├── README.md ├── bypasswaf.jar ├── bypasswaf.py └── src └── burp ├── BurpExtender.java ├── IBurpExtender.java ├── IBurpExtenderCallbacks.java ├── IContextMenuFactory.java ├── IContextMenuInvocation.java ├── ICookie.java ├── IExtensionHelpers.java ├── IExtensionStateListener.java ├── IHttpListener.java ├── IHttpRequestResponse.java ├── IHttpRequestResponsePersisted.java ├── IHttpRequestResponseWithMarkers.java ├── IHttpService.java ├── IInterceptedProxyMessage.java ├── IIntruderAttack.java ├── IIntruderPayloadGenerator.java ├── IIntruderPayloadGeneratorFactory.java ├── IIntruderPayloadProcessor.java ├── IMenuItemHandler.java ├── IMessageEditor.java ├── IMessageEditorController.java ├── IMessageEditorTab.java ├── IMessageEditorTabFactory.java ├── IParameter.java ├── IProxyListener.java ├── IRequestInfo.java ├── IResponseInfo.java ├── IScanIssue.java ├── IScanQueueItem.java ├── IScannerCheck.java ├── IScannerInsertionPoint.java ├── IScannerInsertionPointProvider.java ├── IScannerListener.java ├── IScopeChangeListener.java ├── ISessionHandlingAction.java ├── ITab.java ├── ITempFile.java └── ITextEditor.java /README.md: -------------------------------------------------------------------------------- 1 | bypasswaf 2 | ========= 3 | 4 | Add headers to all Burp requests to bypass some WAF products. This extension will automatically add the following headers to all requests. 5 | 6 | 
 7 |   X-Originating-IP: 127.0.0.1
 8 |   X-Forwarded-For: 127.0.0.1
 9 |   X-Remote-IP: 127.0.0.1
10 |   X-Remote-Addr: 127.0.0.1
11 |   X-Client-IP: 127.0.0.1
12 |
13 | 14 | 15 | Usage 16 | ===== 17 | 18 | Steps include: 19 |
    20 |
  1. Add extension to burp
    2. 21 |
  2. Create a session handling rule in Burp that invokes this extension
    3. 22 |
  3. Modify the scope to include applicable tools and URLs
    4. 23 |
  4. Configure the bypass options on the "Bypass WAF" tab
    5. 24 |
  5. Test away
    6. 25 |
26 | 27 | More information can be found at: https://www.codewatch.org/blog/?p=408 28 | 29 | 30 | Features 31 | ======== 32 | 33 | All of the features are based on Jason Haddix's work found here, and Ivan Ristic's WAF bypass work found here and here. 34 | 35 | Bypass WAF contains the following features: 36 | 37 | 38 | 39 | A description of each feature follows: 40 |
    41 |
  1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique i the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
    2. 42 |
  2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or by modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types, this feature targets that weakness.
    3. 43 |
  3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
    4. 44 |
  4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
    5. 45 |
  5. The path injection feature can leave a request unmodified, inject random path info information (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?resetofquery). This can be used to bypass poorly written rules that rely on path information.
    6. 46 |
  6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
    7. 47 |
  7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
    8. 48 |
  8. The "Set Configuration" button activates all the settings that you have chosen.
    9. 49 |
50 | 51 | All of these features can be combined to provide multiple bypass options. 52 | 53 | 54 | Future 55 | ====== 56 | 57 | I intend to add the following features, at a minimum, to future versions: 58 |
    59 |
  1. HTTP Parameter Pollution - Automatically perform HPP attacks on GET/POST parameters.
    2. 60 |
  2. HTTP Requests Smuggling - Automatically perform an HTTP request smuggling attack on each request where a dummy request is added to the beginning and the real (smuggled) request is added at the end.
    3. 61 |
62 | 63 | I have been adding features rapidly and it is very possible that the above will be in the code by the time anyone actually reads this. 64 | 65 | 66 | Note 67 | ===== 68 | 69 | I am not maintaining the Python version. 70 | -------------------------------------------------------------------------------- /bypasswaf.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewatchorg/bypasswaf/496c24f47df9e89bb87c67522f5d2df6ac8904c3/bypasswaf.jar -------------------------------------------------------------------------------- /bypasswaf.py: -------------------------------------------------------------------------------- 1 | from burp import IBurpExtender 2 | """ 3 | Name: Bypass WAF 4 | Version: 0.0.1 5 | Date: 11/16/2014 6 | Author: Josh Berry - josh.berry@codewatch.org 7 | Github: https://github.com/codewatchorg/bypasswaf 8 | 9 | Description: This plugin adds headers useful for bypassing some WAF devices when added to a Burp Session Handling rule. 10 | 11 | This plugin was inspired by the Bypassing web application firewalls using HTTP headers found here: 12 | http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366#.VGlMR-90wsd 13 | 14 | This article by Fishnet was used to help understand how to build the plugin: 15 | https://www.fishnetsecurity.com/6labs/blog/automatically-adding-new-header-burp 16 | 17 | """ 18 | 19 | from burp import ISessionHandlingAction 20 | from burp import IParameter 21 | 22 | class BurpExtender(IBurpExtender, ISessionHandlingAction): 23 | 24 | def registerExtenderCallbacks(self, callbacks): 25 | self._callbacks = callbacks 26 | self._helpers = callbacks.getHelpers() 27 | callbacks.setExtensionName("Bypass WAF") 28 | callbacks.registerSessionHandlingAction(self) 29 | return 30 | 31 | def performAction(self, currentRequest, macroItems): 32 | requestInfo = self._helpers.analyzeRequest(currentRequest) 33 | headers = requestInfo.getHeaders() 34 | reqBody = currentRequest.getRequest()[requestInfo.getBodyOffset():] 35 | 36 | # WAF Bypass IP 37 | bypassip = '127.0.0.1' 38 | 39 | # Add WAF Bypass headers 40 | headers.add('x-originating-IP: '+bypassip) 41 | headers.add('x-forwarded-for: '+bypassip) 42 | headers.add('x-remote-IP: '+bypassip) 43 | headers.add('x-remote-addr: '+bypassip) 44 | 45 | # Build request with bypass headers 46 | message = self._helpers.buildHttpMessage(headers, reqBody) 47 | 48 | # Update Request with New Header 49 | currentRequest.setRequest(message) 50 | return 51 | -------------------------------------------------------------------------------- /src/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Name: Bypass WAF 3 | * Version: 0.2.3 4 | * Date: 11/16/2014 5 | * Author: Josh Berry - josh.berry@codewatch.org 6 | * Github: https://github.com/codewatchorg/bypasswaf 7 | * 8 | * Description: This plugin adds headers useful for bypassing some WAF devices when added to a Burp Session Handling rule. 9 | * 10 | * This plugin was inspired by the Bypassing web application firewalls using HTTP headers found here: 11 | * http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366#.VGlMR-90wsd 12 | * 13 | * This article by Fishnet was used to help understand how to build the plugin: 14 | * https://www.fishnetsecurity.com/6labs/blog/automatically-adding-new-header-burp 15 | * 16 | * Other bypass techinques have largely been derived from Ivan Ristic's work: 17 | * https://media.blackhat.com/bh-us-12/Briefings/Ristic/BH_US_12_Ristic_Protocol_Level_WP.pdf 18 | * https://media.blackhat.com/bh-us-12/Briefings/Ristic/BH_US_12_Ristic_Protocol_Level_Slides.pdf 19 | * https://github.com/ironbee/waf-research 20 | */ 21 | 22 | package burp; 23 | 24 | import java.util.List; 25 | import java.awt.Component; 26 | import javax.swing.JPanel; 27 | import javax.swing.JLabel; 28 | import javax.swing.JTextField; 29 | import javax.swing.JButton; 30 | import javax.swing.JComboBox; 31 | import javax.swing.JCheckBox; 32 | import java.awt.event.ActionEvent; 33 | import java.awt.event.ActionListener; 34 | import java.io.PrintWriter; 35 | import java.util.Arrays; 36 | import java.util.ArrayList; 37 | import java.util.HashMap; 38 | import java.util.Random; 39 | import java.net.URLDecoder; 40 | 41 | public class BurpExtender implements IBurpExtender, ISessionHandlingAction, ITab { 42 | 43 | public IBurpExtenderCallbacks extCallbacks; 44 | public IExtensionHelpers extHelpers; 45 | public JPanel bwafPanel; 46 | private static final String bypassWafVersion = "0.2.3"; 47 | private PrintWriter printOut; 48 | private String bypassIP = "127.0.0.1"; 49 | private String contentTypeBypass = "Keep"; 50 | private String hostNameBypass = "DefaultHostname"; 51 | private String pathInfoBypass = "NoPathInfo"; 52 | private String pathObfuscationBypass = "NoObfuscation"; 53 | private String paramObfuscationBypass = "None"; 54 | private String bypassRequestType = "All"; 55 | private String charEncoding = "None"; 56 | private String spaceEncoding = "None"; 57 | private String spacePayload = "None"; 58 | private Integer bypassHpp = 0; 59 | private Integer defaultSizeValue = 100; 60 | private String bypassHppLocation = "First"; 61 | private String defaultHttpVersion = "HTTP/1.1"; 62 | private String defaultPathParam = ""; 63 | private String defaultPathValue = ""; 64 | private String defaultHppValue = "1"; 65 | private final List bwafHeaders = Arrays.asList("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr", "X-Client-IP"); 66 | private final List bwafPathInfo = Arrays.asList("NoPathInfo", "PathInfoInjection", "PathParametersInjection"); 67 | private final List bwafHeaderInit = Arrays.asList( 0, 0, 0, 0, 0 ); 68 | private final HashMap bwafCharEncodings = new HashMap(); 69 | private final HashMap bwafQueryEncodings = new HashMap(); 70 | private final HashMap bwafSpacePayloads = new HashMap(); 71 | private final List bwafCharEncodeTypes = Arrays.asList("None", "URL", "%u", "Double URL", "Double Double URL", "Double %u"); 72 | private final List bwafQueryEncodeTypes = Arrays.asList("None", "URL", "%u", "Double URL", "Double Double", "Double %u", "Hex"); 73 | private final List bwafSpaceTypes = Arrays.asList("Null", "Tab", "NL", "CR", "VTab", "NB"); 74 | private final List bwafRequestTypes = Arrays.asList("All", "GET", "POST"); 75 | private final List bwafParamObfuscation = Arrays.asList("None", "+", "%", "%20", "%00"); 76 | private final List bwafHppLocation = Arrays.asList("First", "Last"); 77 | private final List bwafPathInfoSize = new ArrayList(); 78 | private final List bwafPathObfuscSize = new ArrayList(); 79 | private final List bwafPathObfuscation = Arrays.asList( 80 | "NoObfuscation", 81 | "//", 82 | "/./", 83 | "/random/../", 84 | "\\", 85 | "/.//", 86 | "/./\\", 87 | "/.\\", 88 | "/random/..//", 89 | "/random/.././/", 90 | "/random/.././\\", 91 | "/random/../.\\", 92 | "%2f%2f", 93 | "%2f.%2f", 94 | "%2frandom%2f..%2f", 95 | "%5c", 96 | "%2f.%2f%2f", 97 | "%2f.%2f\\", 98 | "%2f.\\", 99 | "%2f.%5c", 100 | "%2f.%2f%5c", 101 | "%2frandom%2f..%2f%2f", 102 | "%2frandom%2f..%2f.%2f%2f", 103 | "%2frandom%2f..%2f.%2f%5c", 104 | "%2frandom%2f..%2f.%5c", 105 | "%252f%252f", 106 | "%252f.%252f", 107 | "%252frandom%252f..%252f", 108 | "%255c", 109 | "%252f.%252f%252f", 110 | "%252f.%252f\\", 111 | "%252f.\\", 112 | "%252f.%255c", 113 | "%252f.%252f%255c", 114 | "%252frandom%252f..%252f%252f", 115 | "%252frandom%252f..%252f.%252f%252f", 116 | "%252frandom%252f..%252f.%252f%255c", 117 | "%252frandom%252f..%252f.%255c", 118 | "%u002f%u002f", 119 | "%u002f.%u002f", 120 | "%u002frandom%u002f..%u002f", 121 | "%u005c", 122 | "%u002f.%u002f%u002f", 123 | "%u002f.%u002f\\", 124 | "%u002f.\\", 125 | "%u002f.%u005c", 126 | "%u002f.%u002f%u005c", 127 | "%u002frandom%u002f..%u002f%u002f", 128 | "%u002frandom%u002f..%u002f.%u002f%u002f", 129 | "%u002frandom%u002f..%u002f.%u002f%u005c", 130 | "%u002frandom%u002f..%u002f.%u005c", 131 | "%002f%002f", 132 | "%002f.%002f", 133 | "%002frandom%002f..%002f", 134 | "%005c", 135 | "%002f.%002f%002f", 136 | "%002f.%002f\\", 137 | "%002f.\\", 138 | "%002f.%005c", 139 | "%002f.%002f%005c", 140 | "%002frandom%002f..%002f%002f", 141 | "%002frandom%002f..%002f.%002f%002f", 142 | "%002frandom%002f..%002f.%002f%005c", 143 | "%002frandom%002f..%002f.%005c" 144 | ); 145 | 146 | private final List bwafCTHeaders = Arrays.asList( 147 | "Keep", 148 | "Remove", 149 | "invalid", 150 | "example", 151 | "multipart/", 152 | "multipart/digest", 153 | "multipart/digest; boundary=0000", 154 | "multipart/; boundary=0000", 155 | "multipart/fake", 156 | "multipart/fake; boundary=0000", 157 | "multipart/mixed", 158 | "multipart/mixed; boundary=0000", 159 | "multipart/alternative", 160 | "multipart/alternative; boundary=0000", 161 | "multipart/related", 162 | "multipart/related; boundary=0000", 163 | "multipart/form-data", 164 | "multipart/form-data; boundary=0000", 165 | "multipart/form-data ; boundary=0000", 166 | "multipart/form-data, boundary=0000", 167 | "multipart/form-data boundary=0000", 168 | "multipart/form-data; boundary=\"0000\"", 169 | "multipart/form-data; boundary=0000'", 170 | "multipart/form-data; boundary911=0000", 171 | "multipart/form-data; boundary =0000", 172 | "multipart/form-data; boundary= 0000", 173 | "multipart/form-data; boundary=0000 1111", 174 | "multipart/form-data; boundary=0000,1111", 175 | "multipart/form-data; boundary=0000 boundary=1111", 176 | "multipart/form-data; boundary=0000, boundary=1111", 177 | "multipart/form-data; boundary=0000; boundary=1111", 178 | "multipart/fake; boundary=0000", 179 | "multipart/fake ; boundary=0000", 180 | "multipart/fake, boundary=0000", 181 | "multipart/fake; boundary=\"0000\"", 182 | "multipart/fake; boundary=0000'", 183 | "multipart/fake boundary=0000", 184 | "multipart/form-data-rand; boundary=0000", 185 | "multipart/form-data-rand boundary=0000", 186 | "multipart/form-data-rand ; boundary=0000", 187 | "multipart/form-data-rand, boundary=0000", 188 | "multipart/form-data-rand; boundary=\"0000\"", 189 | "multipart/form-data-rand; boundary=0000'", 190 | "multipart/signed", 191 | "multipart/signed; boundary=0000", 192 | "multipart/encrypted", 193 | "multipart/encrypted; boundary=0000", 194 | "multipart/example", 195 | "multipart/example; boundary=0000", 196 | "text/cmd", 197 | "text/css", 198 | "text/csv", 199 | "text/example", 200 | "text/fake", 201 | "text/html", 202 | "text/javascript", 203 | "text/plain", 204 | "text/rtf", 205 | "text/vnd.abc", 206 | "text/xml", 207 | "text/x-gwt-rpc", 208 | "text/x-jquery-tmpl", 209 | "text/x-markdown", 210 | "application/example", 211 | "application/fake", 212 | "application/ecmascript", 213 | "application/json", 214 | "application/javascript", 215 | "application/xml", 216 | "application/x-javascript", 217 | "application/x-latex", 218 | "application/x-www-form-urlencoded", 219 | "application/x-www-form-urlencoded-rand" 220 | ); 221 | 222 | /* Create random values for obfuscation functions */ 223 | public String setRand(int sz) { 224 | char[] randChars = "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray(); 225 | StringBuilder randString = new StringBuilder(); 226 | Random random = new Random(); 227 | 228 | for (int i = 0; i <= sz; i++) { 229 | char c = randChars[random.nextInt(randChars.length)]; 230 | randString.append(c); 231 | } 232 | 233 | return randString.toString(); 234 | } 235 | 236 | @Override 237 | public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { 238 | extCallbacks = callbacks; 239 | extHelpers = extCallbacks.getHelpers(); 240 | extCallbacks.setExtensionName("Bypass WAF"); 241 | extCallbacks.registerSessionHandlingAction(this); 242 | 243 | /* Initialize encodings for URL character */ 244 | bwafCharEncodings.put("None", "None"); 245 | bwafCharEncodings.put("URL", "%"); 246 | bwafCharEncodings.put("%u", "%u00"); 247 | bwafCharEncodings.put("Double URL", "%25"); 248 | bwafCharEncodings.put("Double Double URL", "%25%"); 249 | bwafCharEncodings.put("Double %u", "%u0025%u00"); 250 | 251 | /* Initialize encodings for spaces in query parameters */ 252 | bwafQueryEncodings.put("None", "None"); 253 | bwafQueryEncodings.put("URL", "%"); 254 | bwafQueryEncodings.put("%u", "%u00"); 255 | bwafQueryEncodings.put("Double URL", "%25"); 256 | bwafQueryEncodings.put("Double Double", "%25%"); 257 | bwafQueryEncodings.put("Double %u", "%u0025%u00"); 258 | bwafQueryEncodings.put("Hex", "\\x"); 259 | 260 | /* Initialize space types */ 261 | bwafSpacePayloads.put("Null", "00"); 262 | bwafSpacePayloads.put("Tab", "09"); 263 | bwafSpacePayloads.put("NL", "0A"); 264 | bwafSpacePayloads.put("CR", "0D"); 265 | bwafSpacePayloads.put("VTab", "0B"); 266 | bwafSpacePayloads.put("NB", "A0"); 267 | 268 | /* Intialize size arrays */ 269 | for (int sz = 1; sz <= defaultSizeValue; sz++) { 270 | bwafPathInfoSize.add(String.valueOf(sz)); 271 | bwafPathObfuscSize.add(String.valueOf(sz)); 272 | } 273 | 274 | /* Create a tab to configure header values */ 275 | bwafPanel = new JPanel(null); 276 | JLabel bwafIPLabel = new JLabel(); 277 | JLabel bwafIPDescLabel = new JLabel(); 278 | JLabel bwafCTLabel = new JLabel(); 279 | JLabel bwafCTDescLabel = new JLabel(); 280 | JLabel bwafHostLabel = new JLabel(); 281 | JLabel bwafHostDescLabel = new JLabel(); 282 | JLabel bwafReqTypesLabel = new JLabel(); 283 | JLabel bwafReqTypesDescLabel = new JLabel(); 284 | JLabel bwafPathInfoLabel = new JLabel(); 285 | JLabel bwafPathInfoDescLabel = new JLabel(); 286 | JLabel bwafPathInfoSizeLabel = new JLabel(); 287 | JLabel bwafPathObfuscLabel = new JLabel(); 288 | JLabel bwafPathObfuscDescLabel = new JLabel(); 289 | JLabel bwafPathObfuscSizeLabel = new JLabel(); 290 | JLabel bwafSetHeaderDescLabel = new JLabel(); 291 | JLabel bwafParamObfuscLabel = new JLabel(); 292 | JLabel bwafParamObfuscDescLabel = new JLabel(); 293 | JLabel bwafHppCheckLabel = new JLabel(); 294 | JLabel bwafHppCheckDescLabel = new JLabel(); 295 | JLabel bwafHppLocationLabel = new JLabel(); 296 | JLabel bwafCharEncodeLabel = new JLabel(); 297 | JLabel bwafCharEncodeDescLabel = new JLabel(); 298 | JLabel bwafQueryEncodeLabel = new JLabel(); 299 | JLabel bwafQueryEncodeDescLabel = new JLabel(); 300 | JLabel bwafSpacePayloadLabel = new JLabel(); 301 | JLabel bwafHppValueLabel = new JLabel(); 302 | final JComboBox bwafCTCbx = new JComboBox(bwafCTHeaders.toArray()); 303 | final JComboBox bwafPathInfoCbx = new JComboBox(bwafPathInfo.toArray()); 304 | final JComboBox bwafPathInfoSizeCbx = new JComboBox(bwafPathInfoSize.toArray()); 305 | final JComboBox bwafPathObfuscCbx = new JComboBox(bwafPathObfuscation.toArray()); 306 | final JComboBox bwafPathObfuscSizeCbx = new JComboBox(bwafPathObfuscSize.toArray()); 307 | final JComboBox bwafReqTypesCbx = new JComboBox(bwafRequestTypes.toArray()); 308 | final JComboBox bwafParamObfuscCbx = new JComboBox(bwafParamObfuscation.toArray()); 309 | final JComboBox bwafHppLocationCbx = new JComboBox(bwafHppLocation.toArray()); 310 | final JComboBox bwafCharEncodeCbx = new JComboBox(bwafCharEncodeTypes.toArray()); 311 | final JComboBox bwafQueryEncodeCbx = new JComboBox(bwafQueryEncodeTypes.toArray()); 312 | final JComboBox bwafSpacePayloadCbx = new JComboBox(bwafSpaceTypes.toArray()); 313 | final JCheckBox bwafHppCheck = new JCheckBox("HPP"); 314 | final JTextField bwafIPText = new JTextField(); 315 | final JTextField bwafHostText = new JTextField(); 316 | final JTextField bwafHppValueText = new JTextField(); 317 | JButton bwafSetHeaderBtn = new JButton("Set Configuration"); 318 | printOut = new PrintWriter(extCallbacks.getStdout(), true); 319 | printHeader(); 320 | 321 | /* Set values for labels, panels, locations, etc */ 322 | bwafIPLabel.setText("Header IP:"); 323 | bwafIPDescLabel.setText("Set IP for X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr, and X-Client-IP headers."); 324 | bwafIPLabel.setBounds(16, 15, 75, 20); 325 | bwafIPText.setBounds(146, 12, 310, 26); 326 | bwafIPDescLabel.setBounds(606, 15, 600, 20); 327 | 328 | /* Set Content-Type headers */ 329 | bwafCTLabel.setText("Content-Type:"); 330 | bwafCTDescLabel.setText("Keep current Content-Type, remove it, or replace with one of these values."); 331 | bwafCTLabel.setBounds(16, 50, 85, 20); 332 | bwafCTCbx.setBounds(146, 47, 310, 26); 333 | bwafCTDescLabel.setBounds(606, 50, 600, 20); 334 | 335 | /* Set host header */ 336 | bwafHostLabel.setText("Host Header:"); 337 | bwafHostDescLabel.setText("Modify what is sent in the Host header."); 338 | bwafHostLabel.setBounds(16, 85, 85, 20); 339 | bwafHostText.setBounds(146, 82, 310, 26); 340 | bwafHostDescLabel.setBounds(606, 85, 600, 20); 341 | 342 | /* Configure to path info and other certain request methods or all */ 343 | bwafReqTypesLabel.setText("Request Method:"); 344 | bwafReqTypesDescLabel.setText("Configure options below for all request methods, GET only, or POST only."); 345 | bwafReqTypesLabel.setBounds(16, 120, 115, 20); 346 | bwafReqTypesCbx.setBounds(146, 117, 310, 26); 347 | bwafReqTypesDescLabel.setBounds(606, 120, 600, 20); 348 | 349 | /* Set path info or parameters */ 350 | bwafPathInfoLabel.setText("Path Info:"); 351 | bwafPathInfoDescLabel.setText("Do nothing, add random path info at end of URL, or add random path parameters at end of URL. Set the size of the random data."); 352 | bwafPathInfoLabel.setBounds(16, 155, 115, 20); 353 | bwafPathInfoCbx.setBounds(146, 152, 310, 26); 354 | bwafPathInfoSizeLabel.setText("Size:"); 355 | bwafPathInfoSizeLabel.setBounds(476, 155, 40, 20); 356 | bwafPathInfoSizeCbx.setBounds(526, 152, 60, 26); 357 | bwafPathInfoDescLabel.setBounds(606, 155, 800, 20); 358 | 359 | /* Set last / to a new value */ 360 | bwafPathObfuscLabel.setText("Path Obfuscation:"); 361 | bwafPathObfuscDescLabel.setText("Do nothing or replace the last / in the request with one of these values. Set the size of the random value where applicable."); 362 | bwafPathObfuscLabel.setBounds(16, 190, 115, 20); 363 | bwafPathObfuscCbx.setBounds(146, 187, 310, 26); 364 | bwafPathObfuscSizeLabel.setText("Size:"); 365 | bwafPathObfuscSizeLabel.setBounds(476, 190, 40, 20); 366 | bwafPathObfuscSizeCbx.setBounds(526, 187, 60, 26); 367 | bwafPathObfuscDescLabel.setBounds(606, 190, 850, 20); 368 | 369 | /* Add character to beginning of every parameter */ 370 | bwafParamObfuscLabel.setText("Param Obfuscation:"); 371 | bwafParamObfuscDescLabel.setText("Add the following character to the beginning of every parameter name."); 372 | bwafParamObfuscLabel.setBounds(16, 225, 115, 20); 373 | bwafParamObfuscCbx.setBounds(146, 222, 310, 26); 374 | bwafParamObfuscDescLabel.setBounds(606, 225, 600, 20); 375 | 376 | /* HTTP Parameter Pollution check */ 377 | bwafHppCheckLabel.setText("HPP:"); 378 | bwafHppCheckLabel.setBounds(16, 260, 115, 20); 379 | bwafHppCheck.setBounds(146, 257, 50, 26); 380 | bwafHppLocationLabel.setText("Place:"); 381 | bwafHppLocationLabel.setBounds(256, 260, 40, 20); 382 | bwafHppLocationCbx.setBounds(316, 257, 140, 26); 383 | bwafHppValueLabel.setText("Value:"); 384 | bwafHppValueLabel.setBounds(476, 260, 40, 20); 385 | bwafHppValueText.setBounds(526, 257, 60, 26); 386 | bwafHppCheckDescLabel.setText("Perform HPP, keeping the original payload in either the First/Last (duplicate) parameter value, replace the other value with a 1 or chosen value."); 387 | bwafHppCheckDescLabel.setBounds(606, 260, 850, 20); 388 | 389 | /* Character encoding obfuscation */ 390 | bwafCharEncodeLabel.setText("Character Encodings:"); 391 | bwafCharEncodeDescLabel.setText("Encode a single character in the URL with the selected encoding type."); 392 | bwafCharEncodeLabel.setBounds(16, 295, 140, 20); 393 | bwafCharEncodeCbx.setBounds(146, 292, 310, 26); 394 | bwafCharEncodeDescLabel.setBounds(606, 295, 600, 20); 395 | 396 | /* Query space encoding obfuscation */ 397 | bwafQueryEncodeLabel.setText("Space Encodings:"); 398 | bwafQueryEncodeDescLabel.setText("Encode spaces in query parameters with misinterpreted values (nulls, tabs, new lines, carriage returns, vert tabs, and non-breaking spaces)."); 399 | bwafQueryEncodeLabel.setBounds(16, 330, 140, 20); 400 | bwafQueryEncodeCbx.setBounds(146, 327, 115, 26); 401 | bwafSpacePayloadLabel.setText("Type:"); 402 | bwafSpacePayloadLabel.setBounds(286, 330, 45, 20); 403 | bwafSpacePayloadCbx.setBounds(341, 327, 115, 26); 404 | bwafQueryEncodeDescLabel.setBounds(606, 330, 850, 20); 405 | 406 | /* Create button for setting options */ 407 | bwafSetHeaderDescLabel.setText("Enable the WAF bypass configuration."); 408 | bwafSetHeaderDescLabel.setBounds(606, 365, 600, 20); 409 | bwafSetHeaderBtn.setBounds(146, 363, 310, 20); 410 | bwafSetHeaderBtn.addActionListener(new ActionListener() { 411 | public void actionPerformed(ActionEvent e) { 412 | bypassIP = bwafIPText.getText(); 413 | hostNameBypass = bwafHostText.getText(); 414 | contentTypeBypass = (String)bwafCTCbx.getSelectedItem(); 415 | pathInfoBypass = (String)bwafPathInfoCbx.getSelectedItem(); 416 | pathObfuscationBypass = (String)bwafPathObfuscCbx.getSelectedItem(); 417 | paramObfuscationBypass = (String)bwafParamObfuscCbx.getSelectedItem(); 418 | bypassRequestType = (String)bwafReqTypesCbx.getSelectedItem(); 419 | bypassHppLocation = (String)bwafHppLocationCbx.getSelectedItem(); 420 | bwafCTCbx.setSelectedIndex(bwafCTCbx.getSelectedIndex()); 421 | bwafPathInfoCbx.setSelectedIndex(bwafPathInfoCbx.getSelectedIndex()); 422 | bwafPathObfuscCbx.setSelectedIndex(bwafPathObfuscCbx.getSelectedIndex()); 423 | bwafParamObfuscCbx.setSelectedIndex(bwafParamObfuscCbx.getSelectedIndex()); 424 | bwafReqTypesCbx.setSelectedIndex(bwafReqTypesCbx.getSelectedIndex()); 425 | bwafHppLocationCbx.setSelectedIndex(bwafHppLocationCbx.getSelectedIndex()); 426 | bwafCharEncodeCbx.setSelectedIndex(bwafCharEncodeCbx.getSelectedIndex()); 427 | bwafQueryEncodeCbx.setSelectedIndex(bwafQueryEncodeCbx.getSelectedIndex()); 428 | bwafSpacePayloadCbx.setSelectedIndex(bwafSpacePayloadCbx.getSelectedIndex()); 429 | bwafPathInfoSizeCbx.setSelectedIndex(bwafPathInfoSizeCbx.getSelectedIndex()); 430 | bwafPathObfuscSizeCbx.setSelectedIndex(bwafPathObfuscSizeCbx.getSelectedIndex()); 431 | 432 | if (!pathInfoBypass.startsWith("NoPathInfo")) { 433 | defaultPathParam = setRand(bwafPathInfoSizeCbx.getSelectedIndex()); 434 | defaultPathValue = setRand(bwafPathInfoSizeCbx.getSelectedIndex()); 435 | } else { 436 | defaultPathParam = ""; 437 | defaultPathValue = ""; 438 | } 439 | 440 | /* Check if it was one of the random values */ 441 | if (pathObfuscationBypass.contains("random")) { 442 | pathObfuscationBypass = pathObfuscationBypass.replace("random", setRand(bwafPathObfuscSizeCbx.getSelectedIndex())); 443 | } 444 | 445 | /* Is HPP enabled? */ 446 | if (bwafHppCheck.isSelected()){ 447 | bypassHpp = 1; 448 | 449 | if (!bwafHppValueText.getText().isEmpty()) { 450 | defaultHppValue = bwafHppValueText.getText(); 451 | } else { 452 | defaultHppValue = "1"; 453 | } 454 | } else { 455 | bypassHpp = 0; 456 | } 457 | 458 | charEncoding = bwafCharEncodings.get(bwafCharEncodeCbx.getItemAt(bwafCharEncodeCbx.getSelectedIndex())); 459 | spaceEncoding = bwafQueryEncodings.get(bwafQueryEncodeCbx.getItemAt(bwafQueryEncodeCbx.getSelectedIndex())); 460 | 461 | /* Check to see if double double */ 462 | if (spaceEncoding.contains("%25%")) { 463 | String initPayload = bwafSpacePayloads.get(bwafSpacePayloadCbx.getItemAt(bwafSpacePayloadCbx.getSelectedIndex())); 464 | StringBuilder encChar = new StringBuilder(); 465 | encChar.append(toHex(initPayload.charAt(0) / 16)); 466 | encChar.append(toHex(initPayload.charAt(0) % 16)); 467 | encChar.append('%'); 468 | encChar.append(toHex(initPayload.charAt(1) / 16)); 469 | encChar.append(toHex(initPayload.charAt(1) % 16)); 470 | spacePayload = spaceEncoding + encChar; 471 | } else { 472 | spacePayload = spaceEncoding + bwafSpacePayloads.get(bwafSpacePayloadCbx.getItemAt(bwafSpacePayloadCbx.getSelectedIndex())); 473 | } 474 | } 475 | }); 476 | 477 | /* Initialize defaults */ 478 | bwafIPText.setText(bypassIP); 479 | bwafCTCbx.setSelectedIndex(0); 480 | bwafHostText.setText(hostNameBypass); 481 | bwafPathInfoCbx.setSelectedIndex(0); 482 | bwafPathObfuscCbx.setSelectedIndex(0); 483 | bwafParamObfuscCbx.setSelectedIndex(0); 484 | bwafReqTypesCbx.setSelectedIndex(0); 485 | bwafHppLocationCbx.setSelectedIndex(0); 486 | bwafCharEncodeCbx.setSelectedIndex(0); 487 | bwafQueryEncodeCbx.setSelectedIndex(0); 488 | bwafSpacePayloadCbx.setSelectedIndex(0); 489 | bwafPathInfoSizeCbx.setSelectedIndex(9); 490 | bwafPathObfuscSizeCbx.setSelectedIndex(9); 491 | 492 | /* Add label and field to tab */ 493 | bwafPanel.add(bwafIPLabel); 494 | bwafPanel.add(bwafIPDescLabel); 495 | bwafPanel.add(bwafIPText); 496 | bwafPanel.add(bwafCTLabel); 497 | bwafPanel.add(bwafCTDescLabel); 498 | bwafPanel.add(bwafCTCbx); 499 | bwafPanel.add(bwafHostLabel); 500 | bwafPanel.add(bwafHostDescLabel); 501 | bwafPanel.add(bwafHostText); 502 | bwafPanel.add(bwafReqTypesLabel); 503 | bwafPanel.add(bwafReqTypesDescLabel); 504 | bwafPanel.add(bwafReqTypesCbx); 505 | bwafPanel.add(bwafPathInfoLabel); 506 | bwafPanel.add(bwafPathInfoDescLabel); 507 | bwafPanel.add(bwafPathInfoCbx); 508 | bwafPanel.add(bwafPathInfoSizeLabel); 509 | bwafPanel.add(bwafPathInfoSizeCbx); 510 | bwafPanel.add(bwafPathObfuscLabel); 511 | bwafPanel.add(bwafPathObfuscDescLabel); 512 | bwafPanel.add(bwafPathObfuscCbx); 513 | bwafPanel.add(bwafPathObfuscSizeLabel); 514 | bwafPanel.add(bwafPathObfuscSizeCbx); 515 | bwafPanel.add(bwafParamObfuscLabel); 516 | bwafPanel.add(bwafParamObfuscDescLabel); 517 | bwafPanel.add(bwafParamObfuscCbx); 518 | bwafPanel.add(bwafHppCheckLabel); 519 | bwafPanel.add(bwafHppCheck); 520 | bwafPanel.add(bwafHppCheckDescLabel); 521 | bwafPanel.add(bwafHppLocationLabel); 522 | bwafPanel.add(bwafHppLocationCbx); 523 | bwafPanel.add(bwafHppValueLabel); 524 | bwafPanel.add(bwafHppValueText); 525 | bwafPanel.add(bwafSetHeaderBtn); 526 | bwafPanel.add(bwafSetHeaderDescLabel); 527 | bwafPanel.add(bwafCharEncodeLabel); 528 | bwafPanel.add(bwafCharEncodeDescLabel); 529 | bwafPanel.add(bwafCharEncodeCbx); 530 | bwafPanel.add(bwafQueryEncodeLabel); 531 | bwafPanel.add(bwafQueryEncodeDescLabel); 532 | bwafPanel.add(bwafQueryEncodeCbx); 533 | bwafPanel.add(bwafSpacePayloadLabel); 534 | bwafPanel.add(bwafSpacePayloadCbx); 535 | 536 | /* Add the tab to Burp */ 537 | extCallbacks.customizeUiComponent(bwafPanel); 538 | extCallbacks.addSuiteTab(BurpExtender.this); 539 | } 540 | 541 | /* Print to extension output tab */ 542 | public void printHeader() { 543 | printOut.println("Bypass WAF: v" + bypassWafVersion + "\n==================\nBypass WAF devices with headers. " 544 | + "WAFs are frequently configured to whitelist specific IPs and do this based on HTTP headers\n\n" 545 | + "josh.berry@codewatch.org"); 546 | } 547 | 548 | /* Tab caption */ 549 | @Override 550 | public String getTabCaption() { return "Bypass WAF"; } 551 | 552 | /* Java component to return to Burp */ 553 | @Override 554 | public Component getUiComponent() { return bwafPanel; } 555 | 556 | /* Action to set in a session rule */ 557 | @Override 558 | public String getActionName(){ return "Bypass WAF"; } 559 | 560 | /* Hex encoding for URLs */ 561 | private static char toHex(int ch) { 562 | return (char) (ch < 10 ? '0' + ch : 'A' + ch - 10); 563 | } 564 | 565 | /* Action for extension to perform */ 566 | @Override 567 | public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) { 568 | 569 | /* Setup default variables */ 570 | IRequestInfo requestInfo = extHelpers.analyzeRequest(currentRequest); 571 | List headers = requestInfo.getHeaders(); 572 | String reqPath = requestInfo.getUrl().getPath(); 573 | String reqQuery = requestInfo.getUrl().getQuery(); 574 | String reqRef = requestInfo.getUrl().getRef(); 575 | String reqRaw = new String(currentRequest.getRequest()); 576 | String reqBody = reqRaw.substring(requestInfo.getBodyOffset()); 577 | Integer contentInHeader = 0; 578 | Integer updateUrl = 0; 579 | String newReq = ""; 580 | String reqMethod = ""; 581 | String newPath = ""; 582 | String newQuery = ""; 583 | String newRef = ""; 584 | 585 | if (reqQuery != null) { 586 | newQuery = "?" + reqQuery; 587 | } 588 | 589 | if (reqRef != null) { 590 | newRef = "#" + reqRef; 591 | } 592 | 593 | /* Loop through the headers to add or set values */ 594 | for (int i = 0; i < headers.size(); i++) { 595 | 596 | /* Set to one of the selected content types or remove Content-Type */ 597 | if (headers.get(i).startsWith("Content-Type:")) { 598 | if (contentTypeBypass.startsWith("Remove")) { 599 | headers.remove(i); 600 | } else if (!contentTypeBypass.startsWith("Keep")) { 601 | headers.set(i, "Content-Type: " + contentTypeBypass); 602 | contentInHeader = 1; 603 | } 604 | /* Set host header value */ 605 | } else if (headers.get(i).startsWith("Host:")) { 606 | if (!hostNameBypass.startsWith("DefaultHostname")) { 607 | headers.set(i, "Host: " + hostNameBypass); 608 | } 609 | } 610 | 611 | /* If this is the the first header (GET/POST with URL) check to see if we are modifying path, path info, or parameters */ 612 | if (i == 0 && (headers.get(i).startsWith("GET ") || headers.get(i).startsWith("POST "))) { 613 | 614 | /* Check request type, only process if a match is found */ 615 | if (bypassRequestType.startsWith("All") || (headers.get(i).startsWith("GET ") && bypassRequestType.startsWith("GET")) || (headers.get(i).startsWith("POST ") && bypassRequestType.startsWith("POST"))) { 616 | 617 | /* Determine whether it was a GET or POST request, and use the correct method */ 618 | if (headers.get(i).startsWith("GET ")) { 619 | reqMethod = "GET"; 620 | } else { 621 | reqMethod = "POST"; 622 | } 623 | 624 | /* Perform character encoding obfuscation */ 625 | if (reqPath.contains("/") && !charEncoding.contains("None")) { 626 | StringBuilder encodeReplace = new StringBuilder(reqPath); 627 | char encChar1; 628 | char encChar2; 629 | char encChar3; 630 | 631 | if (reqPath.lastIndexOf("/") > 0) { 632 | encChar1 = reqPath.charAt(reqPath.lastIndexOf("/")-1); 633 | } else { 634 | encChar1 = '/'; 635 | } 636 | 637 | if (reqPath.length() > 1) { 638 | encChar2 = reqPath.charAt(reqPath.lastIndexOf("/")+1); 639 | } else { 640 | encChar2 = '/'; 641 | } 642 | 643 | if (reqPath.length() > 2) { 644 | encChar3 = reqPath.charAt(reqPath.lastIndexOf("/")+2); 645 | } else { 646 | encChar3 = '/'; 647 | } 648 | 649 | StringBuilder encChar = new StringBuilder(); 650 | 651 | if (reqPath.lastIndexOf("/") > 0 && !String.valueOf(encChar1).contains("/") 652 | && !String.valueOf(encChar1).contains("?") && !String.valueOf(encChar1).contains("=") 653 | && !String.valueOf(encChar1).contains(";") && !String.valueOf(encChar1).contains("&")) { 654 | 655 | /* Add encoding to character before / */ 656 | encChar.append(charEncoding); 657 | 658 | /* Check to see if double double */ 659 | if (charEncoding.contains("%25%")) { 660 | StringBuilder firstEncode = new StringBuilder(); 661 | firstEncode.append(toHex(encChar1 / 16)); 662 | firstEncode.append(toHex(encChar1 % 16)); 663 | encChar.append(toHex(firstEncode.charAt(0) / 16)); 664 | encChar.append(toHex(firstEncode.charAt(0) % 16)); 665 | encChar.append('%'); 666 | encChar.append(toHex(firstEncode.charAt(1) / 16)); 667 | encChar.append(toHex(firstEncode.charAt(1) % 16)); 668 | } else { 669 | encChar.append(toHex(encChar1 / 16)); 670 | encChar.append(toHex(encChar1 % 16)); 671 | } 672 | 673 | /* Replace character in URL string */ 674 | encodeReplace.replace(reqPath.lastIndexOf("/")-1, reqPath.lastIndexOf("/"), encChar.toString() ); 675 | newPath = encodeReplace.toString(); 676 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 677 | updateUrl = 1; 678 | 679 | } else if (reqPath.length() > 2 && !String.valueOf(encChar2).contains("/") 680 | && !String.valueOf(encChar2).contains("?") && !String.valueOf(encChar2).contains("=") 681 | && !String.valueOf(encChar2).contains(";") && !String.valueOf(encChar2).contains("&")) { 682 | 683 | /* Add encoding to character after / */ 684 | encChar.append(charEncoding); 685 | 686 | /* Check to see if double double */ 687 | if (charEncoding.contains("%25%")) { 688 | StringBuilder firstEncode = new StringBuilder(); 689 | firstEncode.append(toHex(encChar2 / 16)); 690 | firstEncode.append(toHex(encChar2 % 16)); 691 | encChar.append(toHex(firstEncode.charAt(0) / 16)); 692 | encChar.append(toHex(firstEncode.charAt(0) % 16)); 693 | encChar.append('%'); 694 | encChar.append(toHex(firstEncode.charAt(1) / 16)); 695 | encChar.append(toHex(firstEncode.charAt(1) % 16)); 696 | } else { 697 | encChar.append(toHex(encChar2 / 16)); 698 | encChar.append(toHex(encChar2 % 16)); 699 | } 700 | 701 | /* Replace character in URL string */ 702 | encodeReplace.replace(reqPath.lastIndexOf("/")+1, reqPath.lastIndexOf("/")+2, encChar.toString() ); 703 | newPath = encodeReplace.toString(); 704 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 705 | updateUrl = 1; 706 | 707 | } else if (reqPath.length() > 3 && !String.valueOf(encChar3).contains("/") 708 | && !String.valueOf(encChar3).contains("?") && !String.valueOf(encChar3).contains("=") 709 | && !String.valueOf(encChar3).contains(";") && !String.valueOf(encChar3).contains("&")) { 710 | 711 | /* Add encoding to second character after / */ 712 | encChar.append(charEncoding); 713 | 714 | /* Check to see if double double */ 715 | if (charEncoding.contains("%25%")) { 716 | StringBuilder firstEncode = new StringBuilder(); 717 | firstEncode.append(toHex(encChar3 / 16)); 718 | firstEncode.append(toHex(encChar3 % 16)); 719 | encChar.append(toHex(firstEncode.charAt(0) / 16)); 720 | encChar.append(toHex(firstEncode.charAt(0) % 16)); 721 | encChar.append('%'); 722 | encChar.append(toHex(firstEncode.charAt(1) / 16)); 723 | encChar.append(toHex(firstEncode.charAt(1) % 16)); 724 | } else { 725 | encChar.append(toHex(encChar3 / 16)); 726 | encChar.append(toHex(encChar3 % 16)); 727 | } 728 | 729 | /* Replace character in URL string */ 730 | encodeReplace.replace(reqPath.lastIndexOf("/")+2, reqPath.lastIndexOf("/")+3, encChar.toString() ); 731 | newPath = encodeReplace.toString(); 732 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 733 | updateUrl = 1; 734 | 735 | } 736 | } 737 | 738 | /* Obfuscate the last path (/) value */ 739 | if (!pathObfuscationBypass.startsWith("NoObfuscation")) { 740 | 741 | /* If there was a slash, replace last one with obfuscated version */ 742 | if (reqPath.contains("/") && newPath.isEmpty()) { 743 | StringBuilder slashReplace = new StringBuilder(reqPath); 744 | slashReplace.replace(reqPath.lastIndexOf("/"), reqPath.lastIndexOf("/")+1, pathObfuscationBypass ); 745 | newPath = slashReplace.toString(); 746 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 747 | updateUrl = 1; 748 | } else if (reqPath.contains("/")) { 749 | StringBuilder slashReplace = new StringBuilder(newPath); 750 | slashReplace.replace(newPath.lastIndexOf("/"), newPath.lastIndexOf("/")+1, pathObfuscationBypass ); 751 | newPath = slashReplace.toString(); 752 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 753 | updateUrl = 1; 754 | } 755 | } 756 | 757 | /* Set path info in URL */ 758 | if (!pathInfoBypass.startsWith("NoPathInfo")) { 759 | 760 | /* Determine the right injection and set the new request */ 761 | if (pathInfoBypass.startsWith("PathInfoInjection") && !reqPath.contains(defaultPathParam) && !newQuery.contains(defaultPathParam) && newReq.isEmpty()) { 762 | 763 | if (newPath.isEmpty()) { 764 | newPath = reqPath + "/" + defaultPathParam; 765 | } else { 766 | newPath = newPath + "/" + defaultPathParam; 767 | } 768 | 769 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 770 | updateUrl = 1; 771 | } else if (pathInfoBypass.startsWith("PathInfoInjection") && !reqPath.contains(defaultPathParam) && !newQuery.contains(defaultPathParam) && !newReq.isEmpty()) { 772 | 773 | if (newPath.isEmpty()) { 774 | newPath = reqPath + "/" + defaultPathParam; 775 | } else { 776 | newPath = newPath + "/" + defaultPathParam; 777 | } 778 | 779 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 780 | } else if (pathInfoBypass.startsWith("PathParametersInjection") && !reqPath.contains(defaultPathParam) && !newQuery.contains(defaultPathParam) && newReq.isEmpty()) { 781 | 782 | if (newPath.isEmpty()) { 783 | newPath = reqPath + ";" + defaultPathParam + "=" + defaultPathValue; 784 | } else { 785 | newPath = newPath + ";" + defaultPathParam + "=" + defaultPathValue; 786 | } 787 | 788 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 789 | updateUrl = 1; 790 | } else if (pathInfoBypass.startsWith("PathParametersInjection") && !reqPath.contains(defaultPathParam) && !newQuery.contains(defaultPathParam) && !newReq.isEmpty()) { 791 | 792 | if (newPath.isEmpty()) { 793 | newPath = reqPath + ";" + defaultPathParam + "=" + defaultPathValue; 794 | } else { 795 | newPath = newPath + ";" + defaultPathParam + "=" + defaultPathValue; 796 | } 797 | 798 | newReq = reqMethod + " " + newPath + newQuery + newRef + " " + defaultHttpVersion; 799 | } 800 | } 801 | 802 | /* Add special character to beginning of all parameter names */ 803 | if (!paramObfuscationBypass.startsWith("None")) { 804 | 805 | /* Determine the right injection and set the new request in URL */ 806 | if (newQuery.startsWith("?") && !newQuery.startsWith("?" + paramObfuscationBypass) && newReq.isEmpty()) { 807 | newQuery = newQuery.replaceFirst("\\?", "?" + paramObfuscationBypass); 808 | newQuery = newQuery.replaceAll("&", "&" + paramObfuscationBypass); 809 | String updPath = ""; 810 | 811 | if (newPath.isEmpty()) { 812 | updPath = reqPath; 813 | } else { 814 | updPath = newPath; 815 | } 816 | 817 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 818 | updateUrl = 1; 819 | } else if (newQuery.startsWith("?") && !newQuery.startsWith("?" + paramObfuscationBypass) && !newReq.isEmpty()) { 820 | newQuery = newQuery.replaceFirst("\\?", "?" + paramObfuscationBypass); 821 | newQuery = newQuery.replaceAll("&", "&" + paramObfuscationBypass); 822 | String updPath = ""; 823 | 824 | if (newPath.isEmpty()) { 825 | updPath = reqPath; 826 | } else { 827 | updPath = newPath; 828 | } 829 | 830 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 831 | } 832 | 833 | /* Determine the right injection and set the new request in POST body */ 834 | if (!reqBody.startsWith(paramObfuscationBypass) && reqMethod.startsWith("POST")) { 835 | reqBody = paramObfuscationBypass + reqBody.replaceAll("&", "&" + paramObfuscationBypass); 836 | } 837 | } 838 | 839 | /* Replace space characters with specially encoded non-standard space characters */ 840 | if (!spaceEncoding.startsWith("None")) { 841 | if (newReq.isEmpty() && newQuery.startsWith("?")) { 842 | String updQuery = ""; 843 | 844 | /* Get the params so that we can change the spaces in each */ 845 | if (newQuery.contains("&") && newQuery.contains("=")) { 846 | for (String pageFields: newQuery.split("&")) { 847 | String[] pageParams = pageFields.split("="); 848 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 849 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 850 | updParam = updParam.replaceAll("\\s+", spacePayload); 851 | updParam = updParam.replaceAll("%20", spacePayload); 852 | updQuery = updQuery + pageParams[0] + "=" + updParam + "&"; 853 | } 854 | } else if (newQuery.contains("=")) { 855 | String[] pageParams = newQuery.split("="); 856 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 857 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 858 | updParam = updParam.replaceAll("\\s+", spacePayload); 859 | updParam = updParam.replaceAll("%20", spacePayload); 860 | updQuery = pageParams[0] + "=" + updParam + "&"; 861 | } 862 | 863 | newQuery = "?" + updQuery.substring(1, updQuery.length()-1); 864 | String updPath = ""; 865 | 866 | if (newPath.isEmpty()) { 867 | updPath = reqPath; 868 | } else { 869 | updPath = newPath; 870 | } 871 | 872 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 873 | updateUrl = 1; 874 | } else if (!newReq.isEmpty() && newQuery.startsWith("?")) { 875 | String updQuery = ""; 876 | 877 | /* Get the params so that we can change the spaces in each */ 878 | if (newQuery.contains("&") && newQuery.contains("=")) { 879 | for (String pageFields: newQuery.split("&")) { 880 | String[] pageParams = pageFields.split("="); 881 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 882 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 883 | updParam = updParam.replaceAll("\\s+", spacePayload); 884 | updParam = updParam.replaceAll("%20", spacePayload); 885 | updQuery = updQuery + pageParams[0] + "=" + updParam + "&"; 886 | } 887 | } else if (newQuery.contains("=")) { 888 | String[] pageParams = newQuery.split("="); 889 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 890 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 891 | updParam = updParam.replaceAll("\\s+", spacePayload); 892 | updParam = updParam.replaceAll("%20", spacePayload); 893 | updQuery = pageParams[0] + "=" + updParam + "&";; 894 | } 895 | 896 | newQuery = "?" + updQuery.substring(1, updQuery.length()-1); 897 | String updPath = ""; 898 | 899 | if (newPath.isEmpty()) { 900 | updPath = reqPath; 901 | } else { 902 | updPath = newPath; 903 | } 904 | 905 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 906 | } 907 | 908 | /* Determine the right injection and set the new request in POST body */ 909 | if (reqMethod.startsWith("POST")) { 910 | String updQuery = ""; 911 | 912 | /* Get the params so that we can change the spaces in each */ 913 | if (reqBody.contains("&") && reqBody.contains("=")) { 914 | for (String pageFields: reqBody.split("&")) { 915 | String[] pageParams = pageFields.split("="); 916 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 917 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 918 | updParam = updParam.replaceAll("\\s+", spacePayload); 919 | updParam = updParam.replaceAll("%20", spacePayload); 920 | updQuery = updQuery + pageParams[0] + "=" + updParam + "&"; 921 | } 922 | } else if (reqBody.contains("=")) { 923 | String[] pageParams = reqBody.split("="); 924 | String updParam = pageParams[1].replaceAll("\\+", spacePayload); 925 | updParam = updParam.replaceAll("%2[bB]", spacePayload); 926 | updParam = updParam.replaceAll("\\s+", spacePayload); 927 | updParam = updParam.replaceAll("%20", spacePayload); 928 | updQuery = updQuery + pageParams[0] + "=" + updParam + "&"; 929 | } 930 | 931 | newQuery = updQuery.substring(0, updQuery.length()-1); 932 | reqBody = newQuery; 933 | } 934 | } 935 | 936 | /* Perform HPP if enabled */ 937 | if (bypassHpp == 1) { 938 | if (newReq.isEmpty() && newQuery.startsWith("?")) { 939 | String updQuery = ""; 940 | 941 | /* Get the params so that we can either change the first or last to 1 */ 942 | if (newQuery.contains("&") && newQuery.contains("=")) { 943 | for (String pageFields: newQuery.split("&")) { 944 | String[] pageParams = pageFields.split("="); 945 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 946 | } 947 | } else if (newQuery.contains("=")) { 948 | String[] pageParams = newQuery.split("="); 949 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 950 | } 951 | 952 | /* Figure out whether to set first or duplicate param to 1 */ 953 | if (bypassHppLocation.startsWith("First")) { 954 | newQuery = newQuery + "&" + updQuery.substring(1, updQuery.length()-1); 955 | } else { 956 | newQuery = updQuery + newQuery.substring(1, newQuery.length()); 957 | } 958 | 959 | String updPath = ""; 960 | 961 | if (newPath.isEmpty()) { 962 | updPath = reqPath; 963 | } else { 964 | updPath = newPath; 965 | } 966 | 967 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 968 | updateUrl = 1; 969 | } else if (!newReq.isEmpty() && newQuery.startsWith("?")) { 970 | String updQuery = ""; 971 | 972 | /* Get the params so that we can either change the first or last to 1 or value */ 973 | if (newQuery.contains("&") && newQuery.contains("=")) { 974 | for (String pageFields: newQuery.split("&")) { 975 | String[] pageParams = pageFields.split("="); 976 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 977 | } 978 | } else if (newQuery.contains("=")) { 979 | String[] pageParams = newQuery.split("="); 980 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 981 | } 982 | 983 | /* Figure out whether to set first or duplicate param to 1 or value */ 984 | if (bypassHppLocation.startsWith("First")) { 985 | newQuery = newQuery + "&" + updQuery.substring(1, updQuery.length()-1); 986 | } else { 987 | newQuery = updQuery + newQuery.substring(1, newQuery.length()); 988 | } 989 | 990 | String updPath = ""; 991 | 992 | if (newPath.isEmpty()) { 993 | updPath = reqPath; 994 | } else { 995 | updPath = newPath; 996 | } 997 | 998 | newReq = reqMethod + " " + updPath + newQuery + newRef + " " + defaultHttpVersion; 999 | } 1000 | 1001 | /* Determine the right injection and set the new request in POST body */ 1002 | if (reqMethod.startsWith("POST")) { 1003 | String updQuery = ""; 1004 | 1005 | /* Get the params so that we can either change the first or last to 1 */ 1006 | if (reqBody.contains("&") && reqBody.contains("=")) { 1007 | for (String pageFields: reqBody.split("&")) { 1008 | String[] pageParams = pageFields.split("="); 1009 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 1010 | } 1011 | } else if (reqBody.contains("=")) { 1012 | String[] pageParams = reqBody.split("="); 1013 | updQuery = updQuery + pageParams[0] + "=" + defaultHppValue + "&"; 1014 | } 1015 | 1016 | /* Figure out whether to set first or duplicate param to 1 */ 1017 | if (bypassHppLocation.startsWith("First")) { 1018 | newQuery = reqBody + "&" + updQuery.substring(0, updQuery.length()-1); 1019 | } else { 1020 | newQuery = updQuery + reqBody; 1021 | } 1022 | 1023 | reqBody = newQuery; 1024 | } 1025 | } 1026 | } 1027 | } 1028 | 1029 | /* Check to see if the bypass headers have already been set */ 1030 | for (int j = 0; j < bwafHeaders.size(); j++) { 1031 | if (headers.get(i).startsWith(bwafHeaders.get(j))) { 1032 | bwafHeaderInit.set(j, 1); 1033 | } 1034 | } 1035 | } 1036 | 1037 | /* If the request URL was modified, update it here */ 1038 | if (updateUrl == 1) { 1039 | headers.set(0, newReq); 1040 | } 1041 | 1042 | /* If set to a specific content type, but Content-Type wasn't in request, then add */ 1043 | if (contentInHeader == 0 && !contentTypeBypass.startsWith("Keep") && !contentTypeBypass.startsWith("Remove")) { 1044 | headers.add("Content-Type: " + contentTypeBypass); 1045 | } 1046 | 1047 | /* Add WAF Bypass headers if they don't already exist */ 1048 | for (int idx = 0; idx < bwafHeaderInit.size(); idx++) { 1049 | if (bwafHeaderInit.get(idx) == 0) { 1050 | headers.add(bwafHeaders.get(idx) + ": " + bypassIP); 1051 | } 1052 | } 1053 | 1054 | /* Build request with bypass headers */ 1055 | byte[] message = extHelpers.buildHttpMessage(headers, reqBody.getBytes()); 1056 | 1057 | /* Update Request with New Header */ 1058 | currentRequest.setRequest(message); 1059 | } 1060 | } -------------------------------------------------------------------------------- /src/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * All extensions must implement this interface. 14 | * 15 | * Implementations must be called BurpExtender, in the package burp, must be 16 | * declared public, and must provide a default (public, no-argument) 17 | * constructor. 18 | */ 19 | public interface IBurpExtender 20 | { 21 | /** 22 | * This method is invoked when the extension is loaded. It registers an 23 | * instance of the 24 | * IBurpExtenderCallbacks interface, providing methods that may 25 | * be invoked by the extension to perform various actions. 26 | * 27 | * @param callbacks An 28 | * IBurpExtenderCallbacks object. 29 | */ 30 | void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks); 31 | } 32 | -------------------------------------------------------------------------------- /src/burp/IBurpExtenderCallbacks.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtenderCallbacks.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | import java.io.OutputStream; 14 | import java.util.List; 15 | import java.util.Map; 16 | 17 | /** 18 | * This interface is used by Burp Suite to pass to extensions a set of callback 19 | * methods that can be used by extensions to perform various actions within 20 | * Burp. 21 | * 22 | * When an extension is loaded, Burp invokes its 23 | * registerExtenderCallbacks() method and passes an instance of the 24 | * IBurpExtenderCallbacks interface. The extension may then invoke 25 | * the methods of this interface as required in order to extend Burp's 26 | * functionality. 27 | */ 28 | public interface IBurpExtenderCallbacks 29 | { 30 | /** 31 | * Flag used to identify Burp Suite as a whole. 32 | */ 33 | static final int TOOL_SUITE = 0x00000001; 34 | /** 35 | * Flag used to identify the Burp Target tool. 36 | */ 37 | static final int TOOL_TARGET = 0x00000002; 38 | /** 39 | * Flag used to identify the Burp Proxy tool. 40 | */ 41 | static final int TOOL_PROXY = 0x00000004; 42 | /** 43 | * Flag used to identify the Burp Spider tool. 44 | */ 45 | static final int TOOL_SPIDER = 0x00000008; 46 | /** 47 | * Flag used to identify the Burp Scanner tool. 48 | */ 49 | static final int TOOL_SCANNER = 0x00000010; 50 | /** 51 | * Flag used to identify the Burp Intruder tool. 52 | */ 53 | static final int TOOL_INTRUDER = 0x00000020; 54 | /** 55 | * Flag used to identify the Burp Repeater tool. 56 | */ 57 | static final int TOOL_REPEATER = 0x00000040; 58 | /** 59 | * Flag used to identify the Burp Sequencer tool. 60 | */ 61 | static final int TOOL_SEQUENCER = 0x00000080; 62 | /** 63 | * Flag used to identify the Burp Decoder tool. 64 | */ 65 | static final int TOOL_DECODER = 0x00000100; 66 | /** 67 | * Flag used to identify the Burp Comparer tool. 68 | */ 69 | static final int TOOL_COMPARER = 0x00000200; 70 | /** 71 | * Flag used to identify the Burp Extender tool. 72 | */ 73 | static final int TOOL_EXTENDER = 0x00000400; 74 | 75 | /** 76 | * This method is used to set the display name for the current extension, 77 | * which will be displayed within the user interface for the Extender tool. 78 | * 79 | * @param name The extension name. 80 | */ 81 | void setExtensionName(String name); 82 | 83 | /** 84 | * This method is used to obtain an 85 | * IExtensionHelpers object, which can be used by the extension 86 | * to perform numerous useful tasks. 87 | * 88 | * @return An object containing numerous helper methods, for tasks such as 89 | * building and analyzing HTTP requests. 90 | */ 91 | IExtensionHelpers getHelpers(); 92 | 93 | /** 94 | * This method is used to obtain the current extension's standard output 95 | * stream. Extensions should write all output to this stream, allowing the 96 | * Burp user to configure how that output is handled from within the UI. 97 | * 98 | * @return The extension's standard output stream. 99 | */ 100 | OutputStream getStdout(); 101 | 102 | /** 103 | * This method is used to obtain the current extension's standard error 104 | * stream. Extensions should write all error messages to this stream, 105 | * allowing the Burp user to configure how that output is handled from 106 | * within the UI. 107 | * 108 | * @return The extension's standard error stream. 109 | */ 110 | OutputStream getStderr(); 111 | 112 | /** 113 | * This method is used to register a listener which will be notified of 114 | * changes to the extension's state. Note: Any extensions that start 115 | * background threads or open system resources (such as files or database 116 | * connections) should register a listener and terminate threads / close 117 | * resources when the extension is unloaded. 118 | * 119 | * @param listener An object created by the extension that implements the 120 | * IExtensionStateListener interface. 121 | */ 122 | void registerExtensionStateListener(IExtensionStateListener listener); 123 | 124 | /** 125 | * This method is used to register a listener which will be notified of 126 | * requests and responses made by any Burp tool. Extensions can perform 127 | * custom analysis or modification of these messages by registering an HTTP 128 | * listener. 129 | * 130 | * @param listener An object created by the extension that implements the 131 | * IHttpListener interface. 132 | */ 133 | void registerHttpListener(IHttpListener listener); 134 | 135 | /** 136 | * This method is used to register a listener which will be notified of 137 | * requests and responses being processed by the Proxy tool. Extensions can 138 | * perform custom analysis or modification of these messages, and control 139 | * in-UI message interception, by registering a proxy listener. 140 | * 141 | * @param listener An object created by the extension that implements the 142 | * IProxyListener interface. 143 | */ 144 | void registerProxyListener(IProxyListener listener); 145 | 146 | /** 147 | * This method is used to register a listener which will be notified of new 148 | * issues that are reported by the Scanner tool. Extensions can perform 149 | * custom analysis or logging of Scanner issues by registering a Scanner 150 | * listener. 151 | * 152 | * @param listener An object created by the extension that implements the 153 | * IScannerListener interface. 154 | */ 155 | void registerScannerListener(IScannerListener listener); 156 | 157 | /** 158 | * This method is used to register a listener which will be notified of 159 | * changes to Burp's suite-wide target scope. 160 | * 161 | * @param listener An object created by the extension that implements the 162 | * IScopeChangeListener interface. 163 | */ 164 | void registerScopeChangeListener(IScopeChangeListener listener); 165 | 166 | /** 167 | * This method is used to register a factory for custom context menu items. 168 | * When the user invokes a context menu anywhere within Burp, the factory 169 | * will be passed details of the invocation event, and asked to provide any 170 | * custom context menu items that should be shown. 171 | * 172 | * @param factory An object created by the extension that implements the 173 | * IContextMenuFactory interface. 174 | */ 175 | void registerContextMenuFactory(IContextMenuFactory factory); 176 | 177 | /** 178 | * This method is used to register a factory for custom message editor tabs. 179 | * For each message editor that already exists, or is subsequently created, 180 | * within Burp, the factory will be asked to provide a new instance of an 181 | * IMessageEditorTab object, which can provide custom rendering 182 | * or editing of HTTP messages. 183 | * 184 | * @param factory An object created by the extension that implements the 185 | * IMessageEditorTabFactory interface. 186 | */ 187 | void registerMessageEditorTabFactory(IMessageEditorTabFactory factory); 188 | 189 | /** 190 | * This method is used to register a provider of Scanner insertion points. 191 | * For each base request that is actively scanned, Burp will ask the 192 | * provider to provide any custom scanner insertion points that are 193 | * appropriate for the request. 194 | * 195 | * @param provider An object created by the extension that implements the 196 | * IScannerInsertionPointProvider interface. 197 | */ 198 | void registerScannerInsertionPointProvider( 199 | IScannerInsertionPointProvider provider); 200 | 201 | /** 202 | * This method is used to register a custom Scanner check. When performing 203 | * scanning, Burp will ask the check to perform active or passive scanning 204 | * on the base request, and report any Scanner issues that are identified. 205 | * 206 | * @param check An object created by the extension that implements the 207 | * IScannerCheck interface. 208 | */ 209 | void registerScannerCheck(IScannerCheck check); 210 | 211 | /** 212 | * This method is used to register a factory for Intruder payloads. Each 213 | * registered factory will be available within the Intruder UI for the user 214 | * to select as the payload source for an attack. When this is selected, the 215 | * factory will be asked to provide a new instance of an 216 | * IIntruderPayloadGenerator object, which will be used to 217 | * generate payloads for the attack. 218 | * 219 | * @param factory An object created by the extension that implements the 220 | * IIntruderPayloadGeneratorFactory interface. 221 | */ 222 | void registerIntruderPayloadGeneratorFactory( 223 | IIntruderPayloadGeneratorFactory factory); 224 | 225 | /** 226 | * This method is used to register a custom Intruder payload processor. Each 227 | * registered processor will be available within the Intruder UI for the 228 | * user to select as the action for a payload processing rule. 229 | * 230 | * @param processor An object created by the extension that implements the 231 | * IIntruderPayloadProcessor interface. 232 | */ 233 | void registerIntruderPayloadProcessor(IIntruderPayloadProcessor processor); 234 | 235 | /** 236 | * This method is used to register a custom session handling action. Each 237 | * registered action will be available within the session handling rule UI 238 | * for the user to select as a rule action. Users can choose to invoke an 239 | * action directly in its own right, or following execution of a macro. 240 | * 241 | * @param action An object created by the extension that implements the 242 | * ISessionHandlingAction interface. 243 | */ 244 | void registerSessionHandlingAction(ISessionHandlingAction action); 245 | 246 | /** 247 | * This method is used to add a custom tab to the main Burp Suite window. 248 | * 249 | * @param tab An object created by the extension that implements the 250 | * ITab interface. 251 | */ 252 | void addSuiteTab(ITab tab); 253 | 254 | /** 255 | * This method is used to remove a previously-added tab from the main Burp 256 | * Suite window. 257 | * 258 | * @param tab An object created by the extension that implements the 259 | * ITab interface. 260 | */ 261 | void removeSuiteTab(ITab tab); 262 | 263 | /** 264 | * This method is used to customize UI components in line with Burp's UI 265 | * style, including font size, colors, table line spacing, etc. 266 | * 267 | * @param component The UI component to be customized. 268 | */ 269 | void customizeUiComponent(Component component); 270 | 271 | /** 272 | * This method is used to create a new instance of Burp's HTTP message 273 | * editor, for the extension to use in its own UI. 274 | * 275 | * @param controller An object created by the extension that implements the 276 | * IMessageEditorController interface. This parameter is 277 | * optional and may be 278 | * null. If it is provided, then the message editor will query 279 | * the controller when required to obtain details about the currently 280 | * displayed message, including the 281 | * IHttpService for the message, and the associated request or 282 | * response message. If a controller is not provided, then the message 283 | * editor will not support context menu actions, such as sending requests to 284 | * other Burp tools. 285 | * @param editable Indicates whether the editor created should be editable, 286 | * or used only for message viewing. 287 | * @return An object that implements the 288 | * IMessageEditor interface, and which the extension can use in 289 | * its own UI. 290 | */ 291 | IMessageEditor createMessageEditor(IMessageEditorController controller, 292 | boolean editable); 293 | 294 | /** 295 | * This method is used to save configuration settings for the extension in a 296 | * persistent way that survives reloads of the extension and of Burp Suite. 297 | * Saved settings can be retrieved using the method 298 | * loadExtensionSetting(). 299 | * 300 | * @param name The name of the setting. 301 | * @param value The value of the setting. If this value is 302 | * null then any existing setting with the specified name will 303 | * be removed. 304 | */ 305 | void saveExtensionSetting(String name, String value); 306 | 307 | /** 308 | * This method is used to load configuration settings for the extension that 309 | * were saved using the method 310 | * saveExtensionSetting(). 311 | * 312 | * @param name The name of the setting. 313 | * @return The value of the setting, or 314 | * null if no value is set. 315 | */ 316 | String loadExtensionSetting(String name); 317 | 318 | /** 319 | * This method is used to create a new instance of Burp's plain text editor, 320 | * for the extension to use in its own UI. 321 | * 322 | * @return An object that implements the 323 | * ITextEditor interface, and which the extension can use in 324 | * its own UI. 325 | */ 326 | ITextEditor createTextEditor(); 327 | 328 | /** 329 | * This method can be used to send an HTTP request to the Burp Repeater 330 | * tool. The request will be displayed in the user interface, but will not 331 | * be issued until the user initiates this action. 332 | * 333 | * @param host The hostname of the remote HTTP server. 334 | * @param port The port of the remote HTTP server. 335 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 336 | * @param request The full HTTP request. 337 | * @param tabCaption An optional caption which will appear on the Repeater 338 | * tab containing the request. If this value is 339 | * null then a default tab index will be displayed. 340 | */ 341 | void sendToRepeater( 342 | String host, 343 | int port, 344 | boolean useHttps, 345 | byte[] request, 346 | String tabCaption); 347 | 348 | /** 349 | * This method can be used to send an HTTP request to the Burp Intruder 350 | * tool. The request will be displayed in the user interface, and markers 351 | * for attack payloads will be placed into default locations within the 352 | * request. 353 | * 354 | * @param host The hostname of the remote HTTP server. 355 | * @param port The port of the remote HTTP server. 356 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 357 | * @param request The full HTTP request. 358 | */ 359 | void sendToIntruder( 360 | String host, 361 | int port, 362 | boolean useHttps, 363 | byte[] request); 364 | 365 | /** 366 | * This method can be used to send an HTTP request to the Burp Intruder 367 | * tool. The request will be displayed in the user interface, and markers 368 | * for attack payloads will be placed into the specified locations within 369 | * the request. 370 | * 371 | * @param host The hostname of the remote HTTP server. 372 | * @param port The port of the remote HTTP server. 373 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 374 | * @param request The full HTTP request. 375 | * @param payloadPositionOffsets A list of index pairs representing the 376 | * payload positions to be used. Each item in the list must be an int[2] 377 | * array containing the start and end offsets for the payload position. 378 | */ 379 | void sendToIntruder( 380 | String host, 381 | int port, 382 | boolean useHttps, 383 | byte[] request, 384 | List payloadPositionOffsets); 385 | 386 | /** 387 | * This method can be used to send a seed URL to the Burp Spider tool. If 388 | * the URL is not within the current Spider scope, the user will be asked if 389 | * they wish to add the URL to the scope. If the Spider is not currently 390 | * running, it will be started. The seed URL will be requested, and the 391 | * Spider will process the application's response in the normal way. 392 | * 393 | * @param url The new seed URL to begin spidering from. 394 | */ 395 | void sendToSpider( 396 | java.net.URL url); 397 | 398 | /** 399 | * This method can be used to send an HTTP request to the Burp Scanner tool 400 | * to perform an active vulnerability scan. If the request is not within the 401 | * current active scanning scope, the user will be asked if they wish to 402 | * proceed with the scan. 403 | * 404 | * @param host The hostname of the remote HTTP server. 405 | * @param port The port of the remote HTTP server. 406 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 407 | * @param request The full HTTP request. 408 | * @return The resulting scan queue item. 409 | */ 410 | IScanQueueItem doActiveScan( 411 | String host, 412 | int port, 413 | boolean useHttps, 414 | byte[] request); 415 | 416 | /** 417 | * This method can be used to send an HTTP request to the Burp Scanner tool 418 | * to perform an active vulnerability scan, based on a custom list of 419 | * insertion points that are to be scanned. If the request is not within the 420 | * current active scanning scope, the user will be asked if they wish to 421 | * proceed with the scan. 422 | * 423 | * @param host The hostname of the remote HTTP server. 424 | * @param port The port of the remote HTTP server. 425 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 426 | * @param request The full HTTP request. 427 | * @param insertionPointOffsets A list of index pairs representing the 428 | * positions of the insertion points that should be scanned. Each item in 429 | * the list must be an int[2] array containing the start and end offsets for 430 | * the insertion point. 431 | * @return The resulting scan queue item. 432 | */ 433 | IScanQueueItem doActiveScan( 434 | String host, 435 | int port, 436 | boolean useHttps, 437 | byte[] request, 438 | List insertionPointOffsets); 439 | 440 | /** 441 | * This method can be used to send an HTTP request to the Burp Scanner tool 442 | * to perform a passive vulnerability scan. 443 | * 444 | * @param host The hostname of the remote HTTP server. 445 | * @param port The port of the remote HTTP server. 446 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 447 | * @param request The full HTTP request. 448 | * @param response The full HTTP response. 449 | */ 450 | void doPassiveScan( 451 | String host, 452 | int port, 453 | boolean useHttps, 454 | byte[] request, 455 | byte[] response); 456 | 457 | /** 458 | * This method can be used to issue HTTP requests and retrieve their 459 | * responses. 460 | * 461 | * @param httpService The HTTP service to which the request should be sent. 462 | * @param request The full HTTP request. 463 | * @return An object that implements the 464 | * IHttpRequestResponse interface, and which the extension can 465 | * query to obtain the details of the response. 466 | */ 467 | IHttpRequestResponse makeHttpRequest(IHttpService httpService, 468 | byte[] request); 469 | 470 | /** 471 | * This method can be used to issue HTTP requests and retrieve their 472 | * responses. 473 | * 474 | * @param host The hostname of the remote HTTP server. 475 | * @param port The port of the remote HTTP server. 476 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 477 | * @param request The full HTTP request. 478 | * @return The full response retrieved from the remote server. 479 | */ 480 | byte[] makeHttpRequest( 481 | String host, 482 | int port, 483 | boolean useHttps, 484 | byte[] request); 485 | 486 | /** 487 | * This method can be used to query whether a specified URL is within the 488 | * current Suite-wide scope. 489 | * 490 | * @param url The URL to query. 491 | * @return Returns 492 | * true if the URL is within the current Suite-wide scope. 493 | */ 494 | boolean isInScope(java.net.URL url); 495 | 496 | /** 497 | * This method can be used to include the specified URL in the Suite-wide 498 | * scope. 499 | * 500 | * @param url The URL to include in the Suite-wide scope. 501 | */ 502 | void includeInScope(java.net.URL url); 503 | 504 | /** 505 | * This method can be used to exclude the specified URL from the Suite-wide 506 | * scope. 507 | * 508 | * @param url The URL to exclude from the Suite-wide scope. 509 | */ 510 | void excludeFromScope(java.net.URL url); 511 | 512 | /** 513 | * This method can be used to display a specified message in the Burp Suite 514 | * alerts tab. 515 | * 516 | * @param message The alert message to display. 517 | */ 518 | void issueAlert(String message); 519 | 520 | /** 521 | * This method returns details of all items in the Proxy history. 522 | * 523 | * @return The contents of the Proxy history. 524 | */ 525 | IHttpRequestResponse[] getProxyHistory(); 526 | 527 | /** 528 | * This method returns details of items in the site map. 529 | * 530 | * @param urlPrefix This parameter can be used to specify a URL prefix, in 531 | * order to extract a specific subset of the site map. The method performs a 532 | * simple case-sensitive text match, returning all site map items whose URL 533 | * begins with the specified prefix. If this parameter is null, the entire 534 | * site map is returned. 535 | * 536 | * @return Details of items in the site map. 537 | */ 538 | IHttpRequestResponse[] getSiteMap(String urlPrefix); 539 | 540 | /** 541 | * This method returns all of the current scan issues for URLs matching the 542 | * specified literal prefix. 543 | * 544 | * @param urlPrefix This parameter can be used to specify a URL prefix, in 545 | * order to extract a specific subset of scan issues. The method performs a 546 | * simple case-sensitive text match, returning all scan issues whose URL 547 | * begins with the specified prefix. If this parameter is null, all issues 548 | * are returned. 549 | * @return Details of the scan issues. 550 | */ 551 | IScanIssue[] getScanIssues(String urlPrefix); 552 | 553 | /** 554 | * This method is used to retrieve the contents of Burp's session handling 555 | * cookie jar. Extensions that provide an 556 | * ISessionHandlingAction can query and update the cookie jar 557 | * in order to handle unusual session handling mechanisms. 558 | * 559 | * @return A list of 560 | * ICookie objects representing the contents of Burp's session 561 | * handling cookie jar. 562 | */ 563 | List getCookieJarContents(); 564 | 565 | /** 566 | * This method is used to update the contents of Burp's session handling 567 | * cookie jar. Extensions that provide an 568 | * ISessionHandlingAction can query and update the cookie jar 569 | * in order to handle unusual session handling mechanisms. 570 | * 571 | * @param cookie An 572 | * ICookie object containing details of the cookie to be 573 | * updated. If the cookie jar already contains a cookie that matches the 574 | * specified domain and name, then that cookie will be updated with the new 575 | * value and expiration, unless the new value is 576 | * null, in which case the cookie will be removed. If the 577 | * cookie jar does not already contain a cookie that matches the specified 578 | * domain and name, then the cookie will be added. 579 | */ 580 | void updateCookieJar(ICookie cookie); 581 | 582 | /** 583 | * This method can be used to add an item to Burp's site map with the 584 | * specified request/response details. This will overwrite the details of 585 | * any existing matching item in the site map. 586 | * 587 | * @param item Details of the item to be added to the site map 588 | */ 589 | void addToSiteMap(IHttpRequestResponse item); 590 | 591 | /** 592 | * This method can be used to restore Burp's state from a specified saved 593 | * state file. This method blocks until the restore operation is completed, 594 | * and must not be called from the event dispatch thread. 595 | * 596 | * @param file The file containing Burp's saved state. 597 | */ 598 | void restoreState(java.io.File file); 599 | 600 | /** 601 | * This method can be used to save Burp's state to a specified file. This 602 | * method blocks until the save operation is completed, and must not be 603 | * called from the event dispatch thread. 604 | * 605 | * @param file The file to save Burp's state in. 606 | */ 607 | void saveState(java.io.File file); 608 | 609 | /** 610 | * This method causes Burp to save all of its current configuration as a Map 611 | * of name/value Strings. 612 | * 613 | * @return A Map of name/value Strings reflecting Burp's current 614 | * configuration. 615 | */ 616 | Map saveConfig(); 617 | 618 | /** 619 | * This method causes Burp to load a new configuration from the Map of 620 | * name/value Strings provided. Any settings not specified in the Map will 621 | * be restored to their default values. To selectively update only some 622 | * settings and leave the rest unchanged, you should first call 623 | * saveConfig() to obtain Burp's current configuration, modify 624 | * the relevant items in the Map, and then call 625 | * loadConfig() with the same Map. 626 | * 627 | * @param config A map of name/value Strings to use as Burp's new 628 | * configuration. 629 | */ 630 | void loadConfig(Map config); 631 | 632 | /** 633 | * This method sets the master interception mode for Burp Proxy. 634 | * 635 | * @param enabled Indicates whether interception of Proxy messages should be 636 | * enabled. 637 | */ 638 | void setProxyInterceptionEnabled(boolean enabled); 639 | 640 | /** 641 | * This method retrieves information about the version of Burp in which the 642 | * extension is running. It can be used by extensions to dynamically adjust 643 | * their behavior depending on the functionality and APIs supported by the 644 | * current version. 645 | * 646 | * @return An array of Strings comprised of: the product name (e.g. Burp 647 | * Suite Professional), the major version (e.g. 1.5), the minor version 648 | * (e.g. 03) 649 | */ 650 | String[] getBurpVersion(); 651 | 652 | /** 653 | * This method can be used to shut down Burp programmatically, with an 654 | * optional prompt to the user. If the method returns, the user canceled the 655 | * shutdown prompt. 656 | * 657 | * @param promptUser Indicates whether to prompt the user to confirm the 658 | * shutdown. 659 | */ 660 | void exitSuite(boolean promptUser); 661 | 662 | /** 663 | * This method is used to create a temporary file on disk containing the 664 | * provided data. Extensions can use temporary files for long-term storage 665 | * of runtime data, avoiding the need to retain that data in memory. 666 | * 667 | * @param buffer The data to be saved to a temporary file. 668 | * @return An object that implements the 669 | * ITempFile interface. 670 | */ 671 | ITempFile saveToTempFile(byte[] buffer); 672 | 673 | /** 674 | * This method is used to save the request and response of an 675 | * IHttpRequestResponse object to temporary files, so that they 676 | * are no longer held in memory. Extensions can used this method to convert 677 | * IHttpRequestResponse objects into a form suitable for 678 | * long-term storage. 679 | * 680 | * @param httpRequestResponse The 681 | * IHttpRequestResponse object whose request and response 682 | * messages are to be saved to temporary files. 683 | * @return An object that implements the 684 | * IHttpRequestResponsePersisted interface. 685 | */ 686 | IHttpRequestResponsePersisted saveBuffersToTempFiles( 687 | IHttpRequestResponse httpRequestResponse); 688 | 689 | /** 690 | * This method is used to apply markers to an HTTP request or response, at 691 | * offsets into the message that are relevant for some particular purpose. 692 | * Markers are used in various situations, such as specifying Intruder 693 | * payload positions, Scanner insertion points, and highlights in Scanner 694 | * issues. 695 | * 696 | * @param httpRequestResponse The 697 | * IHttpRequestResponse object to which the markers should be 698 | * applied. 699 | * @param requestMarkers A list of index pairs representing the offsets of 700 | * markers to be applied to the request message. Each item in the list must 701 | * be an int[2] array containing the start and end offsets for the marker. 702 | * This parameter is optional and may be 703 | * null if no request markers are required. 704 | * @param responseMarkers A list of index pairs representing the offsets of 705 | * markers to be applied to the response message. Each item in the list must 706 | * be an int[2] array containing the start and end offsets for the marker. 707 | * This parameter is optional and may be 708 | * null if no response markers are required. 709 | * @return An object that implements the 710 | * IHttpRequestResponseWithMarkers interface. 711 | */ 712 | IHttpRequestResponseWithMarkers applyMarkers( 713 | IHttpRequestResponse httpRequestResponse, 714 | List requestMarkers, 715 | List responseMarkers); 716 | 717 | /** 718 | * This method is used to obtain the descriptive name for the Burp tool 719 | * identified by the tool flag provided. 720 | * 721 | * @param toolFlag A flag identifying a Burp tool ( 722 | * TOOL_PROXY, 723 | * TOOL_SCANNER, etc.). Tool flags are defined within this 724 | * interface. 725 | * @return The descriptive name for the specified tool. 726 | */ 727 | String getToolName(int toolFlag); 728 | 729 | /** 730 | * This method is used to register a new Scanner issue. Note: 731 | * Wherever possible, extensions should implement custom Scanner checks 732 | * using 733 | * IScannerCheck and report issues via those checks, so as to 734 | * integrate with Burp's user-driven workflow, and ensure proper 735 | * consolidation of duplicate reported issues. This method is only designed 736 | * for tasks outside of the normal testing workflow, such as importing 737 | * results from other scanning tools. 738 | * 739 | * @param issue An object created by the extension that implements the 740 | * IScanIssue interface. 741 | */ 742 | void addScanIssue(IScanIssue issue); 743 | 744 | /** 745 | * This method parses the specified request and returns details of each 746 | * request parameter. 747 | * 748 | * @param request The request to be parsed. 749 | * @return An array of: 750 | * String[] { name, value, type } containing details of the 751 | * parameters contained within the request. 752 | * @deprecated Use 753 | * IExtensionHelpers.analyzeRequest() instead. 754 | */ 755 | @Deprecated 756 | String[][] getParameters(byte[] request); 757 | 758 | /** 759 | * This method parses the specified request and returns details of each HTTP 760 | * header. 761 | * 762 | * @param message The request to be parsed. 763 | * @return An array of HTTP headers. 764 | * @deprecated Use 765 | * IExtensionHelpers.analyzeRequest() or 766 | * IExtensionHelpers.analyzeResponse() instead. 767 | */ 768 | @Deprecated 769 | String[] getHeaders(byte[] message); 770 | 771 | /** 772 | * This method can be used to register a new menu item which will appear on 773 | * the various context menus that are used throughout Burp Suite to handle 774 | * user-driven actions. 775 | * 776 | * @param menuItemCaption The caption to be displayed on the menu item. 777 | * @param menuItemHandler The handler to be invoked when the user clicks on 778 | * the menu item. 779 | * @deprecated Use 780 | * registerContextMenuFactory() instead. 781 | */ 782 | @Deprecated 783 | void registerMenuItem( 784 | String menuItemCaption, 785 | IMenuItemHandler menuItemHandler); 786 | } 787 | -------------------------------------------------------------------------------- /src/burp/IContextMenuFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | import javax.swing.JMenuItem; 14 | 15 | /** 16 | * Extensions can implement this interface and then call 17 | * IBurpExtenderCallbacks.registerContextMenuFactory() to register 18 | * a factory for custom context menu items. 19 | */ 20 | public interface IContextMenuFactory 21 | { 22 | /** 23 | * This method will be called by Burp when the user invokes a context menu 24 | * anywhere within Burp. The factory can then provide any custom context 25 | * menu items that should be displayed in the context menu, based on the 26 | * details of the menu invocation. 27 | * 28 | * @param invocation An object that implements the 29 | * IMessageEditorTabFactory interface, which the extension can 30 | * query to obtain details of the context menu invocation. 31 | * @return A list of custom menu items (which may include sub-menus, 32 | * checkbox menu items, etc.) that should be displayed. Extensions may 33 | * return 34 | * null from this method, to indicate that no menu items are 35 | * required. 36 | */ 37 | List createMenuItems(IContextMenuInvocation invocation); 38 | } 39 | -------------------------------------------------------------------------------- /src/burp/IContextMenuInvocation.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuInvocation.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.event.InputEvent; 13 | 14 | /** 15 | * This interface is used when Burp calls into an extension-provided 16 | * IContextMenuFactory with details of a context menu invocation. 17 | * The custom context menu factory can query this interface to obtain details of 18 | * the invocation event, in order to determine what menu items should be 19 | * displayed. 20 | */ 21 | public interface IContextMenuInvocation 22 | { 23 | /** 24 | * Used to indicate that the context menu is being invoked in a request 25 | * editor. 26 | */ 27 | static final byte CONTEXT_MESSAGE_EDITOR_REQUEST = 0; 28 | /** 29 | * Used to indicate that the context menu is being invoked in a response 30 | * editor. 31 | */ 32 | static final byte CONTEXT_MESSAGE_EDITOR_RESPONSE = 1; 33 | /** 34 | * Used to indicate that the context menu is being invoked in a non-editable 35 | * request viewer. 36 | */ 37 | static final byte CONTEXT_MESSAGE_VIEWER_REQUEST = 2; 38 | /** 39 | * Used to indicate that the context menu is being invoked in a non-editable 40 | * response viewer. 41 | */ 42 | static final byte CONTEXT_MESSAGE_VIEWER_RESPONSE = 3; 43 | /** 44 | * Used to indicate that the context menu is being invoked in the Target 45 | * site map tree. 46 | */ 47 | static final byte CONTEXT_TARGET_SITE_MAP_TREE = 4; 48 | /** 49 | * Used to indicate that the context menu is being invoked in the Target 50 | * site map table. 51 | */ 52 | static final byte CONTEXT_TARGET_SITE_MAP_TABLE = 5; 53 | /** 54 | * Used to indicate that the context menu is being invoked in the Proxy 55 | * history. 56 | */ 57 | static final byte CONTEXT_PROXY_HISTORY = 6; 58 | /** 59 | * Used to indicate that the context menu is being invoked in the Scanner 60 | * results. 61 | */ 62 | static final byte CONTEXT_SCANNER_RESULTS = 7; 63 | /** 64 | * Used to indicate that the context menu is being invoked in the Intruder 65 | * payload positions editor. 66 | */ 67 | static final byte CONTEXT_INTRUDER_PAYLOAD_POSITIONS = 8; 68 | /** 69 | * Used to indicate that the context menu is being invoked in an Intruder 70 | * attack results. 71 | */ 72 | static final byte CONTEXT_INTRUDER_ATTACK_RESULTS = 9; 73 | /** 74 | * Used to indicate that the context menu is being invoked in a search 75 | * results window. 76 | */ 77 | static final byte CONTEXT_SEARCH_RESULTS = 10; 78 | 79 | /** 80 | * This method can be used to retrieve the native Java input event that was 81 | * the trigger for the context menu invocation. 82 | * 83 | * @return The 84 | * InputEvent that was the trigger for the context menu 85 | * invocation. 86 | */ 87 | InputEvent getInputEvent(); 88 | 89 | /** 90 | * This method can be used to retrieve the Burp tool within which the 91 | * context menu was invoked. 92 | * 93 | * @return A flag indicating the Burp tool within which the context menu was 94 | * invoked. Burp tool flags are defined in the 95 | * IBurpExtenderCallbacks interface. 96 | */ 97 | int getToolFlag(); 98 | 99 | /** 100 | * This method can be used to retrieve the context within which the menu was 101 | * invoked. 102 | * 103 | * @return An index indicating the context within which the menu was 104 | * invoked. The indices used are defined within this interface. 105 | */ 106 | byte getInvocationContext(); 107 | 108 | /** 109 | * This method can be used to retrieve the bounds of the user's selection 110 | * into the current message, if applicable. 111 | * 112 | * @return An int[2] array containing the start and end offsets of the 113 | * user's selection in the current message. If the user has not made any 114 | * selection in the current message, both offsets indicate the position of 115 | * the caret within the editor. If the menu is not being invoked from a 116 | * message editor, the method returns 117 | * null. 118 | */ 119 | int[] getSelectionBounds(); 120 | 121 | /** 122 | * This method can be used to retrieve details of the HTTP requests / 123 | * responses that were shown or selected by the user when the context menu 124 | * was invoked. 125 | * 126 | * @return An array of 127 | * IHttpRequestResponse objects representing the items that 128 | * were shown or selected by the user when the context menu was invoked. 129 | * This method returns 130 | * null if no messages are applicable to the invocation. 131 | */ 132 | IHttpRequestResponse[] getSelectedMessages(); 133 | 134 | /** 135 | * This method can be used to retrieve details of the Scanner issues that 136 | * were selected by the user when the context menu was invoked. 137 | * 138 | * @return An array of 139 | * IScanIssue objects representing the issues that were 140 | * selected by the user when the context menu was invoked. This method 141 | * returns 142 | * null if no Scanner issues are applicable to the invocation. 143 | */ 144 | IScanIssue[] getSelectedIssues(); 145 | } 146 | -------------------------------------------------------------------------------- /src/burp/ICookie.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ICookie.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Date; 13 | 14 | /** 15 | * This interface is used to hold details about an HTTP cookie. 16 | */ 17 | public interface ICookie 18 | { 19 | /** 20 | * This method is used to retrieve the domain for which the cookie is in 21 | * scope. 22 | * 23 | * @return The domain for which the cookie is in scope. Note: For 24 | * cookies that have been analyzed from responses (by calling 25 | * IExtensionHelpers.analyzeResponse() and then 26 | * IResponseInfo.getCookies(), the domain will be 27 | * null if the response did not explicitly set a domain 28 | * attribute for the cookie. 29 | */ 30 | String getDomain(); 31 | 32 | /** 33 | * This method is used to retrieve the expiration time for the cookie. 34 | * 35 | * @return The expiration time for the cookie, or 36 | * null if none is set (i.e., for non-persistent session 37 | * cookies). 38 | */ 39 | Date getExpiration(); 40 | 41 | /** 42 | * This method is used to retrieve the name of the cookie. 43 | * 44 | * @return The name of the cookie. 45 | */ 46 | String getName(); 47 | 48 | /** 49 | * This method is used to retrieve the value of the cookie. 50 | * @return The value of the cookie. 51 | */ 52 | String getValue(); 53 | } 54 | -------------------------------------------------------------------------------- /src/burp/IExtensionHelpers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionHelpers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface contains a number of helper methods, which extensions can use 17 | * to assist with various common tasks that arise for Burp extensions. 18 | * 19 | * Extensions can call 20 | * IBurpExtenderCallbacks.getHelpers to obtain an instance of this 21 | * interface. 22 | */ 23 | public interface IExtensionHelpers 24 | { 25 | /** 26 | * This method can be used to analyze an HTTP request, and obtain various 27 | * key details about it. 28 | * 29 | * @param request An 30 | * IHttpRequestResponse object containing the request to be 31 | * analyzed. 32 | * @return An 33 | * IRequestInfo object that can be queried to obtain details 34 | * about the request. 35 | */ 36 | IRequestInfo analyzeRequest(IHttpRequestResponse request); 37 | 38 | /** 39 | * This method can be used to analyze an HTTP request, and obtain various 40 | * key details about it. 41 | * 42 | * @param httpService The HTTP service associated with the request. This is 43 | * optional and may be 44 | * null, in which case the resulting 45 | * IRequestInfo object will not include the full request URL. 46 | * @param request The request to be analyzed. 47 | * @return An 48 | * IRequestInfo object that can be queried to obtain details 49 | * about the request. 50 | */ 51 | IRequestInfo analyzeRequest(IHttpService httpService, byte[] request); 52 | 53 | /** 54 | * This method can be used to analyze an HTTP request, and obtain various 55 | * key details about it. The resulting 56 | * IRequestInfo object will not include the full request URL. 57 | * To obtain the full URL, use one of the other overloaded 58 | * analyzeRequest() methods. 59 | * 60 | * @param request The request to be analyzed. 61 | * @return An 62 | * IRequestInfo object that can be queried to obtain details 63 | * about the request. 64 | */ 65 | IRequestInfo analyzeRequest(byte[] request); 66 | 67 | /** 68 | * This method can be used to analyze an HTTP response, and obtain various 69 | * key details about it. 70 | * 71 | * @param response The response to be analyzed. 72 | * @return An 73 | * IResponseInfo object that can be queried to obtain details 74 | * about the response. 75 | */ 76 | IResponseInfo analyzeResponse(byte[] response); 77 | 78 | /** 79 | * This method can be used to retrieve details of a specified parameter 80 | * within an HTTP request. Note: Use 81 | * analyzeRequest() to obtain details of all parameters within 82 | * the request. 83 | * 84 | * @param request The request to be inspected for the specified parameter. 85 | * @param parameterName The name of the parameter to retrieve. 86 | * @return An 87 | * IParameter object that can be queried to obtain details 88 | * about the parameter, or 89 | * null if the parameter was not found. 90 | */ 91 | IParameter getRequestParameter(byte[] request, String parameterName); 92 | 93 | /** 94 | * This method can be used to URL-decode the specified data. 95 | * 96 | * @param data The data to be decoded. 97 | * @return The decoded data. 98 | */ 99 | String urlDecode(String data); 100 | 101 | /** 102 | * This method can be used to URL-encode the specified data. Any characters 103 | * that do not need to be encoded within HTTP requests are not encoded. 104 | * 105 | * @param data The data to be encoded. 106 | * @return The encoded data. 107 | */ 108 | String urlEncode(String data); 109 | 110 | /** 111 | * This method can be used to URL-decode the specified data. 112 | * 113 | * @param data The data to be decoded. 114 | * @return The decoded data. 115 | */ 116 | byte[] urlDecode(byte[] data); 117 | 118 | /** 119 | * This method can be used to URL-encode the specified data. Any characters 120 | * that do not need to be encoded within HTTP requests are not encoded. 121 | * 122 | * @param data The data to be encoded. 123 | * @return The encoded data. 124 | */ 125 | byte[] urlEncode(byte[] data); 126 | 127 | /** 128 | * This method can be used to Base64-decode the specified data. 129 | * 130 | * @param data The data to be decoded. 131 | * @return The decoded data. 132 | */ 133 | byte[] base64Decode(String data); 134 | 135 | /** 136 | * This method can be used to Base64-decode the specified data. 137 | * 138 | * @param data The data to be decoded. 139 | * @return The decoded data. 140 | */ 141 | byte[] base64Decode(byte[] data); 142 | 143 | /** 144 | * This method can be used to Base64-encode the specified data. 145 | * 146 | * @param data The data to be encoded. 147 | * @return The encoded data. 148 | */ 149 | String base64Encode(String data); 150 | 151 | /** 152 | * This method can be used to Base64-encode the specified data. 153 | * 154 | * @param data The data to be encoded. 155 | * @return The encoded data. 156 | */ 157 | String base64Encode(byte[] data); 158 | 159 | /** 160 | * This method can be used to convert data from String form into an array of 161 | * bytes. The conversion does not reflect any particular character set, and 162 | * a character with the hex representation 0xWXYZ will always be converted 163 | * into a byte with the representation 0xYZ. It performs the opposite 164 | * conversion to the method 165 | * bytesToString(), and byte-based data that is converted to a 166 | * String and back again using these two methods is guaranteed to retain its 167 | * integrity (which may not be the case with conversions that reflect a 168 | * given character set). 169 | * 170 | * @param data The data to be converted. 171 | * @return The converted data. 172 | */ 173 | byte[] stringToBytes(String data); 174 | 175 | /** 176 | * This method can be used to convert data from an array of bytes into 177 | * String form. The conversion does not reflect any particular character 178 | * set, and a byte with the representation 0xYZ will always be converted 179 | * into a character with the hex representation 0x00YZ. It performs the 180 | * opposite conversion to the method 181 | * stringToBytes(), and byte-based data that is converted to a 182 | * String and back again using these two methods is guaranteed to retain its 183 | * integrity (which may not be the case with conversions that reflect a 184 | * given character set). 185 | * 186 | * @param data The data to be converted. 187 | * @return The converted data. 188 | */ 189 | String bytesToString(byte[] data); 190 | 191 | /** 192 | * This method searches a piece of data for the first occurrence of a 193 | * specified pattern. It works on byte-based data in a way that is similar 194 | * to the way the native Java method 195 | * String.indexOf() works on String-based data. 196 | * 197 | * @param data The data to be searched. 198 | * @param pattern The pattern to be searched for. 199 | * @param caseSensitive Flags whether or not the search is case-sensitive. 200 | * @param from The offset within 201 | * data where the search should begin. 202 | * @param to The offset within 203 | * data where the search should end. 204 | * @return The offset of the first occurrence of the pattern within the 205 | * specified bounds, or -1 if no match is found. 206 | */ 207 | int indexOf(byte[] data, 208 | byte[] pattern, 209 | boolean caseSensitive, 210 | int from, 211 | int to); 212 | 213 | /** 214 | * This method builds an HTTP message containing the specified headers and 215 | * message body. If applicable, the Content-Length header will be added or 216 | * updated, based on the length of the body. 217 | * 218 | * @param headers A list of headers to include in the message. 219 | * @param body The body of the message, of 220 | * null if the message has an empty body. 221 | * @return The resulting full HTTP message. 222 | */ 223 | byte[] buildHttpMessage(List headers, byte[] body); 224 | 225 | /** 226 | * This method creates a GET request to the specified URL. The headers used 227 | * in the request are determined by the Request headers settings as 228 | * configured in Burp Spider's options. 229 | * 230 | * @param url The URL to which the request should be made. 231 | * @return A request to the specified URL. 232 | */ 233 | byte[] buildHttpRequest(URL url); 234 | 235 | /** 236 | * This method adds a new parameter to an HTTP request, and if appropriate 237 | * updates the Content-Length header. 238 | * 239 | * @param request The request to which the parameter should be added. 240 | * @param parameter An 241 | * IParameter object containing details of the parameter to be 242 | * added. Supported parameter types are: 243 | * PARAM_URL, 244 | * PARAM_BODY and 245 | * PARAM_COOKIE. 246 | * @return A new HTTP request with the new parameter added. 247 | */ 248 | byte[] addParameter(byte[] request, IParameter parameter); 249 | 250 | /** 251 | * This method removes a parameter from an HTTP request, and if appropriate 252 | * updates the Content-Length header. 253 | * 254 | * @param request The request from which the parameter should be removed. 255 | * @param parameter An 256 | * IParameter object containing details of the parameter to be 257 | * removed. Supported parameter types are: 258 | * PARAM_URL, 259 | * PARAM_BODY and 260 | * PARAM_COOKIE. 261 | * @return A new HTTP request with the parameter removed. 262 | */ 263 | byte[] removeParameter(byte[] request, IParameter parameter); 264 | 265 | /** 266 | * This method updates the value of a parameter within an HTTP request, and 267 | * if appropriate updates the Content-Length header. Note: This 268 | * method can only be used to update the value of an existing parameter of a 269 | * specified type. If you need to change the type of an existing parameter, 270 | * you should first call 271 | * removeParameter() to remove the parameter with the old type, 272 | * and then call 273 | * addParameter() to add a parameter with the new type. 274 | * 275 | * @param request The request containing the parameter to be updated. 276 | * @param parameter An 277 | * IParameter object containing details of the parameter to be 278 | * updated. Supported parameter types are: 279 | * PARAM_URL, 280 | * PARAM_BODY and 281 | * PARAM_COOKIE. 282 | * @return A new HTTP request with the parameter updated. 283 | */ 284 | byte[] updateParameter(byte[] request, IParameter parameter); 285 | 286 | /** 287 | * This method can be used to toggle a request's method between GET and 288 | * POST. Parameters are relocated between the URL query string and message 289 | * body as required, and the Content-Length header is created or removed as 290 | * applicable. 291 | * 292 | * @param request The HTTP request whose method should be toggled. 293 | * @return A new HTTP request using the toggled method. 294 | */ 295 | byte[] toggleRequestMethod(byte[] request); 296 | 297 | /** 298 | * This method constructs an 299 | * IHttpService object based on the details provided. 300 | * 301 | * @param host The HTTP service host. 302 | * @param port The HTTP service port. 303 | * @param protocol The HTTP service protocol. 304 | * @return An 305 | * IHttpService object based on the details provided. 306 | */ 307 | IHttpService buildHttpService(String host, int port, String protocol); 308 | 309 | /** 310 | * This method constructs an 311 | * IHttpService object based on the details provided. 312 | * 313 | * @param host The HTTP service host. 314 | * @param port The HTTP service port. 315 | * @param useHttps Flags whether the HTTP service protocol is HTTPS or HTTP. 316 | * @return An 317 | * IHttpService object based on the details provided. 318 | */ 319 | IHttpService buildHttpService(String host, int port, boolean useHttps); 320 | 321 | /** 322 | * This method constructs an 323 | * IParameter object based on the details provided. 324 | * 325 | * @param name The parameter name. 326 | * @param value The parameter value. 327 | * @param type The parameter type, as defined in the 328 | * IParameter interface. 329 | * @return An 330 | * IParameter object based on the details provided. 331 | */ 332 | IParameter buildParameter(String name, String value, byte type); 333 | 334 | /** 335 | * This method constructs an 336 | * IScannerInsertionPoint object based on the details provided. 337 | * It can be used to quickly create a simple insertion point based on a 338 | * fixed payload location within a base request. 339 | * 340 | * @param insertionPointName The name of the insertion point. 341 | * @param baseRequest The request from which to build scan requests. 342 | * @param from The offset of the start of the payload location. 343 | * @param to The offset of the end of the payload location. 344 | * @return An 345 | * IScannerInsertionPoint object based on the details provided. 346 | */ 347 | IScannerInsertionPoint makeScannerInsertionPoint( 348 | String insertionPointName, 349 | byte[] baseRequest, 350 | int from, 351 | int to); 352 | } 353 | -------------------------------------------------------------------------------- /src/burp/IExtensionStateListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionStateListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerExtensionStateListener() to 15 | * register an extension state listener. The listener will be notified of 16 | * changes to the extension's state. Note: Any extensions that start 17 | * background threads or open system resources (such as files or database 18 | * connections) should register a listener and terminate threads / close 19 | * resources when the extension is unloaded. 20 | */ 21 | public interface IExtensionStateListener 22 | { 23 | /** 24 | * This method is called when the extension is unloaded. 25 | */ 26 | void extensionUnloaded(); 27 | } 28 | -------------------------------------------------------------------------------- /src/burp/IHttpListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register an 15 | * HTTP listener. The listener will be notified of requests and responses made 16 | * by any Burp tool. Extensions can perform custom analysis or modification of 17 | * these messages by registering an HTTP listener. 18 | */ 19 | public interface IHttpListener 20 | { 21 | /** 22 | * This method is invoked when an HTTP request is about to be issued, and 23 | * when an HTTP response has been received. 24 | * 25 | * @param toolFlag A flag indicating the Burp tool that issued the request. 26 | * Burp tool flags are defined in the 27 | * IBurpExtenderCallbacks interface. 28 | * @param messageIsRequest Flags whether the method is being invoked for a 29 | * request or response. 30 | * @param messageInfo Details of the request / response to be processed. 31 | * Extensions can call the setter methods on this object to update the 32 | * current message and so modify Burp's behavior. 33 | */ 34 | void processHttpMessage(int toolFlag, 35 | boolean messageIsRequest, 36 | IHttpRequestResponse messageInfo); 37 | } 38 | -------------------------------------------------------------------------------- /src/burp/IHttpRequestResponse.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponse.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve and update details about HTTP messages. 14 | * 15 | * Note: The setter methods generally can only be used before the message 16 | * has been processed, and not in read-only contexts. The getter methods 17 | * relating to response details can only be used after the request has been 18 | * issued. 19 | */ 20 | public interface IHttpRequestResponse 21 | { 22 | /** 23 | * This method is used to retrieve the request message. 24 | * 25 | * @return The request message. 26 | */ 27 | byte[] getRequest(); 28 | 29 | /** 30 | * This method is used to update the request message. 31 | * 32 | * @param message The new request message. 33 | */ 34 | void setRequest(byte[] message); 35 | 36 | /** 37 | * This method is used to retrieve the response message. 38 | * 39 | * @return The response message. 40 | */ 41 | byte[] getResponse(); 42 | 43 | /** 44 | * This method is used to update the response message. 45 | * 46 | * @param message The new response message. 47 | */ 48 | void setResponse(byte[] message); 49 | 50 | /** 51 | * This method is used to retrieve the user-annotated comment for this item, 52 | * if applicable. 53 | * 54 | * @return The user-annotated comment for this item, or null if none is set. 55 | */ 56 | String getComment(); 57 | 58 | /** 59 | * This method is used to update the user-annotated comment for this item. 60 | * 61 | * @param comment The comment to be assigned to this item. 62 | */ 63 | void setComment(String comment); 64 | 65 | /** 66 | * This method is used to retrieve the user-annotated highlight for this 67 | * item, if applicable. 68 | * 69 | * @return The user-annotated highlight for this item, or null if none is 70 | * set. 71 | */ 72 | String getHighlight(); 73 | 74 | /** 75 | * This method is used to update the user-annotated highlight for this item. 76 | * 77 | * @param color The highlight color to be assigned to this item. Accepted 78 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray, 79 | * or a null String to clear any existing highlight. 80 | */ 81 | void setHighlight(String color); 82 | 83 | /** 84 | * This method is used to retrieve the HTTP service for this request / 85 | * response. 86 | * 87 | * @return An 88 | * IHttpService object containing details of the HTTP service. 89 | */ 90 | IHttpService getHttpService(); 91 | 92 | /** 93 | * This method is used to update the HTTP service for this request / 94 | * response. 95 | * 96 | * @param httpService An 97 | * IHttpService object containing details of the new HTTP 98 | * service. 99 | */ 100 | void setHttpService(IHttpService httpService); 101 | 102 | } 103 | -------------------------------------------------------------------------------- /src/burp/IHttpRequestResponsePersisted.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponsePersisted.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for an 14 | * IHttpRequestResponse object whose request and response messages 15 | * have been saved to temporary files using 16 | * IBurpExtenderCallbacks.saveBuffersToTempFiles(). 17 | */ 18 | public interface IHttpRequestResponsePersisted extends IHttpRequestResponse 19 | { 20 | /** 21 | * This method is used to permanently delete the saved temporary files. It 22 | * will no longer be possible to retrieve the request or response for this 23 | * item. 24 | */ 25 | void deleteTempFiles(); 26 | } 27 | -------------------------------------------------------------------------------- /src/burp/IHttpRequestResponseWithMarkers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponseWithMarkers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used for an 16 | * IHttpRequestResponse object that has had markers applied. 17 | * Extensions can create instances of this interface using 18 | * IBurpExtenderCallbacks.applyMarkers(), or provide their own 19 | * implementation. Markers are used in various situations, such as specifying 20 | * Intruder payload positions, Scanner insertion points, and highlights in 21 | * Scanner issues. 22 | */ 23 | public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse 24 | { 25 | /** 26 | * This method returns the details of the request markers. 27 | * 28 | * @return A list of index pairs representing the offsets of markers for the 29 | * request message. Each item in the list is an int[2] array containing the 30 | * start and end offsets for the marker. The method may return 31 | * null if no request markers are defined. 32 | */ 33 | List getRequestMarkers(); 34 | 35 | /** 36 | * This method returns the details of the response markers. 37 | * 38 | * @return A list of index pairs representing the offsets of markers for the 39 | * response message. Each item in the list is an int[2] array containing the 40 | * start and end offsets for the marker. The method may return 41 | * null if no response markers are defined. 42 | */ 43 | List getResponseMarkers(); 44 | } 45 | -------------------------------------------------------------------------------- /src/burp/IHttpService.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpService.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to provide details about an HTTP service, to which 14 | * HTTP requests can be sent. 15 | */ 16 | public interface IHttpService 17 | { 18 | /** 19 | * This method returns the hostname or IP address for the service. 20 | * 21 | * @return The hostname or IP address for the service. 22 | */ 23 | String getHost(); 24 | 25 | /** 26 | * This method returns the port number for the service. 27 | * 28 | * @return The port number for the service. 29 | */ 30 | int getPort(); 31 | 32 | /** 33 | * This method returns the protocol for the service. 34 | * 35 | * @return The protocol for the service. Expected values are "http" or 36 | * "https". 37 | */ 38 | String getProtocol(); 39 | } 40 | -------------------------------------------------------------------------------- /src/burp/IInterceptedProxyMessage.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IInterceptedProxyMessage.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to represent an HTTP message that has been intercepted 14 | * by Burp Proxy. Extensions can register an 15 | * IProxyListener to receive details of proxy messages using this 16 | * interface. * 17 | */ 18 | public interface IInterceptedProxyMessage 19 | { 20 | /** 21 | * This action causes Burp Proxy to follow the current interception rules to 22 | * determine the appropriate action to take for the message. 23 | */ 24 | static final int ACTION_FOLLOW_RULES = 0; 25 | /** 26 | * This action causes Burp Proxy to present the message to the user for 27 | * manual review or modification. 28 | */ 29 | static final int ACTION_DO_INTERCEPT = 1; 30 | /** 31 | * This action causes Burp Proxy to forward the message to the remote server 32 | * or client, without presenting it to the user. 33 | */ 34 | static final int ACTION_DONT_INTERCEPT = 2; 35 | /** 36 | * This action causes Burp Proxy to drop the message. 37 | */ 38 | static final int ACTION_DROP = 3; 39 | /** 40 | * This action causes Burp Proxy to follow the current interception rules to 41 | * determine the appropriate action to take for the message, and then make a 42 | * second call to processProxyMessage. 43 | */ 44 | static final int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 45 | /** 46 | * This action causes Burp Proxy to present the message to the user for 47 | * manual review or modification, and then make a second call to 48 | * processProxyMessage. 49 | */ 50 | static final int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 51 | /** 52 | * This action causes Burp Proxy to skip user interception, and then make a 53 | * second call to processProxyMessage. 54 | */ 55 | static final int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 56 | 57 | /** 58 | * This method retrieves a unique reference number for this 59 | * request/response. 60 | * 61 | * @return An identifier that is unique to a single request/response pair. 62 | * Extensions can use this to correlate details of requests and responses 63 | * and perform processing on the response message accordingly. 64 | */ 65 | int getMessageReference(); 66 | 67 | /** 68 | * This method retrieves details of the intercepted message. 69 | * 70 | * @return An 71 | * IHttpRequestResponse object containing details of the 72 | * intercepted message. 73 | */ 74 | IHttpRequestResponse getMessageInfo(); 75 | 76 | /** 77 | * This method retrieves the currently defined interception action. The 78 | * default action is 79 | * ACTION_FOLLOW_RULES. If multiple proxy listeners are 80 | * registered, then other listeners may already have modified the 81 | * interception action before it reaches the current listener. This method 82 | * can be used to determine whether this has occurred. 83 | * 84 | * @return The currently defined interception action. Possible values are 85 | * defined within this interface. 86 | */ 87 | int getInterceptAction(); 88 | 89 | /** 90 | * This method is used to update the interception action. 91 | * 92 | * @param interceptAction The new interception action. Possible values are 93 | * defined within this interface. 94 | */ 95 | void setInterceptAction(int interceptAction); 96 | } 97 | -------------------------------------------------------------------------------- /src/burp/IIntruderAttack.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderAttack.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an Intruder attack. 14 | */ 15 | public interface IIntruderAttack 16 | { 17 | /** 18 | * This method is used to retrieve the HTTP service for the attack. 19 | * 20 | * @return The HTTP service for the attack. 21 | */ 22 | IHttpService getHttpService(); 23 | 24 | /** 25 | * This method is used to retrieve the request template for the attack. 26 | * 27 | * @return The request template for the attack. 28 | */ 29 | byte[] getRequestTemplate(); 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/burp/IIntruderPayloadGenerator.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGenerator.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for custom Intruder payload generators. Extensions 14 | * that have registered an 15 | * IIntruderPayloadGeneratorFactory must return a new instance of 16 | * this interface when required as part of a new Intruder attack. 17 | */ 18 | public interface IIntruderPayloadGenerator 19 | { 20 | /** 21 | * This method is used by Burp to determine whether the payload generator is 22 | * able to provide any further payloads. 23 | * 24 | * @return Extensions should return 25 | * false when all the available payloads have been used up, 26 | * otherwise 27 | * true. 28 | */ 29 | boolean hasMorePayloads(); 30 | 31 | /** 32 | * This method is used by Burp to obtain the value of the next payload. 33 | * 34 | * @param baseValue The base value of the current payload position. This 35 | * value may be 36 | * null if the concept of a base value is not applicable (e.g. 37 | * in a battering ram attack). 38 | * @return The next payload to use in the attack. 39 | */ 40 | byte[] getNextPayload(byte[] baseValue); 41 | 42 | /** 43 | * This method is used by Burp to reset the state of the payload generator 44 | * so that the next call to 45 | * getNextPayload() returns the first payload again. This 46 | * method will be invoked when an attack uses the same payload generator for 47 | * more than one payload position, for example in a sniper attack. 48 | */ 49 | void reset(); 50 | } 51 | -------------------------------------------------------------------------------- /src/burp/IIntruderPayloadGeneratorFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGeneratorFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory() 15 | * to register a factory for custom Intruder payloads. 16 | */ 17 | public interface IIntruderPayloadGeneratorFactory 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload generator. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use extension-generated payloads. 23 | * 24 | * @return The name of the payload generator. 25 | */ 26 | String getGeneratorName(); 27 | 28 | /** 29 | * This method is used by Burp when the user starts an Intruder attack that 30 | * uses this payload generator. 31 | * 32 | * @param attack An 33 | * IIntruderAttack object that can be queried to obtain details 34 | * about the attack in which the payload generator will be used. 35 | * @return A new instance of 36 | * IIntruderPayloadGenerator that will be used to generate 37 | * payloads for the attack. 38 | */ 39 | IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack); 40 | } 41 | -------------------------------------------------------------------------------- /src/burp/IIntruderPayloadProcessor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadProcessor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadProcessor() to 15 | * register a custom Intruder payload processor. 16 | */ 17 | public interface IIntruderPayloadProcessor 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload processor. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use an extension-provided payload processor. 23 | * 24 | * @return The name of the payload processor. 25 | */ 26 | String getProcessorName(); 27 | 28 | /** 29 | * This method is invoked by Burp each time the processor should be applied 30 | * to an Intruder payload. 31 | * 32 | * @param currentPayload The value of the payload to be processed. 33 | * @param originalPayload The value of the original payload prior to 34 | * processing by any already-applied processing rules. 35 | * @param baseValue The base value of the payload position, which will be 36 | * replaced with the current payload. 37 | * @return The value of the processed payload. This may be 38 | * null to indicate that the current payload should be skipped, 39 | * and the attack will move directly to the next payload. 40 | */ 41 | byte[] processPayload( 42 | byte[] currentPayload, 43 | byte[] originalPayload, 44 | byte[] baseValue); 45 | } 46 | -------------------------------------------------------------------------------- /src/burp/IMenuItemHandler.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMenuItemHandler.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMenuItem() to register a custom 15 | * context menu item. 16 | * 17 | * @deprecated Use 18 | * IContextMenuFactory instead. 19 | */ 20 | @Deprecated 21 | public interface IMenuItemHandler 22 | { 23 | /** 24 | * This method is invoked by Burp Suite when the user clicks on a custom 25 | * menu item which the extension has registered with Burp. 26 | * 27 | * @param menuItemCaption The caption of the menu item which was clicked. 28 | * This parameter enables extensions to provide a single implementation 29 | * which handles multiple different menu items. 30 | * @param messageInfo Details of the HTTP message(s) for which the context 31 | * menu was displayed. 32 | */ 33 | void menuItemClicked( 34 | String menuItemCaption, 35 | IHttpRequestResponse[] messageInfo); 36 | } 37 | -------------------------------------------------------------------------------- /src/burp/IMessageEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's HTTP 16 | * message editor, for the extension to use in its own UI. Extensions should 17 | * call 18 | * IBurpExtenderCallbacks.createMessageEditor() to obtain an 19 | * instance of this interface. 20 | */ 21 | public interface IMessageEditor 22 | { 23 | /** 24 | * This method returns the UI component of the editor, for extensions to add 25 | * to their own UI. 26 | * 27 | * @return The UI component of the editor. 28 | */ 29 | Component getComponent(); 30 | 31 | /** 32 | * This method is used to display an HTTP message in the editor. 33 | * 34 | * @param message The HTTP message to be displayed. 35 | * @param isRequest Flags whether the message is an HTTP request or 36 | * response. 37 | */ 38 | void setMessage(byte[] message, boolean isRequest); 39 | 40 | /** 41 | * This method is used to retrieve the currently displayed message, which 42 | * may have been modified by the user. 43 | * 44 | * @return The currently displayed HTTP message. 45 | */ 46 | byte[] getMessage(); 47 | 48 | /** 49 | * This method is used to determine whether the current message has been 50 | * modified by the user. 51 | * 52 | * @return An indication of whether the current message has been modified by 53 | * the user since it was first displayed. 54 | */ 55 | boolean isMessageModified(); 56 | 57 | /** 58 | * This method returns the data that is currently selected by the user. 59 | * 60 | * @return The data that is currently selected by the user, or 61 | * null if no selection is made. 62 | */ 63 | byte[] getSelectedData(); 64 | } 65 | -------------------------------------------------------------------------------- /src/burp/IMessageEditorController.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorController.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used by an 14 | * IMessageEditor to obtain details about the currently displayed 15 | * message. Extensions that create instances of Burp's HTTP message editor can 16 | * optionally provide an implementation of 17 | * IMessageEditorController, which the editor will invoke when it 18 | * requires further information about the current message (for example, to send 19 | * it to another Burp tool). Extensions that provide custom editor tabs via an 20 | * IMessageEditorTabFactory will receive a reference to an 21 | * IMessageEditorController object for each tab instance they 22 | * generate, which the tab can invoke if it requires further information about 23 | * the current message. 24 | */ 25 | public interface IMessageEditorController 26 | { 27 | /** 28 | * This method is used to retrieve the HTTP service for the current message. 29 | * 30 | * @return The HTTP service for the current message. 31 | */ 32 | IHttpService getHttpService(); 33 | 34 | /** 35 | * This method is used to retrieve the HTTP request associated with the 36 | * current message (which may itself be a response). 37 | * 38 | * @return The HTTP request associated with the current message. 39 | */ 40 | byte[] getRequest(); 41 | 42 | /** 43 | * This method is used to retrieve the HTTP response associated with the 44 | * current message (which may itself be a request). 45 | * 46 | * @return The HTTP response associated with the current message. 47 | */ 48 | byte[] getResponse(); 49 | } 50 | -------------------------------------------------------------------------------- /src/burp/IMessageEditorTab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * Extensions that register an 16 | * IMessageEditorTabFactory must return instances of this 17 | * interface, which Burp will use to create custom tabs within its HTTP message 18 | * editors. 19 | */ 20 | public interface IMessageEditorTab 21 | { 22 | /** 23 | * This method returns the caption that should appear on the custom tab when 24 | * it is displayed. Note: Burp invokes this method once when the tab 25 | * is first generated, and the same caption will be used every time the tab 26 | * is displayed. 27 | * 28 | * @return The caption that should appear on the custom tab when it is 29 | * displayed. 30 | */ 31 | String getTabCaption(); 32 | 33 | /** 34 | * This method returns the component that should be used as the contents of 35 | * the custom tab when it is displayed. Note: Burp invokes this 36 | * method once when the tab is first generated, and the same component will 37 | * be used every time the tab is displayed. 38 | * 39 | * @return The component that should be used as the contents of the custom 40 | * tab when it is displayed. 41 | */ 42 | Component getUiComponent(); 43 | 44 | /** 45 | * The hosting editor will invoke this method before it displays a new HTTP 46 | * message, so that the custom tab can indicate whether it should be enabled 47 | * for that message. 48 | * 49 | * @param content The message that is about to be displayed. 50 | * @param isRequest Indicates whether the message is a request or a 51 | * response. 52 | * @return The method should return 53 | * true if the custom tab is able to handle the specified 54 | * message, and so will be displayed within the editor. Otherwise, the tab 55 | * will be hidden while this message is displayed. 56 | */ 57 | boolean isEnabled(byte[] content, boolean isRequest); 58 | 59 | /** 60 | * The hosting editor will invoke this method to display a new message or to 61 | * clear the existing message. This method will only be called with a new 62 | * message if the tab has already returned 63 | * true to a call to 64 | * isEnabled() with the same message details. 65 | * 66 | * @param content The message that is to be displayed, or 67 | * null if the tab should clear its contents and disable any 68 | * editable controls. 69 | * @param isRequest Indicates whether the message is a request or a 70 | * response. 71 | */ 72 | void setMessage(byte[] content, boolean isRequest); 73 | 74 | /** 75 | * This method returns the currently displayed message. 76 | * 77 | * @return The currently displayed message. 78 | */ 79 | byte[] getMessage(); 80 | 81 | /** 82 | * This method is used to determine whether the currently displayed message 83 | * has been modified by the user. The hosting editor will always call 84 | * getMessage() before calling this method, so any pending 85 | * edits should be completed within 86 | * getMessage(). 87 | * 88 | * @return The method should return 89 | * true if the user has modified the current message since it 90 | * was first displayed. 91 | */ 92 | boolean isModified(); 93 | 94 | /** 95 | * This method is used to retrieve the data that is currently selected by 96 | * the user. 97 | * 98 | * @return The data that is currently selected by the user. This may be 99 | * null if no selection is currently made. 100 | */ 101 | byte[] getSelectedData(); 102 | } 103 | -------------------------------------------------------------------------------- /src/burp/IMessageEditorTabFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTabFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMessageEditorTabFactory() to 15 | * register a factory for custom message editor tabs. This allows extensions to 16 | * provide custom rendering or editing of HTTP messages, within Burp's own HTTP 17 | * editor. 18 | */ 19 | public interface IMessageEditorTabFactory 20 | { 21 | /** 22 | * Burp will call this method once for each HTTP message editor, and the 23 | * factory should provide a new instance of an 24 | * IMessageEditorTab object. 25 | * 26 | * @param controller An 27 | * IMessageEditorController object, which the new tab can query 28 | * to retrieve details about the currently displayed message. This may be 29 | * null for extension-invoked message editors where the 30 | * extension has not provided an editor controller. 31 | * @param editable Indicates whether the hosting editor is editable or 32 | * read-only. 33 | * @return A new 34 | * IMessageEditorTab object for use within the message editor. 35 | */ 36 | IMessageEditorTab createNewInstance(IMessageEditorController controller, 37 | boolean editable); 38 | } 39 | -------------------------------------------------------------------------------- /src/burp/IParameter.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IParameter.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an HTTP request parameter. 14 | */ 15 | public interface IParameter 16 | { 17 | /** 18 | * Used to indicate a parameter within the URL query string. 19 | */ 20 | static final byte PARAM_URL = 0; 21 | /** 22 | * Used to indicate a parameter within the message body. 23 | */ 24 | static final byte PARAM_BODY = 1; 25 | /** 26 | * Used to indicate an HTTP cookie. 27 | */ 28 | static final byte PARAM_COOKIE = 2; 29 | /** 30 | * Used to indicate an item of data within an XML structure. 31 | */ 32 | static final byte PARAM_XML = 3; 33 | /** 34 | * Used to indicate the value of a tag attribute within an XML structure. 35 | */ 36 | static final byte PARAM_XML_ATTR = 4; 37 | /** 38 | * Used to indicate the value of a parameter attribute within a multi-part 39 | * message body (such as the name of an uploaded file). 40 | */ 41 | static final byte PARAM_MULTIPART_ATTR = 5; 42 | /** 43 | * Used to indicate an item of data within a JSON structure. 44 | */ 45 | static final byte PARAM_JSON = 6; 46 | 47 | /** 48 | * This method is used to retrieve the parameter type. 49 | * 50 | * @return The parameter type. The available types are defined within this 51 | * interface. 52 | */ 53 | byte getType(); 54 | 55 | /** 56 | * This method is used to retrieve the parameter name. 57 | * 58 | * @return The parameter name. 59 | */ 60 | String getName(); 61 | 62 | /** 63 | * This method is used to retrieve the parameter value. 64 | * 65 | * @return The parameter value. 66 | */ 67 | String getValue(); 68 | 69 | /** 70 | * This method is used to retrieve the start offset of the parameter name 71 | * within the HTTP request. 72 | * 73 | * @return The start offset of the parameter name within the HTTP request, 74 | * or -1 if the parameter is not associated with a specific request. 75 | */ 76 | int getNameStart(); 77 | 78 | /** 79 | * This method is used to retrieve the end offset of the parameter name 80 | * within the HTTP request. 81 | * 82 | * @return The end offset of the parameter name within the HTTP request, or 83 | * -1 if the parameter is not associated with a specific request. 84 | */ 85 | int getNameEnd(); 86 | 87 | /** 88 | * This method is used to retrieve the start offset of the parameter value 89 | * within the HTTP request. 90 | * 91 | * @return The start offset of the parameter value within the HTTP request, 92 | * or -1 if the parameter is not associated with a specific request. 93 | */ 94 | int getValueStart(); 95 | 96 | /** 97 | * This method is used to retrieve the end offset of the parameter value 98 | * within the HTTP request. 99 | * 100 | * @return The end offset of the parameter value within the HTTP request, or 101 | * -1 if the parameter is not associated with a specific request. 102 | */ 103 | int getValueEnd(); 104 | } 105 | -------------------------------------------------------------------------------- /src/burp/IProxyListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IProxyListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register a 15 | * Proxy listener. The listener will be notified of requests and responses being 16 | * processed by the Proxy tool. Extensions can perform custom analysis or 17 | * modification of these messages, and control in-UI message interception, by 18 | * registering a proxy listener. 19 | */ 20 | public interface IProxyListener 21 | { 22 | /** 23 | * This method is invoked when an HTTP message is being processed by the 24 | * Proxy. 25 | * 26 | * @param messageIsRequest Indicates whether the HTTP message is a request 27 | * or a response. 28 | * @param message An 29 | * IInterceptedProxyMessage object that extensions can use to 30 | * query and update details of the message, and control whether the message 31 | * should be intercepted and displayed to the user for manual review or 32 | * modification. 33 | */ 34 | void processProxyMessage( 35 | boolean messageIsRequest, 36 | IInterceptedProxyMessage message); 37 | } 38 | -------------------------------------------------------------------------------- /src/burp/IRequestInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IRequestInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface is used to retrieve key details about an HTTP request. 17 | * Extensions can obtain an 18 | * IRequestInfo object for a given request by calling 19 | * IExtensionHelpers.analyzeRequest(). 20 | */ 21 | public interface IRequestInfo 22 | { 23 | /** 24 | * Used to indicate that there is no content. 25 | */ 26 | static final byte CONTENT_TYPE_NONE = 0; 27 | /** 28 | * Used to indicate URL-encoded content. 29 | */ 30 | static final byte CONTENT_TYPE_URL_ENCODED = 1; 31 | /** 32 | * Used to indicate multi-part content. 33 | */ 34 | static final byte CONTENT_TYPE_MULTIPART = 2; 35 | /** 36 | * Used to indicate XML content. 37 | */ 38 | static final byte CONTENT_TYPE_XML = 3; 39 | /** 40 | * Used to indicate JSON content. 41 | */ 42 | static final byte CONTENT_TYPE_JSON = 4; 43 | /** 44 | * Used to indicate AMF content. 45 | */ 46 | static final byte CONTENT_TYPE_AMF = 5; 47 | /** 48 | * Used to indicate unknown content. 49 | */ 50 | static final byte CONTENT_TYPE_UNKNOWN = -1; 51 | 52 | /** 53 | * This method is used to obtain the HTTP method used in the request. 54 | * 55 | * @return The HTTP method used in the request. 56 | */ 57 | String getMethod(); 58 | 59 | /** 60 | * This method is used to obtain the URL in the request. 61 | * 62 | * @return The URL in the request. 63 | */ 64 | URL getUrl(); 65 | 66 | /** 67 | * This method is used to obtain the HTTP headers contained in the request. 68 | * 69 | * @return The HTTP headers contained in the request. 70 | */ 71 | List getHeaders(); 72 | 73 | /** 74 | * This method is used to obtain the parameters contained in the request. 75 | * 76 | * @return The parameters contained in the request. 77 | */ 78 | List getParameters(); 79 | 80 | /** 81 | * This method is used to obtain the offset within the request where the 82 | * message body begins. 83 | * 84 | * @return The offset within the request where the message body begins. 85 | */ 86 | int getBodyOffset(); 87 | 88 | /** 89 | * This method is used to obtain the content type of the message body. 90 | * 91 | * @return An indication of the content type of the message body. Available 92 | * types are defined within this interface. 93 | */ 94 | byte getContentType(); 95 | } 96 | -------------------------------------------------------------------------------- /src/burp/IResponseInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to retrieve key details about an HTTP response. 16 | * Extensions can obtain an 17 | * IResponseInfo object for a given response by calling 18 | * IExtensionHelpers.analyzeResponse(). 19 | */ 20 | public interface IResponseInfo 21 | { 22 | /** 23 | * This method is used to obtain the HTTP headers contained in the response. 24 | * 25 | * @return The HTTP headers contained in the response. 26 | */ 27 | List getHeaders(); 28 | 29 | /** 30 | * This method is used to obtain the offset within the response where the 31 | * message body begins. 32 | * 33 | * @return The offset within the response where the message body begins. 34 | */ 35 | int getBodyOffset(); 36 | 37 | /** 38 | * This method is used to obtain the HTTP status code contained in the 39 | * response. 40 | * 41 | * @return The HTTP status code contained in the response. 42 | */ 43 | short getStatusCode(); 44 | 45 | /** 46 | * This method is used to obtain details of the HTTP cookies set in the 47 | * response. 48 | * 49 | * @return A list of 50 | * ICookie objects representing the cookies set in the 51 | * response, if any. 52 | */ 53 | List getCookies(); 54 | } 55 | -------------------------------------------------------------------------------- /src/burp/IScanIssue.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanIssue.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of Scanner issues. Extensions can 14 | * obtain details of issues by registering an 15 | * IScannerListener or by calling 16 | * IBurpExtenderCallbacks.getScanIssues(). Extensions can also add 17 | * custom Scanner issues by registering an 18 | * IScannerCheck or calling 19 | * IBurpExtenderCallbacks.addScanIssue(), and providing their own 20 | * implementations of this interface 21 | */ 22 | public interface IScanIssue 23 | { 24 | /** 25 | * This method returns the URL for which the issue was generated. 26 | * 27 | * @return The URL for which the issue was generated. 28 | */ 29 | java.net.URL getUrl(); 30 | 31 | /** 32 | * This method returns the name of the issue type. 33 | * 34 | * @return The name of the issue type (e.g. "SQL injection"). 35 | */ 36 | String getIssueName(); 37 | 38 | /** 39 | * This method returns a numeric identifier of the issue type. See the Burp 40 | * Scanner help documentation for a listing of all the issue types. 41 | * 42 | * @return A numeric identifier of the issue type. 43 | */ 44 | int getIssueType(); 45 | 46 | /** 47 | * This method returns the issue severity level. 48 | * 49 | * @return The issue severity level. Expected values are "High", "Medium", 50 | * "Low", "Information" or "False positive". 51 | * 52 | */ 53 | String getSeverity(); 54 | 55 | /** 56 | * This method returns the issue confidence level. 57 | * 58 | * @return The issue confidence level. Expected values are "Certain", "Firm" 59 | * or "Tentative". 60 | */ 61 | String getConfidence(); 62 | 63 | /** 64 | * This method returns a background description for this type of issue. 65 | * 66 | * @return A background description for this type of issue, or 67 | * null if none applies. 68 | */ 69 | String getIssueBackground(); 70 | 71 | /** 72 | * This method returns a background description of the remediation for this 73 | * type of issue. 74 | * 75 | * @return A background description of the remediation for this type of 76 | * issue, or 77 | * null if none applies. 78 | */ 79 | String getRemediationBackground(); 80 | 81 | /** 82 | * This method returns detailed information about this specific instance of 83 | * the issue. 84 | * 85 | * @return Detailed information about this specific instance of the issue, 86 | * or 87 | * null if none applies. 88 | */ 89 | String getIssueDetail(); 90 | 91 | /** 92 | * This method returns detailed information about the remediation for this 93 | * specific instance of the issue. 94 | * 95 | * @return Detailed information about the remediation for this specific 96 | * instance of the issue, or 97 | * null if none applies. 98 | */ 99 | String getRemediationDetail(); 100 | 101 | /** 102 | * This method returns the HTTP messages on the basis of which the issue was 103 | * generated. 104 | * 105 | * @return The HTTP messages on the basis of which the issue was generated. 106 | * Note: The items in this array should be instances of 107 | * IHttpRequestResponseWithMarkers if applicable, so that 108 | * details of the relevant portions of the request and response messages are 109 | * available. 110 | */ 111 | IHttpRequestResponse[] getHttpMessages(); 112 | 113 | /** 114 | * This method returns the HTTP service for which the issue was generated. 115 | * 116 | * @return The HTTP service for which the issue was generated. 117 | */ 118 | IHttpService getHttpService(); 119 | 120 | } 121 | -------------------------------------------------------------------------------- /src/burp/IScanQueueItem.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanQueueItem.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of items in the Burp Scanner 14 | * active scan queue. Extensions can obtain references to scan queue items by 15 | * calling 16 | * IBurpExtenderCallbacks.doActiveScan(). 17 | */ 18 | public interface IScanQueueItem 19 | { 20 | /** 21 | * This method returns a description of the status of the scan queue item. 22 | * 23 | * @return A description of the status of the scan queue item. 24 | */ 25 | String getStatus(); 26 | 27 | /** 28 | * This method returns an indication of the percentage completed for the 29 | * scan queue item. 30 | * 31 | * @return An indication of the percentage completed for the scan queue 32 | * item. 33 | */ 34 | byte getPercentageComplete(); 35 | 36 | /** 37 | * This method returns the number of requests that have been made for the 38 | * scan queue item. 39 | * 40 | * @return The number of requests that have been made for the scan queue 41 | * item. 42 | */ 43 | int getNumRequests(); 44 | 45 | /** 46 | * This method returns the number of network errors that have occurred for 47 | * the scan queue item. 48 | * 49 | * @return The number of network errors that have occurred for the scan 50 | * queue item. 51 | */ 52 | int getNumErrors(); 53 | 54 | /** 55 | * This method returns the number of attack insertion points being used for 56 | * the scan queue item. 57 | * 58 | * @return The number of attack insertion points being used for the scan 59 | * queue item. 60 | */ 61 | int getNumInsertionPoints(); 62 | 63 | /** 64 | * This method allows the scan queue item to be canceled. 65 | */ 66 | void cancel(); 67 | 68 | /** 69 | * This method returns details of the issues generated for the scan queue 70 | * item. Note: different items within the scan queue may contain 71 | * duplicated versions of the same issues - for example, if the same request 72 | * has been scanned multiple times. Duplicated issues are consolidated in 73 | * the main view of scan results. Extensions can register an 74 | * IScannerListener to get details only of unique, newly 75 | * discovered Scanner issues post-consolidation. 76 | * 77 | * @return Details of the issues generated for the scan queue item. 78 | */ 79 | IScanIssue[] getIssues(); 80 | } 81 | -------------------------------------------------------------------------------- /src/burp/IScannerCheck.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerCheck.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerCheck() to register a 17 | * custom Scanner check. When performing scanning, Burp will ask the check to 18 | * perform active or passive scanning on the base request, and report any 19 | * Scanner issues that are identified. 20 | */ 21 | public interface IScannerCheck 22 | { 23 | /** 24 | * The Scanner invokes this method for each base request / response that is 25 | * passively scanned. Note: Extensions should not only analyze the 26 | * HTTP messages provided during passive scanning, and should not make any 27 | * new HTTP requests of their own. 28 | * 29 | * @param baseRequestResponse The base HTTP request / response that should 30 | * be passively scanned. 31 | * @return A list of 32 | * IScanIssue objects, or 33 | * null if no issues are identified. 34 | */ 35 | List doPassiveScan(IHttpRequestResponse baseRequestResponse); 36 | 37 | /** 38 | * The Scanner invokes this method for each insertion point that is actively 39 | * scanned. Extensions may issue HTTP requests as required to carry out 40 | * active scanning, and should use the 41 | * IScannerInsertionPoint object provided to build scan 42 | * requests for particular payloads. Note: Extensions are responsible 43 | * for ensuring that attack payloads are suitably encoded within requests 44 | * (for example, by URL-encoding relevant metacharacters in the URL query 45 | * string). Encoding is not automatically carried out by the 46 | * IScannerInsertionPoint, because this would prevent Scanner 47 | * checks from testing for certain input filter bypasses. Extensions should 48 | * query the 49 | * IScannerInsertionPoint to determine its type, and apply any 50 | * encoding that may be appropriate. 51 | * 52 | * @param baseRequestResponse The base HTTP request / response that should 53 | * be actively scanned. 54 | * @param insertionPoint An 55 | * IScannerInsertionPoint object that can be queried to obtain 56 | * details of the insertion point being tested, and can be used to build 57 | * scan requests for particular payloads. 58 | * @return A list of 59 | * IScanIssue objects, or 60 | * null if no issues are identified. 61 | */ 62 | List doActiveScan( 63 | IHttpRequestResponse baseRequestResponse, 64 | IScannerInsertionPoint insertionPoint); 65 | 66 | /** 67 | * The Scanner invokes this method when the custom Scanner check has 68 | * reported multiple issues for the same URL path. This can arise either 69 | * because there are multiple distinct vulnerabilities, or because the same 70 | * (or a similar) request has been scanned more than once. The custom check 71 | * should determine whether the issues are duplicates. In most cases, where 72 | * a check uses distinct issue names or descriptions for distinct issues, 73 | * the consolidation process will simply be a matter of comparing these 74 | * features for the two issues. 75 | * 76 | * @param existingIssue An issue that was previously reported by this 77 | * Scanner check. 78 | * @param newIssue An issue at the same URL path that has been newly 79 | * reported by this Scanner check. 80 | * @return An indication of which issue(s) should be reported in the main 81 | * Scanner results. The method should return 82 | * -1 to report the existing issue only, 83 | * 0 to report both issues, and 84 | * 1 to report the new issue only. 85 | */ 86 | int consolidateDuplicateIssues( 87 | IScanIssue existingIssue, 88 | IScanIssue newIssue); 89 | } 90 | -------------------------------------------------------------------------------- /src/burp/IScannerInsertionPoint.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPoint.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to define an insertion point for use by active Scanner 14 | * checks. Extensions can obtain instances of this interface by registering an 15 | * IScannerCheck, or can create instances for use by Burp's own 16 | * scan checks by registering an 17 | * IScannerInsertionPointProvider. 18 | */ 19 | public interface IScannerInsertionPoint 20 | { 21 | /** 22 | * Used to indicate where the payload is inserted into the value of a URL 23 | * parameter. 24 | */ 25 | static final byte INS_PARAM_URL = 0x00; 26 | /** 27 | * Used to indicate where the payload is inserted into the value of a body 28 | * parameter. 29 | */ 30 | static final byte INS_PARAM_BODY = 0x01; 31 | /** 32 | * Used to indicate where the payload is inserted into the value of an HTTP 33 | * cookie. 34 | */ 35 | static final byte INS_PARAM_COOKIE = 0x02; 36 | /** 37 | * Used to indicate where the payload is inserted into the value of an item 38 | * of data within an XML data structure. 39 | */ 40 | static final byte INS_PARAM_XML = 0x03; 41 | /** 42 | * Used to indicate where the payload is inserted into the value of a tag 43 | * attribute within an XML structure. 44 | */ 45 | static final byte INS_PARAM_XML_ATTR = 0x04; 46 | /** 47 | * Used to indicate where the payload is inserted into the value of a 48 | * parameter attribute within a multi-part message body (such as the name of 49 | * an uploaded file). 50 | */ 51 | static final byte INS_PARAM_MULTIPART_ATTR = 0x05; 52 | /** 53 | * Used to indicate where the payload is inserted into the value of an item 54 | * of data within a JSON structure. 55 | */ 56 | static final byte INS_PARAM_JSON = 0x06; 57 | /** 58 | * Used to indicate where the payload is inserted into the value of an AMF 59 | * parameter. 60 | */ 61 | static final byte INS_PARAM_AMF = 0x07; 62 | /** 63 | * Used to indicate where the payload is inserted into the value of an HTTP 64 | * request header. 65 | */ 66 | static final byte INS_HEADER = 0x20; 67 | /** 68 | * Used to indicate where the payload is inserted into a REST parameter 69 | * within the URL file path. 70 | */ 71 | static final byte INS_URL_REST = 0x21; 72 | /** 73 | * Used to indicate where the payload is inserted into the name of an added 74 | * URL parameter. 75 | */ 76 | static final byte INS_PARAM_NAME_URL = 0x22; 77 | /** 78 | * Used to indicate where the payload is inserted into the name of an added 79 | * body parameter. 80 | */ 81 | static final byte INS_PARAM_NAME_BODY = 0x23; 82 | /** 83 | * Used to indicate where the payload is inserted at a location manually 84 | * configured by the user. 85 | */ 86 | static final byte INS_USER_PROVIDED = 0x40; 87 | /** 88 | * Used to indicate where the insertion point is provided by an 89 | * extension-registered 90 | * IScannerInsertionPointProvider. 91 | */ 92 | static final byte INS_EXTENSION_PROVIDED = 0x41; 93 | /** 94 | * Used to indicate where the payload is inserted at an unknown location 95 | * within the request. 96 | */ 97 | static final byte INS_UNKNOWN = 0x7f; 98 | 99 | /** 100 | * This method returns the name of the insertion point. 101 | * 102 | * @return The name of the insertion point (for example, a description of a 103 | * particular request parameter). 104 | */ 105 | String getInsertionPointName(); 106 | 107 | /** 108 | * This method returns the base value for this insertion point. 109 | * 110 | * @return the base value that appears in this insertion point in the base 111 | * request being scanned, or 112 | * null if there is no value in the base request that 113 | * corresponds to this insertion point. 114 | */ 115 | String getBaseValue(); 116 | 117 | /** 118 | * This method is used to build a request with the specified payload placed 119 | * into the insertion point. Any necessary adjustments to the Content-Length 120 | * header will be made by the Scanner itself when the request is issued, and 121 | * there is no requirement for the insertion point to do this. Note: 122 | * Burp's built-in scan checks do not apply any payload encoding (such as 123 | * URL-encoding) when dealing with an extension-provided insertion point. 124 | * Custom insertion points are responsible for performing any data encoding 125 | * that is necessary given the nature and location of the insertion point. 126 | * 127 | * @param payload The payload that should be placed into the insertion 128 | * point. 129 | * @return The resulting request. 130 | */ 131 | byte[] buildRequest(byte[] payload); 132 | 133 | /** 134 | * This method is used to determine the offsets of the payload value within 135 | * the request, when it is placed into the insertion point. Scan checks may 136 | * invoke this method when reporting issues, so as to highlight the relevant 137 | * part of the request within the UI. 138 | * 139 | * @param payload The payload that should be placed into the insertion 140 | * point. 141 | * @return An int[2] array containing the start and end offsets of the 142 | * payload within the request, or null if this is not applicable (for 143 | * example, where the insertion point places a payload into a serialized 144 | * data structure, the raw payload may not literally appear anywhere within 145 | * the resulting request). 146 | */ 147 | int[] getPayloadOffsets(byte[] payload); 148 | 149 | /** 150 | * This method returns the type of the insertion point. 151 | * 152 | * @return The type of the insertion point. Available types are defined in 153 | * this interface. 154 | */ 155 | byte getInsertionPointType(); 156 | } 157 | -------------------------------------------------------------------------------- /src/burp/IScannerInsertionPointProvider.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPointProvider.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerInsertionPointProvider() 17 | * to register a factory for custom Scanner insertion points. 18 | */ 19 | public interface IScannerInsertionPointProvider 20 | { 21 | /** 22 | * When a request is actively scanned, the Scanner will invoke this method, 23 | * and the provider should provide a list of custom insertion points that 24 | * will be used in the scan. Note: these insertion points are used in 25 | * addition to those that are derived from Burp Scanner's configuration, and 26 | * those provided by any other Burp extensions. 27 | * 28 | * @param baseRequestResponse The base request that will be actively 29 | * scanned. 30 | * @return A list of 31 | * IScannerInsertionPoint objects that should be used in the 32 | * scanning, or 33 | * null if no custom insertion points are applicable for this 34 | * request. 35 | */ 36 | List getInsertionPoints( 37 | IHttpRequestResponse baseRequestResponse); 38 | } 39 | -------------------------------------------------------------------------------- /src/burp/IScannerListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScannerListener() to register a 15 | * Scanner listener. The listener will be notified of new issues that are 16 | * reported by the Scanner tool. Extensions can perform custom analysis or 17 | * logging of Scanner issues by registering a Scanner listener. 18 | */ 19 | public interface IScannerListener 20 | { 21 | /** 22 | * This method is invoked when a new issue is added to Burp Scanner's 23 | * results. 24 | * 25 | * @param issue An 26 | * IScanIssue object that the extension can query to obtain 27 | * details about the new issue. 28 | */ 29 | void newScanIssue(IScanIssue issue); 30 | } 31 | -------------------------------------------------------------------------------- /src/burp/IScopeChangeListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScopeChangeListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScopeChangeListener() to register 15 | * a scope change listener. The listener will be notified whenever a change 16 | * occurs to Burp's suite-wide target scope. 17 | */ 18 | public interface IScopeChangeListener 19 | { 20 | /** 21 | * This method is invoked whenever a change occurs to Burp's suite-wide 22 | * target scope. 23 | */ 24 | void scopeChanged(); 25 | } 26 | -------------------------------------------------------------------------------- /src/burp/ISessionHandlingAction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ISessionHandlingAction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerSessionHandlingAction() to 15 | * register a custom session handling action. Each registered action will be 16 | * available within the session handling rule UI for the user to select as a 17 | * rule action. Users can choose to invoke an action directly in its own right, 18 | * or following execution of a macro. 19 | */ 20 | public interface ISessionHandlingAction 21 | { 22 | /** 23 | * This method is used by Burp to obtain the name of the session handling 24 | * action. This will be displayed as an option within the session handling 25 | * rule editor when the user selects to execute an extension-provided 26 | * action. 27 | * 28 | * @return The name of the action. 29 | */ 30 | String getActionName(); 31 | 32 | /** 33 | * This method is invoked when the session handling action should be 34 | * executed. This may happen as an action in its own right, or as a 35 | * sub-action following execution of a macro. 36 | * 37 | * @param currentRequest The base request that is currently being processed. 38 | * The action can query this object to obtain details about the base 39 | * request. It can issue additional requests of its own if necessary, and 40 | * can use the setter methods on this object to update the base request. 41 | * @param macroItems If the action is invoked following execution of a 42 | * macro, this parameter contains the result of executing the macro. 43 | * Otherwise, it is 44 | * null. Actions can use the details of the macro items to 45 | * perform custom analysis of the macro to derive values of non-standard 46 | * session handling tokens, etc. 47 | */ 48 | void performAction( 49 | IHttpRequestResponse currentRequest, 50 | IHttpRequestResponse[] macroItems); 51 | } 52 | -------------------------------------------------------------------------------- /src/burp/ITab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide Burp with details of a custom tab that will 16 | * be added to Burp's UI, using a method such as 17 | * IBurpExtenderCallbacks.addSuiteTab(). 18 | */ 19 | public interface ITab 20 | { 21 | /** 22 | * Burp uses this method to obtain the caption that should appear on the 23 | * custom tab when it is displayed. 24 | * 25 | * @return The caption that should appear on the custom tab when it is 26 | * displayed. 27 | */ 28 | String getTabCaption(); 29 | 30 | /** 31 | * Burp uses this method to obtain the component that should be used as the 32 | * contents of the custom tab when it is displayed. 33 | * 34 | * @return The component that should be used as the contents of the custom 35 | * tab when it is displayed. 36 | */ 37 | Component getUiComponent(); 38 | } 39 | -------------------------------------------------------------------------------- /src/burp/ITempFile.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITempFile.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details of a temporary file that has been 14 | * created via a call to 15 | * IBurpExtenderCallbacks.saveToTempFile(). 16 | * 17 | */ 18 | public interface ITempFile 19 | { 20 | /** 21 | * This method is used to retrieve the contents of the buffer that was saved 22 | * in the temporary file. 23 | * 24 | * @return The contents of the buffer that was saved in the temporary file. 25 | */ 26 | byte[] getBuffer(); 27 | 28 | /** 29 | * This method is used to permanently delete the temporary file when it is 30 | * no longer required. 31 | */ 32 | void delete(); 33 | } 34 | -------------------------------------------------------------------------------- /src/burp/ITextEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITextEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's raw 16 | * text editor, for the extension to use in its own UI. Extensions should call 17 | * IBurpExtenderCallbacks.createTextEditor() to obtain an instance 18 | * of this interface. 19 | */ 20 | public interface ITextEditor 21 | { 22 | /** 23 | * This method returns the UI component of the editor, for extensions to add 24 | * to their own UI. 25 | * 26 | * @return The UI component of the editor. 27 | */ 28 | Component getComponent(); 29 | 30 | /** 31 | * This method is used to control whether the editor is currently editable. 32 | * This status can be toggled on and off as required. 33 | * 34 | * @param editable Indicates whether the editor should be currently 35 | * editable. 36 | */ 37 | void setEditable(boolean editable); 38 | 39 | /** 40 | * This method is used to update the currently displayed text in the editor. 41 | * 42 | * @param text The text to be displayed. 43 | */ 44 | void setText(byte[] text); 45 | 46 | /** 47 | * This method is used to retrieve the currently displayed text. 48 | * 49 | * @return The currently displayed text. 50 | */ 51 | byte[] getText(); 52 | 53 | /** 54 | * This method is used to determine whether the user has modified the 55 | * contents of the editor. 56 | * 57 | * @return An indication of whether the user has modified the contents of 58 | * the editor since the last call to 59 | * setText(). 60 | */ 61 | boolean isTextModified(); 62 | 63 | /** 64 | * This method is used to obtain the currently selected text. 65 | * 66 | * @return The currently selected text, or 67 | * null if the user has not made any selection. 68 | */ 69 | byte[] getSelectedText(); 70 | 71 | /** 72 | * This method can be used to retrieve the bounds of the user's selection 73 | * into the displayed text, if applicable. 74 | * 75 | * @return An int[2] array containing the start and end offsets of the 76 | * user's selection within the displayed text. If the user has not made any 77 | * selection in the current message, both offsets indicate the position of 78 | * the caret within the editor. 79 | */ 80 | int[] getSelectionBounds(); 81 | 82 | /** 83 | * This method is used to update the search expression that is shown in the 84 | * search bar below the editor. The editor will automatically highlight any 85 | * regions of the displayed text that match the search expression. 86 | * 87 | * @param expression The search expression. 88 | */ 89 | void setSearchExpression(String expression); 90 | } 91 | --------------------------------------------------------------------------------