├── README.md
└── rexsser.py
/README.md:
--------------------------------------------------------------------------------
1 | # rexsser
2 | This is a burp plugin (python) that extracts keywords from response using regexes and test for reflected XSS on the target scope. Valid parameters reflected, vulnerable parameters are show in results in the rexsser extension tab.
3 |
4 | ### Regexes
5 | - extract all javascript 'var' names from response page
6 | - ...
7 |
8 | ### Screenshots
9 |
10 | 
11 |
12 | ### Requirements
13 | - Jython
14 | - BurpSuite
15 |
16 | ### Todo
17 |
18 | - [ ] Add Multiple regexes to extract words (Example: input elements in the page response)
19 | - [x] Content-Type filter
20 | - [x] Scope checkbox
21 | - [x] Process only given status-codes
22 | - [x] Turn off/on
23 |
--------------------------------------------------------------------------------
/rexsser.py:
--------------------------------------------------------------------------------
1 | from burp import IBurpExtender
2 | from burp import IHttpListener
3 | from burp import IProxyListener
4 | from burp import IExtensionHelpers
5 | from burp import IScannerListener
6 | from burp import IExtensionStateListener
7 | from burp import IParameter
8 | from java.io import PrintWriter
9 | from java.net import URLEncoder
10 | from burp import ITab
11 | from threading import Thread
12 | from burp import IHttpListener
13 | from burp import IMessageEditorController
14 | from java.awt import Component;
15 | from java.io import PrintWriter;
16 | from java.awt.event import MouseAdapter
17 | from java.awt.event import ItemListener
18 | from javax.swing import RowFilter
19 | from java.util import ArrayList;
20 | from java.util import List;
21 | from javax.swing import JScrollPane;
22 | from javax.swing import JSplitPane;
23 | from javax.swing import JTabbedPane;
24 | from javax.swing import JCheckBox
25 | from javax.swing import JTable
26 | from javax.swing import JButton
27 | from javax.swing import JTextArea
28 | from javax.swing import JToggleButton
29 | from javax.swing import JPanel
30 | from javax.swing import JLabel
31 | from javax.swing import SwingUtilities;
32 | from javax.swing import BoxLayout
33 | from javax.swing.table import AbstractTableModel;
34 | from threading import Lock
35 | from java.awt import Color
36 |
37 | import re
38 | import threading
39 |
40 |
41 |
42 | class BurpExtender(IBurpExtender, IHttpListener, IProxyListener, IScannerListener, IExtensionStateListener, ITab, IMessageEditorController, AbstractTableModel):
43 |
44 | def registerExtenderCallbacks(self, callbacks):
45 | # set our extension name
46 | self._callbacks = callbacks
47 | self.ATTRIBUTE_QUOTES = "(\".*\")|(\'.*\')"
48 | callbacks.setExtensionName("Rexsser")
49 | # obtain our output stream
50 | self._stdout = PrintWriter(callbacks.getStdout(), True)
51 | self._helpers = callbacks.getHelpers()
52 | # register ourselves as an HTTP listener
53 |
54 | self._log = ArrayList()
55 | self._lock = Lock()
56 |
57 | # main split pane
58 | self._splitpane = JSplitPane(JSplitPane.VERTICAL_SPLIT)
59 |
60 | # table of log entries
61 | logTable = Table(self)
62 | scrollPane = JScrollPane(logTable)
63 | self.logTable = logTable
64 | self._splitpane.setLeftComponent(scrollPane)
65 |
66 |
67 | splane = JSplitPane(JSplitPane.HORIZONTAL_SPLIT)
68 | btn = JToggleButton("Turn on/off")
69 | self._btn = btn
70 | panel = JPanel()
71 | panel1 = JPanel()
72 |
73 | chxbox = JCheckBox("In Scope Only")
74 | self.chxbox = chxbox
75 | panel1.add(self._btn)
76 | panel1.add(chxbox)
77 | panel.add(panel1)
78 |
79 | panel2 = JPanel()
80 | panel2.setLayout(BoxLayout(panel2, BoxLayout.Y_AXIS))
81 | textarea = JTextArea("text/html\napplication/json")
82 | textarea.setRows(5)
83 | textarea.setColumns(5)
84 | textarea.setLineWrap(1);
85 | panel2.add(JLabel("Content Types: "))
86 | panel2.add(textarea)
87 | panel.add(panel2)
88 | self.content_types = textarea
89 |
90 | panel3 = JPanel()
91 |
92 | panel3.add(JLabel("Status Codes: "))
93 | txtarea = JTextArea("200,500")
94 | txtarea.setRows(3)
95 | txtarea.setLineWrap(1)
96 | self.status_codes = txtarea
97 | panel3.add(txtarea)
98 | panel3.setLayout(BoxLayout(panel3, BoxLayout.Y_AXIS))
99 | panel.add(panel3)
100 |
101 | panel.setLayout(BoxLayout(panel,BoxLayout.Y_AXIS))
102 | tabs = JTabbedPane()
103 | splane.setLeftComponent(panel)
104 |
105 | self._requestViewer = callbacks.createMessageEditor(self, False)
106 | self._responseViewer = callbacks.createMessageEditor(self, False)
107 | tabs.addTab("Request", self._requestViewer.getComponent())
108 | tabs.addTab("Response", self._responseViewer.getComponent())
109 | splane.setRightComponent(tabs)
110 |
111 | self._splitpane.setRightComponent(splane)
112 |
113 | # customize our UI components
114 | callbacks.customizeUiComponent(self._splitpane)
115 | callbacks.customizeUiComponent(logTable)
116 | callbacks.customizeUiComponent(scrollPane)
117 | callbacks.customizeUiComponent(splane)
118 |
119 | # add the custom tab to Burp's UI
120 | callbacks.addSuiteTab(self)
121 | callbacks.registerHttpListener(self)
122 |
123 | return
124 |
125 | def getTabCaption(self):
126 | return "Rexsser"
127 |
128 | def getUiComponent(self):
129 | return self._splitpane
130 |
131 |
132 | def getRowCount(self):
133 | try:
134 | return self._log.size()
135 | except:
136 | return 0
137 |
138 | def getColumnCount(self):
139 | return 4
140 |
141 | def getColumnName(self, columnIndex):
142 | if columnIndex == 0:
143 | return "Detail"
144 | if columnIndex == 1:
145 | return "Parameter"
146 | if columnIndex == 2:
147 | return "URL"
148 | if columnIndex == 3:
149 | return "WAF Status"
150 | return ""
151 |
152 | def getValueAt(self, rowIndex, columnIndex):
153 | logEntry = self._log.get(rowIndex)
154 | if columnIndex == 0:
155 | return logEntry._detail
156 | if columnIndex == 1:
157 | return logEntry._parameter
158 | if columnIndex == 2:
159 | return logEntry._url
160 | if columnIndex == 3:
161 | return logEntry._waf
162 | return ""
163 |
164 |
165 | def getHttpService(self):
166 | return self._currentlyDisplayedItem.getHttpService()
167 |
168 | def getRequest(self):
169 | return self._currentlyDisplayedItem.getRequest()
170 |
171 | def getResponse(self):
172 | return self._currentlyDisplayedItem.getResponse()
173 |
174 | def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
175 | if messageIsRequest:
176 | return
177 | if not self._btn.isSelected():
178 | return
179 | code = self._helpers.analyzeResponse(messageInfo.getResponse()).getStatusCode()
180 | content_type = self._helpers.analyzeResponse(messageInfo.getResponse()).getStatedMimeType()
181 | statuscodes = self.status_codes.getText().split(",")
182 | content_types = self.content_types.getText().split("\n")
183 |
184 | cts = [x.split("/")[1].upper() for x in content_types]
185 | print(content_type+str(cts))
186 | if not str(code) in statuscodes:
187 | return
188 | if not content_type in cts:
189 | return
190 | self.toolFlag = toolFlag
191 | patt = "var (\w+).*=.*(.*)"
192 | payloads = ["fixedvaluehopefullyexists","random1'ss","random2\"ss","dummss","duteer
ss"]
193 | for payload in payloads:
194 | if self._callbacks.getToolName(toolFlag) == "Proxy":
195 | self.processTestcases(patt, messageInfo, payload)
196 |
197 | def issues(self, messageInfo, detail, param, waf):
198 | self._lock.acquire()
199 | row = self._log.size()
200 | self._log.add(LogEntry(param, self._callbacks.saveBuffersToTempFiles(messageInfo), self._helpers.analyzeRequest(messageInfo).getUrl(), detail, waf))
201 | self.fireTableRowsInserted(row, row)
202 | self._lock.release()
203 |
204 |
205 |
206 | def processTestcases(self, patt, messageInfo, payload):
207 | irequest = self._helpers.analyzeRequest(messageInfo)
208 | url = irequest.getUrl()
209 | response = messageInfo.getResponse()
210 | httpservice = messageInfo.getHttpService()
211 | inject = URLEncoder.encode(payload, "UTF-8")
212 | inScopeOnly = self.chxbox.isSelected()
213 | if inScopeOnly and not self._callbacks.isInScope(url):
214 | return
215 | if True:
216 | #patt = "var (\w+).*=.*('|\")(.*)('|\")"
217 | words = []
218 | x = re.findall(patt, self._helpers.bytesToString(response))
219 | for y in x:
220 | words.append(y[0])
221 | sortedwords = list(set(words))
222 | requestString = self._helpers.bytesToString(messageInfo.getRequest())
223 | if 'GET /' in requestString:
224 | mthd = 'GET'
225 | elif 'POST /' in requestString:
226 | mthd = 'POST'
227 | else:
228 | mthd = 'GET'
229 | if len(sortedwords) > 0:
230 | for word in sortedwords:
231 | if mthd == 'GET':
232 | param = self._helpers.buildParameter(word, inject , IParameter.PARAM_URL)
233 | elif mthd == 'POST':
234 | param = self._helpers.buildParameter(word, inject, IParameter.PARAM_BODY)
235 | else:
236 | param = self._helpers.buildParameter(word, inject , IParameter.PARAM_URL)
237 | newrequest = self._helpers.addParameter(messageInfo.getRequest(), param)
238 | t = threading.Thread(target=self.makeRequest,args=[messageInfo.getHttpService(), newrequest, word, payload])
239 | t.daemon = True
240 | t.start()
241 |
242 |
243 |
244 | def makeRequest(self, httpservice, requestBytes, word, payload):
245 | #useHttps = 1 if httpservice.getProtocol() == 'https' else 0
246 | #print(self._helpers.bytesToString(requestBytes))
247 | bRequestResponse = self._callbacks.makeHttpRequest(httpservice, requestBytes)
248 | tResp = bRequestResponse.getResponse()
249 | status = self._helpers.analyzeResponse(tResp).getStatusCode()
250 | url = self._helpers.analyzeRequest(bRequestResponse).getUrl()
251 | response = self._helpers.bytesToString(tResp)
252 | if status != 302:
253 | if status == 200:
254 | waf = "Allowed"
255 | else:
256 | waf = "Unknown"
257 | if payload in response:
258 | if payload == 'fixedvaluehopefullyexists':
259 | str1 = word+" is a valid parameter"
260 | str2 = self.definesContext(payload, response)
261 | self.issues(bRequestResponse, str2+" "+str1, word, waf)
262 | if payload == 'random1\'ss':
263 | str1 = word+" single quote reflection allowed"
264 | str2 = self.definesContext(payload, response)
265 | self.issues(bRequestResponse, str2+" "+str1, word, waf)
266 | if payload == 'random2"ss':
267 | str1 = word+" Double quote allowed"
268 | str2 = self.definesContext(payload, response)
269 | self.issues(bRequestResponse, str2+" "+str1, word, waf)
270 | if payload == 'dummss':
271 | str1 = word+" Script tags allowed"
272 | str2 = self.definesContext(payload, response)
273 | self.issues(bRequestResponse, str2+" "+str1, word, waf)
274 | if payload == 'duteer
ss':
275 | str1 = word+" HTML tags allowed"
276 | str2 = self.definesContext(payload, response)
277 | self.issues(bRequestResponse, str2+" "+str1, word, waf)
278 | else:
279 | pass
280 | if status == 403:
281 | self.issues(bRequestResponse, "", word, "Blocked")
282 |
283 |
284 | def definesContext(self, reflection, html):
285 | indx = html.find(reflection)
286 | q = html[indx-1]
287 | q2 = html[indx+len(reflection)]
288 | if q in reflection and q =='"':
289 | return "[Vulnerable][attribute][\"]"
290 | if q in reflection and q =="'":
291 | return "[Vulnerable][attribute][']"
292 | else:
293 | return "[Possible]"
294 |
295 | class Mouseclick(MouseAdapter):
296 | def __init__(self, extender):
297 | self._extender = extender
298 |
299 | def mouseReleased(self, evt):
300 | if evt.button == 3:
301 | self._extender.menu.show(evt.getComponent(), evt.getX(), evt.getY())
302 |
303 | class TabTableFilter(ItemListener):
304 | def __init__(self, extender):
305 | self._extender = extender
306 |
307 | def itemStateChanged(self, e):
308 | self._extender.tableSorter.sort()
309 |
310 |
311 | class Table(JTable):
312 | def __init__(self, extender):
313 | self._extender = extender
314 | self.setModel(extender)
315 | self.getColumnModel().getColumn(0).setPreferredWidth(50)
316 | self.getColumnModel().getColumn(1).setPreferredWidth(50)
317 | self.getColumnModel().getColumn(2).setPreferredWidth(800)
318 | self.getColumnModel().getColumn(3).setPreferredWidth(50)
319 | self.setRowSelectionAllowed(True)
320 |
321 | def changeSelection(self, row, col, toggle, extend):
322 |
323 | # show the log entry for the selected row
324 | logEntry = self._extender._log.get(row)
325 | self._extender._requestViewer.setMessage(logEntry._requestResponse.getRequest(), True)
326 | self._extender._responseViewer.setMessage(logEntry._requestResponse.getResponse(), False)
327 | self._extender._currentlyDisplayedItem = logEntry._requestResponse
328 |
329 | JTable.changeSelection(self, row, col, toggle, extend)
330 |
331 | def prepareRenderer(self, renderer, row, col):
332 | comp = JTable.prepareRenderer(self, renderer, row, col)
333 | value = self.getValueAt(self._extender.logTable.convertRowIndexToModel(row), col)
334 |
335 | if col == 0:
336 | if "Vulnerable" in value:
337 | comp.setBackground(Color(255, 153, 153))
338 | comp.setForeground(Color.BLACK)
339 | elif "Possible" in value:
340 | comp.setBackground(Color(255, 204, 153))
341 | comp.setForeground(Color.BLACK)
342 | else:
343 | comp.setBackground(Color(204, 255, 153))
344 | comp.setForeground(Color.BLACK)
345 | else:
346 | comp.setForeground(Color.BLACK)
347 | comp.setBackground(Color.WHITE)
348 |
349 | selectedRow = self._extender.logTable.getSelectedRow()
350 | if selectedRow == row:
351 | comp.setBackground(Color(201, 215, 255))
352 | comp.setForeground(Color.BLACK)
353 | return comp
354 |
355 |
356 | class LogEntry:
357 | def __init__(self, parameter, requestResponse, url, detail, waf):
358 | self._parameter = parameter
359 | self._requestResponse = requestResponse
360 | self._url = url
361 | self._detail = detail
362 | self._waf = waf
363 |
364 |
365 |
366 |
--------------------------------------------------------------------------------