└── noauth ├── config.py ├── hackhttp.py ├── unit.py ├── Detection.py ├── imgs ├── use01.png ├── use02.png ├── install01.png └── install02.jpg ├── ReadMe.md └── Logical.py /noauth/config.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /noauth/hackhttp.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /noauth/unit.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /noauth/Detection.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /noauth/imgs/use01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xibijj/burpsuiteExtender/master/noauth/imgs/use01.png -------------------------------------------------------------------------------- /noauth/imgs/use02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xibijj/burpsuiteExtender/master/noauth/imgs/use02.png -------------------------------------------------------------------------------- /noauth/imgs/install01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xibijj/burpsuiteExtender/master/noauth/imgs/install01.png -------------------------------------------------------------------------------- /noauth/imgs/install02.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xibijj/burpsuiteExtender/master/noauth/imgs/install02.jpg 
-------------------------------------------------------------------------------- /noauth/ReadMe.md: -------------------------------------------------------------------------------- 1 | 基于敏感数据IAST模式的Burpsuite检测插件 2 | ======================================= 3 | 4 | # 一、说明 5 | 6 | 基于敏感数据IAST模式的Burpsuite插件,用于甲乙方在做渗透测试或是应用系统安全检测时半自动发现接口返回敏感数据,并对该接口进行未授权、越权等简单测试。当前的检测逻辑还是比较简单的,各位可根据自己的实际业务对检测逻辑进行优化。 7 | 8 | ### 已完成: 9 | 10 | + 敏感信息泄漏检测 11 | + 垂直越权访问检测 12 | + 未授权访问检测 13 | + 水平越权访问检测(解释请求报文,自动遍历int类型的ID) 14 | 15 | ### 计划中: 16 | 17 | + 欢迎提建议,不建议开始潜水 18 | 19 | # 二、部署说明 20 | 21 | 需要安装jython2.7.0,并在burpsuite启用,把浏览器代理设置为burpsuite,然后人工触发应用系统功能即可。 22 | - [下载 jython2.7.0](http://search.maven.org/remotecontent?filepath=org/python/jython-installer/2.7.0/jython-installer-2.7.0.jar) 23 | - ![插件安装](imgs/install01.png) 24 | - ![插件安装](imgs/install02.jpg) 25 | - ![插件使用](imgs/use01.png) 26 | - ![插件使用](imgs/use02.png) 27 | 28 | # 三、目录说明 29 | 30 | . 31 | │─config.py 检测规则配置文件 32 | │─Detection.py 检测逻辑主体 33 | │─hackhttp.py Http请求方法封装模块 34 | │─Logical.py burpsuite插件入口文件 35 | │─unit.py 公共模块 36 | │ 37 | └─vullog 检测出来的漏洞记录文件存放目录,auth_replace:越权访问、PersonalInfo:敏感信息泄漏、Unauthorized:未授权访问、IDOR:水平越权。 38 | 39 | # 四、检测配置`config.py` 40 | 41 | ``` 42 | # 漏洞记录文件存放目录 43 | vullogpath = './vullog/' 44 | 45 | # URL去重检测开关, 开启:True,关闭:False 46 | url_hash = True 47 | 48 | # 自动清除http请求中head中的身份认证字段,大小写敏感 49 | rm_token_keys = ['token', 'Cookie'] 50 | 51 | # 自定义response中json数据类型的敏感信息字段定义,大小写不敏感 52 | personalinfo_json_keys = ['identity', 'phone', 'webchat', 'email', 'qq', 'mobile', 'chargename'] 53 | 54 | # 自定义搜索出来的敏感信息进行过滤字段,大小写不敏感 55 | re_filter_keys = ['dont_delete_this_default_vaule', 'mobileDisplay', 'highSpeedCardNumber', 'payeeBankCode', 'payeeBankType'] 56 | 57 | # 自定义忽略文件类型,小写敏感 58 | filter_files = ['.css', '.js', '.jpg', '.jpeg', '.gif', '.png', '.bmp', '.html', '.htm', '.swf', '.svg'] 59 | 60 | # 自定义一定要进行权限安全检测的URL黑名单,支持正则 61 | black_urls = ['dont_delete_this_default_vaule', '\?auth.\w+'] 62 | 63 | # 
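# -*- coding: utf-8 -*-
# @Time    : 2019/7/21 10:25
# @Author  : Mr.x
# @File    : Logical.py
#
# Burp Suite extension entry point. Registers an HTTP listener and hands every
# response seen by the watched tools to Detection.Detect, which is loaded
# dynamically from the working directory so the detection logic can be edited
# without reloading the extension.

# import sys

# print sys.path
# sys.path.append('C:\\Python27\\DLLs')
# sys.path.append('C:\\Python27\\lib')
# sys.path.append('C:\\Python27\\lib\\plat-win')
# sys.path.append('C:\\Python27\\lib\\lib-tk')
# sys.path.append('C:\\Python27')
# sys.path.append('C:\\Python27\\lib\\site-packages')

import re
import imp
from burp import IBurpExtender  # extension metadata interface
from burp import IHttpListener  # HTTP traffic listener interface

res_path = re.compile(r'(GET|POST) ([^ ]*) HTTP/')

# Request-line prefix accepted by processHttpMessage; any other method is skipped.
_method_re = re.compile(r"(GET|POST) ")

# Burp tool flags whose traffic is examined: 4 = Proxy, 8 = Spider, 64 = Repeater.
_WATCHED_TOOLS = (4, 8, 64)


class BurpExtender(IBurpExtender, IHttpListener):
    """Burp extension that forwards HTTP responses to the Detection module.

    Burp instantiates this class, calls registerExtenderCallbacks once, and
    afterwards calls processHttpMessage for every HTTP message.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Store the Burp callbacks/helpers, name the extension and register as HTTP listener.

        Args:
            callbacks: IBurpExtenderCallbacks supplied by Burp.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()  # IExtensionHelpers utilities
        self._callbacks.setExtensionName("Logical Detection")
        print('author: Mr.x 20190807 ver:1.2')
        # register ourselves as an HTTP listener
        callbacks.registerHttpListener(self)

    def import_module(self, mod_name, mod_path):
        '''Dynamically load (and reload) a module by name from mod_path.

        Every call performs a fresh imp.find_module/imp.load_module, so edits to
        the module's source are picked up on the next call. imp.find_module opens
        the source file and leaves closing it to the caller, which is done here.

        Args:
            mod_name: module name without the .py suffix.
            mod_path: directory searched for the module.

        Returns:
            The loaded module object.

        Raises:
            ImportError: if the module cannot be found or loaded.
        '''
        fn_, path, desc = imp.find_module(mod_name, [mod_path])
        try:
            return imp.load_module(mod_name, fn_, path, desc)
        finally:
            # find_module returns None for packages; only close real file handles.
            if fn_ is not None:
                fn_.close()

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        """Burp callback for each HTTP message; dispatches responses to Detection.Detect.

        Only responses coming from the tools in _WATCHED_TOOLS are examined;
        requests and other tools return None without side effects. For each
        accepted response a dict describing the request/response pair is built
        and passed to Detection.Detect, which is started as a thread.

        Args:
            toolFlag: Burp tool identifier that produced the message.
            messageIsRequest: True for requests, False for responses.
            messageInfo: IHttpRequestResponse holding request and response bytes.

        Returns:
            None in every case.
        """
        if toolFlag not in _WATCHED_TOOLS or messageIsRequest:
            return None

        response = messageInfo.getResponse()
        analyzed_response = self._helpers.analyzeResponse(response)
        response_body_string = response[analyzed_response.getBodyOffset():].tostring()

        request = messageInfo.getRequest()
        # NOTE(review): the request is analysed with analyzeResponse rather than
        # analyzeRequest. getHeaders()/getBodyOffset() exist on both result types,
        # so this works, but Detection.py receives an IResponseInfo under the
        # "request" key; switching to analyzeRequest would change what that module
        # sees, so it is left unchanged here.
        analyzed_request = self._helpers.analyzeResponse(request)
        request_body_string = request[analyzed_request.getBodyOffset():].tostring()
        request_header = analyzed_request.getHeaders()

        trg_url = str(messageInfo.getUrl())

        # The first header line is the request line; only GET/POST are handled.
        # An empty header list or an unsupported method means nothing to do.
        try:
            method = _method_re.findall(request_header[0])[0]
        except (IndexError, TypeError):
            return None

        httpobj = {
            "request": analyzed_request,
            "response": analyzed_response,
            "request_obj": request,
            "response_obj": response,
            "head": request_header,
            "method": method,
            "url": trg_url,
            "request_raw": request_body_string,
            "response_body": response_body_string,
        }

        # Detection is (re)loaded from the working directory on every message so
        # edits to Detection.py take effect immediately. Whatever Detection.py is
        # found in Burp's working directory runs with the extension's privileges.
        detect_module = self.import_module("Detection", ".")
        detect_module.Detect(httpobj).start()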