | * @return The decoded data.
98 | */
99 | String urlDecode(String data);
100 |
101 | /**
102 | * This method can be used to URL-encode the specified data. Any characters
103 | * that do not need to be encoded within HTTP requests are not encoded.
104 | *
105 | * @param data The data to be encoded.
106 | * @return The encoded data.
107 | */
108 | String urlEncode(String data);
109 |
110 | /**
111 | * This method can be used to URL-decode the specified data.
112 | *
113 | * @param data The data to be decoded.
114 | * @return The decoded data.
115 | */
116 | byte[] urlDecode(byte[] data);
117 |
118 | /**
119 | * This method can be used to URL-encode the specified data. Any characters
120 | * that do not need to be encoded within HTTP requests are not encoded.
121 | *
122 | * @param data The data to be encoded.
123 | * @return The encoded data.
124 | */
125 | byte[] urlEncode(byte[] data);
126 |
127 | /**
128 | * This method can be used to Base64-decode the specified data.
129 | *
130 | * @param data The data to be decoded.
131 | * @return The decoded data.
132 | */
133 | byte[] base64Decode(String data);
134 |
135 | /**
136 | * This method can be used to Base64-decode the specified data.
137 | *
138 | * @param data The data to be decoded.
139 | * @return The decoded data.
140 | */
141 | byte[] base64Decode(byte[] data);
142 |
143 | /**
144 | * This method can be used to Base64-encode the specified data.
145 | *
146 | * @param data The data to be encoded.
147 | * @return The encoded data.
148 | */
149 | String base64Encode(String data);
150 |
151 | /**
152 | * This method can be used to Base64-encode the specified data.
153 | *
154 | * @param data The data to be encoded.
155 | * @return The encoded data.
156 | */
157 | String base64Encode(byte[] data);
158 |
159 | /**
160 | * This method can be used to convert data from String form into an array of
161 | * bytes. The conversion does not reflect any particular character set, and
162 | * a character with the hex representation 0xWXYZ will always be converted
163 | * into a byte with the representation 0xYZ. It performs the opposite
164 | * conversion to the method
165 | * bytesToString(), and byte-based data that is converted to a
166 | * String and back again using these two methods is guaranteed to retain its
167 | * integrity (which may not be the case with conversions that reflect a
168 | * given character set).
169 | *
170 | * @param data The data to be converted.
171 | * @return The converted data.
172 | */
173 | byte[] stringToBytes(String data);
174 |
175 | /**
176 | * This method can be used to convert data from an array of bytes into
177 | * String form. The conversion does not reflect any particular character
178 | * set, and a byte with the representation 0xYZ will always be converted
179 | * into a character with the hex representation 0x00YZ. It performs the
180 | * opposite conversion to the method
181 | * stringToBytes(), and byte-based data that is converted to a
182 | * String and back again using these two methods is guaranteed to retain its
183 | * integrity (which may not be the case with conversions that reflect a
184 | * given character set).
185 | *
186 | * @param data The data to be converted.
187 | * @return The converted data.
188 | */
189 | String bytesToString(byte[] data);
190 |
191 | /**
192 | * This method searches a piece of data for the first occurrence of a
193 | * specified pattern. It works on byte-based data in a way that is similar
194 | * to the way the native Java method
195 | * String.indexOf() works on String-based data.
196 | *
197 | * @param data The data to be searched.
198 | * @param pattern The pattern to be searched for.
199 | * @param caseSensitive Flags whether or not the search is case-sensitive.
200 | * @param from The offset within
201 | * data where the search should begin.
202 | * @param to The offset within
203 | * data where the search should end.
204 | * @return The offset of the first occurrence of the pattern within the
205 | * specified bounds, or -1 if no match is found.
206 | */
207 | int indexOf(byte[] data,
208 | byte[] pattern,
209 | boolean caseSensitive,
210 | int from,
211 | int to);
212 |
213 | /**
214 | * This method builds an HTTP message containing the specified headers and
215 | * message body. If applicable, the Content-Length header will be added or
216 | * updated, based on the length of the body.
217 | *
218 | * @param headers A list of headers to include in the message.
219 | * @param body The body of the message, of
220 | * null if the message has an empty body.
221 | * @return The resulting full HTTP message.
222 | */
223 | byte[] buildHttpMessage(ListIParameter object containing details of the parameter to be
242 | * added. Supported parameter types are:
243 | * PARAM_URL,
244 | * PARAM_BODY and
245 | * PARAM_COOKIE.
246 | * @return A new HTTP request with the new parameter added.
247 | */
248 | byte[] addParameter(byte[] request, IParameter parameter);
249 |
250 | /**
251 | * This method removes a parameter from an HTTP request, and if appropriate
252 | * updates the Content-Length header.
253 | *
254 | * @param request The request from which the parameter should be removed.
255 | * @param parameter An
256 | * IParameter object containing details of the parameter to be
257 | * removed. Supported parameter types are:
258 | * PARAM_URL,
259 | * PARAM_BODY and
260 | * PARAM_COOKIE.
261 | * @return A new HTTP request with the parameter removed.
262 | */
263 | byte[] removeParameter(byte[] request, IParameter parameter);
264 |
265 | /**
266 | * This method updates the value of a parameter within an HTTP request, and
267 | * if appropriate updates the Content-Length header. Note: This
268 | * method can only be used to update the value of an existing parameter of a
269 | * specified type. If you need to change the type of an existing parameter,
270 | * you should first call
271 | * removeParameter() to remove the parameter with the old type,
272 | * and then call
273 | * addParameter() to add a parameter with the new type.
274 | *
275 | * @param request The request containing the parameter to be updated.
276 | * @param parameter An
277 | * IParameter object containing details of the parameter to be
278 | * updated. Supported parameter types are:
279 | * PARAM_URL,
280 | * PARAM_BODY and
281 | * PARAM_COOKIE.
282 | * @return A new HTTP request with the parameter updated.
283 | */
284 | byte[] updateParameter(byte[] request, IParameter parameter);
285 |
286 | /**
287 | * This method can be used to toggle a request's method between GET and
288 | * POST. Parameters are relocated between the URL query string and message
289 | * body as required, and the Content-Length header is created or removed as
290 | * applicable.
291 | *
292 | * @param request The HTTP request whose method should be toggled.
293 | * @return A new HTTP request using the toggled method.
294 | */
295 | byte[] toggleRequestMethod(byte[] request);
296 |
297 | /**
298 | * This method constructs an
299 | * IHttpService object based on the details provided.
300 | *
301 | * @param host The HTTP service host.
302 | * @param port The HTTP service port.
303 | * @param protocol The HTTP service protocol.
304 | * @return An
305 | * IHttpService object based on the details provided.
306 | */
307 | IHttpService buildHttpService(String host, int port, String protocol);
308 |
309 | /**
310 | * This method constructs an
311 | * IHttpService object based on the details provided.
312 | *
313 | * @param host The HTTP service host.
314 | * @param port The HTTP service port.
315 | * @param useHttps Flags whether the HTTP service protocol is HTTPS or HTTP.
316 | * @return An
317 | * IHttpService object based on the details provided.
318 | */
319 | IHttpService buildHttpService(String host, int port, boolean useHttps);
320 |
321 | /**
322 | * This method constructs an
323 | * IParameter object based on the details provided.
324 | *
325 | * @param name The parameter name.
326 | * @param value The parameter value.
327 | * @param type The parameter type, as defined in the
328 | * IParameter interface.
329 | * @return An
330 | * IParameter object based on the details provided.
331 | */
332 | IParameter buildParameter(String name, String value, byte type);
333 |
334 | /**
335 | * This method constructs an
336 | * IScannerInsertionPoint object based on the details provided.
337 | * It can be used to quickly create a simple insertion point based on a
338 | * fixed payload location within a base request.
339 | *
340 | * @param insertionPointName The name of the insertion point.
341 | * @param baseRequest The request from which to build scan requests.
342 | * @param from The offset of the start of the payload location.
343 | * @param to The offset of the end of the payload location.
344 | * @return An
345 | * IScannerInsertionPoint object based on the details provided.
346 | */
347 | IScannerInsertionPoint makeScannerInsertionPoint(
348 | String insertionPointName,
349 | byte[] baseRequest,
350 | int from,
351 | int to);
352 | }
353 |
--------------------------------------------------------------------------------
/src/burp/IExtensionStateListener.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IExtensionStateListener.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerExtensionStateListener() to
15 | * register an extension state listener. The listener will be notified of
16 | * changes to the extension's state. Note: Any extensions that start
17 | * background threads or open system resources (such as files or database
18 | * connections) should register a listener and terminate threads / close
19 | * resources when the extension is unloaded.
20 | */
21 | public interface IExtensionStateListener
22 | {
23 | /**
24 | * This method is called when the extension is unloaded.
25 | */
26 | void extensionUnloaded();
27 | }
28 |
--------------------------------------------------------------------------------
/src/burp/IHttpListener.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IHttpListener.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerHttpListener() to register an
15 | * HTTP listener. The listener will be notified of requests and responses made
16 | * by any Burp tool. Extensions can perform custom analysis or modification of
17 | * these messages by registering an HTTP listener.
18 | */
19 | public interface IHttpListener
20 | {
21 | /**
22 | * This method is invoked when an HTTP request is about to be issued, and
23 | * when an HTTP response has been received.
24 | *
25 | * @param toolFlag A flag indicating the Burp tool that issued the request.
26 | * Burp tool flags are defined in the
27 | * IBurpExtenderCallbacks interface.
28 | * @param messageIsRequest Flags whether the method is being invoked for a
29 | * request or response.
30 | * @param messageInfo Details of the request / response to be processed.
31 | * Extensions can call the setter methods on this object to update the
32 | * current message and so modify Burp's behavior.
33 | */
34 | void processHttpMessage(int toolFlag,
35 | boolean messageIsRequest,
36 | IHttpRequestResponse messageInfo);
37 | }
38 |
--------------------------------------------------------------------------------
/src/burp/IHttpRequestResponse.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IHttpRequestResponse.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to retrieve and update details about HTTP messages.
14 | *
15 | * Note: The setter methods generally can only be used before the message
16 | * has been processed, and not in read-only contexts. The getter methods
17 | * relating to response details can only be used after the request has been
18 | * issued.
19 | */
20 | public interface IHttpRequestResponse
21 | {
22 | /**
23 | * This method is used to retrieve the request message.
24 | *
25 | * @return The request message.
26 | */
27 | byte[] getRequest();
28 |
29 | /**
30 | * This method is used to update the request message.
31 | *
32 | * @param message The new request message.
33 | */
34 | void setRequest(byte[] message);
35 |
36 | /**
37 | * This method is used to retrieve the response message.
38 | *
39 | * @return The response message.
40 | */
41 | byte[] getResponse();
42 |
43 | /**
44 | * This method is used to update the response message.
45 | *
46 | * @param message The new response message.
47 | */
48 | void setResponse(byte[] message);
49 |
50 | /**
51 | * This method is used to retrieve the user-annotated comment for this item,
52 | * if applicable.
53 | *
54 | * @return The user-annotated comment for this item, or null if none is set.
55 | */
56 | String getComment();
57 |
58 | /**
59 | * This method is used to update the user-annotated comment for this item.
60 | *
61 | * @param comment The comment to be assigned to this item.
62 | */
63 | void setComment(String comment);
64 |
65 | /**
66 | * This method is used to retrieve the user-annotated highlight for this
67 | * item, if applicable.
68 | *
69 | * @return The user-annotated highlight for this item, or null if none is
70 | * set.
71 | */
72 | String getHighlight();
73 |
74 | /**
75 | * This method is used to update the user-annotated highlight for this item.
76 | *
77 | * @param color The highlight color to be assigned to this item. Accepted
78 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray,
79 | * or a null String to clear any existing highlight.
80 | */
81 | void setHighlight(String color);
82 |
83 | /**
84 | * This method is used to retrieve the HTTP service for this request /
85 | * response.
86 | *
87 | * @return An
88 | * IHttpService object containing details of the HTTP service.
89 | */
90 | IHttpService getHttpService();
91 |
92 | /**
93 | * This method is used to update the HTTP service for this request /
94 | * response.
95 | *
96 | * @param httpService An
97 | * IHttpService object containing details of the new HTTP
98 | * service.
99 | */
100 | void setHttpService(IHttpService httpService);
101 |
102 | }
103 |
--------------------------------------------------------------------------------
/src/burp/IHttpRequestResponsePersisted.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IHttpRequestResponsePersisted.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used for an
14 | * IHttpRequestResponse object whose request and response messages
15 | * have been saved to temporary files using
16 | * IBurpExtenderCallbacks.saveBuffersToTempFiles().
17 | */
18 | public interface IHttpRequestResponsePersisted extends IHttpRequestResponse
19 | {
20 | /**
21 | * This method is used to permanently delete the saved temporary files. It
22 | * will no longer be possible to retrieve the request or response for this
23 | * item.
24 | */
25 | void deleteTempFiles();
26 | }
27 |
--------------------------------------------------------------------------------
/src/burp/IHttpRequestResponseWithMarkers.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IHttpRequestResponseWithMarkers.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.util.List;
13 |
14 | /**
15 | * This interface is used for an
16 | * IHttpRequestResponse object that has had markers applied.
17 | * Extensions can create instances of this interface using
18 | * IBurpExtenderCallbacks.applyMarkers(), or provide their own
19 | * implementation. Markers are used in various situations, such as specifying
20 | * Intruder payload positions, Scanner insertion points, and highlights in
21 | * Scanner issues.
22 | */
23 | public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse
24 | {
25 | /**
26 | * This method returns the details of the request markers.
27 | *
28 | * @return A list of index pairs representing the offsets of markers for the
29 | * request message. Each item in the list is an int[2] array containing the
30 | * start and end offsets for the marker. The method may return
31 | * null if no request markers are defined.
32 | */
33 | Listnull if no response markers are defined.
42 | */
43 | ListIProxyListener to receive details of proxy messages using this
16 | * interface. *
17 | */
18 | public interface IInterceptedProxyMessage
19 | {
20 | /**
21 | * This action causes Burp Proxy to follow the current interception rules to
22 | * determine the appropriate action to take for the message.
23 | */
24 | static final int ACTION_FOLLOW_RULES = 0;
25 | /**
26 | * This action causes Burp Proxy to present the message to the user for
27 | * manual review or modification.
28 | */
29 | static final int ACTION_DO_INTERCEPT = 1;
30 | /**
31 | * This action causes Burp Proxy to forward the message to the remote server
32 | * or client, without presenting it to the user.
33 | */
34 | static final int ACTION_DONT_INTERCEPT = 2;
35 | /**
36 | * This action causes Burp Proxy to drop the message.
37 | */
38 | static final int ACTION_DROP = 3;
39 | /**
40 | * This action causes Burp Proxy to follow the current interception rules to
41 | * determine the appropriate action to take for the message, and then make a
42 | * second call to processProxyMessage.
43 | */
44 | static final int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10;
45 | /**
46 | * This action causes Burp Proxy to present the message to the user for
47 | * manual review or modification, and then make a second call to
48 | * processProxyMessage.
49 | */
50 | static final int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11;
51 | /**
52 | * This action causes Burp Proxy to skip user interception, and then make a
53 | * second call to processProxyMessage.
54 | */
55 | static final int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12;
56 |
57 | /**
58 | * This method retrieves a unique reference number for this
59 | * request/response.
60 | *
61 | * @return An identifier that is unique to a single request/response pair.
62 | * Extensions can use this to correlate details of requests and responses
63 | * and perform processing on the response message accordingly.
64 | */
65 | int getMessageReference();
66 |
67 | /**
68 | * This method retrieves details of the intercepted message.
69 | *
70 | * @return An
71 | * IHttpRequestResponse object containing details of the
72 | * intercepted message.
73 | */
74 | IHttpRequestResponse getMessageInfo();
75 |
76 | /**
77 | * This method retrieves the currently defined interception action. The
78 | * default action is
79 | * ACTION_FOLLOW_RULES. If multiple proxy listeners are
80 | * registered, then other listeners may already have modified the
81 | * interception action before it reaches the current listener. This method
82 | * can be used to determine whether this has occurred.
83 | *
84 | * @return The currently defined interception action. Possible values are
85 | * defined within this interface.
86 | */
87 | int getInterceptAction();
88 |
89 | /**
90 | * This method is used to update the interception action.
91 | *
92 | * @param interceptAction The new interception action. Possible values are
93 | * defined within this interface.
94 | */
95 | void setInterceptAction(int interceptAction);
96 | }
97 |
--------------------------------------------------------------------------------
/src/burp/IIntruderAttack.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IIntruderAttack.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to hold details about an Intruder attack.
14 | */
15 | public interface IIntruderAttack
16 | {
17 | /**
18 | * This method is used to retrieve the HTTP service for the attack.
19 | *
20 | * @return The HTTP service for the attack.
21 | */
22 | IHttpService getHttpService();
23 |
24 | /**
25 | * This method is used to retrieve the request template for the attack.
26 | *
27 | * @return The request template for the attack.
28 | */
29 | byte[] getRequestTemplate();
30 |
31 | }
32 |
--------------------------------------------------------------------------------
/src/burp/IIntruderPayloadGenerator.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IIntruderPayloadGenerator.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used for custom Intruder payload generators. Extensions
14 | * that have registered an
15 | * IIntruderPayloadGeneratorFactory must return a new instance of
16 | * this interface when required as part of a new Intruder attack.
17 | */
18 | public interface IIntruderPayloadGenerator
19 | {
20 | /**
21 | * This method is used by Burp to determine whether the payload generator is
22 | * able to provide any further payloads.
23 | *
24 | * @return Extensions should return
25 | * false when all the available payloads have been used up,
26 | * otherwise
27 | * true.
28 | */
29 | boolean hasMorePayloads();
30 |
31 | /**
32 | * This method is used by Burp to obtain the value of the next payload.
33 | *
34 | * @param baseValue The base value of the current payload position. This
35 | * value may be
36 | * null if the concept of a base value is not applicable (e.g.
37 | * in a battering ram attack).
38 | * @return The next payload to use in the attack.
39 | */
40 | byte[] getNextPayload(byte[] baseValue);
41 |
42 | /**
43 | * This method is used by Burp to reset the state of the payload generator
44 | * so that the next call to
45 | * getNextPayload() returns the first payload again. This
46 | * method will be invoked when an attack uses the same payload generator for
47 | * more than one payload position, for example in a sniper attack.
48 | */
49 | void reset();
50 | }
51 |
--------------------------------------------------------------------------------
/src/burp/IIntruderPayloadGeneratorFactory.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IIntruderPayloadGeneratorFactory.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory()
15 | * to register a factory for custom Intruder payloads.
16 | */
17 | public interface IIntruderPayloadGeneratorFactory
18 | {
19 | /**
20 | * This method is used by Burp to obtain the name of the payload generator.
21 | * This will be displayed as an option within the Intruder UI when the user
22 | * selects to use extension-generated payloads.
23 | *
24 | * @return The name of the payload generator.
25 | */
26 | String getGeneratorName();
27 |
28 | /**
29 | * This method is used by Burp when the user starts an Intruder attack that
30 | * uses this payload generator.
31 | *
32 | * @param attack An
33 | * IIntruderAttack object that can be queried to obtain details
34 | * about the attack in which the payload generator will be used.
35 | * @return A new instance of
36 | * IIntruderPayloadGenerator that will be used to generate
37 | * payloads for the attack.
38 | */
39 | IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack);
40 | }
41 |
--------------------------------------------------------------------------------
/src/burp/IIntruderPayloadProcessor.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IIntruderPayloadProcessor.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerIntruderPayloadProcessor() to
15 | * register a custom Intruder payload processor.
16 | */
17 | public interface IIntruderPayloadProcessor
18 | {
19 | /**
20 | * This method is used by Burp to obtain the name of the payload processor.
21 | * This will be displayed as an option within the Intruder UI when the user
22 | * selects to use an extension-provided payload processor.
23 | *
24 | * @return The name of the payload processor.
25 | */
26 | String getProcessorName();
27 |
28 | /**
29 | * This method is invoked by Burp each time the processor should be applied
30 | * to an Intruder payload.
31 | *
32 | * @param currentPayload The value of the payload to be processed.
33 | * @param originalPayload The value of the original payload prior to
34 | * processing by any already-applied processing rules.
35 | * @param baseValue The base value of the payload position, which will be
36 | * replaced with the current payload.
37 | * @return The value of the processed payload. This may be
38 | * null to indicate that the current payload should be skipped,
39 | * and the attack will move directly to the next payload.
40 | */
41 | byte[] processPayload(
42 | byte[] currentPayload,
43 | byte[] originalPayload,
44 | byte[] baseValue);
45 | }
46 |
--------------------------------------------------------------------------------
/src/burp/IMenuItemHandler.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IMenuItemHandler.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerMenuItem() to register a custom
15 | * context menu item.
16 | *
17 | * @deprecated Use
18 | * IContextMenuFactory instead.
19 | */
20 | @Deprecated
21 | public interface IMenuItemHandler
22 | {
23 | /**
24 | * This method is invoked by Burp Suite when the user clicks on a custom
25 | * menu item which the extension has registered with Burp.
26 | *
27 | * @param menuItemCaption The caption of the menu item which was clicked.
28 | * This parameter enables extensions to provide a single implementation
29 | * which handles multiple different menu items.
30 | * @param messageInfo Details of the HTTP message(s) for which the context
31 | * menu was displayed.
32 | */
33 | void menuItemClicked(
34 | String menuItemCaption,
35 | IHttpRequestResponse[] messageInfo);
36 | }
37 |
--------------------------------------------------------------------------------
/src/burp/IMessageEditor.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IMessageEditor.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.awt.Component;
13 |
14 | /**
15 | * This interface is used to provide extensions with an instance of Burp's HTTP
16 | * message editor, for the extension to use in its own UI. Extensions should
17 | * call
18 | * IBurpExtenderCallbacks.createMessageEditor() to obtain an
19 | * instance of this interface.
20 | */
21 | public interface IMessageEditor
22 | {
23 | /**
24 | * This method returns the UI component of the editor, for extensions to add
25 | * to their own UI.
26 | *
27 | * @return The UI component of the editor.
28 | */
29 | Component getComponent();
30 |
31 | /**
32 | * This method is used to display an HTTP message in the editor.
33 | *
34 | * @param message The HTTP message to be displayed.
35 | * @param isRequest Flags whether the message is an HTTP request or
36 | * response.
37 | */
38 | void setMessage(byte[] message, boolean isRequest);
39 |
40 | /**
41 | * This method is used to retrieve the currently displayed message, which
42 | * may have been modified by the user.
43 | *
44 | * @return The currently displayed HTTP message.
45 | */
46 | byte[] getMessage();
47 |
48 | /**
49 | * This method is used to determine whether the current message has been
50 | * modified by the user.
51 | *
52 | * @return An indication of whether the current message has been modified by
53 | * the user since it was first displayed.
54 | */
55 | boolean isMessageModified();
56 |
57 | /**
58 | * This method returns the data that is currently selected by the user.
59 | *
60 | * @return The data that is currently selected by the user, or
61 | * null if no selection is made.
62 | */
63 | byte[] getSelectedData();
64 | }
65 |
--------------------------------------------------------------------------------
/src/burp/IMessageEditorController.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IMessageEditorController.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used by an
14 | * IMessageEditor to obtain details about the currently displayed
15 | * message. Extensions that create instances of Burp's HTTP message editor can
16 | * optionally provide an implementation of
17 | * IMessageEditorController, which the editor will invoke when it
18 | * requires further information about the current message (for example, to send
19 | * it to another Burp tool). Extensions that provide custom editor tabs via an
20 | * IMessageEditorTabFactory will receive a reference to an
21 | * IMessageEditorController object for each tab instance they
22 | * generate, which the tab can invoke if it requires further information about
23 | * the current message.
24 | */
25 | public interface IMessageEditorController
26 | {
27 | /**
28 | * This method is used to retrieve the HTTP service for the current message.
29 | *
30 | * @return The HTTP service for the current message.
31 | */
32 | IHttpService getHttpService();
33 |
34 | /**
35 | * This method is used to retrieve the HTTP request associated with the
36 | * current message (which may itself be a response).
37 | *
38 | * @return The HTTP request associated with the current message.
39 | */
40 | byte[] getRequest();
41 |
42 | /**
43 | * This method is used to retrieve the HTTP response associated with the
44 | * current message (which may itself be a request).
45 | *
46 | * @return The HTTP response associated with the current message.
47 | */
48 | byte[] getResponse();
49 | }
50 |
--------------------------------------------------------------------------------
/src/burp/IMessageEditorTab.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IMessageEditorTab.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.awt.Component;
13 |
14 | /**
15 | * Extensions that register an
16 | * IMessageEditorTabFactory must return instances of this
17 | * interface, which Burp will use to create custom tabs within its HTTP message
18 | * editors.
19 | */
20 | public interface IMessageEditorTab
21 | {
22 | /**
23 | * This method returns the caption that should appear on the custom tab when
24 | * it is displayed. Note: Burp invokes this method once when the tab
25 | * is first generated, and the same caption will be used every time the tab
26 | * is displayed.
27 | *
28 | * @return The caption that should appear on the custom tab when it is
29 | * displayed.
30 | */
31 | String getTabCaption();
32 |
33 | /**
34 | * This method returns the component that should be used as the contents of
35 | * the custom tab when it is displayed. Note: Burp invokes this
36 | * method once when the tab is first generated, and the same component will
37 | * be used every time the tab is displayed.
38 | *
39 | * @return The component that should be used as the contents of the custom
40 | * tab when it is displayed.
41 | */
42 | Component getUiComponent();
43 |
44 | /**
45 | * The hosting editor will invoke this method before it displays a new HTTP
46 | * message, so that the custom tab can indicate whether it should be enabled
47 | * for that message.
48 | *
49 | * @param content The message that is about to be displayed.
50 | * @param isRequest Indicates whether the message is a request or a
51 | * response.
52 | * @return The method should return
53 | * true if the custom tab is able to handle the specified
54 | * message, and so will be displayed within the editor. Otherwise, the tab
55 | * will be hidden while this message is displayed.
56 | */
57 | boolean isEnabled(byte[] content, boolean isRequest);
58 |
59 | /**
60 | * The hosting editor will invoke this method to display a new message or to
61 | * clear the existing message. This method will only be called with a new
62 | * message if the tab has already returned
63 | * true to a call to
64 | * isEnabled() with the same message details.
65 | *
66 | * @param content The message that is to be displayed, or
67 | * null if the tab should clear its contents and disable any
68 | * editable controls.
69 | * @param isRequest Indicates whether the message is a request or a
70 | * response.
71 | */
72 | void setMessage(byte[] content, boolean isRequest);
73 |
74 | /**
75 | * This method returns the currently displayed message.
76 | *
77 | * @return The currently displayed message.
78 | */
79 | byte[] getMessage();
80 |
81 | /**
82 | * This method is used to determine whether the currently displayed message
83 | * has been modified by the user. The hosting editor will always call
84 | * getMessage() before calling this method, so any pending
85 | * edits should be completed within
86 | * getMessage().
87 | *
88 | * @return The method should return
89 | * true if the user has modified the current message since it
90 | * was first displayed.
91 | */
92 | boolean isModified();
93 |
94 | /**
95 | * This method is used to retrieve the data that is currently selected by
96 | * the user.
97 | *
98 | * @return The data that is currently selected by the user. This may be
99 | * null if no selection is currently made.
100 | */
101 | byte[] getSelectedData();
102 | }
103 |
--------------------------------------------------------------------------------
/src/burp/IMessageEditorTabFactory.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IMessageEditorTabFactory.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerMessageEditorTabFactory() to
15 | * register a factory for custom message editor tabs. This allows extensions to
16 | * provide custom rendering or editing of HTTP messages, within Burp's own HTTP
17 | * editor.
18 | */
19 | public interface IMessageEditorTabFactory
20 | {
21 | /**
22 | * Burp will call this method once for each HTTP message editor, and the
23 | * factory should provide a new instance of an
24 | * IMessageEditorTab object.
25 | *
26 | * @param controller An
27 | * IMessageEditorController object, which the new tab can query
28 | * to retrieve details about the currently displayed message. This may be
29 | * null for extension-invoked message editors where the
30 | * extension has not provided an editor controller.
31 | * @param editable Indicates whether the hosting editor is editable or
32 | * read-only.
33 | * @return A new
34 | * IMessageEditorTab object for use within the message editor.
35 | */
36 | IMessageEditorTab createNewInstance(IMessageEditorController controller,
37 | boolean editable);
38 | }
39 |
--------------------------------------------------------------------------------
/src/burp/IParameter.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IParameter.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to hold details about an HTTP request parameter.
14 | */
15 | public interface IParameter
16 | {
17 | /**
18 | * Used to indicate a parameter within the URL query string.
19 | */
20 | static final byte PARAM_URL = 0;
21 | /**
22 | * Used to indicate a parameter within the message body.
23 | */
24 | static final byte PARAM_BODY = 1;
25 | /**
26 | * Used to indicate an HTTP cookie.
27 | */
28 | static final byte PARAM_COOKIE = 2;
29 | /**
30 | * Used to indicate an item of data within an XML structure.
31 | */
32 | static final byte PARAM_XML = 3;
33 | /**
34 | * Used to indicate the value of a tag attribute within an XML structure.
35 | */
36 | static final byte PARAM_XML_ATTR = 4;
37 | /**
38 | * Used to indicate the value of a parameter attribute within a multi-part
39 | * message body (such as the name of an uploaded file).
40 | */
41 | static final byte PARAM_MULTIPART_ATTR = 5;
42 | /**
43 | * Used to indicate an item of data within a JSON structure.
44 | */
45 | static final byte PARAM_JSON = 6;
46 |
47 | /**
48 | * This method is used to retrieve the parameter type.
49 | *
50 | * @return The parameter type. The available types are defined within this
51 | * interface.
52 | */
53 | byte getType();
54 |
55 | /**
56 | * This method is used to retrieve the parameter name.
57 | *
58 | * @return The parameter name.
59 | */
60 | String getName();
61 |
62 | /**
63 | * This method is used to retrieve the parameter value.
64 | *
65 | * @return The parameter value.
66 | */
67 | String getValue();
68 |
69 | /**
70 | * This method is used to retrieve the start offset of the parameter name
71 | * within the HTTP request.
72 | *
73 | * @return The start offset of the parameter name within the HTTP request,
74 | * or -1 if the parameter is not associated with a specific request.
75 | */
76 | int getNameStart();
77 |
78 | /**
79 | * This method is used to retrieve the end offset of the parameter name
80 | * within the HTTP request.
81 | *
82 | * @return The end offset of the parameter name within the HTTP request, or
83 | * -1 if the parameter is not associated with a specific request.
84 | */
85 | int getNameEnd();
86 |
87 | /**
88 | * This method is used to retrieve the start offset of the parameter value
89 | * within the HTTP request.
90 | *
91 | * @return The start offset of the parameter value within the HTTP request,
92 | * or -1 if the parameter is not associated with a specific request.
93 | */
94 | int getValueStart();
95 |
96 | /**
97 | * This method is used to retrieve the end offset of the parameter value
98 | * within the HTTP request.
99 | *
100 | * @return The end offset of the parameter value within the HTTP request, or
101 | * -1 if the parameter is not associated with a specific request.
102 | */
103 | int getValueEnd();
104 | }
105 |
--------------------------------------------------------------------------------
/src/burp/IProxyListener.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IProxyListener.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerHttpListener() to register a
15 | * Proxy listener. The listener will be notified of requests and responses being
16 | * processed by the Proxy tool. Extensions can perform custom analysis or
17 | * modification of these messages, and control in-UI message interception, by
18 | * registering a proxy listener.
19 | */
20 | public interface IProxyListener
21 | {
22 | /**
23 | * This method is invoked when an HTTP message is being processed by the
24 | * Proxy.
25 | *
26 | * @param messageIsRequest Indicates whether the HTTP message is a request
27 | * or a response.
28 | * @param message An
29 | * IInterceptedProxyMessage object that extensions can use to
30 | * query and update details of the message, and control whether the message
31 | * should be intercepted and displayed to the user for manual review or
32 | * modification.
33 | */
34 | void processProxyMessage(
35 | boolean messageIsRequest,
36 | IInterceptedProxyMessage message);
37 | }
38 |
--------------------------------------------------------------------------------
/src/burp/IRequestInfo.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IRequestInfo.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.net.URL;
13 | import java.util.List;
14 |
15 | /**
16 | * This interface is used to retrieve key details about an HTTP request.
17 | * Extensions can obtain an
18 | * IRequestInfo object for a given request by calling
19 | * IExtensionHelpers.analyzeRequest().
20 | */
21 | public interface IRequestInfo
22 | {
23 | /**
24 | * Used to indicate that there is no content.
25 | */
26 | static final byte CONTENT_TYPE_NONE = 0;
27 | /**
28 | * Used to indicate URL-encoded content.
29 | */
30 | static final byte CONTENT_TYPE_URL_ENCODED = 1;
31 | /**
32 | * Used to indicate multi-part content.
33 | */
34 | static final byte CONTENT_TYPE_MULTIPART = 2;
35 | /**
36 | * Used to indicate XML content.
37 | */
38 | static final byte CONTENT_TYPE_XML = 3;
39 | /**
40 | * Used to indicate JSON content.
41 | */
42 | static final byte CONTENT_TYPE_JSON = 4;
43 | /**
44 | * Used to indicate AMF content.
45 | */
46 | static final byte CONTENT_TYPE_AMF = 5;
47 | /**
48 | * Used to indicate unknown content.
49 | */
50 | static final byte CONTENT_TYPE_UNKNOWN = -1;
51 |
52 | /**
53 | * This method is used to obtain the HTTP method used in the request.
54 | *
55 | * @return The HTTP method used in the request.
56 | */
57 | String getMethod();
58 |
59 | /**
60 | * This method is used to obtain the URL in the request.
61 | *
62 | * @return The URL in the request.
63 | */
64 | URL getUrl();
65 |
66 | /**
67 | * This method is used to obtain the HTTP headers contained in the request.
68 | *
69 | * @return The HTTP headers contained in the request.
70 | */
71 | ListIResponseInfo object for a given response by calling
18 | * IExtensionHelpers.analyzeResponse().
19 | */
20 | public interface IResponseInfo
21 | {
22 | /**
23 | * This method is used to obtain the HTTP headers contained in the response.
24 | *
25 | * @return The HTTP headers contained in the response.
26 | */
27 | ListICookie objects representing the cookies set in the
51 | * response, if any.
52 | */
53 | ListIScannerListener or by calling
16 | * IBurpExtenderCallbacks.getScanIssues(). Extensions can also add
17 | * custom Scanner issues by registering an
18 | * IScannerCheck or calling
19 | * IBurpExtenderCallbacks.addScanIssue(), and providing their own
20 | * implementations of this interface
21 | */
22 | public interface IScanIssue
23 | {
24 | /**
25 | * This method returns the URL for which the issue was generated.
26 | *
27 | * @return The URL for which the issue was generated.
28 | */
29 | java.net.URL getUrl();
30 |
31 | /**
32 | * This method returns the name of the issue type.
33 | *
34 | * @return The name of the issue type (e.g. "SQL injection").
35 | */
36 | String getIssueName();
37 |
38 | /**
39 | * This method returns a numeric identifier of the issue type. See the Burp
40 | * Scanner help documentation for a listing of all the issue types.
41 | *
42 | * @return A numeric identifier of the issue type.
43 | */
44 | int getIssueType();
45 |
46 | /**
47 | * This method returns the issue severity level.
48 | *
49 | * @return The issue severity level. Expected values are "High", "Medium",
50 | * "Low", "Information" or "False positive".
51 | *
52 | */
53 | String getSeverity();
54 |
55 | /**
56 | * This method returns the issue confidence level.
57 | *
58 | * @return The issue confidence level. Expected values are "Certain", "Firm"
59 | * or "Tentative".
60 | */
61 | String getConfidence();
62 |
63 | /**
64 | * This method returns a background description for this type of issue.
65 | *
66 | * @return A background description for this type of issue, or
67 | * null if none applies.
68 | */
69 | String getIssueBackground();
70 |
71 | /**
72 | * This method returns a background description of the remediation for this
73 | * type of issue.
74 | *
75 | * @return A background description of the remediation for this type of
76 | * issue, or
77 | * null if none applies.
78 | */
79 | String getRemediationBackground();
80 |
81 | /**
82 | * This method returns detailed information about this specific instance of
83 | * the issue.
84 | *
85 | * @return Detailed information about this specific instance of the issue,
86 | * or
87 | * null if none applies.
88 | */
89 | String getIssueDetail();
90 |
91 | /**
92 | * This method returns detailed information about the remediation for this
93 | * specific instance of the issue.
94 | *
95 | * @return Detailed information about the remediation for this specific
96 | * instance of the issue, or
97 | * null if none applies.
98 | */
99 | String getRemediationDetail();
100 |
101 | /**
102 | * This method returns the HTTP messages on the basis of which the issue was
103 | * generated.
104 | *
105 | * @return The HTTP messages on the basis of which the issue was generated.
106 | * Note: The items in this array should be instances of
107 | * IHttpRequestResponseWithMarkers if applicable, so that
108 | * details of the relevant portions of the request and response messages are
109 | * available.
110 | */
111 | IHttpRequestResponse[] getHttpMessages();
112 |
113 | /**
114 | * This method returns the HTTP service for which the issue was generated.
115 | *
116 | * @return The HTTP service for which the issue was generated.
117 | */
118 | IHttpService getHttpService();
119 |
120 | }
121 |
--------------------------------------------------------------------------------
/src/burp/IScanQueueItem.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IScanQueueItem.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to retrieve details of items in the Burp Scanner
14 | * active scan queue. Extensions can obtain references to scan queue items by
15 | * calling
16 | * IBurpExtenderCallbacks.doActiveScan().
17 | */
18 | public interface IScanQueueItem
19 | {
20 | /**
21 | * This method returns a description of the status of the scan queue item.
22 | *
23 | * @return A description of the status of the scan queue item.
24 | */
25 | String getStatus();
26 |
27 | /**
28 | * This method returns an indication of the percentage completed for the
29 | * scan queue item.
30 | *
31 | * @return An indication of the percentage completed for the scan queue
32 | * item.
33 | */
34 | byte getPercentageComplete();
35 |
36 | /**
37 | * This method returns the number of requests that have been made for the
38 | * scan queue item.
39 | *
40 | * @return The number of requests that have been made for the scan queue
41 | * item.
42 | */
43 | int getNumRequests();
44 |
45 | /**
46 | * This method returns the number of network errors that have occurred for
47 | * the scan queue item.
48 | *
49 | * @return The number of network errors that have occurred for the scan
50 | * queue item.
51 | */
52 | int getNumErrors();
53 |
54 | /**
55 | * This method returns the number of attack insertion points being used for
56 | * the scan queue item.
57 | *
58 | * @return The number of attack insertion points being used for the scan
59 | * queue item.
60 | */
61 | int getNumInsertionPoints();
62 |
63 | /**
64 | * This method allows the scan queue item to be canceled.
65 | */
66 | void cancel();
67 |
68 | /**
69 | * This method returns details of the issues generated for the scan queue
70 | * item. Note: different items within the scan queue may contain
71 | * duplicated versions of the same issues - for example, if the same request
72 | * has been scanned multiple times. Duplicated issues are consolidated in
73 | * the main view of scan results. Extensions can register an
74 | * IScannerListener to get details only of unique, newly
75 | * discovered Scanner issues post-consolidation.
76 | *
77 | * @return Details of the issues generated for the scan queue item.
78 | */
79 | IScanIssue[] getIssues();
80 | }
81 |
--------------------------------------------------------------------------------
/src/burp/IScannerCheck.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IScannerCheck.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.util.List;
13 |
14 | /**
15 | * Extensions can implement this interface and then call
16 | * IBurpExtenderCallbacks.registerScannerCheck() to register a
17 | * custom Scanner check. When performing scanning, Burp will ask the check to
18 | * perform active or passive scanning on the base request, and report any
19 | * Scanner issues that are identified.
20 | */
21 | public interface IScannerCheck
22 | {
23 | /**
24 | * The Scanner invokes this method for each base request / response that is
25 | * passively scanned. Note: Extensions should not only analyze the
26 | * HTTP messages provided during passive scanning, and should not make any
27 | * new HTTP requests of their own.
28 | *
29 | * @param baseRequestResponse The base HTTP request / response that should
30 | * be passively scanned.
31 | * @return A list of
32 | * IScanIssue objects, or
33 | * null if no issues are identified.
34 | */
35 | ListIScannerInsertionPoint object provided to build scan
42 | * requests for particular payloads. Note: Extensions are responsible
43 | * for ensuring that attack payloads are suitably encoded within requests
44 | * (for example, by URL-encoding relevant metacharacters in the URL query
45 | * string). Encoding is not automatically carried out by the
46 | * IScannerInsertionPoint, because this would prevent Scanner
47 | * checks from testing for certain input filter bypasses. Extensions should
48 | * query the
49 | * IScannerInsertionPoint to determine its type, and apply any
50 | * encoding that may be appropriate.
51 | *
52 | * @param baseRequestResponse The base HTTP request / response that should
53 | * be actively scanned.
54 | * @param insertionPoint An
55 | * IScannerInsertionPoint object that can be queried to obtain
56 | * details of the insertion point being tested, and can be used to build
57 | * scan requests for particular payloads.
58 | * @return A list of
59 | * IScanIssue objects, or
60 | * null if no issues are identified.
61 | */
62 | List-1 to report the existing issue only,
83 | * 0 to report both issues, and
84 | * 1 to report the new issue only.
85 | */
86 | int consolidateDuplicateIssues(
87 | IScanIssue existingIssue,
88 | IScanIssue newIssue);
89 | }
90 |
--------------------------------------------------------------------------------
/src/burp/IScannerInsertionPoint.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IScannerInsertionPoint.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to define an insertion point for use by active Scanner
14 | * checks. Extensions can obtain instances of this interface by registering an
15 | * IScannerCheck, or can create instances for use by Burp's own
16 | * scan checks by registering an
17 | * IScannerInsertionPointProvider.
18 | */
19 | public interface IScannerInsertionPoint
20 | {
21 | /**
22 | * Used to indicate where the payload is inserted into the value of a URL
23 | * parameter.
24 | */
25 | static final byte INS_PARAM_URL = 0x00;
26 | /**
27 | * Used to indicate where the payload is inserted into the value of a body
28 | * parameter.
29 | */
30 | static final byte INS_PARAM_BODY = 0x01;
31 | /**
32 | * Used to indicate where the payload is inserted into the value of an HTTP
33 | * cookie.
34 | */
35 | static final byte INS_PARAM_COOKIE = 0x02;
36 | /**
37 | * Used to indicate where the payload is inserted into the value of an item
38 | * of data within an XML data structure.
39 | */
40 | static final byte INS_PARAM_XML = 0x03;
41 | /**
42 | * Used to indicate where the payload is inserted into the value of a tag
43 | * attribute within an XML structure.
44 | */
45 | static final byte INS_PARAM_XML_ATTR = 0x04;
46 | /**
47 | * Used to indicate where the payload is inserted into the value of a
48 | * parameter attribute within a multi-part message body (such as the name of
49 | * an uploaded file).
50 | */
51 | static final byte INS_PARAM_MULTIPART_ATTR = 0x05;
52 | /**
53 | * Used to indicate where the payload is inserted into the value of an item
54 | * of data within a JSON structure.
55 | */
56 | static final byte INS_PARAM_JSON = 0x06;
57 | /**
58 | * Used to indicate where the payload is inserted into the value of an AMF
59 | * parameter.
60 | */
61 | static final byte INS_PARAM_AMF = 0x07;
62 | /**
63 | * Used to indicate where the payload is inserted into the value of an HTTP
64 | * request header.
65 | */
66 | static final byte INS_HEADER = 0x20;
67 | /**
68 | * Used to indicate where the payload is inserted into a REST parameter
69 | * within the URL file path.
70 | */
71 | static final byte INS_URL_REST = 0x21;
72 | /**
73 | * Used to indicate where the payload is inserted into the name of an added
74 | * URL parameter.
75 | */
76 | static final byte INS_PARAM_NAME_URL = 0x22;
77 | /**
78 | * Used to indicate where the payload is inserted into the name of an added
79 | * body parameter.
80 | */
81 | static final byte INS_PARAM_NAME_BODY = 0x23;
82 | /**
83 | * Used to indicate where the payload is inserted at a location manually
84 | * configured by the user.
85 | */
86 | static final byte INS_USER_PROVIDED = 0x40;
87 | /**
88 | * Used to indicate where the insertion point is provided by an
89 | * extension-registered
90 | * IScannerInsertionPointProvider.
91 | */
92 | static final byte INS_EXTENSION_PROVIDED = 0x41;
93 | /**
94 | * Used to indicate where the payload is inserted at an unknown location
95 | * within the request.
96 | */
97 | static final byte INS_UNKNOWN = 0x7f;
98 |
99 | /**
100 | * This method returns the name of the insertion point.
101 | *
102 | * @return The name of the insertion point (for example, a description of a
103 | * particular request parameter).
104 | */
105 | String getInsertionPointName();
106 |
107 | /**
108 | * This method returns the base value for this insertion point.
109 | *
110 | * @return the base value that appears in this insertion point in the base
111 | * request being scanned, or
112 | * null if there is no value in the base request that
113 | * corresponds to this insertion point.
114 | */
115 | String getBaseValue();
116 |
117 | /**
118 | * This method is used to build a request with the specified payload placed
119 | * into the insertion point. Any necessary adjustments to the Content-Length
120 | * header will be made by the Scanner itself when the request is issued, and
121 | * there is no requirement for the insertion point to do this. Note:
122 | * Burp's built-in scan checks do not apply any payload encoding (such as
123 | * URL-encoding) when dealing with an extension-provided insertion point.
124 | * Custom insertion points are responsible for performing any data encoding
125 | * that is necessary given the nature and location of the insertion point.
126 | *
127 | * @param payload The payload that should be placed into the insertion
128 | * point.
129 | * @return The resulting request.
130 | */
131 | byte[] buildRequest(byte[] payload);
132 |
133 | /**
134 | * This method is used to determine the offsets of the payload value within
135 | * the request, when it is placed into the insertion point. Scan checks may
136 | * invoke this method when reporting issues, so as to highlight the relevant
137 | * part of the request within the UI.
138 | *
139 | * @param payload The payload that should be placed into the insertion
140 | * point.
141 | * @return An int[2] array containing the start and end offsets of the
142 | * payload within the request, or null if this is not applicable (for
143 | * example, where the insertion point places a payload into a serialized
144 | * data structure, the raw payload may not literally appear anywhere within
145 | * the resulting request).
146 | */
147 | int[] getPayloadOffsets(byte[] payload);
148 |
149 | /**
150 | * This method returns the type of the insertion point.
151 | *
152 | * @return The type of the insertion point. Available types are defined in
153 | * this interface.
154 | */
155 | byte getInsertionPointType();
156 | }
157 |
--------------------------------------------------------------------------------
/src/burp/IScannerInsertionPointProvider.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IScannerInsertionPointProvider.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.util.List;
13 |
14 | /**
15 | * Extensions can implement this interface and then call
16 | * IBurpExtenderCallbacks.registerScannerInsertionPointProvider()
17 | * to register a factory for custom Scanner insertion points.
18 | */
19 | public interface IScannerInsertionPointProvider
20 | {
21 | /**
22 | * When a request is actively scanned, the Scanner will invoke this method,
23 | * and the provider should provide a list of custom insertion points that
24 | * will be used in the scan. Note: these insertion points are used in
25 | * addition to those that are derived from Burp Scanner's configuration, and
26 | * those provided by any other Burp extensions.
27 | *
28 | * @param baseRequestResponse The base request that will be actively
29 | * scanned.
30 | * @return A list of
31 | * IScannerInsertionPoint objects that should be used in the
32 | * scanning, or
33 | * null if no custom insertion points are applicable for this
34 | * request.
35 | */
36 | ListIBurpExtenderCallbacks.registerScannerListener() to register a
15 | * Scanner listener. The listener will be notified of new issues that are
16 | * reported by the Scanner tool. Extensions can perform custom analysis or
17 | * logging of Scanner issues by registering a Scanner listener.
18 | */
19 | public interface IScannerListener
20 | {
21 | /**
22 | * This method is invoked when a new issue is added to Burp Scanner's
23 | * results.
24 | *
25 | * @param issue An
26 | * IScanIssue object that the extension can query to obtain
27 | * details about the new issue.
28 | */
29 | void newScanIssue(IScanIssue issue);
30 | }
31 |
--------------------------------------------------------------------------------
/src/burp/IScopeChangeListener.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)IScopeChangeListener.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerScopeChangeListener() to register
15 | * a scope change listener. The listener will be notified whenever a change
16 | * occurs to Burp's suite-wide target scope.
17 | */
18 | public interface IScopeChangeListener
19 | {
20 | /**
21 | * This method is invoked whenever a change occurs to Burp's suite-wide
22 | * target scope.
23 | */
24 | void scopeChanged();
25 | }
26 |
--------------------------------------------------------------------------------
/src/burp/ISessionHandlingAction.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)ISessionHandlingAction.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * Extensions can implement this interface and then call
14 | * IBurpExtenderCallbacks.registerSessionHandlingAction() to
15 | * register a custom session handling action. Each registered action will be
16 | * available within the session handling rule UI for the user to select as a
17 | * rule action. Users can choose to invoke an action directly in its own right,
18 | * or following execution of a macro.
19 | */
20 | public interface ISessionHandlingAction
21 | {
22 | /**
23 | * This method is used by Burp to obtain the name of the session handling
24 | * action. This will be displayed as an option within the session handling
25 | * rule editor when the user selects to execute an extension-provided
26 | * action.
27 | *
28 | * @return The name of the action.
29 | */
30 | String getActionName();
31 |
32 | /**
33 | * This method is invoked when the session handling action should be
34 | * executed. This may happen as an action in its own right, or as a
35 | * sub-action following execution of a macro.
36 | *
37 | * @param currentRequest The base request that is currently being processed.
38 | * The action can query this object to obtain details about the base
39 | * request. It can issue additional requests of its own if necessary, and
40 | * can use the setter methods on this object to update the base request.
41 | * @param macroItems If the action is invoked following execution of a
42 | * macro, this parameter contains the result of executing the macro.
43 | * Otherwise, it is
44 | * null. Actions can use the details of the macro items to
45 | * perform custom analysis of the macro to derive values of non-standard
46 | * session handling tokens, etc.
47 | */
48 | void performAction(
49 | IHttpRequestResponse currentRequest,
50 | IHttpRequestResponse[] macroItems);
51 | }
52 |
--------------------------------------------------------------------------------
/src/burp/ITab.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)ITab.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.awt.Component;
13 |
14 | /**
15 | * This interface is used to provide Burp with details of a custom tab that will
16 | * be added to Burp's UI, using a method such as
17 | * IBurpExtenderCallbacks.addSuiteTab().
18 | */
19 | public interface ITab
20 | {
21 | /**
22 | * Burp uses this method to obtain the caption that should appear on the
23 | * custom tab when it is displayed.
24 | *
25 | * @return The caption that should appear on the custom tab when it is
26 | * displayed.
27 | */
28 | String getTabCaption();
29 |
30 | /**
31 | * Burp uses this method to obtain the component that should be used as the
32 | * contents of the custom tab when it is displayed.
33 | *
34 | * @return The component that should be used as the contents of the custom
35 | * tab when it is displayed.
36 | */
37 | Component getUiComponent();
38 | }
39 |
--------------------------------------------------------------------------------
/src/burp/ITempFile.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)ITempFile.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | /**
13 | * This interface is used to hold details of a temporary file that has been
14 | * created via a call to
15 | * IBurpExtenderCallbacks.saveToTempFile().
16 | *
17 | */
18 | public interface ITempFile
19 | {
20 | /**
21 | * This method is used to retrieve the contents of the buffer that was saved
22 | * in the temporary file.
23 | *
24 | * @return The contents of the buffer that was saved in the temporary file.
25 | */
26 | byte[] getBuffer();
27 |
28 | /**
29 | * This method is used to permanently delete the temporary file when it is
30 | * no longer required.
31 | */
32 | void delete();
33 | }
34 |
--------------------------------------------------------------------------------
/src/burp/ITextEditor.java:
--------------------------------------------------------------------------------
1 | package burp;
2 |
3 | /*
4 | * @(#)ITextEditor.java
5 | *
6 | * Copyright PortSwigger Ltd. All rights reserved.
7 | *
8 | * This code may be used to extend the functionality of Burp Suite Free Edition
9 | * and Burp Suite Professional, provided that this usage does not violate the
10 | * license terms for those products.
11 | */
12 | import java.awt.Component;
13 |
14 | /**
15 | * This interface is used to provide extensions with an instance of Burp's raw
16 | * text editor, for the extension to use in its own UI. Extensions should call
17 | * IBurpExtenderCallbacks.createTextEditor() to obtain an instance
18 | * of this interface.
19 | */
20 | public interface ITextEditor
21 | {
22 | /**
23 | * This method returns the UI component of the editor, for extensions to add
24 | * to their own UI.
25 | *
26 | * @return The UI component of the editor.
27 | */
28 | Component getComponent();
29 |
30 | /**
31 | * This method is used to control whether the editor is currently editable.
32 | * This status can be toggled on and off as required.
33 | *
34 | * @param editable Indicates whether the editor should be currently
35 | * editable.
36 | */
37 | void setEditable(boolean editable);
38 |
39 | /**
40 | * This method is used to update the currently displayed text in the editor.
41 | *
42 | * @param text The text to be displayed.
43 | */
44 | void setText(byte[] text);
45 |
46 | /**
47 | * This method is used to retrieve the currently displayed text.
48 | *
49 | * @return The currently displayed text.
50 | */
51 | byte[] getText();
52 |
53 | /**
54 | * This method is used to determine whether the user has modified the
55 | * contents of the editor.
56 | *
57 | * @return An indication of whether the user has modified the contents of
58 | * the editor since the last call to
59 | * setText().
60 | */
61 | boolean isTextModified();
62 |
63 | /**
64 | * This method is used to obtain the currently selected text.
65 | *
66 | * @return The currently selected text, or
67 | * null if the user has not made any selection.
68 | */
69 | byte[] getSelectedText();
70 |
71 | /**
72 | * This method can be used to retrieve the bounds of the user's selection
73 | * into the displayed text, if applicable.
74 | *
75 | * @return An int[2] array containing the start and end offsets of the
76 | * user's selection within the displayed text. If the user has not made any
77 | * selection in the current message, both offsets indicate the position of
78 | * the caret within the editor.
79 | */
80 | int[] getSelectionBounds();
81 |
82 | /**
83 | * This method is used to update the search expression that is shown in the
84 | * search bar below the editor. The editor will automatically highlight any
85 | * regions of the displayed text that match the search expression.
86 | *
87 | * @param expression The search expression.
88 | */
89 | void setSearchExpression(String expression);
90 | }
91 |
--------------------------------------------------------------------------------