├── .gitignore ├── BappDescription.html ├── BappManifest.bmf ├── LICENSE ├── README.md ├── Screenshots ├── SME-Screenshot1.JPG └── SME-Screenshot2.JPG ├── site_map_extractor.py └── unittest links.html /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | local_settings.py 56 | 57 | # Flask stuff: 58 | instance/ 59 | .webassets-cache 60 | 61 | # Scrapy stuff: 62 | .scrapy 63 | 64 | # Sphinx documentation 65 | docs/_build/ 66 | 67 | # PyBuilder 68 | target/ 69 | 70 | # Jupyter Notebook 71 | .ipynb_checkpoints 72 | 73 | # pyenv 74 | .python-version 75 | 76 | # celery beat schedule file 77 | celerybeat-schedule 78 | 79 | # SageMath parsed files 80 | *.sage.py 81 | 82 | # dotenv 83 | .env 84 | 85 | # virtualenv 86 | .venv 87 | venv/ 88 | ENV/ 89 | 90 | # Spyder project settings 91 | .spyderproject 92 | .spyproject 93 | 94 | # Rope project settings 95 | .ropeproject 96 | 97 | # mkdocs documentation 98 | /site 99 | 100 | # mypy 101 | .mypy_cache/ 102 | -------------------------------------------------------------------------------- /BappDescription.html: -------------------------------------------------------------------------------- 1 |

This extension extracts information from the Site Map. You can use the full site map or just in-scope items. Three types of information can be extracted:

2 | 3 |

Anchor Links - Searches responses for links of the form <a href=. Note that this will include links within JavaScript and in commented out areas. The log displays the found links and the page the link was found on. You have the option to select absolute links, relative links, or both. Log data can optionally be saved to a .csv file.

4 | 5 |

Response Codes - Finds all requests that returned one of the selected response code ranges (1xx/2xx/3xx/4xx/5xx). The log displays the page requested, the referer if one was specified, the specific response code, and if the response was a redirect, where the page was redirected. The log can optionally be saved to a .csv file.

6 | 7 |

Export Site Map - Saves the site map requests and responses to a .txt file. You can specify that all requests should be exported or only those with a corresponding response. The full content of the requests and responses is saved. This enables you to write independent code to further process the site map as you wish.

8 | 9 | -------------------------------------------------------------------------------- /BappManifest.bmf: -------------------------------------------------------------------------------- 1 | Uuid: f991b67d4ef94f3c8692c3edca06583e 2 | ExtensionType: 2 3 | Name: Site Map Extractor 4 | RepoName: site-map-extractor 5 | ScreenVersion: 1.2 6 | SerialVersion: 6 7 | MinPlatformVersion: 0 8 | ProOnly: False 9 | Author: Susan Wright 10 | ShortDescription: Extracts key data from the Site Map and allows export to CSV. 11 | EntryPoint: site_map_extractor.py 12 | BuildCommand: 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 swright573 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Site Map Extractor 2 | Site Map Extractor is a (fully passive) Burp extension written in Python that extracts various information from the Site Map. Optionally you can select to search the full site map or just the in-scope items. There are 3 types of information that can be extracted. 3 | 4 | #### Extract ' site map > content will allow update. 198 | self.siteMapData = self._callbacks.getSiteMap(None) 199 | # What links should be extracted? absolute links, relative links, or both? 200 | self.destAbs = self.destRel = False 201 | if self.uiLinksAbs.isSelected(): 202 | self.destAbs = True 203 | if self.uiLinksRel.isSelected(): 204 | self.destRel = True 205 | 206 | # Start building JTable to contain the extracted data 207 | self.colNames = ('Page', 'HTTPS?', 'Link', 'Description', 'Target', 'Rel=', 'Possible vulnerabilities') 208 | self.tableData = [] 209 | for i in self.siteMapData: 210 | try: 211 | self.requestInfo = self._helpers.analyzeRequest(i) 212 | self.url = self.requestInfo.getUrl() 213 | 214 | if self.scopeOnly() and not(self._callbacks.isInScope(self.url)): 215 | continue 216 | 217 | self.urlDecode = self._helpers.urlDecode(str(self.url)) 218 | 219 | self.response = i.getResponse() 220 | if self.response == None: # if there's no response, there won't be any links :-) 221 | continue 222 | 223 | self.responseInfo = self._helpers.analyzeResponse(self.response) 224 | self.responseOffset = self.responseInfo.getBodyOffset() 225 | self.responseBody = self._helpers.bytesToString(self.response)[self.responseOffset:] 226 | 227 | keep_looking = True 228 | while keep_looking: # there may be multiple links in the response 229 | #TODO: known issue: if link does not start with end tag 295 | # This assumes that the link is correctly ended 296 | posEndTag = self.responseBody.lower().find("") 297 | self.fullLink = self.responseBody[0:posEndTag] 298 | 299 | # Looking for > at the end of the ") 302 | self.description = self.responseBody[posEndA+1:posEndTag] 303 | 304 | 305 | # Looking for a possible target that is described 306 | self.target = "" 307 | if self.responseBody.lower().find("target") < posEndA: 308 | posTarget = self.responseBody.lower().find("target") 309 | #search the end of this parameter - might be ' or " or even a space, but it should be directly after the target 310 | 311 | if self.responseBody[posTarget+7:posTarget+8] == '"': 312 | endQuote = '"' 313 | elif self.responseBody[posTarget+7:posTarget+8] == "'": 314 | endQuote = "'" 315 | else: 316 | endQuote = ">" 317 | 318 | posTargetEnd = self.responseBody[posTarget+8:posEndA].lower().find(endQuote) 319 | #TODO rework needed 320 | self.target = self.responseBody[posTarget+8:posTarget+8+posTargetEnd] 321 | 322 | self.rel = "" 323 | if self.responseBody.lower().find("rel") < posEndA: 324 | posRel = self.responseBody.lower().find("rel") 325 | #search the end of this parameter - might be ' or " or even a space, but it should be directly after the target 326 | if self.responseBody[posRel+4:posRel+5] == '"': 327 | endQuote = '"' 328 | elif self.responseBody[posRel+4:posRel+5] == "'": 329 | endQuote = "'" 330 | else: 331 | endQuote = ">" 332 | 333 | posRelEnd = self.responseBody[posRel+5:posEndA].lower().find(endQuote) 334 | 335 | self.rel = self.responseBody[posRel+5:posRel+5+posRelEnd] 336 | 337 | #Is this link vulnerable to Tabnabbing? 338 | if self.target != "" and not isRelLink: 339 | if self.rel.lower().find("noopener") == -1: 340 | self.Vulnerabilities = self.Vulnerabilities + " Tabnabbing" 341 | #if rel= is not defined, but target is, the link is still vulnerable for tabnabbing 342 | elif self.target != "" and not isRelLink: 343 | self.Vulnerabilities = self.Vulnerabilities + " Tabnabbing" 344 | 345 | 346 | if (isAbsLink and self.destAbs) or (isRelLink and self.destRel): 347 | # remove white space and extra CR/LF characters 348 | self.tableData.append([self.stripURLPort(self.urlDecode), str(self.isHttps), self.lstripWS(self.stripCRLF(self.link)), self.lstripWS(self.stripCRLF(self.description)), self.lstripWS(self.stripCRLF(self.target)), self.lstripWS(self.stripCRLF(self.rel)), self.lstripWS(self.stripCRLF(self.Vulnerabilities))]) 349 | 350 | except: 351 | print('An error occured during processing of a link [ ' + str(i) + ' ] ignored it and continued with the next.') 352 | 353 | dataModel = DefaultTableModel(self.tableData, self.colNames) 354 | self.uiLogTable = swing.JTable(dataModel) 355 | self.uiLogTable.setAutoCreateRowSorter(True); 356 | 357 | self.uiLogPane.setViewportView(self.uiLogTable) 358 | 359 | def exportCodes(self, e): 360 | self.blankLog() 361 | self.siteMapData = self._callbacks.getSiteMap(None) 362 | # response codes to be included 363 | self.rcodes = [] 364 | if self.uiRcode1xx.isSelected(): 365 | self.rcodes += '1' 366 | if self.uiRcode2xx.isSelected(): 367 | self.rcodes += '2' 368 | if self.uiRcode3xx.isSelected(): 369 | self.rcodes += '3' 370 | if self.uiRcode4xx.isSelected(): 371 | self.rcodes += '4' 372 | if self.uiRcode5xx.isSelected(): 373 | self.rcodes += '5' 374 | 375 | if '3' in self.rcodes: 376 | self.colNames = ('Request','Referer','Response Code','Redirects To') 377 | else: 378 | self.colNames = ('Request','Referer','Response Code') 379 | self.tableData = [] 380 | 381 | for i in self.siteMapData: 382 | self.requestInfo = self._helpers.analyzeRequest(i) 383 | self.url = self.requestInfo.getUrl() 384 | if self.scopeOnly() and not(self._callbacks.isInScope(self.url)): 385 | continue 386 | 387 | self.urlDecode = self._helpers.urlDecode(str(self.url)) 388 | self.response = i.getResponse() 389 | if self.response == None: 390 | continue 391 | # Get referer if there is one 392 | self.requestHeaders = self.requestInfo.getHeaders() 393 | self.referer = '' 394 | for j in self.requestHeaders: 395 | if j.startswith('Referer:'): 396 | self.fullReferer = j.split(' ')[1] 397 | # drop the querystring parameter 398 | self.referer = self.fullReferer.split('?')[0] 399 | # Get response code 400 | self.responseInfo = self._helpers.analyzeResponse(self.response) 401 | self.responseCode = self.responseInfo.getStatusCode() 402 | self.firstDigit = str(self.responseCode)[0] 403 | if self.firstDigit not in self.rcodes: 404 | continue 405 | if self.firstDigit in ['1','2','4','5']: # Return codes 1xx, 2xx, 4xx, 5xx 406 | self.tableData.append([self.stripURLPort(self.urlDecode), str(self.referer), str(self.responseCode)]) 407 | elif self.firstDigit == '3': # Return code 3xx Redirection 408 | self.requestHeaders = self.requestInfo.getHeaders() 409 | self.responseHeaders = self.responseInfo.getHeaders() 410 | for j in self.responseHeaders: 411 | if j.startswith('Location:'): 412 | self.location = j.split(' ')[1] 413 | self.tableData.append([self.stripURLPort(self.urlDecode), str(self.referer), str(self.responseCode), self.location]) 414 | 415 | dataModel = DefaultTableModel(self.tableData, self.colNames) 416 | self.uiLogTable = swing.JTable(dataModel) 417 | self.uiLogTable.setAutoCreateRowSorter(True); 418 | self.uiLogPane.setViewportView(self.uiLogTable) 419 | 420 | def exportSiteMap(self,e): 421 | self.blankLog() 422 | f, ok = self.openFile('txt', 'Text files', 'wb') 423 | if ok: 424 | # Retrieve site map data 425 | self.siteMapData = self._callbacks.getSiteMap(None) 426 | if self.uiMustHaveResponse.isSelected(): 427 | self.outputAll = False 428 | else: 429 | self.outputAll = True 430 | for i in self.siteMapData: 431 | self.myrequest = i.getRequest() #self._helpers.urlDecode(i.getRequest()) 432 | self.requestInfo = self._helpers.analyzeRequest(i) 433 | self.url = self.requestInfo.getUrl() 434 | if self.scopeOnly() and not(self._callbacks.isInScope(self.url)): 435 | continue 436 | self.myresponse = i.getResponse() #self._helpers.urlDecode(i.getResponse()) 437 | if self.myresponse != None: 438 | f.write('----- REQUEST\r\n') 439 | f.write(self.myrequest) #self._helpers.urlEncode(self.myrequest)) 440 | f.write('\n') 441 | f.write('----- RESPONSE\r\n') 442 | f.write(self.myresponse) #self._helpers.urlEncode(self.myresponse)) 443 | f.write('\n') 444 | elif not self.uiMustHaveResponse: 445 | f.write('----- REQUEST\r\n') 446 | f.write(self.myrequest) #self._helpers.urlEncode(self.myrequest)) 447 | f.write('\n') 448 | f.close() 449 | JOptionPane.showMessageDialog(self.tab,'The Site Map file was successfully written.') 450 | 451 | def savetoCsvFile(self,e): 452 | if self.tableData == []: 453 | JOptionPane.showMessageDialog(self.tab,'The log contains no data.') 454 | return 455 | f, ok = self.openFile('csv', 'CSV files', 'wb') 456 | if ok: 457 | self.writer = csv.writer(f) 458 | self.writer.writerow(list(self.colNames)) 459 | for i in self.tableData: 460 | self.writer.writerow(i) 461 | f.close() 462 | JOptionPane.showMessageDialog(self.tab,'The csv file was successfully written.') 463 | 464 | def openFile(self, fileext, filedesc, fileparm): 465 | myFilePath = '' 466 | chooseFile = JFileChooser() 467 | myFilter = FileNameExtensionFilter(filedesc,[fileext]) 468 | chooseFile.setFileFilter(myFilter) 469 | ret = chooseFile.showOpenDialog(self.tab) 470 | if ret == JFileChooser.APPROVE_OPTION: 471 | file = chooseFile.getSelectedFile() 472 | myFilePath = str(file.getCanonicalPath()).lower() 473 | if not myFilePath.endswith(fileext): 474 | myFilePath += '.' + fileext 475 | okWrite = JOptionPane.YES_OPTION 476 | if os.path.isfile(myFilePath): 477 | okWrite = JOptionPane.showConfirmDialog(self.tab,'File already exists. Ok to over-write?','',JOptionPane.YES_NO_OPTION) 478 | if okWrite == JOptionPane.NO_OPTION: 479 | return 480 | j = True 481 | while j: 482 | try: 483 | f = open(myFilePath,mode=fileparm) 484 | j = False 485 | except IOError: 486 | okWrite = JOptionPane.showConfirmDialog(self.tab,'File cannot be opened. Correct and retry?','',JOptionPane.YES_NO_OPTION) 487 | if okWrite == JOptionPane.NO_OPTION: 488 | return None, False 489 | return f, True 490 | 491 | def stripCRLF(self, link): 492 | link = link.rstrip('\r') 493 | link = link.rstrip('\n') 494 | return link 495 | 496 | def lstripWS(self, link): 497 | return link.lstrip() 498 | 499 | def stripURLPort(self, url): 500 | # Thanks to shpendk for this code(https://github.com/PortSwigger/site-map-fetcher/) 501 | return url.split(':')[0] + ':' + url.split(':')[1] + '/' + url.split(':')[2].split('/',1)[1] 502 | 503 | def blankLogTable(self): 504 | self.tableData = [] 505 | return 506 | 507 | # This function is used when program wants to clear the log. 508 | def blankLog(self): 509 | self.uiLogPane.setViewportView(None) 510 | self.blankLogTable() 511 | return 512 | 513 | # This function is used when the user clicks the Clear Log button. 514 | def clearLog(self, e): 515 | self.uiLogPane.setViewportView(None) 516 | self.blankLogTable() 517 | return 518 | 519 | -------------------------------------------------------------------------------- /unittest links.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Testcases for Site Map Extractor

4 | Last tested with:
5 | - Burp Suite Pro 2.1.07
6 | - Jython 2.7.1
7 |
8 | How to test?
9 | Put this file on a webserver and request it (make sure you get a 200, not cache) using a browser with Burp as proxy.
10 | Open the Site Map Extractor Extension, set it to full site map and hit 'run'.
11 | Re-test? Delete the request 'item' from the Proxy > HTTP History first.
12 |
13 |
14 | 15 | == http cases with double quotes === 16 | 17 | Case 1A: " with http 18 | 1A 19 | 20 | Case 1B: " with http and target blank 21 | 1B 22 | 23 | Case 1C: " with http and target _blank with rel="nofollow" 24 | 1C 25 | 26 | Case 1D: " with http and target _blank with rel="nofollow noreferrer" 27 | 1D 28 | 29 | Case 1E: " with http and target _blank with rel="nofollow noreferrer" 30 | 1E 31 | 32 | == https cases with double quotes === 33 | 34 | Case 2A: " with https 35 | 2A 36 | 37 | Case 2B: " with https and target blank 38 | 2B 39 | 40 | Case 2C: " with https and target _blank with rel="nofollow" 41 | 2C 42 | 43 | Case 2D: " with https and target _blank with rel="nofollow noreferrer" 44 | 2D 45 | 46 | Case 2E: " with https and target _blank with rel="nofollow noreferrer noopener" 47 | 2E 48 | 49 | 50 | == https cases with double quotes to other domain=== 51 | 52 | Case 3A: " with https to other domain 53 | 3A 54 | 55 | Case 3B: " with https and target blank to other domain 56 | 3B 57 | 58 | Case 3C: " with https and target _blank with rel="nofollow" to other domain 59 | 3C 60 | 61 | Case 3D: " with https and target _blank with rel="nofollow noreferrer" to other domain 62 | 3D 63 | 64 | 65 | 66 | == http cases with single quotes === 67 | 68 | Case 4A: ' with http 69 | 4A 70 | 71 | Case 4B: ' with http and target blank 72 | 4B 73 | 74 | Case 4C: ' with http and target _blank with rel='nofollow' 75 | 4C 76 | 77 | Case 4D: ' with http and target _blank with rel='nofollow noreferrer' 78 | 4D 79 | 80 | == https cases with double quotes === 81 | 82 | Case 5A: ' with https 83 | 5A 84 | 85 | Case 5B: ' with https and target blank 86 | 5B 87 | 88 | Case 5C: ' with https and target _blank with rel='nofollow' 89 | 5C 90 | 91 | Case 5D: ' with https and target _blank with rel='nofollow noreferrer' 92 | 5D 93 | 94 | == https cases with double quotes to other domain=== 95 | 96 | Case 6A: ' with https to other domain 97 | 6A 98 | 99 | Case 6B: ' with https and target blank to other domain 100 | 6B 101 | 102 | Case 6C: ' with https and target _blank with rel='nofollow' to other domain 103 | 6C 104 | 105 | Case 6D: ' with https and target _blank with rel='nofollow noreferrer' to other domain 106 | 6D 107 | 108 | == relative cases with single quotes === 109 | 110 | Case 7A: ' with relative 111 | 7A 112 | 113 | Case 7B: ' with http and target blank 114 | 7B 115 | 116 | Case 7C: ' with http and target _blank with rel='nofollow' 117 | 7C 118 | 119 | Case 7D: ' with http and target _blank with rel='nofollow noreferrer' 120 | 7D 121 | 122 | == relative cases with double quotes === 123 | 124 | Case 8A: ' with relative 125 | 8A 126 | 127 | Case 8B: ' with https and target blank 128 | 8B 129 | 130 | Case 8C: ' with https and target _blank with rel='nofollow' 131 | 8C 132 | 133 | Case 8D: ' with https and target _blank with rel='nofollow noreferrer' 134 | 8D 135 | 136 | 137 | == Some troublemakers ;) 138 | 139 | 10A 140 | 141 | 10B 142 | 143 | 10C 144 | 145 | 10D 146 | 147 | 10E 148 | 149 | 10F 150 | 151 | 10G 152 | 153 | 154 | 10H 155 | 156 | 10I 157 | 158 | 10J: Exact case yet unknown, but happens sometimes with unicode, add when known 159 | 160 | 161 | --------------------------------------------------------------------------------