├── VERSION ├── test └── buby_test.rb ├── java ├── buby.jar └── src │ ├── burp │ ├── IMenuItemHandler.java │ ├── IScanQueueItem.java │ ├── IScanIssue.java │ ├── IHttpRequestResponse.java │ ├── IBurpExtender.java │ └── IBurpExtenderCallbacks.java │ └── BurpExtender.java ├── .gitignore ├── lib ├── buby │ ├── extends.rb │ └── extends │ │ ├── buby_array_wrapper.rb │ │ ├── scan_issue.rb │ │ └── http_request_response.rb └── buby.rb ├── samples ├── drb_sample_cli.rb ├── watch_scan.rb ├── verb_tamperer.rb ├── drb_buby.rb ├── menu_copy_req.rb ├── mechanize_burp.rb └── poc_generator.rb ├── Rakefile ├── buby.gemspec ├── History.txt ├── bin └── buby └── README.rdoc /VERSION: -------------------------------------------------------------------------------- 1 | 1.3.1 -------------------------------------------------------------------------------- /test/buby_test.rb: -------------------------------------------------------------------------------- 1 | require 'rubygems' 2 | require 'buby' 3 | -------------------------------------------------------------------------------- /java/buby.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/courts/buby/master/java/buby.jar -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.sw? 2 | .DS_Store 3 | coverage 4 | rdoc 5 | pkg 6 | *.gem 7 | *.class 8 | -------------------------------------------------------------------------------- /lib/buby/extends.rb: -------------------------------------------------------------------------------- 1 | 2 | require 'buby/extends/buby_array_wrapper' 3 | require 'buby/extends/http_request_response' 4 | require 'buby/extends/scan_issue' 5 | -------------------------------------------------------------------------------- /samples/drb_sample_cli.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # notice... we're using MRI ruby here, not JRuby (but either will work) 3 | 4 | require 'drb' 5 | 6 | unless drb_uri = ARGV.shift 7 | STDERR.puts "Usage: #{File.basename $0} druby://:" 8 | exit 1 9 | end 10 | 11 | drb = DRbObject.new nil, drb_uri 12 | rsp=drb.make_http_request 'example.com', 80, false, "GET / HTTP/1.0\r\n\r\n" 13 | 14 | puts rsp 15 | -------------------------------------------------------------------------------- /samples/watch_scan.rb: -------------------------------------------------------------------------------- 1 | 2 | module WatchScan 3 | def evt_http_message(tool_name, is_request, message_info) 4 | super(tool_name, is_request, message_info) 5 | if tool_name == 'scanner' 6 | if is_request 7 | puts "#"*70, "# REQUEST: #{message_info.url.toString}", "#"*70 8 | puts message_info.req_str 9 | puts 10 | else 11 | puts "#"*70, "# RESPONSE: #{message_info.url.toString}", "#"*70 12 | puts message_info.rsp_str 13 | puts 14 | end 15 | end 16 | end 17 | 18 | def init_WatchScan 19 | puts "WatchScan module initialized" 20 | end 21 | end 22 | -------------------------------------------------------------------------------- /samples/verb_tamperer.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env jruby 2 | require 'rubygems' 3 | require 'buby' 4 | 5 | module VerbTamperer 6 | def evt_proxy_message(*param) 7 | msg_ref, is_req, rhost, rport, is_https, http_meth, url, 8 | resourceType, status, req_content_type, message, action = param 9 | 10 | if is_req and http_meth == "GET" 11 | message[0,3] = "PET" 12 | action[0] = Buby::ACTION_DONT_INTERCEPT 13 | 14 | return super(*param).dup 15 | else 16 | return super(*param) 17 | end 18 | end 19 | end 20 | 21 | if __FILE__ == $0 22 | $burp = Buby.new() 23 | $burp.extend(VerbTamperer) 24 | $burp.start_burp() 25 | end 26 | -------------------------------------------------------------------------------- /samples/drb_buby.rb: -------------------------------------------------------------------------------- 1 | 2 | require 'rubygems' 3 | require 'buby' 4 | require 'drb' 5 | 6 | module DrbBuby 7 | attr_reader :drb_server 8 | 9 | def evt_register_callbacks(cb) 10 | super(cb) 11 | # cb.issueAlert("[DrbBuby] Service on: #{@drb_server.uri}") 12 | end 13 | 14 | def init_DrbBuby 15 | ## want to bind the DRb service on a specific socket? 16 | uri ='druby://127.0.0.1:9999' 17 | ## or let it choose one automatically: 18 | # uri = nil 19 | @drb_server = DRb.start_service uri, self 20 | puts "[DrbBuby] Service on: #{@drb_server.uri}" 21 | self.alert("[DrbBuby] Service on: #{@drb_server.uri}") 22 | end 23 | end 24 | 25 | if __FILE__ == $0 26 | $burp = Buby.new 27 | $burp.extend(DrbBuby) 28 | $burp.start_burp() 29 | $burp.init_DrbBuby 30 | end 31 | 32 | -------------------------------------------------------------------------------- /lib/buby/extends/buby_array_wrapper.rb: -------------------------------------------------------------------------------- 1 | 2 | class Buby 3 | class BubyArrayWrapper 4 | include Enumerable 5 | 6 | attr_reader :array_obj 7 | 8 | def initialize(obj) 9 | @array_obj = obj 10 | end 11 | 12 | def [](*args) 13 | if args.size == 1 and args.first.kind_of? Numeric 14 | self.array_obj[args[0]] 15 | else 16 | self.to_a(*args) 17 | end 18 | end 19 | 20 | def each 21 | self.array_obj.size.times do |idx| 22 | yield self.array_obj[idx] 23 | end 24 | end 25 | 26 | def size 27 | self.array_obj.size 28 | end 29 | alias length size 30 | 31 | def first 32 | return(self.array_obj[0]) if(self.size > 0) 33 | end 34 | 35 | def last 36 | return self.array_obj[self.size - 1] if(self.size > 0) 37 | end 38 | 39 | end 40 | 41 | end 42 | -------------------------------------------------------------------------------- /lib/buby/extends/scan_issue.rb: -------------------------------------------------------------------------------- 1 | require 'uri' 2 | 3 | class Buby 4 | 5 | class ScanIssuesList < BubyArrayWrapper 6 | def initialize(obj) 7 | ScanIssueHelper.implant(obj[0]) if obj.size > 0 8 | super(obj) 9 | end 10 | 11 | end 12 | 13 | module ScanIssueHelper 14 | # Returns a Ruby URI object derived from the java.net.URL object 15 | def uri 16 | @uri ||= URI.parse url.to_s if not url.nil? 17 | end 18 | 19 | # one-shot method to implant ourselves onto a target object's class 20 | # interface in ruby. All later instances will also get 'us' for free! 21 | def self.implant(base) 22 | return if @implanted 23 | base.class.instance_eval { include(ScanIssueHelper) } 24 | @implanted = true 25 | end 26 | 27 | def http_messages 28 | HttpRequestResponseList.new( self.getHttpMessages() ) 29 | end 30 | alias messages http_messages 31 | alias messages http_messages 32 | 33 | def self.implanted? ; @implanted; end 34 | end 35 | end 36 | 37 | -------------------------------------------------------------------------------- /samples/menu_copy_req.rb: -------------------------------------------------------------------------------- 1 | module CopyRequest 2 | def copyRequest(req) 3 | req = case 4 | when req.is_a?(Numeric) 5 | # offset to match UI 6 | self.proxy_history[req-1].req_str 7 | when req.kind_of?(String) 8 | req 9 | when (req.respond_to?(:java_class) and req.java_class.to_s == "[B") 10 | String.from_java_bytes(req) 11 | when req.respond_to?(:req_str) 12 | req.req_str 13 | else 14 | warn "unknown request type... ducking" 15 | req 16 | end 17 | 18 | java.awt.Toolkit.getDefaultToolkit.getSystemClipboard.setContents(java.awt.datatransfer.StringSelection.new(req), nil) 19 | req 20 | end 21 | alias copy_request copyRequest 22 | 23 | def init_CopyRequest 24 | CopyRequestHandler.init_handler("Copy request(s)", self) 25 | end 26 | end 27 | 28 | module CopyRequestHandler 29 | class << self 30 | attr_accessor :_burp 31 | attr_reader :menuItemCaption 32 | end 33 | 34 | def self.init_handler(menuItemCaption, _burp = $burp) 35 | @menuItemCaption = menuItemCaption 36 | @_burp = _burp 37 | @_burp.registerMenuItem(menuItemCaption, self) 38 | end 39 | 40 | def self.menuItemClicked(menuItemCaption, messageInfo) 41 | messageInfo = Buby::HttpRequestResponseList.new(messageInfo).map{|x| x.req_str}.join("\r\n\r\n#{'='*50}\r\n\r\n") 42 | java.awt.Toolkit.getDefaultToolkit.getSystemClipboard.setContents(java.awt.datatransfer.StringSelection.new(messageInfo), nil) 43 | end 44 | end 45 | -------------------------------------------------------------------------------- /java/src/burp/IMenuItemHandler.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMenuItemHandler.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite and Burp 9 | * Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | /** 14 | * This interface is used by implementations of the IBurpExtender 15 | * interface to provide to Burp Suite a handler for one or more custom menu 16 | * items, which appear on the various context menus that are used throughout 17 | * Burp Suite to handle user-driven actions. 18 | * 19 | * Extensions which need to add custom menu items to Burp should provide an 20 | * implementation of this interface, and use the registerMenuItem 21 | * method of IBurpExtenderCallbacks to register each custom menu 22 | * item. 23 | */ 24 | 25 | public interface IMenuItemHandler 26 | { 27 | /** 28 | * This method is invoked by Burp Suite when the user clicks on a custom 29 | * menu item which the extension has registered with Burp. 30 | * 31 | * @param menuItemCaption The caption of the menu item which was clicked. 32 | * This parameter enables extensions to provide a single implementation 33 | * which handles multiple different menu items. 34 | * @param messageInfo Details of the HTTP message(s) for which the context 35 | * menu was displayed. 36 | */ 37 | public void menuItemClicked( 38 | String menuItemCaption, 39 | IHttpRequestResponse[] messageInfo); 40 | } 41 | -------------------------------------------------------------------------------- /samples/mechanize_burp.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env jruby 2 | 3 | require 'rubygems' 4 | require 'buby' 5 | require 'mechanize' 6 | require 'rbkb/http' 7 | require 'irb' 8 | 9 | include Java 10 | 11 | # This Buby handler implementation simply keeps cookie state synched 12 | # for a Mechanize agent by intercepting all requests sent through the 13 | # Burp proxy. This lets you use Mechanize in tandem with your browser 14 | # through Burp without having to fuss around with cookies. 15 | module MechGlue 16 | attr_accessor :mech_agent 17 | 18 | def evt_proxy_message(*param) 19 | msg_ref, is_req, rhost, rport, is_https, http_meth, url, 20 | resourceType, status, req_content_type, message, action = param 21 | 22 | if (not is_req) and (message =~ /Set-Cookie/i) 23 | 24 | rsp = Rbkb::Http::Response.new(message, :ignore_content_length => true) 25 | 26 | # Get an uri object ready for mechanize 27 | uri = URI.parse(url) 28 | uri.scheme = (is_https)? "https" : "http" 29 | uri.host = rhost 30 | uri.port = rport 31 | 32 | # Grab cookies from headers: 33 | rsp.headers.get_header_value('Set-Cookie').each do |cookie| 34 | WWW::Mechanize::Cookie.parse(uri, cookie) do |c| 35 | @mech_agent.cookie_jar.add(uri, c) 36 | end 37 | end 38 | end 39 | return(message) 40 | end 41 | end 42 | 43 | 44 | if __FILE__ == $0 45 | $mech = WWW::Mechanize.new 46 | #$mech.set_proxy('localhost', '8080') 47 | 48 | $burp = Buby.new() 49 | $burp.extend(MechGlue) 50 | $burp.mech_agent = $mech 51 | $burp.start_burp 52 | 53 | puts "$burp is set to #{$burp.class}" 54 | puts "$mech is set to #{$mech.class}" 55 | IRB.start 56 | end 57 | 58 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require 'rubygems' 2 | require 'rake' 3 | require 'rake/clean' 4 | 5 | begin 6 | require 'jeweler' 7 | Jeweler::Tasks.new do |gem| 8 | gem.name = "buby" 9 | gem.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger} 10 | gem.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger. Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API. This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.} 11 | gem.email = "emonti@matasano.com, td@matasano.com" 12 | gem.homepage = "http://tduehr.github.com/buby" 13 | gem.authors = ["Eric Monti, tduehr"] 14 | gem.platform = "java" 15 | gem.test_files = ["test/buby_test.rb"] 16 | gem.require_paths << 'java' 17 | gem.rdoc_options = ["--main", "README.rdoc"] 18 | gem.extra_rdoc_files = ["History.txt", "README.rdoc", "bin/buby"] 19 | end 20 | Jeweler::GemcutterTasks.new 21 | rescue LoadError 22 | puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler" 23 | end 24 | 25 | require 'rake/testtask' 26 | Rake::TestTask.new(:test) do |test| 27 | test.libs << 'lib' << 'test' << 'java' 28 | test.pattern = 'test/**/*_test.rb' 29 | test.verbose = true 30 | end 31 | 32 | task :test => :check_dependencies 33 | 34 | task :default => :test 35 | 36 | require 'rake/rdoctask' 37 | Rake::RDocTask.new do |rdoc| 38 | if File.exist?('VERSION') 39 | version = File.read('VERSION') 40 | else 41 | version = "" 42 | end 43 | 44 | rdoc.rdoc_dir = 'rdoc' 45 | rdoc.title = "buby #{version}" 46 | rdoc.rdoc_files.include('README*') 47 | rdoc.rdoc_files.include('History.txt') 48 | rdoc.rdoc_files.include('bin/buby') 49 | rdoc.rdoc_files.include('lib/**/*.rb') 50 | end 51 | 52 | -------------------------------------------------------------------------------- /buby.gemspec: -------------------------------------------------------------------------------- 1 | # Generated by jeweler 2 | # DO NOT EDIT THIS FILE DIRECTLY 3 | # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec' 4 | # -*- encoding: utf-8 -*- 5 | 6 | Gem::Specification.new do |s| 7 | s.name = %q{buby} 8 | s.version = "1.3.1" 9 | s.platform = %q{java} 10 | 11 | s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= 12 | s.authors = [%q{Eric Monti, tduehr}] 13 | s.date = %q{2011-12-05} 14 | s.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger. Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API. This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.} 15 | s.email = %q{emonti@matasano.com, td@matasano.com} 16 | s.executables = [%q{buby}] 17 | s.extra_rdoc_files = [ 18 | "History.txt", 19 | "README.rdoc", 20 | "bin/buby" 21 | ] 22 | s.files = [ 23 | "History.txt", 24 | "README.rdoc", 25 | "Rakefile", 26 | "VERSION", 27 | "bin/buby", 28 | "buby.gemspec", 29 | "java/buby.jar", 30 | "java/src/BurpExtender.java", 31 | "java/src/burp/IBurpExtender.java", 32 | "java/src/burp/IBurpExtenderCallbacks.java", 33 | "java/src/burp/IHttpRequestResponse.java", 34 | "java/src/burp/IMenuItemHandler.java", 35 | "java/src/burp/IScanIssue.java", 36 | "java/src/burp/IScanQueueItem.java", 37 | "lib/buby.rb", 38 | "lib/buby/extends.rb", 39 | "lib/buby/extends/buby_array_wrapper.rb", 40 | "lib/buby/extends/http_request_response.rb", 41 | "lib/buby/extends/scan_issue.rb", 42 | "samples/drb_buby.rb", 43 | "samples/drb_sample_cli.rb", 44 | "samples/mechanize_burp.rb", 45 | "samples/menu_copy_req.rb", 46 | "samples/poc_generator.rb", 47 | "samples/verb_tamperer.rb", 48 | "samples/watch_scan.rb", 49 | "test/buby_test.rb" 50 | ] 51 | s.homepage = %q{http://tduehr.github.com/buby} 52 | s.rdoc_options = [%q{--main}, %q{README.rdoc}] 53 | s.require_paths = [%q{lib}, %q{java}, %q{java}] 54 | s.rubygems_version = %q{1.8.6} 55 | s.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger} 56 | s.test_files = [%q{test/buby_test.rb}] 57 | 58 | if s.respond_to? :specification_version then 59 | s.specification_version = 3 60 | 61 | if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then 62 | else 63 | end 64 | else 65 | end 66 | end 67 | 68 | -------------------------------------------------------------------------------- /java/src/burp/IScanQueueItem.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanQueueItem.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite and Burp 9 | * Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | /** 14 | * This interface is used to allow extensions to access details of items in the 15 | * Burp Scanner active scan queue. 16 | */ 17 | 18 | public interface IScanQueueItem 19 | { 20 | /** 21 | * Returns a description of the status of the scan queue item. 22 | * 23 | * @return A description of the status of the scan queue item. 24 | */ 25 | String getStatus(); 26 | 27 | /** 28 | * Returns an indication of the percentage completed for the scan queue item. 29 | * 30 | * @return An indication of the percentage completed for the scan queue item. 31 | */ 32 | byte getPercentageComplete(); 33 | 34 | /** 35 | * Returns the number of requests that have been made for the scan queue item. 36 | * 37 | * @return The number of requests that have been made for the scan queue item. 38 | */ 39 | int getNumRequests(); 40 | 41 | /** 42 | * Returns the number of network errors that have occurred for the scan 43 | * queue item. 44 | * 45 | * @return The number of network errors that have occurred for the scan 46 | * queue item. 47 | */ 48 | int getNumErrors(); 49 | 50 | /** 51 | * Returns the number of attack insertion points being used for the scan 52 | * queue item. 53 | * 54 | * @return The number of attack insertion points being used for the scan 55 | * queue item. 56 | */ 57 | int getNumInsertionPoints(); 58 | 59 | /** 60 | * This method allows the scan queue item to be cancelled. 61 | */ 62 | void cancel(); 63 | 64 | /** 65 | * This method returns details of the issues generated for the scan queue item. 66 | * 67 | * Note that different items within the scan queue may contain duplicated 68 | * versions of the same issues - for example, if the same request has been 69 | * scanned multiple times. Duplicated issues are consolidated in the main view 70 | * of scan results. You can implementIBurpExtender.newScanIssue to get details 71 | * only of unique, newly discovered scan issues post-consolidation. 72 | * 73 | * @return Details of the issues generated for the scan queue item. 74 | */ 75 | IScanIssue[] getIssues(); 76 | } 77 | -------------------------------------------------------------------------------- /History.txt: -------------------------------------------------------------------------------- 1 | == 1.2.1 / 2011-01-27 2 | * Fixed burp -v to print version... somewhat 3 | 4 | == 1.2.0 / 2010-08-29 5 | * added menu item support from 1.3 6 | * added some additional processing constants from 1.3 7 | 8 | == 1.1.7 / 2009-12-29 9 | * fix evt_proxy_message_raw bridge to modify proxy messages (broken in 1.1.6) 10 | * switched from bones to jeweler for project mgmt 11 | 12 | == 1.1.6 / 2009-11-19 13 | * fix 14 | * poc_generator.rb example fixed to properly parse port in Host header 15 | * fix evt_proxy_message bridge to deal correctly with binary content data 16 | 17 | == 1.1.5 / 2009-10-15 18 | * enhancements 19 | * added support for exitSuite in burp v 1.2.17+ 20 | * added samples/poc_generator.rb 21 | 22 | == 1.1.4.1 / 2009-09-22 23 | * fix 24 | * Buby.harvest_cookies_from_history() was broken. 25 | It now implements select() block semantics and always returns an array. 26 | 27 | == 1.1.4 / 2009-09-14 28 | * enhancements 29 | * buby got implants! (har har) 30 | * Ruby wrapper classes added for proxy_history, site_map, and scan_issues 31 | * Extensions module for IHttpRequestResponse burp's class implementation 32 | * Extensions module for IScanIssue burp's class implementation 33 | * Added -s/--state, -r/--require, -e/--extend to buby cmd-line executable 34 | * Added -v/--version buby cmd-line flag 35 | * Modified samples for use as modules with -r/-e as well as run standalone 36 | * Added drb client and server sample 37 | 38 | == 1.1.3.1 / 2009-09-09 39 | * fix 40 | * fixed a typo in the String type-check for Buby.getParameters() 41 | 42 | == 1.1.3 / 2009-08-25 43 | * 1 enhancement 44 | * new convenience methods added for iterating and searching through 45 | proxy history, scan history, etc. 46 | * 1 fix 47 | * The gem now includes a buby.jar which should be usable with Java 1.5+ 48 | (previously the jar had been compiled only for Java 1.6) 49 | 50 | == 1.1.2 / 2009-08-20 51 | * 1 enhancement 52 | * Support added for the new getScanIssues extender method exposed in v1.2.15 53 | See http://releases.portswigger.net/2009/08/v1215.html 54 | 55 | == 1.1.1 / 2009-06-24 56 | * Fix 57 | * fixed getSiteMap callback front-end so that it takes the urlprefix argument 58 | 59 | == 1.1.0 / 2009-06-18 60 | * 1 major enhancement 61 | * Support added for the new Burp API features added in Burp 1.2.09. 62 | See http://releases.portswigger.net/2009/05/v1209.html 63 | * 1 minor enhancement 64 | * buby command-line tool exposes arguments for debugging and IRB 65 | 66 | == 1.0.2 / 2009-06-02 67 | * Enhancements 68 | * Added a sample illustrating synching cookies with Mechanize 69 | 70 | == 1.0.1 / 2009-05-10 71 | * Enhancements 72 | * Added some sugar to make swapping Burp event handlers easier. 73 | * Fixed documentation errors 74 | 75 | == 1.0.0 / 2009-05-08 76 | 77 | * 1 major enhancement 78 | * Birthday! 79 | -------------------------------------------------------------------------------- /lib/buby/extends/http_request_response.rb: -------------------------------------------------------------------------------- 1 | require 'uri' 2 | 3 | class Buby 4 | 5 | class HttpRequestResponseList < BubyArrayWrapper 6 | def initialize(obj) 7 | HttpRequestResponseHelper.implant(obj[0]) if obj.size > 0 8 | super(obj) 9 | end 10 | 11 | end 12 | 13 | 14 | module HttpRequestResponseHelper 15 | 16 | # returns the response as a Ruby String object - returns an empty string 17 | # if response is nil. 18 | def response_str 19 | return response().nil? ? "" : ::String.from_java_bytes(response()) 20 | end 21 | alias response_string response_str 22 | alias rsp_str response_str 23 | 24 | 25 | # returns an array of response headers split into header name and value. 26 | # For example: 27 | # [ 28 | # ["HTTP/1.1 301 Moved Permanently"], 29 | # ["Server", "Apache/1.3.41 ..."], 30 | # ... 31 | # ] 32 | def response_headers 33 | if headers=(@rsp_split ||= rsp_str.split(/\r?\n\r?\n/, 2))[0] 34 | @rsp_headers ||= headers.split(/\r?\n/).map {|h| h.split(/\s*:\s*/,2)} 35 | end 36 | end 37 | alias rsp_headers response_headers 38 | 39 | # Returns the message body of the response, minus headers 40 | def response_body 41 | (@rsp_split ||= rsp_str.split(/\r?\n\r?\n/, 2))[1] 42 | end 43 | alias rsp_body response_body 44 | 45 | 46 | # Returns the full request as a Ruby String - returns an empty string if 47 | # request is nil. 48 | def request_str 49 | return request().nil? ? "" : ::String.from_java_bytes(request()) 50 | end 51 | alias request_string request_str 52 | alias req_str request_str 53 | 54 | 55 | # Returns a split array of headers. Example: 56 | # [ 57 | # ["GET / HTTP/1.1"], 58 | # ["Host", "www.example.org"], 59 | # ["User-Agent", "Mozilla/5.0 (..."], 60 | # ... 61 | # ] 62 | def request_headers 63 | if headers=(@req_split ||= req_str.split(/\r?\n\r?\n/, 2))[0] 64 | @req_headers ||= headers.split(/\r?\n/).map {|h| h.split(/\s*:\s*/,2)} 65 | end 66 | end 67 | alias req_headers request_headers 68 | 69 | 70 | # Returns the request message body or an empty string if there is none. 71 | def request_body 72 | (@req_split ||= req_str.split(/\r?\n\r?\n/, 2))[1] 73 | end 74 | alias req_body request_body 75 | 76 | 77 | # Returns a Ruby URI object derived from the java.net.URL object 78 | def uri 79 | @uri ||= URI.parse url.to_s if not url.nil? 80 | end 81 | 82 | 83 | # one-shot method to implant ourselves onto a target object's class 84 | # interface in ruby. All later instances will also get 'us' for free! 85 | def self.implant(base) 86 | return if @implanted 87 | base.class.instance_eval { include(HttpRequestResponseHelper) } 88 | @implanted = true 89 | end 90 | 91 | 92 | def self.implanted? ; @implanted; end 93 | end 94 | 95 | end 96 | -------------------------------------------------------------------------------- /bin/buby: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env jruby 2 | 3 | require File.expand_path(File.join(File.dirname(__FILE__), %w[.. lib buby])) 4 | require 'irb' 5 | require 'optparse' 6 | 7 | args = {} 8 | 9 | begin 10 | opts = OptionParser.new do |o| 11 | o.banner = "Usage: #{File.basename $0} [options]" 12 | 13 | o.on_tail("-h", "--help", "Show this help message") do 14 | raise opts.to_s 15 | end 16 | 17 | o.on("-i", "--interactive", "Start IRB") { args[:irb] = true } 18 | 19 | o.on("-d", "--debug", "Debug info") { args[:debug] = true } 20 | 21 | o.on("-B", "--load-burp=PATH", "Load Burp Jar from PATH") do |b| 22 | args[:load_burp] = b 23 | end 24 | 25 | o.on('-s', '--state=FILE', "Restore burp state file on startup") do |r| 26 | args[:restore] = r 27 | end 28 | 29 | o.on('-r', '--require=LIB', 30 | 'load a ruby lib (or jar) after Burp loads') do |i| 31 | (args[:requires] ||= []).push(i) 32 | end 33 | 34 | o.on('-e', '--extend=MOD', 35 | 'Extend Buby with a module (loaded via -r?)') do |m| 36 | (args[:extensions] ||= []).push(m) 37 | end 38 | 39 | o.on('-v', '--version', 'Prints version and exits.') do 40 | puts "#{File.basename $0} v#{Buby::VERSION}" 41 | exit 0 42 | end 43 | end 44 | 45 | opts.parse!(ARGV) 46 | 47 | if jar=args[:load_burp] 48 | raise "Load Burp Error: #{jar} did not provide burp.StartBurp" unless Buby.load_burp(jar) 49 | end 50 | 51 | raise "Load Burp Error: Specify a path to your burp.jar with -B" unless Buby.burp_loaded? 52 | 53 | rescue 54 | STDERR.puts $! 55 | exit 1 56 | end 57 | 58 | $DEBUG=true if args[:debug] 59 | 60 | $burp = Buby.start_burp() 61 | 62 | if libs=args[:requires] 63 | libs.each {|lib| STDERR.puts "Loading: #{lib.inspect}"; require(lib)} 64 | end 65 | 66 | def resolve_const(str) 67 | raise "can't resolve empty name #{str.inspect}" if str.empty? 68 | names = str.split('::') 69 | obj = ::Object 70 | names.each do |name| 71 | raise "#{name.inspect} is not defined" unless obj.const_defined?(name) 72 | obj = obj.const_get(name) 73 | end 74 | return obj if obj != ::Object 75 | end 76 | 77 | if mods=args[:extensions] 78 | mods.each do |mod| 79 | obj = resolve_const(mod) 80 | raise "#{obj.name} is not a module" unless obj.kind_of? Module 81 | STDERR.puts "Extending $burp with: #{obj.name}" 82 | $burp.extend(obj) 83 | if $burp.respond_to?(imeth=:"init_#{mod.split('::').last}") 84 | $burp.__send__ imeth 85 | end 86 | end 87 | end 88 | 89 | if f=args[:restore] 90 | raise "no such file #{f.inspect}" unless File.exists?(f) 91 | STDERR.puts "Restoring burp state from: #{f.inspect}" 92 | $burp.restore_state(f) 93 | end 94 | 95 | if args[:irb] 96 | # yucky hack... 97 | IRB.setup(nil) 98 | IRB.conf[:IRB_NAME] = File.basename($0, ".rb") 99 | module IRB 100 | class < 98 | 99 | 100 | 113 | 114 | 115 | } 116 | 117 | return ret 118 | end 119 | 120 | def init_CsrfPocGenerator 121 | # nop 122 | end 123 | end 124 | 125 | -------------------------------------------------------------------------------- /java/src/burp/IHttpRequestResponse.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponse.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite and Burp 9 | * Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | /** 14 | * This interface is used to allow extensions to access details of HTTP messages 15 | * that are processed within Burp. 16 | * 17 | * Note that the setter methods generally can only be used before the message 18 | * has been forwarded to the application (e.g. using 19 | * IBurpExtender.processHttpMessage()) and not in read-only contexts (e.g. using 20 | * IBurpExtender.getProxyHistory()). Conversely, the getter methods relating to 21 | * response details can only be used after the message has been forwarded to the 22 | * application. 23 | */ 24 | 25 | public interface IHttpRequestResponse 26 | { 27 | /** 28 | * Returns the name of the application host. 29 | * 30 | * @return The name of the application host. 31 | */ 32 | String getHost(); 33 | 34 | /** 35 | * Returns the port number used by the application. 36 | * 37 | * @return The port number used by the application. 38 | */ 39 | int getPort(); 40 | 41 | /** 42 | * Returns the protocol used by the application. 43 | * 44 | * @return The protocol used by the application. 45 | */ 46 | String getProtocol(); 47 | 48 | /** 49 | * Sets the name of the application host to which the request should 50 | * be sent. 51 | * 52 | * @param host The name of the application host to which the request should 53 | * be sent. 54 | * @throws java.lang.Exception 55 | */ 56 | void setHost(String host) throws Exception; 57 | 58 | /** 59 | * Sets the port number to which the request should be sent. 60 | * 61 | * @param port The port number to which the request should be sent. 62 | * @throws java.lang.Exception 63 | */ 64 | void setPort(int port) throws Exception; 65 | 66 | /** 67 | * Sets the protocol which should be used by the request. 68 | * 69 | * @param protocol The protocol which should be used by the request. Valid 70 | * values are "http" and "https". 71 | * @throws java.lang.Exception 72 | */ 73 | void setProtocol(String protocol) throws Exception; 74 | 75 | /** 76 | * Returns the full request contents. 77 | * 78 | * @return The full request contents. 79 | * @throws java.lang.Exception 80 | */ 81 | byte[] getRequest() throws Exception; 82 | 83 | /** 84 | * Returns the URL within the request. 85 | * 86 | * @return The URL within the request. 87 | * @throws java.lang.Exception 88 | */ 89 | java.net.URL getUrl() throws Exception; 90 | 91 | /** 92 | * Sets the request contents which should be sent to the application. 93 | * 94 | * @param message The request contents which should be sent to the 95 | * application. 96 | * @throws java.lang.Exception 97 | */ 98 | void setRequest(byte[] message) throws Exception; 99 | 100 | /** 101 | * Returns the full response contents. 102 | * 103 | * @return The full response contents. 104 | * @throws java.lang.Exception 105 | */ 106 | byte[] getResponse() throws Exception; 107 | 108 | /** 109 | * Sets the response contents which should be processed by the 110 | * invoking Burp tool. 111 | * 112 | * @param message The response contents which should be processed by the 113 | * invoking Burp tool. 114 | * @throws java.lang.Exception 115 | */ 116 | void setResponse(byte[] message) throws Exception; 117 | 118 | /** 119 | * Returns the HTTP status code contained within the response. 120 | * 121 | * @return The HTTP status code contained within the response. 122 | * @throws java.lang.Exception 123 | */ 124 | short getStatusCode() throws Exception; 125 | 126 | /** 127 | * Returns the user-annotated comment for this item, if applicable. 128 | * 129 | * @return The user-annotated comment for this item, or null if none is set. 130 | */ 131 | String getComment() throws Exception; 132 | 133 | /** 134 | * Sets the user-annotated comment for this item. 135 | * 136 | * @param comment The comment to be associated with this item. 137 | * @throws Exception 138 | */ 139 | void setComment(String comment) throws Exception; 140 | 141 | /** 142 | * Returns the user-annotated highlight for this item, if applicable. 143 | * 144 | * @return The highlight color for this item, or null if none is set. 145 | */ 146 | String getHighlight() throws Exception; 147 | 148 | /** 149 | * Sets the user-annotated highlight for this item. 150 | * 151 | * @param color The highlight color to be assigned to this item. Accepted 152 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray. 153 | * @throws Exception 154 | */ 155 | void setHighlight(String color) throws Exception; 156 | } 157 | -------------------------------------------------------------------------------- /java/src/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite and Burp 9 | * Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | /** 14 | * This interface allows third-party code to extend Burp Suite's functionality. 15 | * 16 | * Implementations must be called BurpExtender, in the package burp, 17 | * must be declared public, and must provide a default (public, no-argument) 18 | * constructor. On startup, Burp Suite searches its classpath for the class 19 | * burp.BurpExtender, and attempts to dynamically load and instantiate this 20 | * class. The IBurpExtender methods implemented will then be 21 | * dynamically invoked as appropriate.

22 | * 23 | * Partial implementations are acceptable. The class will be used provided at 24 | * least one of the interface's methods is implemented.

25 | * 26 | * To make use of the interface, create a class called BurpExtender, in the 27 | * package burp, which implements one or more methods of the interface, and 28 | * place this into the application's classpath at startup. For example, if 29 | * Burp Suite is loaded from burp.jar, and BurpProxyExtender.jar contains the 30 | * class burp.BurpExtender, use the following command to launch Burp Suite and 31 | * load the IBurpExtender implementation:

32 | * 33 | *

    java -classpath burp.jar;BurpProxyExtender.jar burp.StartBurp

34 | * 35 | * (On Linux-based platforms, use a colon character instead of the semi-colon 36 | * as the classpath separator.) 37 | */ 38 | 39 | public interface IBurpExtender 40 | { 41 | /** 42 | * This method is invoked immediately after the implementation's constructor 43 | * to pass any command-line arguments that were passed to Burp Suite on 44 | * startup. It allows implementations to control aspects of their behaviour 45 | * at runtime by defining their own command-line arguments. 46 | * 47 | * @param args The command-line arguments passed to Burp Suite on startup. 48 | */ 49 | public void setCommandLineArgs(String[] args); 50 | 51 | /** 52 | * This method is invoked by Burp Proxy whenever a client request or server 53 | * response is received. It allows implementations to perform logging 54 | * functions, modify the message, specify an action (intercept, drop, etc.) 55 | * and perform any other arbitrary processing. 56 | * 57 | * @param messageReference An identifier which is unique to a single 58 | * request/response pair. This can be used to correlate details of requests 59 | * and responses and perform processing on the response message accordingly. 60 | * @param messageIsRequest Flags whether the message is a client request or 61 | * a server response. 62 | * @param remoteHost The hostname of the remote HTTP server. 63 | * @param remotePort The port of the remote HTTP server. 64 | * @param serviceIsHttps Flags whether the protocol is HTTPS or HTTP. 65 | * @param httpMethod The method verb used in the client request. 66 | * @param url The requested URL. 67 | * @param resourceType The filetype of the requested resource, or a 68 | * zero-length string if the resource has no filetype. 69 | * @param statusCode The HTTP status code returned by the server. This value 70 | * is null for request messages. 71 | * @param responseContentType The content-type string returned by the 72 | * server. This value is null for request messages. 73 | * @param message The full HTTP message. 74 | * @param action An array containing a single integer, allowing the 75 | * implementation to communicate back to Burp Proxy a non-default 76 | * interception action for the message. The default value is 77 | * ACTION_FOLLOW_RULES. Set action[0] to one of 78 | * the other possible values to perform a different action. 79 | * @return Implementations should return either (a) the same object received 80 | * in the message paramater, or (b) a different object 81 | * containing a modified message. 82 | */ 83 | public byte[] processProxyMessage( 84 | int messageReference, 85 | boolean messageIsRequest, 86 | String remoteHost, 87 | int remotePort, 88 | boolean serviceIsHttps, 89 | String httpMethod, 90 | String url, 91 | String resourceType, 92 | String statusCode, 93 | String responseContentType, 94 | byte[] message, 95 | int[] action); 96 | 97 | /** 98 | * Causes Burp Proxy to follow the current interception rules to determine 99 | * the appropriate action to take for the message. 100 | */ 101 | public final static int ACTION_FOLLOW_RULES = 0; 102 | /** 103 | * Causes Burp Proxy to present the message to the user for manual 104 | * review or modification. 105 | */ 106 | public final static int ACTION_DO_INTERCEPT = 1; 107 | /** 108 | * Causes Burp Proxy to forward the message to the remote server or client. 109 | */ 110 | public final static int ACTION_DONT_INTERCEPT = 2; 111 | /** 112 | * Causes Burp Proxy to drop the message and close the client connection. 113 | */ 114 | public final static int ACTION_DROP = 3; 115 | /** 116 | * Causes Burp Proxy to follow the current interception rules to determine 117 | * the appropriate action to take for the message, and then make a second 118 | * call to processProxyMessage. 119 | */ 120 | public final static int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 121 | /** 122 | * Causes Burp Proxy to present the message to the user for manual 123 | * review or modification, and then make a second call to 124 | * processProxyMessage. 125 | */ 126 | public final static int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 127 | /** 128 | * Causes Burp Proxy to skip user interception, and then make a second call 129 | * to processProxyMessage. 130 | */ 131 | public final static int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 132 | 133 | /** 134 | * This method is invoked on startup. It registers an instance of the 135 | * IBurpExtenderCallbacks interface, providing methods that 136 | * may be invoked by the implementation to perform various actions. 137 | * 138 | * The call to registerExtenderCallbacks need not return, and 139 | * implementations may use the invoking thread for any purpose.

140 | * 141 | * @param callbacks An implementation of the 142 | * IBurpExtenderCallbacks interface. 143 | */ 144 | public void registerExtenderCallbacks(burp.IBurpExtenderCallbacks callbacks); 145 | 146 | /** 147 | * This method is invoked immediately before Burp Suite exits. 148 | * It allows implementations to carry out any clean-up actions necessary 149 | * (e.g. flushing log files or closing database resources). 150 | */ 151 | public void applicationClosing(); 152 | 153 | /** 154 | * This method is invoked whenever any of Burp's tools makes an HTTP request 155 | * or receives a response. It allows extensions to intercept and modify the 156 | * HTTP traffic of all Burp tools. For each request, the method is invoked 157 | * after the request has been fully processed by the invoking tool and is 158 | * about to be made on the network. For each response, the method is invoked 159 | * after the response has been received from the network and before any 160 | * processing is performed by the invoking tool. 161 | * 162 | * @param toolName The name of the Burp tool which is making the request. 163 | * @param messageIsRequest Indicates whether the message is a request or 164 | * response. 165 | * @param messageInfo Details of the HTTP message. 166 | */ 167 | public void processHttpMessage( 168 | String toolName, 169 | boolean messageIsRequest, 170 | IHttpRequestResponse messageInfo); 171 | 172 | /** 173 | * This method is invoked whenever Burp Scanner discovers a new, unique 174 | * issue, and can be used to perform customised reporting or logging of issues. 175 | * 176 | * @param issue Details of the new scan issue. 177 | */ 178 | public void newScanIssue(IScanIssue issue); 179 | 180 | } 181 | -------------------------------------------------------------------------------- /README.rdoc: -------------------------------------------------------------------------------- 1 | buby 2 | by Eric Monti, Timur Duehr 3 | http://tduehr.github.com/buby 4 | 5 | == DESCRIPTION: 6 | 7 | Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger. Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API. This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface. 8 | 9 | == FEATURES/PROBLEMS: 10 | 11 | * Intercept and log proxied requests and responses via Burp into Ruby and 12 | perform arbitrary processing on them. 13 | 14 | * Modify requests and responses in-line using Ruby scripts. 15 | 16 | * Pass requests and other information from JRuby to various sub-interfaces in 17 | Burp 18 | 19 | * Use the Burp framework for active and passive scanning using arbitrary 20 | requests and responses. 21 | 22 | * Use the Burp framework for making arbitrary HTTP requests 23 | 24 | 25 | Buby is implemented using an abstract Ruby event handler and interface class. The Buby Ruby class is back-ended with a minimal BurpExtender class implemented in Java. The java code is required to conform to nuances in the Burp extension interface and while it's in the pure Java runtime, it acts as 'glue' where deemed appropriate, but otherwise tries to stay out of the way. 26 | 27 | The java BurpExtender included with Buby is an implementation of IBurpExtender which is the interface API supplied by PortSwigger for writing extensions to Burp Suite. It mostly acts as a method proxy between Ruby and Java, doing very little except event handler proxying between the java and ruby runtimes with run-time type conversion as needed. 28 | 29 | 30 | == REQUIREMENTS: 31 | 32 | * JRuby - http://jruby.org 33 | Burp is Java based and the extension is developed specifically around JRuby. 34 | The C version of ruby will not work. 35 | 36 | * Burp (pro or free version): Buby is useless without a copy of Burp. 37 | Buby has been tested successfully with Burp 1.2.x. 38 | 39 | 40 | == BUILD/INSTALL: 41 | 42 | === Gem 43 | You should be able to get up and running with just the gem and a copy of Burp. 44 | I've packaged up a pre-built buby.jar file containing the required classes 45 | minus ofcourse, Burp itself. 46 | 47 | (sudo)? jruby -S gem install buby --source=http://gemcutter.org 48 | 49 | * IMPORTANT: The buby gem doesn't include a copy of Burp! See manual step #5 50 | below. For best results, you'll still want to make your burp.jar available 51 | in the ruby runtime library path. 52 | 53 | 54 | === Manual 55 | Here are manual instructions if you want or need to build things yourself: 56 | 57 | ==== Step 1. Download buby from github 58 | git clone git://github.com/tduehr/buby.git 59 | 60 | ==== Step 2. Compile BurpExtender.java. Include jruby.jar in the classpath: 61 | 62 | cd buby/java/src 63 | javac -classpath (.../jruby/root)/lib/jruby.jar:. BurpExtender.java 64 | 65 | ==== Step 3. Create a new java/buby.jar 66 | 67 | jar cvf ../buby.jar . 68 | 69 | ==== Step 4. Build a local gem and install it 70 | 71 | cd ../../ 72 | jruby -S gem build buby.gemspec 73 | jruby -S gem install --local buby-*.gem 74 | 75 | ==== Step 5. 76 | 77 | The last part is a bit tricky. Burp Suite itself is obviously not included 78 | with buby. You'll want to somehow put your 'burp.jar' in a place where it 79 | is visible in the JRuby RUBY-LIB paths. There are a few other ways of pulling 80 | in Burp during runtime, but this method probably involves the least amount of 81 | hassle in the long run. 82 | 83 | JRuby usually gives you a 'java' lib directory for this kind of thing. Here's 84 | a quick way to see jruby's runtime lib-path: 85 | 86 | jruby -e 'puts $:' 87 | 88 | There is usually a '.../jruby/lib/1.8/java' directory reference in there, 89 | though the actual directory may need to be created. 90 | 91 | Here's how I do it. I have my jruby installation under my home directory. 92 | Your configuration details can be substituted below. 93 | 94 | mkdir ~/jruby-1.1.5/lib/ruby/1.8/java 95 | ln -s ~/tools/burp.jar ~/jruby-1.1.5/lib/ruby/1.8/java/burp.jar 96 | 97 | Now everything should be ready to go. Try at least the first few parts of the 98 | test below to confirm everything is set up. 99 | 100 | == TEST AND USAGE EXAMPLE: 101 | 102 | The gem includes a command-line executable called 'buby'. You can use this to 103 | test your Buby set-up and try out a few features. 104 | 105 | $ buby -h 106 | Usage: buby [options] 107 | -i, --interactive Start IRB 108 | -d, --debug Debug info 109 | -B, --load-burp=PATH Load Burp Jar from PATH 110 | -s, --state=FILE Restore burp state file on startup 111 | -r, --require=LIB load a ruby lib (or jar) after Burp loads 112 | -e, --extend=MOD Extend Buby with a module (loaded via -r?) 113 | -h, --help Show this help message 114 | 115 | $ buby -i -d 116 | [:got_extender, #] 117 | Global $burp is set to # 118 | [:got_callbacks, #<#:0x90 ...>] 119 | irb(main):001:0> 120 | 121 | 122 | Once Burp is running, click on the alerts tab. 123 | 124 | You should see now something like the following in alerts: 125 | 126 | 2:46:01 PM suite method BurpExtender.processProxyMessage() found 127 | 2:46:01 PM suite method BurpExtender.registerExtenderCallbacks() found 128 | 2:46:01 PM suite method BurpExtender.setCommandLineArgs() found 129 | 2:46:01 PM suite method BurpExtender.applicationClosing() found 130 | 2:46:01 PM proxy proxy service started on port 8080 131 | 2:46:01 PM suite [BurpExtender] registering JRuby handler callbacks 132 | 2:46:01 PM suite [JRuby::Buby] registered callback 133 | 134 | Here are some simple test examples using Buby through the IRB shell: 135 | 136 | To confirm you are connected back to Burp in IRB, you can try writing to the 137 | alerts panel with something like the following: 138 | 139 | $burp.alert("hello Burp!") 140 | 141 | Which should produce a new alert: 142 | 143 | 2:47:00 PM suite hello Burp! 144 | 145 | 146 | Next, try making an HTTP request through the proxy. We'll use Net:HTTP right 147 | in IRB for illustration purposes. However, you can just as easily perform this 148 | test through a browser configured to use Burp as its proxy. 149 | 150 | require 'net/http' 151 | p = Net::HTTP::Proxy("localhost", 8080).start("www.example.com") 152 | p.get("/") 153 | 154 | 155 | With $DEBUG = true, you should see the debugging output from Ruby as the proxy 156 | passes your request back to your HTTP client/browser. 157 | 158 | It will look something like the following in IRB: 159 | 160 | >> p.get("/") 161 | [:got_proxy_request, 162 | [:msg_ref, 1], 163 | [:is_req, true], 164 | [:rhost, "www.example.com"], 165 | [:rport, 80], 166 | [:is_https, false], 167 | [:http_meth, "GET"], 168 | [:url, "/"], 169 | [:resourceType, nil], 170 | [:status, nil], 171 | [:req_content_type, nil], 172 | [:message, "GET / HTTP/1.1\r\nAccept:..."], 173 | [:action, 0]] 174 | 175 | You may also see the response right away depending on your intercept settings 176 | in Burp. Back the in Burp proxy's intercept window, turn off interception if 177 | it hasn't already been disabled. Now you should definitely see the response 178 | in IRB as it passes back through the Burp proxy. 179 | 180 | [:got_proxy_response, 181 | [:msg_ref, 1], 182 | [:is_req, false], 183 | [:rhost, "www.example.com"], 184 | [:rport, 80], 185 | [:is_https, false], 186 | [:http_meth, "GET"], 187 | [:url, "/"], 188 | [:resourceType, nil], 189 | [:status, "200"], 190 | [:req_content_type, "text/html; charset=utf-8"], 191 | [:message, "HTTP/1.1 200 OK\r\n..."], 192 | [:action, 0]] 193 | => # 194 | >> 195 | 196 | Note also, the Net::HTTP request should have returned the same result as shown in the proxy. 197 | 198 | Now, lets try something mildly interesting with the proxy. This contrived example will implement a proxy request manipulator to do HTTP request verb tampering on every GET request that goes through the proxy. 199 | 200 | # Note: I'm using 'instance_eval' here only to stay with the flow of the 201 | # existing IRB session. Normally, you'd probably want to implement this as 202 | # an override in your Buby-derived class. 203 | 204 | $burp.instance_eval do 205 | 206 | def evt_proxy_message(*param) 207 | msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, 208 | status, req_content_type, message, action = param 209 | 210 | if is_req and http_meth=="GET" 211 | # Change the HTTP request verb to something silly 212 | message[0,3] = "PET" 213 | 214 | # Forcibly disable interception in the Burp UI 215 | action[0] = Buby::ACTION_DONT_INTERCEPT 216 | 217 | # Return a new instance and still get $DEBUG info 218 | return super(*param).dup 219 | else 220 | # Just get $DEBUG info for all other requests 221 | return super(*param) 222 | end 223 | end 224 | 225 | end 226 | 227 | # Now, make another request using the Net::HTTP client 228 | p.get("/") 229 | 230 | 231 | This should produce a request that looks like the following in IRB: 232 | 233 | [:got_proxy_request, 234 | ... 235 | [:message, 236 | "PET / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Ruby..."], 237 | [:action, 2]] 238 | 239 | And, assuming 'www.example.com' checks for valid request verbs, you should see something like the following response: 240 | 241 | [:got_proxy_response, 242 | ... 243 | [:http_meth, "PET"], 244 | [:url, "/"], 245 | [:resourceType, nil], 246 | [:status, "400"], 247 | ... 248 | [:message, 249 | "HTTP/1.1 400 Bad Request\r\nContent-Type:..."], 250 | [:action, 0]] 251 | => # 252 | 253 | 254 | == CREDIT: 255 | * Burp and Burp Suite are trademarks of PortSwigger(ltd) 256 | Copyright 2011 PortSwigger Ltd. All rights reserved. 257 | See http://portswigger.net for license terms. 258 | 259 | * This ruby library and the accompanying BurpExtender.java implementation was 260 | originally written by Eric Monti @ Matasano Security. This ruby library is 261 | currently maintained by Timur Duehr @ Matasano Security.Matasano Security claims no 262 | professional or legal affiliation with PortSwigger LTD. 263 | 264 | However, the authors would like to express their personal and professional 265 | respect and admiration to Burp's authors and appreciation to PortSwigger for 266 | the availability of the IBurpExtender extension API. 267 | 268 | The availability of this interface goes a long way to helping make Burp Suite 269 | a truly first-class application. 270 | 271 | == LICENSE: 272 | 273 | * Burp and Burp Suite are trademarks of PortSwigger Ltd. 274 | Copyright 2011 PortSwigger Ltd. All rights reserved. 275 | See http://portswigger.net for license terms. 276 | 277 | * The Buby Ruby library and its accompanying BurpExtender implementation are 278 | both freely available under the terms of the MIT public license: 279 | 280 | (The MIT License) 281 | 282 | Copyright (C) 2009 Eric Monti, Matasano Security 283 | Copyright (C) 2010-2011 Timur Duehr, Matasano Security 284 | 285 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 286 | 287 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 288 | 289 | THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 290 | 291 | -------------------------------------------------------------------------------- /java/src/BurpExtender.java: -------------------------------------------------------------------------------- 1 | //import javax.annotation.PostConstruct; 2 | 3 | import burp.IBurpExtender; 4 | import burp.IBurpExtenderCallbacks; 5 | import burp.IScanIssue; 6 | import burp.IHttpRequestResponse; 7 | 8 | import org.jruby.*; 9 | import org.jruby.javasupport.JavaUtil; 10 | import org.jruby.runtime.ThreadContext; 11 | import org.jruby.runtime.builtin.IRubyObject; 12 | 13 | /** 14 | * This is an implementation of the BurpExtender/IBurpExtender interface 15 | * for Burp Suite which provides glue between a Ruby runtime and Burp. 16 | * 17 | * This is a complete implementation of the Burp Extender interfaces available 18 | * as of Burp Suite 1.4 19 | */ 20 | public class BurpExtender implements IBurpExtender { 21 | public final static String INIT_METH = "evt_extender_init"; 22 | public final static String PROXYMSG_METH = "evt_proxy_message_raw"; 23 | public final static String HTTPMSG_METH = "evt_http_message"; 24 | public final static String SCANISSUE_METH = "evt_scan_issue"; 25 | public final static String MAINARGS_METH = "evt_commandline_args"; 26 | public final static String REG_METH = "evt_register_callbacks"; 27 | public final static String CLOSE_METH = "evt_application_closing"; 28 | 29 | // Internal reference to hold the ruby Burp handler 30 | private static IRubyObject r_obj = null; 31 | 32 | /** 33 | * Sets an internal reference to the ruby handler class or module to use 34 | * for proxied BurpExtender events into a ruby runtime. 35 | * 36 | * Generally, this should probably be called before burp.StartBurp.main. 37 | * However, it is also possible to set this afterwards and even swap in 38 | * new objects during runtime. 39 | */ 40 | public static void set_handler(IRubyObject hnd) { r_obj = hnd; } 41 | 42 | /** 43 | * Returns the internal Ruby handler reference. 44 | * 45 | * The handler is the ruby class or module used for proxying BurpExtender 46 | * events into a ruby runtime. 47 | */ 48 | public static IRubyObject get_handler() { return r_obj; } 49 | 50 | 51 | /** 52 | * This constructor is invoked from Burp's extender framework. 53 | * 54 | * This implementation invokes the INIT_METH method 55 | * from the Ruby handler object if one is defined passing it Ruby 56 | * usable reference to the instance. 57 | * 58 | */ 59 | public BurpExtender() { 60 | if (r_obj !=null && r_obj.respondsTo(INIT_METH)) 61 | r_obj.callMethod(ctx(r_obj), INIT_METH, to_ruby(rt(r_obj), this)); 62 | } 63 | 64 | 65 | /** 66 | * This method is invoked immediately after the implementation's constructor 67 | * to pass any command-line arguments that were passed to Burp Suite on 68 | * startup. 69 | * 70 | * This implementation invokes the method defined by 71 | * MAINARGS_METH in the Ruby handler if both the handler 72 | * and its ruby method are defined. 73 | * 74 | * It allows Ruby implementations to control aspects of their behaviour at 75 | * runtime by defining their own command-line arguments. 76 | * 77 | * WARNING: Burp appears to have a bug (as of 1.2 and 1.2.05) which causes 78 | * Burp to exit immediately if arguments are supplied regardless whether 79 | * this handler is used. 80 | * 81 | * @param args The command-line arguments passed to Burp Suite on startup. 82 | */ 83 | public void setCommandLineArgs(String[] args) { 84 | if(r_obj != null && r_obj.respondsTo(MAINARGS_METH)) 85 | r_obj.callMethod(ctx(r_obj), MAINARGS_METH, to_ruby(rt(r_obj), args)); 86 | } 87 | 88 | /** 89 | * This method is invoked on startup. It registers an instance of the 90 | * burp.IBurpExtenderCallbacks interface, providing methods 91 | * that may be invoked by the implementation to perform various actions. 92 | * 93 | * The call to registerExtenderCallbacks need not return, and 94 | * implementations may use the invoking thread for any purpose.

95 | * 96 | * This implementation simply passes a ruby-usable "callbacks" instance to 97 | * the Ruby handler using the method defined by REG_METH if 98 | * both the handler and its ruby method are defined. 99 | * 100 | * @param callbacks An implementation of the 101 | * IBurpExtenderCallbacks interface. 102 | */ 103 | public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) { 104 | if(r_obj != null && r_obj.respondsTo(REG_METH)) { 105 | cb.issueAlert("[BurpExtender] registering JRuby handler callbacks"); 106 | r_obj.callMethod(ctx(r_obj), REG_METH, to_ruby(rt(r_obj), cb)); 107 | } 108 | } 109 | 110 | /** 111 | * This method is invoked by Burp Proxy whenever a client request or server 112 | * response is received. 113 | * 114 | * This implementation simply passes all arguments to the Ruby handler's 115 | * method defined by PROXYMSG_METH if both the handler and 116 | * its ruby method are defined. 117 | * 118 | * This allows Ruby implementations to perform logging functions, modify 119 | * the message, specify an action (intercept, drop, etc.) and perform any 120 | * other arbitrary processing. 121 | * 122 | * @param messageReference An identifier which is unique to a single 123 | * request/response pair. This can be used to correlate details of requests 124 | * and responses and perform processing on the response message accordingly. 125 | * @param messageIsRequest Flags whether the message is a client request or 126 | * a server response. 127 | * @param remoteHost The hostname of the remote HTTP server. 128 | * @param remotePort The port of the remote HTTP server. 129 | * @param serviceIsHttps Flags whether the protocol is HTTPS or HTTP. 130 | * @param httpMethod The method verb used in the client request. 131 | * @param url The requested URL. 132 | * @param resourceType The filetype of the requested resource, or a 133 | * zero-length string if the resource has no filetype. 134 | * @param statusCode The HTTP status code returned by the server. This value 135 | * is null for request messages. 136 | * @param responseContentType The content-type string returned by the 137 | * server. This value is null for request messages. 138 | * @param message The full HTTP message. 139 | * @param action An array containing a single integer, allowing the 140 | * implementation to communicate back to Burp Proxy a non-default 141 | * interception action for the message. The default value is 142 | * ACTION_FOLLOW_RULES. Set action[0] to one of 143 | * the other possible values to perform a different action. 144 | * @return Implementations should return either (a) the same object received 145 | * in the message paramater, or (b) a different object 146 | * containing a modified message. 147 | */ 148 | public byte[] processProxyMessage( 149 | int messageReference, 150 | boolean messageIsRequest, 151 | String remoteHost, 152 | int remotePort, 153 | boolean serviceIsHttps, 154 | String httpMethod, 155 | String url, 156 | String resourceType, 157 | String statusCode, 158 | String responseContentType, 159 | byte[] message, 160 | int[] action ) 161 | { 162 | 163 | if (r_obj != null && r_obj.respondsTo(PROXYMSG_METH)) { 164 | Ruby rt = rt(r_obj); 165 | // prepare an alternate action value to present to ruby 166 | IRubyObject r_action = to_ruby(rt, action); 167 | 168 | // prepare an alternate String message value to present to ruby 169 | //String message_str = new String(message); 170 | IRubyObject r_msg = to_ruby(rt, message); 171 | 172 | IRubyObject pxy_msg[] = { 173 | to_ruby(rt, messageReference), 174 | to_ruby(rt, messageIsRequest), 175 | to_ruby(rt, remoteHost), 176 | to_ruby(rt, remotePort), 177 | to_ruby(rt, serviceIsHttps), 178 | to_ruby(rt, httpMethod), 179 | to_ruby(rt, url), 180 | to_ruby(rt, resourceType), 181 | to_ruby(rt, statusCode), 182 | to_ruby(rt, responseContentType), 183 | r_msg, 184 | r_action 185 | }; 186 | 187 | // slurp back in the action value in-case it's been changed 188 | action[0] = ((int[])r_action.toJava(int[].class))[0]; 189 | 190 | IRubyObject ret = r_obj.callMethod(ctx(r_obj), PROXYMSG_METH, pxy_msg); 191 | if(ret != r_msg) { 192 | return (byte []) ret.toJava(byte[].class); 193 | } 194 | } 195 | 196 | return message; 197 | } 198 | 199 | /** 200 | * Added in Burp 1.2.09 201 | * No javadoc yet but here's what the PortSwigger dev blog has to say: 202 | * 203 | * The processHttpMessage method is invoked whenever any of Burp's tools 204 | * makes an HTTP request or receives a response. This is effectively a 205 | * generalised version of the existing processProxyMessage method, and 206 | * can be used to intercept and modify the HTTP traffic of all Burp 207 | * tools. 208 | */ 209 | public void processHttpMessage( 210 | String toolName, 211 | boolean messageIsRequest, 212 | IHttpRequestResponse messageInfo ) 213 | { 214 | if (r_obj != null && r_obj.respondsTo(HTTPMSG_METH)) { 215 | Ruby rt = rt(r_obj); 216 | IRubyObject http_msg[] = { 217 | to_ruby(rt, toolName), 218 | to_ruby(rt, messageIsRequest), 219 | to_ruby(rt, messageInfo) 220 | }; 221 | 222 | r_obj.callMethod(ctx(r_obj), HTTPMSG_METH, http_msg); 223 | } 224 | } 225 | 226 | /** 227 | * Added in Burp 1.2.09 228 | * 229 | * The newScanIssue method is invoked whenever Burp Scanner discovers a 230 | * new, unique issue, and can be used to perform customised reporting or 231 | * logging of issues. 232 | */ 233 | public void newScanIssue(IScanIssue issue) { 234 | if (r_obj != null && r_obj.respondsTo(SCANISSUE_METH)) 235 | r_obj.callMethod(ctx(r_obj), SCANISSUE_METH, to_ruby(rt(r_obj), issue)); 236 | } 237 | 238 | 239 | /** 240 | * This method is invoked immediately before Burp Suite exits. 241 | * This implementation simply invokes the Ruby handler's method defined 242 | * by CLOSE_METH if both the handler and its ruby method are 243 | * defined. 244 | * 245 | * This allows implementations to carry out any clean-up actions necessary 246 | * (e.g. flushing log files or closing database resources, etc.). 247 | */ 248 | public void applicationClosing() { 249 | if (r_obj != null && r_obj.respondsTo(CLOSE_METH)) 250 | r_obj.callMethod(ctx(r_obj), CLOSE_METH); 251 | } 252 | 253 | // Private method to return the ThreadContext for a given ruby object. 254 | // This is used in the various event proxies 255 | private ThreadContext ctx(IRubyObject obj) { 256 | return rt(obj).getThreadService().getCurrentContext(); 257 | } 258 | 259 | // Private method to return the ruby runtime for a given ruby object. 260 | // This is used in the various event proxies 261 | private Ruby rt(IRubyObject obj) { 262 | return obj.getRuntime(); 263 | } 264 | 265 | // private method to transfer arbitrary java objects into a ruby runtime. 266 | // This is used in the various event proxies to pass arguments to the 267 | // ruby handler object. 268 | private IRubyObject to_ruby(Ruby rt, Object obj) { 269 | return JavaUtil.convertJavaToUsableRubyObject(rt, obj); 270 | } 271 | 272 | /** 273 | * Causes Burp Proxy to follow the current interception rules to determine 274 | * the appropriate action to take for the message. 275 | */ 276 | public final static int ACTION_FOLLOW_RULES = 0; 277 | 278 | /** 279 | * Causes Burp Proxy to present the message to the user for manual 280 | * review or modification. 281 | */ 282 | public final static int ACTION_DO_INTERCEPT = 1; 283 | 284 | /** 285 | * Causes Burp Proxy to forward the message to the remote server or client. 286 | */ 287 | public final static int ACTION_DONT_INTERCEPT = 2; 288 | 289 | /** 290 | * Causes Burp Proxy to drop the message and close the client connection. 291 | */ 292 | public final static int ACTION_DROP = 3; 293 | 294 | /** 295 | * Causes Burp Proxy to follow the current interception rules to determine 296 | * the appropriate action to take for the message, and then make a second 297 | * call to processProxyMessage. 298 | */ 299 | public final static int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 300 | /** 301 | * Causes Burp Proxy to present the message to the user for manual 302 | * review or modification, and then make a second call to 303 | * processProxyMessage. 304 | */ 305 | public final static int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 306 | /** 307 | * Causes Burp Proxy to skip user interception, and then make a second call 308 | * to processProxyMessage. 309 | */ 310 | public final static int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 311 | } 312 | 313 | -------------------------------------------------------------------------------- /java/src/burp/IBurpExtenderCallbacks.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import java.util.List; 4 | import java.util.Map; 5 | 6 | /* 7 | * @(#)IBurpExtenderCallbacks.java 8 | * 9 | * Copyright PortSwigger Ltd. All rights reserved. 10 | * 11 | * This code may be used to extend the functionality of Burp Suite and Burp 12 | * Suite Professional, provided that this usage does not violate the 13 | * license terms for those products. 14 | */ 15 | 16 | /** 17 | * This interface is used by Burp Suite to pass to implementations of the 18 | * IBurpExtender interface a set of callback methods which can 19 | * be used by implementations to perform various actions within Burp Suite. 20 | * 21 | * If an implementation of IBurpExtender is loaded then on startup 22 | * Burp Suite will invoke the implementation's 23 | * registerExtenderCallbacks method (if present) and pass to 24 | * the implementation an instance of the IBurpExtenderCallbacks 25 | * interface. The implementation may then invoke the methods of this instance 26 | * as it sees fit in order to extend Burp Suite's functionality.

27 | */ 28 | 29 | public interface IBurpExtenderCallbacks 30 | { 31 | /** 32 | * This method can be used to issue arbitrary HTTP requests and retrieve 33 | * their responses. 34 | * 35 | * @param host The hostname of the remote HTTP server. 36 | * @param port The port of the remote HTTP server. 37 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 38 | * @param request The full HTTP request. 39 | * @return The full response retrieved from the remote server. 40 | * @throws java.lang.Exception 41 | */ 42 | public byte[] makeHttpRequest( 43 | String host, 44 | int port, 45 | boolean useHttps, 46 | byte[] request) throws Exception; 47 | 48 | /** 49 | * This method can be used to send an HTTP request to the Burp Repeater 50 | * tool. The request will be displayed in the user interface, but will not 51 | * be issued until the user initiates this action. 52 | * 53 | * @param host The hostname of the remote HTTP server. 54 | * @param port The port of the remote HTTP server. 55 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 56 | * @param request The full HTTP request. 57 | * @param tabCaption An optional caption which will appear on the Repeater 58 | * tab containing the request. If this value is null then a 59 | * default tab index will be displayed. 60 | * @throws java.lang.Exception 61 | */ 62 | public void sendToRepeater( 63 | String host, 64 | int port, 65 | boolean useHttps, 66 | byte[] request, 67 | String tabCaption) throws Exception; 68 | 69 | /** 70 | * This method can be used to send an HTTP request to the Burp Intruder 71 | * tool. The request will be displayed in the user interface, and markers 72 | * for attack payloads will be placed into default locations within the 73 | * request. 74 | * 75 | * @param host The hostname of the remote HTTP server. 76 | * @param port The port of the remote HTTP server. 77 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 78 | * @param request The full HTTP request. 79 | * @throws java.lang.Exception 80 | */ 81 | public void sendToIntruder( 82 | String host, 83 | int port, 84 | boolean useHttps, 85 | byte[] request) throws Exception; 86 | 87 | 88 | /** 89 | * This method can be used to send an HTTP request to the Burp Intruder 90 | * tool. The request will be displayed in the user interface, and markers 91 | * for attack payloads will be placed into the specified locations within 92 | * the request. 93 | * 94 | * @param host The hostname of the remote HTTP server. 95 | * @param port The port of the remote HTTP server. 96 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 97 | * @param request The full HTTP request. 98 | * @param payloadPositionOffsets A list of index pairs representing the 99 | * payload positions to be used. Each item in the list must be an int[2] 100 | * array containing the start and end offset for the payload position. 101 | * @throws java.lang.Exception 102 | */ 103 | public void sendToIntruder( 104 | String host, 105 | int port, 106 | boolean useHttps, 107 | byte[] request, 108 | List payloadPositionOffsets) throws Exception; 109 | 110 | /** 111 | * This method can be used to send a seed URL to the Burp Spider tool. If 112 | * the URL is not within the current Spider scope, the user will be asked 113 | * if they wish to add the URL to the scope. If the Spider is not currently 114 | * running, it will be started. The seed URL will be requested, and the 115 | * Spider will process the application's response in the normal way. 116 | * 117 | * @param url The new seed URL to begin spidering from. 118 | * @throws java.lang.Exception 119 | */ 120 | public void sendToSpider( 121 | java.net.URL url) throws Exception; 122 | 123 | /** 124 | * This method can be used to send an HTTP request to the Burp Scanner 125 | * tool to perform an active vulnerability scan. If the request is not 126 | * within the current active scanning scope, the user will be asked if 127 | * they wish to proceed with the scan. 128 | * 129 | * @param host The hostname of the remote HTTP server. 130 | * @param port The port of the remote HTTP server. 131 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 132 | * @param request The full HTTP request. 133 | * @return The resulting scan queue item. 134 | * @throws java.lang.Exception 135 | */ 136 | public IScanQueueItem doActiveScan( 137 | String host, 138 | int port, 139 | boolean useHttps, 140 | byte[] request) throws Exception; 141 | 142 | /** 143 | * This method can be used to send an HTTP request to the Burp Scanner 144 | * tool to perform an active vulnerability scan, based on a custom list 145 | * of insertion points that are to be scanned. If the request is not 146 | * within the current active scanning scope, the user will be asked if 147 | * they wish to proceed with the scan. 148 | * 149 | * @param host The hostname of the remote HTTP server. 150 | * @param port The port of the remote HTTP server. 151 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 152 | * @param request The full HTTP request. 153 | * @param insertionPointOffsets A list of index pairs representing the 154 | * positions of the insertion points that should be scanned. Each item in 155 | * the list must be an int[2] array containing the start and end offsets 156 | * for the insertion point. 157 | * @return The resulting scan queue item. 158 | * @throws java.lang.Exception 159 | */ 160 | public IScanQueueItem doActiveScan( 161 | String host, 162 | int port, 163 | boolean useHttps, 164 | byte[] request, 165 | List insertionPointOffsets) throws Exception; 166 | 167 | /** 168 | * This method can be used to send an HTTP request to the Burp Scanner 169 | * tool to perform a passive vulnerability scan. 170 | * 171 | * @param host The hostname of the remote HTTP server. 172 | * @param port The port of the remote HTTP server. 173 | * @param useHttps Flags whether the protocol is HTTPS or HTTP. 174 | * @param request The full HTTP request. 175 | * @param response The full HTTP response. 176 | * @throws java.lang.Exception 177 | */ 178 | public void doPassiveScan( 179 | String host, 180 | int port, 181 | boolean useHttps, 182 | byte[] request, 183 | byte[] response) throws Exception; 184 | 185 | /** 186 | * This method can be used to query whether a specified URL is within 187 | * the current Suite-wide scope. 188 | * 189 | * @param url The URL to query. 190 | * @return Returns true if the URL is within the current 191 | * Suite-wide scope. 192 | * @throws java.lang.Exception 193 | */ 194 | boolean isInScope(java.net.URL url) throws Exception; 195 | 196 | /** 197 | * This method can be used to include the specified URL in the Suite-wide 198 | * scope. 199 | * 200 | * @param url The URL to include in the Suite-wide scope. 201 | * @throws java.lang.Exception 202 | */ 203 | void includeInScope(java.net.URL url) throws Exception; 204 | 205 | /** 206 | * This method can be used to exclude the specified URL from the Suite-wide 207 | * scope. 208 | * 209 | * @param url The URL to exclude from the Suite-wide scope. 210 | * @throws java.lang.Exception 211 | */ 212 | void excludeFromScope(java.net.URL url) throws Exception; 213 | 214 | /** 215 | * This method can be used to display a specified message in the Burp 216 | * Suite alerts tab. 217 | * 218 | * @param message The alert message to display. 219 | */ 220 | public void issueAlert(String message); 221 | 222 | /** 223 | * This method returns details of all items in the proxy history. 224 | * 225 | * @return The contents of the proxy history. 226 | */ 227 | public IHttpRequestResponse[] getProxyHistory(); 228 | 229 | /** 230 | * This method returns details of items in the site map. 231 | * 232 | * @param urlPrefix This parameter can be used to specify a URL prefix, in 233 | * order to extract a specific subset of the site map. The method performs 234 | * a simple case-sensitive text match, returning all site 235 | * map items whose URL begins with the specified prefix. If this parameter 236 | * is null, the entire site map is returned. 237 | * @return Details of items in the site map. 238 | */ 239 | public IHttpRequestResponse[] getSiteMap(String urlPrefix); 240 | 241 | 242 | /** 243 | * This method can be used to add an item to Burp's site map with the 244 | * specified request/response details. This will overwrite the details 245 | * of any existing matching item in the site map. 246 | * 247 | * @param item Details of the item to be added to the site map 248 | */ 249 | public void addToSiteMap(IHttpRequestResponse item); 250 | 251 | /** 252 | * This method can be used to restore Burp's state from a specified 253 | * saved state file. This method blocks until the restore operation is 254 | * completed, and must not be called from the event thread. 255 | * 256 | * @param file The file containing Burp's saved state. 257 | * @throws java.lang.Exception 258 | */ 259 | public void restoreState(java.io.File file) throws Exception; 260 | 261 | /** 262 | * This method can be used to save Burp's state to a specified file. 263 | * This method blocks until the save operation is completed, and must not be 264 | * called from the event thread. 265 | * 266 | * @param file The file to save Burp's state in. 267 | * @throws java.lang.Exception 268 | */ 269 | public void saveState(java.io.File file) throws Exception; 270 | 271 | /** 272 | * This method parses the specified request and returns details of each 273 | * request parameter. 274 | * 275 | * @param request The request to be parsed. 276 | * @return An array of: 277 | * String[] { name, value, type } 278 | * containing details of the parameters contained within the request. 279 | * @throws java.lang.Exception 280 | */ 281 | public String[][] getParameters(byte[] request) throws Exception; 282 | 283 | /** 284 | * This method parses the specified request and returns details of each 285 | * HTTP header. 286 | * 287 | * @param message The request to be parsed. 288 | * @return An array of HTTP headers. 289 | * @throws java.lang.Exception 290 | */ 291 | public String[] getHeaders(byte[] message) throws Exception; 292 | 293 | /** 294 | * This method returns all of the current scan issues for URLs matching the 295 | * specified literal prefix. 296 | * 297 | * @param urlPrefix This parameter can be used to specify a URL prefix, in 298 | * order to extract a specific subset of scan issues. The method performs 299 | * a simple case-sensitive text match, returning all scan issues whose URL 300 | * begins with the specified prefix. If this parameter is null, all issues 301 | * are returned. 302 | * @return Details of the scan issues. 303 | */ 304 | public IScanIssue[] getScanIssues(String urlPrefix); 305 | 306 | /** 307 | * 308 | * This method can be used to register a new menu item which will appear 309 | * on the various context menus that are used throughout Burp Suite to 310 | * handle user-driven actions. 311 | * 312 | * @param menuItemCaption The caption to be displayed on the menu item. 313 | * @param menuItemHandler The handler to be invoked when the user clicks 314 | * on the menu item. 315 | */ 316 | public void registerMenuItem( 317 | String menuItemCaption, 318 | IMenuItemHandler menuItemHandler); 319 | 320 | /** 321 | * 322 | * This method causes Burp to save all of its current configuration as a 323 | * Map of name/value Strings. 324 | * 325 | * @return A Map of name/value Strings reflecting Burp's current 326 | * configuration. 327 | */ 328 | public Map saveConfig(); 329 | 330 | /** 331 | * 332 | * This method causes Burp to load a new configuration from the Map of 333 | * name/value Strings provided. Any settings not specified in the Map will 334 | * be restored to their default values. To selectively update only some 335 | * settings and leave the rest unchanged, you should first call 336 | * saveConfig to obtain Burp's current configuration, modify 337 | * the relevant items in the Map, and then call loadConfig 338 | * with the same Map. 339 | * 340 | * @param config A map of name/value Strings to use as Burp's new 341 | * configuration. 342 | */ 343 | public void loadConfig(Map config); 344 | 345 | 346 | /** 347 | * 348 | * This method sets the interception mode for Burp Proxy. 349 | * 350 | * @param enabled Indicates whether interception of proxy messages should 351 | * be enabled. 352 | */ 353 | public void setProxyInterceptionEnabled(boolean enabled); 354 | 355 | 356 | /** 357 | * This method can be used to shut down Burp programmatically, with an 358 | * optional prompt to the user. If the method returns, the user cancelled 359 | * the shutdown prompt. 360 | * 361 | * @param promptUser Indicates whether to prompt the user to confirm the 362 | * shutdown. 363 | */ 364 | public void exitSuite(boolean promptUser); 365 | 366 | /** 367 | * This method can be used to determine the version of the loaded burp at runtime. 368 | * This is included in the Javadoc for the extension interfaces but not the supplied interface files. 369 | * @return String array containing the product name, major version, and minor version. 370 | */ 371 | public String[] getBurpVersion(); 372 | 373 | } 374 | -------------------------------------------------------------------------------- /lib/buby.rb: -------------------------------------------------------------------------------- 1 | include Java 2 | 3 | require 'pp' 4 | require "buby.jar" 5 | require 'buby/extends.rb' 6 | 7 | include_class 'BurpExtender' 8 | 9 | # Buby is a mash-up of the commercial security testing web proxy PortSwigger 10 | # Burp Suite(tm) allowing you to add scripting to Burp. Burp is driven from 11 | # and tied to JRuby with a Java extension using the BurpExtender API. 12 | # 13 | # The Buby class is an abstract implementation of a BurpExtender ruby handler. 14 | # Included are several abstract event handlers used from the BurpExtender 15 | # java implementation: 16 | # * evt_extender_init 17 | # * evt_proxy_message 18 | # * evt_command_line_args 19 | # * evt_register_callbacks 20 | # * evt_application_closing 21 | # 22 | # Buby also supports the newer event handlers available in Burp 1.2.09 and up: 23 | # * evt_http_message 24 | # * evt_scan_issue 25 | # 26 | # 27 | # This class also exposes several methods to access Burp functionality 28 | # and user interfaces through the IBurpExtenderCallbacks interface 29 | # (note, several abbreviated aliases also exist for each): 30 | # * doActiveScan 31 | # * doPassiveScan 32 | # * excludeFromScope 33 | # * includeInScope 34 | # * isInScope 35 | # * issueAlert 36 | # * makeHttpRequest 37 | # * sendToIntruder 38 | # * sendToRepeater 39 | # * sendToSpider 40 | # 41 | # Buby also provides front-end ruby methods for the various callback methods 42 | # supported by Burp. New callbacks have been cropping up in newer Burp versions 43 | # frequently. 44 | # 45 | # Available since Burp 1.2.09: 46 | # * getProxyHistory 47 | # * getSiteMap 48 | # * restoreState 49 | # * saveState 50 | # * getParameters 51 | # * getHeaders 52 | # 53 | # Available since Burp 1.2.15: 54 | # * getScanIssues 55 | # 56 | # Available since Burp 1.2.17: 57 | # * exitSuite 58 | # 59 | # If you wish to access any of the IBurpExtenderCallbacks methods directly. 60 | # You can use 'burp_callbacks' to obtain a reference. 61 | # 62 | # Credit: 63 | # * Burp and Burp Suite are trade-marks of PortSwigger Ltd. 64 | # Copyright 2011 PortSwigger Ltd. All rights reserved. 65 | # See http://portswigger.net for license terms. 66 | # 67 | # * This ruby library and the accompanying BurpExtender.java implementation 68 | # were written by Eric Monti @ Matasano Security. 69 | # 70 | # Matasano claims no professional or legal affiliation with PortSwigger LTD. 71 | # nor do we sell or officially endorse any of their products. 72 | # 73 | # However, this author would like to express his personal and professional 74 | # respect and appreciation for their making available the BurpExtender 75 | # extension API. The availability of this interface in an already great tool 76 | # goes a long way to make Burp Suite a truly first-class application. 77 | # 78 | # * Forgive the name. It won out over "Burb" and "BurpRub". It's just easier 79 | # to type and say out-loud. Mike Tracy gets full credit as official 80 | # Buby-namer. 81 | # 82 | class Buby 83 | 84 | VERSION = 85 | if File.file?(f=::File.expand_path(File.join(::File.dirname(__FILE__), "../VERSION"))) 86 | File.read(f).chomp 87 | end 88 | 89 | # :stopdoc: 90 | LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR 91 | PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR 92 | # :startdoc: 93 | 94 | def initialize(other=nil) 95 | if other 96 | raise "arg 0 must be another kind of Buby" unless other.is_a? Buby 97 | @burp_extender = other.burp_extender 98 | @burp_callbacks = other.burp_callbacks 99 | end 100 | end 101 | 102 | # Makes this handler the active Ruby handler object for the BurpExtender 103 | # Java runtime. (there can be only one!) 104 | def activate! 105 | BurpExtender.set_handler(self) 106 | end 107 | 108 | # Returns the internal reference to the BurpExtender instance. This 109 | # reference gets set from Java through the evt_extender_init method. 110 | def burp_extender; @burp_extender; end 111 | 112 | # Returns the internal reference to the IBupExtenderCallbacks instance. 113 | # This reference gets set from Java through the evt_register_callbacks 114 | # method. It is exposed to allow you to access the IBurpExtenderCallbacks 115 | # instance directly if you so choose. 116 | def burp_callbacks; @burp_callbacks; end 117 | 118 | # Internal method to check for the existence of the burp_callbacks reference 119 | # before doing anything with it. 120 | def _check_cb 121 | @burp_callbacks or raise "Burp callbacks have not been set" 122 | end 123 | 124 | # Send an HTTP request to the Burp Scanner tool to perform an active 125 | # vulnerability scan. 126 | # * host = The hostname of the remote HTTP server. 127 | # * port = The port of the remote HTTP server. 128 | # * https = Flags whether the protocol is HTTPS or HTTP. 129 | # * req = The full HTTP request. (String or Java bytes[]) 130 | # * ip_off = A list of index pairs representing the 131 | # * positions of the insertion points that should be scanned. Each item in 132 | # * the list must be an int[2] array containing the start and end offsets 133 | # * for the insertion point. *1.4+* only 134 | 135 | def doActiveScan(host, port, https, req, ip_off) 136 | req = req.to_java_bytes if req.is_a? String 137 | getBurpVersion ? _check_cb.doActiveScan(host, port, https, req, ip_off) : _check_cb.doActiveScan(host, port, https, req) 138 | end 139 | alias do_active_scan doActiveScan 140 | alias active_scan doActiveScan 141 | 142 | # Send an HTTP request and response to the Burp Scanner tool to perform a 143 | # passive vulnerability scan. 144 | # * host = The hostname of the remote HTTP server. 145 | # * port = The port of the remote HTTP server. 146 | # * https = Flags whether the protocol is HTTPS or HTTP. 147 | # * req = The full HTTP request. (String or Java bytes[]) 148 | # * rsp = The full HTTP response. (String or Java bytes[]) 149 | def doPassiveScan(host, port, https, req, rsp) 150 | req = req.to_java_bytes if req.is_a? String 151 | rsp = rsp.to_java_bytes if rsp.is_a? String 152 | _check_cb.doPassiveScan(host, port, https, req, rsp) 153 | end 154 | alias do_passive_scan doPassiveScan 155 | alias passive_scan doPassiveScan 156 | 157 | # Exclude the specified URL from the Suite-wide scope. 158 | # * url = The URL to exclude from the Suite-wide scope. 159 | def excludeFromScope(url) 160 | url = java.net.URL.new(url) if url.is_a? String 161 | _check_cb.excludeFromScope(url) 162 | end 163 | alias exclude_from_scope excludeFromScope 164 | alias exclude_scope excludeFromScope 165 | 166 | # Include the specified URL in the Suite-wide scope. 167 | # * url = The URL to exclude in the Suite-wide scope. 168 | def includeInScope(url) 169 | url = java.net.URL.new(url) if url.is_a? String 170 | _check_cb.includeInScope(url) 171 | end 172 | alias include_in_scope includeInScope 173 | alias include_scope includeInScope 174 | 175 | # Query whether a specified URL is within the current Suite-wide scope. 176 | # * url = The URL to query 177 | # 178 | # Returns: true / false 179 | def isInScope(url) 180 | url = java.net.URL.new(url) if url.is_a? String 181 | _check_cb.isInScope(url) 182 | end 183 | alias is_in_scope isInScope 184 | alias in_scope? isInScope 185 | 186 | # Display a message in the Burp Suite alerts tab. 187 | # * msg = The alert message to display. 188 | def issueAlert(msg) 189 | _check_cb.issueAlert(msg.to_s) 190 | end 191 | alias issue_alert issueAlert 192 | alias alert issueAlert 193 | 194 | # Issue an arbitrary HTTP request and retrieve its response 195 | # * host = The hostname of the remote HTTP server. 196 | # * port = The port of the remote HTTP server. 197 | # * https = Flags whether the protocol is HTTPS or HTTP. 198 | # * req = The full HTTP request. (String or Java bytes[]) 199 | # 200 | # Returns: The full response retrieved from the remote server. 201 | def makeHttpRequest(host, port, https, req) 202 | req = req.to_java_bytes if req.is_a? String 203 | String.from_java_bytes( _check_cb.makeHttpRequest(host, port, https, req) ) 204 | end 205 | alias make_http_request makeHttpRequest 206 | alias make_request makeHttpRequest 207 | 208 | # Send an HTTP request to the Burp Intruder tool 209 | # * host = The hostname of the remote HTTP server. 210 | # * port = The port of the remote HTTP server. 211 | # * https = Flags whether the protocol is HTTPS or HTTP. 212 | # * req = The full HTTP request. (String or Java bytes[]) 213 | # * ip_off = A list of index pairs representing the 214 | # * positions of the insertion points that should be scanned. Each item in 215 | # * the list must be an int[2] array containing the start and end offsets 216 | # * for the insertion point. *1.4.04+* only 217 | # * 218 | def sendToIntruder(host, port, https, req, ip_off) 219 | req = req.to_java_bytes if req.is_a? String 220 | if self.getBurpVersion.to_a[1..-1].join(".") < "1.4.04" 221 | _check_cb.sendToIntruder(host, port, https, req) 222 | else 223 | _check_cb.sendToIntruder(host, port, https, req, ip_off) 224 | end 225 | end 226 | alias send_to_intruder sendToIntruder 227 | alias intruder sendToIntruder 228 | 229 | # Send an HTTP request to the Burp Repeater tool. 230 | # * host = The hostname of the remote HTTP server. 231 | # * port = The port of the remote HTTP server. 232 | # * https = Flags whether the protocol is HTTPS or HTTP. 233 | # * req = The full HTTP request. (String or Java bytes[]) 234 | # * tab = The tab caption displayed in Repeater. (default: auto-generated) 235 | def sendToRepeater(host, port, https, req, tab=nil) 236 | req = req.to_java_bytes if req.is_a? String 237 | _check_cb.sendToRepeater(host, port, https, req, tab) 238 | end 239 | alias send_to_repeater sendToRepeater 240 | alias repeater sendToRepeater 241 | 242 | # Send a seed URL to the Burp Spider tool. 243 | # * url = The new seed URL to begin spidering from. 244 | def sendToSpider(url) 245 | url = java.net.URL.new(url) if url.is_a? String 246 | _check_cb.sendToSpider(url) 247 | end 248 | alias send_to_spider sendToSpider 249 | alias spider sendToSpider 250 | 251 | # This method is a __send__ callback gate for the IBurpExtenderCallbacks 252 | # reference. It first checks to see if a method is available before calling 253 | # with the specified arguments, and raises an exception if it is unavailable. 254 | # 255 | # * meth = string or symbol name of method 256 | # * args = variable length array of arguments to pass to meth 257 | def _check_and_callback(meth, *args) 258 | cb = _check_cb 259 | unless cb.respond_to?(meth) 260 | raise "#{meth} is not available in your version of Burp" 261 | end 262 | cb.__send__ meth, *args 263 | end 264 | 265 | 266 | # Returns a Java array of IHttpRequestResponse objects pulled directly from 267 | # the Burp proxy history. 268 | def getProxyHistory 269 | HttpRequestResponseList.new(_check_and_callback(:getProxyHistory)) 270 | end 271 | alias proxy_history getProxyHistory 272 | alias get_proxy_history getProxyHistory 273 | 274 | 275 | # Returns a Java array of IHttpRequestResponse objects pulled directly from 276 | # the Burp site map for all urls matching the specified literal prefix. 277 | # The prefix can be nil to return all objects. 278 | def getSiteMap(urlprefix=nil) 279 | HttpRequestResponseList.new(_check_and_callback(:getSiteMap, urlprefix)) 280 | end 281 | alias site_map getSiteMap 282 | alias get_site_map getSiteMap 283 | 284 | 285 | # This method returns all of the current scan issues for URLs matching the 286 | # specified literal prefix. The prefix can be nil to match all issues. 287 | # 288 | # IMPORTANT: This method is only available with Burp 1.2.15 and higher. 289 | def getScanIssues(urlprefix=nil) 290 | ScanIssuesList.new( _check_and_callback(:getScanIssues, urlprefix) ) 291 | end 292 | alias scan_issues getScanIssues 293 | alias get_scan_issues getScanIssues 294 | 295 | 296 | # Restores Burp session state from a previously saved state file. 297 | # See also: saveState 298 | # 299 | # IMPORTANT: This method is only available with Burp 1.2.09 and higher. 300 | # 301 | # * filename = path and filename of the file to restore from 302 | def restoreState(filename) 303 | _check_and_callback(:restoreState, java.io.File.new(filename)) 304 | end 305 | alias restore_state restoreState 306 | 307 | 308 | # Saves the current Burp session to a state file. See also restoreState. 309 | # 310 | # IMPORTANT: This method is only available with Burp 1.2.09 and higher. 311 | # 312 | # * filename = path and filename of the file to save to 313 | def saveState(filename) 314 | _check_and_callback(:saveState, java.io.File.new(filename)) 315 | end 316 | alias save_state saveState 317 | 318 | 319 | # Parses a raw HTTP request message and returns an associative array 320 | # containing parameters as they are structured in the 'Parameters' tab in the 321 | # Burp request UI. 322 | # 323 | # IMPORTANT: This method is only available with Burp 1.2.09 and higher. 324 | # 325 | # req = raw request (String or Java bytes[]) 326 | def getParameters(req) 327 | req = req.to_java_bytes if req.is_a? String 328 | _check_and_callback(:getParameters, req) 329 | end 330 | alias parameters getParameters 331 | alias get_parameters getParameters 332 | 333 | 334 | # Parses a raw HTTP message (request or response ) and returns an associative 335 | # array containing the headers as they are structured in the 'Headers' tab 336 | # in the Burp request/response viewer UI. 337 | # 338 | # IMPORTANT: This method is only available with Burp 1.2.09 and higher. 339 | # 340 | # msg = raw request/response (String or Java bytes[]) 341 | def getHeaders(msg) 342 | msg = msg.to_java_bytes if msg.is_a? String 343 | _check_and_callback(:getHeaders, msg) 344 | end 345 | alias headers getHeaders 346 | alias get_headers getHeaders 347 | 348 | # Shuts down Burp programatically. If the method returns the user cancelled 349 | # the shutdown prompt. 350 | def exitSuite(prompt_user=false) 351 | _check_and_callback(:exitSuite, prompt_user ? true : false) 352 | end 353 | alias exit_suite exitSuite 354 | alias close exitSuite 355 | 356 | # This method can be used to register a new menu item which will appear 357 | # on the various context menus that are used throughout Burp Suite to 358 | # handle user-driven actions. 359 | # 360 | # @param menuItemCaption The caption to be displayed on the menu item. 361 | # @param menuItemHandler The handler to be invoked when the user clicks 362 | # on the menu item. 363 | # 364 | # This method is only available with Burp 1.3.07 and higher. 365 | def registerMenuItem(menuItemCaption, menuItemHandler) 366 | _check_and_callback(:registerMenuItem, menuItemCaption, menuItemHandler) 367 | issueAlert("Handler #{menuItemHandler} registered for \"#{menuItemCaption}\"") 368 | end 369 | alias register_menu_item registerMenuItem 370 | 371 | ### 1.3.09 methods ### 372 | 373 | # This method can be used to add an item to Burp's site map with the 374 | # specified request/response details. This will overwrite the details 375 | # of any existing matching item in the site map. 376 | # 377 | # @param item Details of the item to be added to the site map 378 | # 379 | # This method is only available with Burp 1.3.09+ 380 | def addToSiteMap(item) 381 | _check_and_callback(:addToSiteMap, item) 382 | end 383 | alias add_to_site_map addToSiteMap 384 | 385 | # This method causes Burp to save all of its current configuration as a 386 | # Map of name/value Strings. 387 | # 388 | # @return A Map of name/value Strings reflecting Burp's current 389 | # configuration. 390 | # 391 | # This method is only available with Burp 1.3.09+ 392 | def saveConfig 393 | _check_and_callback(:saveConfig).to_hash 394 | end 395 | alias save_config saveConfig 396 | alias config saveConfig 397 | 398 | # This method causes Burp to load a new configuration from the Map of 399 | # name/value Strings provided. Any settings not specified in the Map will 400 | # be restored to their default values. To selectively update only some 401 | # settings and leave the rest unchanged, you should first call 402 | # saveConfig to obtain Burp's current configuration, modify 403 | # the relevant items in the Map, and then call loadConfig 404 | # with the same Map. 405 | # 406 | # @param config A map of name/value Strings to use as Burp's new 407 | # configuration. 408 | # 409 | # This method is only available with Burp 1.3.09+ 410 | def loadConfig(conf) 411 | _check_and_callback(:loadConfig, conf) 412 | end 413 | alias load_config loadConfig 414 | alias config= loadConfig 415 | 416 | ## 1.4 methods ## 417 | 418 | # This method sets the interception mode for Burp Proxy. 419 | # 420 | # @param enabled Indicates whether interception of proxy messages should 421 | # be enabled. 422 | # 423 | def setProxyInterceptionEnabled(enabled) 424 | _check_and_callback(:setProxyInterceptionEnabled, enabled) 425 | end 426 | alias proxy_interception_enabled setProxyInterceptionEnabled 427 | 428 | # This method can be used to determine the version of the loaded burp at runtime. 429 | # This is included in the Javadoc for the extension interfaces but not the supplied interface files. 430 | # @return String array containing the product name, major version, and minor version. 431 | def getBurpVersion 432 | begin 433 | _check_and_callback(:getBurpVersion) 434 | rescue 435 | nil 436 | end 437 | end 438 | alias burp_version getBurpVersion 439 | 440 | ### Event Handlers ### 441 | 442 | # This method is called by the BurpExtender java implementation upon 443 | # initialization of the BurpExtender instance for Burp. The args parameter 444 | # is passed with a instance of the newly initialized BurpExtender instance 445 | # so that implementations can access and extend its public interfaces. 446 | # 447 | # The return value is ignored. 448 | def evt_extender_init ext 449 | @burp_extender = ext 450 | pp([:got_extender, ext]) if $DEBUG 451 | end 452 | 453 | # This method is called by the BurpExtender implementation Burp startup. 454 | # The args parameter contains main()'s argv command-line arguments array. 455 | # 456 | # Note: This maps to the 'setCommandLineArgs' method in the java 457 | # implementation of BurpExtender. 458 | # 459 | # The return value is ignored. 460 | def evt_command_line_args args 461 | pp([:got_args, args]) if $DEBUG 462 | end 463 | 464 | # This method is called by BurpExtender on startup to register Burp's 465 | # IBurpExtenderCallbacks interface object. 466 | # 467 | # This maps to the 'registerExtenderCallbacks' method in the Java 468 | # implementation of BurpExtender. 469 | # 470 | # The return value is ignored. 471 | def evt_register_callbacks cb 472 | @burp_callbacks = cb 473 | cb.issueAlert("[JRuby::#{self.class}] registered callback") 474 | pp([:got_callbacks, cb]) if $DEBUG 475 | end 476 | 477 | ACTION_FOLLOW_RULES = BurpExtender::ACTION_FOLLOW_RULES 478 | ACTION_DO_INTERCEPT = BurpExtender::ACTION_DO_INTERCEPT 479 | ACTION_DONT_INTERCEPT = BurpExtender::ACTION_DONT_INTERCEPT 480 | ACTION_DROP = BurpExtender::ACTION_DROP 481 | ACTION_FOLLOW_RULES_AND_REHOOK = BurpExtender::ACTION_FOLLOW_RULES_AND_REHOOK 482 | ACTION_DO_INTERCEPT_AND_REHOOK = BurpExtender::ACTION_DO_INTERCEPT_AND_REHOOK 483 | ACTION_DONT_INTERCEPT_AND_REHOOK = BurpExtender::ACTION_DONT_INTERCEPT_AND_REHOOK 484 | 485 | # Seems we need to specifically render our 'message' to a string here in 486 | # ruby. Otherwise there's flakiness when converting certain binary non-ascii 487 | # sequences. As long as we do it here, it should be fine. 488 | # 489 | # Note: This method maps to the 'processProxyMessage' method in the java 490 | # implementation of BurpExtender. 491 | # 492 | # This method just handles the conversion to and from evt_proxy_message 493 | # which expects a message string 494 | def evt_proxy_message_raw msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, message, action 495 | pp [:evt_proxy_message_raw_hit, msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, message, action ] if $DEBUG 496 | 497 | str_msg = String.from_java_bytes(message) 498 | ret = evt_proxy_message(msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, str_msg, action) 499 | 500 | message = ret.to_java_bytes if ret.object_id != str_msg.object_id 501 | return message 502 | end 503 | 504 | # This method is called by BurpExtender while proxying HTTP messages and 505 | # before passing them through the Burp proxy. Implementations can use this 506 | # method to implement arbitrary processing upon HTTP requests and responses 507 | # such as interception, logging, modification, and so on. 508 | # 509 | # The 'is_req' parameter indicates whether it is a response or request. 510 | # 511 | # Note: This method maps to the 'processProxyMessage' method in the java 512 | # implementation of BurpExtender. 513 | # 514 | # See also, evt_proxy_message_raw which is actually called before this 515 | # in the BurpExtender processProxyMessage handler. 516 | # 517 | # Below are the parameters descriptions based on the IBurpExtender 518 | # javadoc. Where applicable, decriptions have been modified for 519 | # local parameter naming and other ruby-specific details added. 520 | # 521 | # * msg_ref: 522 | # An identifier which is unique to a single request/response pair. This 523 | # can be used to correlate details of requests and responses and perform 524 | # processing on the response message accordingly. This number also 525 | # corresponds to the Burp UI's proxy "history" # column. 526 | # 527 | # * is_req: (true/false) 528 | # Flags whether the message is a client request or a server response. 529 | # 530 | # * rhost: 531 | # The hostname of the remote HTTP server. 532 | # 533 | # * rport: 534 | # The port of the remote HTTP server. 535 | # 536 | # * is_https: 537 | # Flags whether the protocol is HTTPS or HTTP. 538 | # 539 | # * http_meth: 540 | # The method verb used in the client request. 541 | # 542 | # * url: 543 | # The requested URL. Set in both the request and response. 544 | # 545 | # * resourceType: 546 | # The filetype of the requested resource, or nil if the resource has no 547 | # filetype. 548 | # 549 | # * status: 550 | # The HTTP status code returned by the server. This value is nil for 551 | # request messages. 552 | # 553 | # * req_content_type: 554 | # The content-type string returned by the server. This value is nil for 555 | # request messages. 556 | # 557 | # * message: 558 | # The full HTTP message. 559 | # **Ruby note: 560 | # For convenience, the message is received and returned as a ruby 561 | # String object. Internally within Burp it is handled as a java byte[] 562 | # array. See also the notes about the return object below. 563 | # 564 | # * action: 565 | # An array containing a single integer, allowing the implementation to 566 | # communicate back to Burp Proxy a non-default interception action for 567 | # the message. The default value is ACTION_FOLLOW_RULES (or 0). 568 | # Possible values include: 569 | # ACTION_FOLLOW_RULES = 0 570 | # ACTION_DO_INTERCEPT = 1 571 | # ACTION_DONT_INTERCEPT = 2 572 | # ACTION_DROP = 3 573 | # 574 | # Refer to the BurpExtender.java source comments for more details. 575 | # 576 | # 577 | # Return Value: 578 | # Implementations should return either (a) the same object received 579 | # in the message paramater, or (b) a different object containing a 580 | # modified message. 581 | # 582 | # **IMPORTANT RUBY NOTE: 583 | # Always be sure to return a new object if making modifications to messages. 584 | # 585 | # Explanation: 586 | # The (a) and (b) convention above is followed rather literally during type 587 | # conversion on the return value back into the java BurpExtender. 588 | # 589 | # When determining whether a change has been made in the message or not, 590 | # the decision is made based on whether the object returned is the same 591 | # as the object submitted in the call to evt_proxy_message. 592 | # 593 | # 594 | # So, for example, using in-place modification of the message using range 595 | # substring assignments or destructive method variations like String.sub!() 596 | # and String.gsub! alone won't work because the same object gets returned 597 | # to BurpExtender. 598 | # 599 | # In short, this means that if you want modifications to be made, be sure 600 | # to return a different String than the one you got in your handler. 601 | # 602 | # So for example this code won't do anything at all: 603 | # 604 | # ... 605 | # message.sub!(/^GET /, "HEAD ") 606 | # return message 607 | # 608 | # Nor this: 609 | # 610 | # message[0..4] = "HEAD " 611 | # return message 612 | # 613 | # But this will 614 | # 615 | # ... 616 | # return message.sub(/^GET /, "HEAD ") 617 | # 618 | # And so will this 619 | # 620 | # ... 621 | # message[0..4] = "HEAD " 622 | # return message.dup 623 | # 624 | def evt_proxy_message msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, message, action 625 | pp([ (is_req)? :got_proxy_request : :got_proxy_response, 626 | [:msg_ref, msg_ref], 627 | [:is_req, is_req], 628 | [:rhost, rhost], 629 | [:rport, rport], 630 | [:is_https, is_https], 631 | [:http_meth, http_meth], 632 | [:url, url], 633 | [:resourceType, resourceType], 634 | [:status, status], 635 | [:req_content_type, req_content_type], 636 | [:message, message], 637 | [:action, action[0]] ]) if $DEBUG 638 | 639 | return message 640 | end 641 | 642 | 643 | # This method is invoked whenever any of Burp's tools makes an HTTP request 644 | # or receives a response. This is effectively a generalised version of the 645 | # pre-existing evt_proxy_message method, and can be used to intercept and 646 | # modify the HTTP traffic of all Burp tools. 647 | # 648 | # IMPORTANT: This event handler is only used in Burp version 1.2.09 and 649 | # higher. 650 | # 651 | # Note: this method maps to the processHttpMessage BurpExtender Java method. 652 | # 653 | # This method should be overridden if you wish to implement functionality 654 | # relating to generalized requests and responses from any BurpSuite tool. 655 | # 656 | # You may want to use evt_proxy_message if you only intend to work on 657 | # proxied messages. Note, however, the IHttpRequestResponse Java object is 658 | # not used in evt_proxy_message and gives evt_http_message a somewhat 659 | # nicer interface to work with. 660 | # 661 | # Parameters: 662 | # * tool_name = a string name of the tool that generated the message 663 | # 664 | # * is_request = boolean true = request / false = response 665 | # 666 | # * message_info = an instance of the IHttpRequestResponse Java class with 667 | # methods for accessing and manipulating various attributes of the message. 668 | # 669 | def evt_http_message(tool_name, is_request, message_info) 670 | HttpRequestResponseHelper.implant(message_info) 671 | pp([:got_http_message, tool_name, is_request, message_info]) if $DEBUG 672 | end 673 | 674 | # This method is invoked whenever Burp Scanner discovers a new, unique 675 | # issue, and can be used to perform customised reporting or logging of 676 | # detected issues. 677 | # 678 | # IMPORTANT: This event handler is only used in Burp version 1.2.09 and 679 | # higher. 680 | # 681 | # Note: this method maps to the BurpExtender Java method. 682 | # 683 | # Parameters: 684 | # * issue = an instance of the IScanIssue Java class with methods for viewing 685 | # information on the scan issue that was generated. 686 | def evt_scan_issue(issue) 687 | ScanIssueHelper.implant(issue) 688 | pp([:got_scan_issue, issue]) if $DEBUG 689 | end 690 | 691 | # This method is called by BurpExtender right before closing the 692 | # application. Implementations can use this method to perform cleanup 693 | # tasks such as closing files or databases before exit. 694 | def evt_application_closing 695 | pp([:got_app_close]) if $DEBUG 696 | end 697 | 698 | ### Sugar/Convenience methods 699 | 700 | # This is a convenience wrapper which can load a given burp state file and 701 | # lets its caller to perform actions inside of a block on the site map 702 | # contained in the loaded session. 703 | # 704 | # If a statefile argument isn't specified current burp session state is used. 705 | # 706 | # Yields each entry in the site map to a block. 707 | def with_site_map(urlprefix=nil, statefile=nil) 708 | with_statefile(statefile) do |this| 709 | this.site_map(urlprefix).each {|h| yield h } 710 | end 711 | end 712 | 713 | # This is a convenience wrapper which can load a given burp state file and 714 | # lets its caller to perform actions inside of a block on the proxy history 715 | # contained in the loaded session. 716 | # 717 | # If a statefile argument isn't specified current burp session state is used. 718 | # 719 | # Yields each entry in the proxy history to a block. 720 | def with_proxy_history(statefile=nil) 721 | with_statefile(statefile) do |this| 722 | this.proxy_history.each {|h| yield h } 723 | end 724 | end 725 | 726 | # This is a convenience wrapper which loads a given burp statefile and lets 727 | # its caller perform actions via burp while its loaded on it inside of a 728 | # block. The old state is restored after the block completes. 729 | # 730 | # It can safely be run with a nil statefile argument in which the 731 | # current burp session state is used. 732 | def with_statefile(statefile=nil) 733 | if statefile 734 | # save current state: 735 | old_state=".#{$$}.#{Time.now.to_i}.state.bak" 736 | self.alert "Saving current state to temp statefile: #{old_state}" 737 | self.save_state(old_state) 738 | self.alert "Restoring state: #{statefile}" 739 | self.restore_state(statefile) 740 | end 741 | 742 | yield self 743 | 744 | if statefile 745 | # restore original state 746 | self.alert "Restoring temp statefile: #{old_state}" 747 | self.restore_state old_state 748 | self.alert "Deleting temp state file: #{old_state}" 749 | File.unlink old_state 750 | end 751 | end 752 | 753 | # Searches the proxy history for the url's matched by the specified 754 | # regular expression (returns them all if urlrx is nil). 755 | # 756 | # A statefile to search in can optionally be specified or the existing 757 | # state will be used if statefile is nil. 758 | # 759 | # This method also accepts an optional block which is passed each of the 760 | # matched history members. 761 | def search_proxy_history(statefile=nil, urlrx=nil) 762 | ret = [] 763 | with_proxy_history(statefile) do |r| 764 | if (not urlrx) or r.url.to_s =~ urlrx 765 | ret << r if (not block_given?) or yield(r) 766 | end 767 | end 768 | return ret 769 | end 770 | 771 | # Harvest cookies from a session's proxy history. 772 | # 773 | # Params: 774 | # cookie = optional: name of cookie to harvest 775 | # urlrx = optional: regular expression to match urls against 776 | # statefile = optional: filename for a burp session file to temporarily load 777 | # and harvest from. 778 | # 779 | # Takes an optional block as additional 'select' criteria for cookies. 780 | # The block return value of true/false will determine whether a cookie 781 | # string is selected. 782 | def harvest_cookies_from_history(cookie=nil, urlrx=nil, statefile=nil) 783 | ret = [] 784 | search_proxy_history(statefile, urlrx) do |hrr| 785 | if heads=hrr.rsp_headers 786 | ret += heads.select do |h| 787 | h[0].downcase == 'set-cookie' and (not block_given? or yield(h[1])) 788 | end.map{|h| h[1]} 789 | end 790 | end 791 | return ret 792 | end 793 | 794 | ### Startup stuff 795 | 796 | # Prepares the java BurpExtender implementation with a reference 797 | # to self as the module handler and launches burp suite. 798 | def start_burp(args=[]) 799 | activate!() 800 | Java::Burp::StartBurp.main(args.to_java(:string)) 801 | return self 802 | end 803 | 804 | # Starts burp using a supplied handler class, 805 | # h_class = Buby or a derived class. instance of which will become handler. 806 | # args = arguments to Burp 807 | # init_args = arguments to the handler constructor 808 | # 809 | # Returns the handler instance 810 | def self.start_burp(h_class=nil, init_args=nil, args=nil) 811 | h_class ||= self 812 | init_args ||= [] 813 | args ||= [] 814 | h_class.new(*init_args).start_burp(args) 815 | end 816 | 817 | # Attempts to load burp with require and confirm it provides the required 818 | # class in the Java namespace. 819 | # 820 | # Returns: true/false depending on whether the required jar provides us 821 | # the required class 822 | # 823 | # Raises: may raise the usual require exceptions if jar_path is bad. 824 | def self.load_burp(jar_path) 825 | require jar_path 826 | return burp_loaded? 827 | end 828 | 829 | # Checks the Java namespace to see if Burp has been loaded. 830 | def self.burp_loaded? 831 | begin 832 | include_class 'burp.StartBurp' 833 | return true 834 | rescue NameError 835 | return false 836 | end 837 | end 838 | 839 | ### Extra cruft added by Mr Bones: 840 | 841 | # Returns the library path for the module. If any arguments are given, 842 | # they will be joined to the end of the libray path using 843 | # File.join. 844 | # 845 | def self.libpath( *args ) 846 | args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten) 847 | end 848 | 849 | # Returns the lpath for the module. If any arguments are given, 850 | # they will be joined to the end of the path using 851 | # File.join. 852 | # 853 | def self.path( *args ) 854 | args.empty? ? PATH : ::File.join(PATH, args.flatten) 855 | end 856 | 857 | # Utility method used to require all files ending in .rb that lie in the 858 | # directory below this file that has the same name as the filename passed 859 | # in. Optionally, a specific _directory_ name can be passed in such that 860 | # the _filename_ does not have to be equivalent to the directory. 861 | # 862 | def self.require_all_libs_relative_to( fname, dir = nil ) 863 | dir ||= ::File.basename(fname, '.*') 864 | search_me = ::File.expand_path( 865 | ::File.join(::File.dirname(fname), dir, '**', '*.rb')) 866 | 867 | Dir.glob(search_me).sort.each {|rb| require rb} 868 | end 869 | 870 | end # Buby 871 | 872 | 873 | # Try requiring 'burp.jar' from the Ruby lib-path 874 | unless Buby.burp_loaded? 875 | begin require "burp.jar" 876 | rescue LoadError 877 | end 878 | end 879 | 880 | --------------------------------------------------------------------------------