├── src └── main │ └── java │ ├── deduper │ ├── Distance.java │ ├── IWordSeg.java │ ├── BinaryWordSeg.java │ ├── HammingDistance.java │ ├── Simhash.java │ ├── HtmlSeg.java │ ├── MurmurHash.java │ └── BKTree.java │ ├── com │ └── yandex │ │ └── burp │ │ └── extensions │ │ ├── config │ │ ├── BurpMollyPackConfig.java │ │ ├── MollyConfig.java │ │ ├── MollyAuthConfig.java │ │ └── BurpMollyScannerConfig.java │ │ ├── modifiers │ │ ├── IMollyModifier.java │ │ ├── HeaderModifier.java │ │ ├── UserAgentModifier.java │ │ └── QsParameterModifier.java │ │ ├── auth │ │ ├── IMollyAuthAdapter.java │ │ └── BasicAuthAdapter.java │ │ ├── MollyProxyListener.java │ │ ├── EntryPointDeduplicator.java │ │ └── MollyRequestResponseHandler.java │ └── burp │ ├── IScopeChangeListener.java │ ├── IHttpRequestResponsePersisted.java │ ├── IIntruderAttack.java │ ├── ITempFile.java │ ├── IExtensionStateListener.java │ ├── IBurpExtender.java │ ├── IScannerListener.java │ ├── IHttpService.java │ ├── ITab.java │ ├── IMenuItemHandler.java │ ├── IProxyListener.java │ ├── IBurpCollaboratorInteraction.java │ ├── IContextMenuFactory.java │ ├── IScannerInsertionPointProvider.java │ ├── IHttpListener.java │ ├── IIntruderPayloadGeneratorFactory.java │ ├── IMessageEditorTabFactory.java │ ├── IHttpRequestResponseWithMarkers.java │ ├── IIntruderPayloadProcessor.java │ ├── IIntruderPayloadGenerator.java │ ├── ICookie.java │ ├── IMessageEditorController.java │ ├── IResponseKeywords.java │ ├── IMessageEditor.java │ ├── ISessionHandlingAction.java │ ├── IResponseVariations.java │ ├── IResponseInfo.java │ ├── IScanQueueItem.java │ ├── IRequestInfo.java │ ├── ITextEditor.java │ ├── IHttpRequestResponse.java │ ├── IParameter.java │ ├── IBurpCollaboratorClientContext.java │ ├── IScannerCheck.java │ ├── IMessageEditorTab.java │ ├── IScanIssue.java │ ├── IInterceptedProxyMessage.java │ ├── IContextMenuInvocation.java │ ├── IScannerInsertionPoint.java │ ├── BurpExtender.java │ └── IExtensionHelpers.java ├── config ├── run.sh ├── burp_molly_config.json ├── burp_user_config.json └── burp_project_config.json ├── .gitignore ├── AUTHORS ├── README.md ├── burp-molly-scanner.iml ├── CONTRIBUTING.md ├── pom.xml └── LICENSE /src/main/java/deduper/Distance.java: -------------------------------------------------------------------------------- 1 | package deduper; 2 | 3 | /** 4 | * @author Josh Clemm 5 | * 6 | */ 7 | public interface Distance { 8 | public int getDistance(Object object1, Object object2); 9 | } 10 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/config/BurpMollyPackConfig.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.config; 2 | 3 | /** 4 | * Created by a-abakumov on 08/02/2017. 5 | */ 6 | public class BurpMollyPackConfig { 7 | } 8 | -------------------------------------------------------------------------------- /config/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | MOLLY_CONFIG=/home/molly/burp_molly_config.json /usr/lib/jvm/jre1.8.0_111/bin/java -jar -Xmx2048m -Djava.awt.headless=true burpsuite_pro.jar --user-config-file=/home/molly/burp_user_config.json --config-file=/home/molly/burp_project_config.json 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | .idea/ 3 | target/ 4 | 5 | # Mobile Tools for Java (J2ME) 6 | .mtj.tmp/ 7 | 8 | # Package Files # 9 | *.jar 10 | *.war 11 | *.ear 12 | 13 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 14 | hs_err_pid* 15 | -------------------------------------------------------------------------------- /src/main/java/deduper/IWordSeg.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | */ 4 | package deduper; 5 | 6 | import java.util.List; 7 | import java.util.Set; 8 | 9 | /** 10 | * @author zhangcheng 11 | * 12 | */ 13 | public interface IWordSeg { 14 | 15 | public List tokens(String doc); 16 | 17 | public List tokens(String doc, Set stopWords); 18 | } 19 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/modifiers/IMollyModifier.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.modifiers; 2 | 3 | import burp.IHttpRequestResponse; 4 | 5 | /** 6 | * Created by ezaitov on 08.02.2017. 7 | */ 8 | public interface IMollyModifier { 9 | public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo); 10 | } 11 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | The following authors have created the source code of "burp-molly-scanner" 2 | published and distributed by YANDEX LLC as the owner: 3 | 4 | Eldar Zaitov 5 | Andrey Abakumov 6 | 7 | burp-molly-scanner source code includes third party software created by following persons: 8 | Josh Clemm 9 | Cheng Zhang 10 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/modifiers/HeaderModifier.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.modifiers; 2 | 3 | import burp.IHttpRequestResponse; 4 | 5 | /** 6 | * Created by ezaitov on 08.02.2017. 7 | */ 8 | public class HeaderModifier implements IMollyModifier { 9 | 10 | @Override 11 | public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { 12 | if (!messageIsRequest) { 13 | return; 14 | } 15 | /* implement your modification here */ 16 | } 17 | } -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/auth/IMollyAuthAdapter.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.auth; 2 | 3 | import burp.IHttpRequestResponse; 4 | 5 | /** 6 | * Created by ezaitov on 06.02.2017. 7 | */ 8 | public interface IMollyAuthAdapter { 9 | public boolean isAuthExpected(); 10 | public boolean doAuth(IHttpRequestResponse messageInfo); 11 | public void doLogout(IHttpRequestResponse messageInfo); 12 | public boolean isAuthenticated(IHttpRequestResponse messageInfo); 13 | public boolean isLogoutRequest(IHttpRequestResponse messageInfo); 14 | } 15 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/config/MollyConfig.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.config; 2 | 3 | import com.google.gson.annotations.Expose; 4 | import com.google.gson.annotations.SerializedName; 5 | 6 | public class MollyConfig { 7 | 8 | @SerializedName("burp-molly-pack") 9 | @Expose 10 | private BurpMollyPackConfig BurpMollyPackConfig; 11 | 12 | @SerializedName("burp-molly-scanner") 13 | @Expose 14 | private BurpMollyScannerConfig BurpActiveScannerConfig; 15 | 16 | public BurpMollyPackConfig getBurpMollyPackConfig() { 17 | return BurpMollyPackConfig; 18 | } 19 | 20 | public BurpMollyScannerConfig getBurpActiveScanner() { 21 | return BurpActiveScannerConfig; 22 | } 23 | 24 | } -------------------------------------------------------------------------------- /src/main/java/deduper/BinaryWordSeg.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | */ 4 | package deduper; 5 | 6 | import java.util.LinkedList; 7 | import java.util.List; 8 | import java.util.Set; 9 | 10 | /** 11 | * @author zhangcheng 12 | * 13 | */ 14 | public class BinaryWordSeg implements IWordSeg { 15 | 16 | @Override 17 | public List tokens(String doc) { 18 | List binaryWords = new LinkedList(); 19 | for(int i = 0; i < doc.length() - 1; i += 1) { 20 | StringBuilder bui = new StringBuilder(); 21 | bui.append(doc.charAt(i)).append(doc.charAt(i + 1)); 22 | binaryWords.add(bui.toString()); 23 | } 24 | return binaryWords; 25 | } 26 | 27 | @Override 28 | public List tokens(String doc, Set stopWords) { 29 | return null; 30 | } 31 | 32 | } 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Burp-molly-scanner 2 | 3 | # Overview 4 | The main goal of Burp-molly-scanner is to extend Burp and turn it into headless active scanner. 5 | 6 | # Usage 7 | * Build fat jar with Maven 8 | * Rewrite burp_molly_config.json 9 | * Put path to config in MOLLY_CONFIG Environment variable 10 | * Run Burp Suite in console `java -jar burpsuite_pro.jar` 11 | * Add Plugin in Extender Tab (once) 12 | * Run scanner in headless mode (see run.sh) 13 | * Parse resulting XML report 14 | * Integrate it to your security pipeline 15 | 16 | # Contributing 17 | Contributions to Burp-molly-scanner are always welcome! You can help us in different ways: 18 | * Open an issue with suggestions for improvements and errors you're facing; 19 | * Fork this repository and submit a pull request; 20 | * Improve the documentation. 21 | -------------------------------------------------------------------------------- /src/main/java/burp/IScopeChangeListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScopeChangeListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScopeChangeListener() to register 15 | * a scope change listener. The listener will be notified whenever a change 16 | * occurs to Burp's suite-wide target scope. 17 | */ 18 | public interface IScopeChangeListener 19 | { 20 | /** 21 | * This method is invoked whenever a change occurs to Burp's suite-wide 22 | * target scope. 23 | */ 24 | void scopeChanged(); 25 | } 26 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponsePersisted.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponsePersisted.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for an 14 | * IHttpRequestResponse object whose request and response messages 15 | * have been saved to temporary files using 16 | * IBurpExtenderCallbacks.saveBuffersToTempFiles(). 17 | */ 18 | public interface IHttpRequestResponsePersisted extends IHttpRequestResponse 19 | { 20 | /** 21 | * This method is deprecated and no longer performs any action. 22 | */ 23 | @Deprecated 24 | void deleteTempFiles(); 25 | } 26 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderAttack.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderAttack.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an Intruder attack. 14 | */ 15 | public interface IIntruderAttack 16 | { 17 | /** 18 | * This method is used to retrieve the HTTP service for the attack. 19 | * 20 | * @return The HTTP service for the attack. 21 | */ 22 | IHttpService getHttpService(); 23 | 24 | /** 25 | * This method is used to retrieve the request template for the attack. 26 | * 27 | * @return The request template for the attack. 28 | */ 29 | byte[] getRequestTemplate(); 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/burp/ITempFile.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITempFile.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details of a temporary file that has been 14 | * created via a call to 15 | * IBurpExtenderCallbacks.saveToTempFile(). 16 | * 17 | */ 18 | public interface ITempFile 19 | { 20 | /** 21 | * This method is used to retrieve the contents of the buffer that was saved 22 | * in the temporary file. 23 | * 24 | * @return The contents of the buffer that was saved in the temporary file. 25 | */ 26 | byte[] getBuffer(); 27 | 28 | /** 29 | * This method is deprecated and no longer performs any action. 30 | */ 31 | @Deprecated 32 | void delete(); 33 | } 34 | -------------------------------------------------------------------------------- /src/main/java/burp/IExtensionStateListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionStateListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerExtensionStateListener() to 15 | * register an extension state listener. The listener will be notified of 16 | * changes to the extension's state. Note: Any extensions that start 17 | * background threads or open system resources (such as files or database 18 | * connections) should register a listener and terminate threads / close 19 | * resources when the extension is unloaded. 20 | */ 21 | public interface IExtensionStateListener 22 | { 23 | /** 24 | * This method is called when the extension is unloaded. 25 | */ 26 | void extensionUnloaded(); 27 | } 28 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * All extensions must implement this interface. 14 | * 15 | * Implementations must be called BurpExtender, in the package burp, must be 16 | * declared public, and must provide a default (public, no-argument) 17 | * constructor. 18 | */ 19 | public interface IBurpExtender 20 | { 21 | /** 22 | * This method is invoked when the extension is loaded. It registers an 23 | * instance of the 24 | * IBurpExtenderCallbacks interface, providing methods that may 25 | * be invoked by the extension to perform various actions. 26 | * 27 | * @param callbacks An 28 | * IBurpExtenderCallbacks object. 29 | */ 30 | void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks); 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScannerListener() to register a 15 | * Scanner listener. The listener will be notified of new issues that are 16 | * reported by the Scanner tool. Extensions can perform custom analysis or 17 | * logging of Scanner issues by registering a Scanner listener. 18 | */ 19 | public interface IScannerListener 20 | { 21 | /** 22 | * This method is invoked when a new issue is added to Burp Scanner's 23 | * results. 24 | * 25 | * @param issue An 26 | * IScanIssue object that the extension can query to obtain 27 | * details about the new issue. 28 | */ 29 | void newScanIssue(IScanIssue issue); 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpService.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpService.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to provide details about an HTTP service, to which 14 | * HTTP requests can be sent. 15 | */ 16 | public interface IHttpService 17 | { 18 | /** 19 | * This method returns the hostname or IP address for the service. 20 | * 21 | * @return The hostname or IP address for the service. 22 | */ 23 | String getHost(); 24 | 25 | /** 26 | * This method returns the port number for the service. 27 | * 28 | * @return The port number for the service. 29 | */ 30 | int getPort(); 31 | 32 | /** 33 | * This method returns the protocol for the service. 34 | * 35 | * @return The protocol for the service. Expected values are "http" or 36 | * "https". 37 | */ 38 | String getProtocol(); 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/deduper/HammingDistance.java: -------------------------------------------------------------------------------- 1 | package deduper; 2 | 3 | /** 4 | * Created by ezaitov on 20.02.2017. 5 | */ 6 | public class HammingDistance implements Distance { 7 | 8 | @Override 9 | public int getDistance(Object object1, Object object2) { 10 | long hash1 = (long) object1; 11 | long hash2 = (long) object2; 12 | 13 | return calcDistance(hash1, hash2); 14 | } 15 | 16 | public static int calcDistance(int hash1, int hash2) { 17 | int i = hash1 ^ hash2; 18 | i = i - ((i >>> 1) & 0x55555555); 19 | i = (i & 0x33333333) + ((i >>> 2) & 0x33333333); 20 | i = (i + (i >>> 4)) & 0x0f0f0f0f; 21 | i = i + (i >>> 8); 22 | i = i + (i >>> 16); 23 | return i & 0x3f; 24 | } 25 | 26 | public static int calcDistance(long hash1, long hash2) { 27 | long i = hash1 ^ hash2; 28 | i = i - ((i >>> 1) & 0x5555555555555555L); 29 | i = (i & 0x3333333333333333L) + ((i >>> 2) & 0x3333333333333333L); 30 | i = (i + (i >>> 4)) & 0x0f0f0f0f0f0f0f0fL; 31 | i = i + (i >>> 8); 32 | i = i + (i >>> 16); 33 | i = i + (i >>> 32); 34 | return (int) i & 0x7f; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/burp/ITab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide Burp with details of a custom tab that will 16 | * be added to Burp's UI, using a method such as 17 | * IBurpExtenderCallbacks.addSuiteTab(). 18 | */ 19 | public interface ITab 20 | { 21 | /** 22 | * Burp uses this method to obtain the caption that should appear on the 23 | * custom tab when it is displayed. 24 | * 25 | * @return The caption that should appear on the custom tab when it is 26 | * displayed. 27 | */ 28 | String getTabCaption(); 29 | 30 | /** 31 | * Burp uses this method to obtain the component that should be used as the 32 | * contents of the custom tab when it is displayed. 33 | * 34 | * @return The component that should be used as the contents of the custom 35 | * tab when it is displayed. 36 | */ 37 | Component getUiComponent(); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/burp/IMenuItemHandler.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMenuItemHandler.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMenuItem() to register a custom 15 | * context menu item. 16 | * 17 | * @deprecated Use 18 | * IContextMenuFactory instead. 19 | */ 20 | @Deprecated 21 | public interface IMenuItemHandler 22 | { 23 | /** 24 | * This method is invoked by Burp Suite when the user clicks on a custom 25 | * menu item which the extension has registered with Burp. 26 | * 27 | * @param menuItemCaption The caption of the menu item which was clicked. 28 | * This parameter enables extensions to provide a single implementation 29 | * which handles multiple different menu items. 30 | * @param messageInfo Details of the HTTP message(s) for which the context 31 | * menu was displayed. 32 | */ 33 | void menuItemClicked( 34 | String menuItemCaption, 35 | IHttpRequestResponse[] messageInfo); 36 | } 37 | -------------------------------------------------------------------------------- /burp-molly-scanner.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/main/java/deduper/Simhash.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | */ 4 | package deduper; 5 | 6 | import java.util.List; 7 | 8 | /** 9 | * @author zhangcheng 10 | * 11 | */ 12 | public class Simhash { 13 | 14 | private IWordSeg wordSeg; 15 | 16 | public Simhash(IWordSeg wordSeg) { 17 | this.wordSeg = wordSeg; 18 | } 19 | 20 | public long simhash64(String doc) { 21 | int bitLen = 64; 22 | int[] bits = new int[bitLen]; 23 | List tokens = wordSeg.tokens(doc); 24 | for (String t : tokens) { 25 | long v = MurmurHash.hash64(t); 26 | for (int i = bitLen; i >= 1; --i) { 27 | if (((v >> (bitLen - i)) & 1) == 1) 28 | ++bits[i - 1]; 29 | else 30 | --bits[i - 1]; 31 | } 32 | } 33 | long hash = 0x0000000000000000; 34 | long one = 0x0000000000000001; 35 | for (int i = bitLen; i >= 1; --i) { 36 | if (bits[i - 1] > 1) { 37 | hash |= one; 38 | } 39 | one = one << 1; 40 | } 41 | return hash; 42 | } 43 | 44 | public long simhash32(String doc) { 45 | int bitLen = 32; 46 | int[] bits = new int[bitLen]; 47 | List tokens = wordSeg.tokens(doc); 48 | for (String t : tokens) { 49 | int v = MurmurHash.hash32(t); 50 | for (int i = bitLen; i >= 1; --i) { 51 | if (((v >> (bitLen - i)) & 1) == 1) 52 | ++bits[i - 1]; 53 | else 54 | --bits[i - 1]; 55 | } 56 | } 57 | int hash = 0x00000000; 58 | int one = 0x00000001; 59 | for (int i = bitLen; i >= 1; --i) { 60 | if (bits[i - 1] > 1) { 61 | hash |= one; 62 | } 63 | one = one << 1; 64 | } 65 | return hash; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/main/java/burp/IProxyListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IProxyListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerProxyListener() to register a 15 | * Proxy listener. The listener will be notified of requests and responses being 16 | * processed by the Proxy tool. Extensions can perform custom analysis or 17 | * modification of these messages, and control in-UI message interception, by 18 | * registering a proxy listener. 19 | */ 20 | public interface IProxyListener 21 | { 22 | /** 23 | * This method is invoked when an HTTP message is being processed by the 24 | * Proxy. 25 | * 26 | * @param messageIsRequest Indicates whether the HTTP message is a request 27 | * or a response. 28 | * @param message An 29 | * IInterceptedProxyMessage object that extensions can use to 30 | * query and update details of the message, and control whether the message 31 | * should be intercepted and displayed to the user for manual review or 32 | * modification. 33 | */ 34 | void processProxyMessage( 35 | boolean messageIsRequest, 36 | IInterceptedProxyMessage message); 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpCollaboratorInteraction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpCollaboratorInteraction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Map; 13 | 14 | /** 15 | * This interface represents a network interaction that occurred with the Burp 16 | * Collaborator server. 17 | */ 18 | public interface IBurpCollaboratorInteraction 19 | { 20 | 21 | /** 22 | * This method is used to retrieve a property of the interaction. Properties 23 | * of all interactions are: interaction_id, type, client_ip, and time_stamp. 24 | * Properties of DNS interactions are: query_type and raw_query. The 25 | * raw_query value is Base64-encoded. Properties of HTTP interactions are: 26 | * protocol, request, and response. The request and response values are 27 | * Base64-encoded. 28 | * 29 | * @param name The name of the property to retrieve. 30 | * @return A string representing the property value, or null if not present. 31 | */ 32 | String getProperty(String name); 33 | 34 | /** 35 | * This method is used to retrieve a map containing all properties of the 36 | * interaction. 37 | * 38 | * @return A map containing all properties of the interaction. 39 | */ 40 | Map getProperties(); 41 | } 42 | -------------------------------------------------------------------------------- /src/main/java/burp/IContextMenuFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | import javax.swing.JMenuItem; 14 | import java.util.List; 15 | 16 | /** 17 | * Extensions can implement this interface and then call 18 | * IBurpExtenderCallbacks.registerContextMenuFactory() to register 19 | * a factory for custom context menu items. 20 | */ 21 | public interface IContextMenuFactory 22 | { 23 | /** 24 | * This method will be called by Burp when the user invokes a context menu 25 | * anywhere within Burp. The factory can then provide any custom context 26 | * menu items that should be displayed in the context menu, based on the 27 | * details of the menu invocation. 28 | * 29 | * @param invocation An object that implements the 30 | * IMessageEditorTabFactory interface, which the extension can 31 | * query to obtain details of the context menu invocation. 32 | * @return A list of custom menu items (which may include sub-menus, 33 | * checkbox menu items, etc.) that should be displayed. Extensions may 34 | * return 35 | * null from this method, to indicate that no menu items are 36 | * required. 37 | */ 38 | List createMenuItems(IContextMenuInvocation invocation); 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerInsertionPointProvider.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPointProvider.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerInsertionPointProvider() 17 | * to register a factory for custom Scanner insertion points. 18 | */ 19 | public interface IScannerInsertionPointProvider 20 | { 21 | /** 22 | * When a request is actively scanned, the Scanner will invoke this method, 23 | * and the provider should provide a list of custom insertion points that 24 | * will be used in the scan. Note: these insertion points are used in 25 | * addition to those that are derived from Burp Scanner's configuration, and 26 | * those provided by any other Burp extensions. 27 | * 28 | * @param baseRequestResponse The base request that will be actively 29 | * scanned. 30 | * @return A list of 31 | * IScannerInsertionPoint objects that should be used in the 32 | * scanning, or 33 | * null if no custom insertion points are applicable for this 34 | * request. 35 | */ 36 | List getInsertionPoints( 37 | IHttpRequestResponse baseRequestResponse); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register an 15 | * HTTP listener. The listener will be notified of requests and responses made 16 | * by any Burp tool. Extensions can perform custom analysis or modification of 17 | * these messages by registering an HTTP listener. 18 | */ 19 | public interface IHttpListener 20 | { 21 | /** 22 | * This method is invoked when an HTTP request is about to be issued, and 23 | * when an HTTP response has been received. 24 | * 25 | * @param toolFlag A flag indicating the Burp tool that issued the request. 26 | * Burp tool flags are defined in the 27 | * IBurpExtenderCallbacks interface. 28 | * @param messageIsRequest Flags whether the method is being invoked for a 29 | * request or response. 30 | * @param messageInfo Details of the request / response to be processed. 31 | * Extensions can call the setter methods on this object to update the 32 | * current message and so modify Burp's behavior. 33 | */ 34 | void processHttpMessage(int toolFlag, 35 | boolean messageIsRequest, 36 | IHttpRequestResponse messageInfo); 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadGeneratorFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGeneratorFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory() 15 | * to register a factory for custom Intruder payloads. 16 | */ 17 | public interface IIntruderPayloadGeneratorFactory 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload generator. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use extension-generated payloads. 23 | * 24 | * @return The name of the payload generator. 25 | */ 26 | String getGeneratorName(); 27 | 28 | /** 29 | * This method is used by Burp when the user starts an Intruder attack that 30 | * uses this payload generator. 31 | * 32 | * @param attack An 33 | * IIntruderAttack object that can be queried to obtain details 34 | * about the attack in which the payload generator will be used. 35 | * @return A new instance of 36 | * IIntruderPayloadGenerator that will be used to generate 37 | * payloads for the attack. 38 | */ 39 | IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack); 40 | } 41 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorTabFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTabFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMessageEditorTabFactory() to 15 | * register a factory for custom message editor tabs. This allows extensions to 16 | * provide custom rendering or editing of HTTP messages, within Burp's own HTTP 17 | * editor. 18 | */ 19 | public interface IMessageEditorTabFactory 20 | { 21 | /** 22 | * Burp will call this method once for each HTTP message editor, and the 23 | * factory should provide a new instance of an 24 | * IMessageEditorTab object. 25 | * 26 | * @param controller An 27 | * IMessageEditorController object, which the new tab can query 28 | * to retrieve details about the currently displayed message. This may be 29 | * null for extension-invoked message editors where the 30 | * extension has not provided an editor controller. 31 | * @param editable Indicates whether the hosting editor is editable or 32 | * read-only. 33 | * @return A new 34 | * IMessageEditorTab object for use within the message editor. 35 | */ 36 | IMessageEditorTab createNewInstance(IMessageEditorController controller, 37 | boolean editable); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/config/MollyAuthConfig.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.config; 2 | 3 | import com.google.gson.annotations.SerializedName; 4 | 5 | /** 6 | * Created by ezaitov on 09.02.2017. 7 | */ 8 | public class MollyAuthConfig { 9 | @SerializedName("auth_username") 10 | private String authUsername; 11 | 12 | @SerializedName("auth_password") 13 | private String authPassword; 14 | 15 | @SerializedName("auth_host") 16 | private String authHost; 17 | 18 | @SerializedName("auth_schema") 19 | private String authSchema; 20 | 21 | @SerializedName("auth_provider") 22 | private String authProvider; 23 | 24 | public String getAuthHost() { 25 | return authHost; 26 | } 27 | 28 | public String getAuthUsername() { 29 | return authUsername; 30 | } 31 | 32 | public String getAuthSchema() { 33 | return authSchema; 34 | } 35 | 36 | public String getAuthPassword() { 37 | return authPassword; 38 | } 39 | 40 | public void setAuthHost(String authHost) { 41 | this.authHost = authHost; 42 | } 43 | 44 | public void setAuthPassword(String authPassword) { 45 | this.authPassword = authPassword; 46 | } 47 | 48 | public void setAuthUsername(String authUsername) { 49 | this.authUsername = authUsername; 50 | } 51 | 52 | public void setAuthSchema(String authSchema) { 53 | this.authSchema = authSchema; 54 | } 55 | 56 | public String getAuthProvider() { return authProvider; } 57 | 58 | public void setAuthProvider(String authProvider) { this.authProvider = authProvider; } 59 | } 60 | -------------------------------------------------------------------------------- /src/main/java/deduper/HtmlSeg.java: -------------------------------------------------------------------------------- 1 | package deduper; 2 | 3 | import java.util.Iterator; 4 | import java.util.LinkedList; 5 | import java.util.List; 6 | import java.util.Set; 7 | 8 | import org.jsoup.Jsoup; 9 | import org.jsoup.nodes.Document; 10 | import org.jsoup.nodes.Element; 11 | import org.jsoup.select.Elements; 12 | 13 | /** 14 | * Created by ezaitov on 20.02.2017. 15 | */ 16 | public class HtmlSeg implements IWordSeg { 17 | 18 | @Override 19 | public List tokens(String html) { 20 | Document document; 21 | 22 | try { 23 | document = Jsoup.parse(html); 24 | } catch (Exception e) { 25 | IWordSeg wordSeg = new BinaryWordSeg(); 26 | return wordSeg.tokens(html); 27 | } 28 | 29 | Iterator iterator = document.body().select("*").iterator(); 30 | List binaryWords = new LinkedList(); 31 | 32 | while(iterator.hasNext()){ 33 | Element e = iterator.next(); 34 | binaryWords.add(e.tagName()); 35 | if (e.hasAttr("class")) { 36 | binaryWords.add(e.className()); 37 | } 38 | } 39 | 40 | /* was not able to parse as doc a HTML - parse it as a string */ 41 | if (binaryWords.size() == 0) { 42 | IWordSeg wordSeg = new BinaryWordSeg(); 43 | return wordSeg.tokens(html); 44 | } 45 | 46 | return binaryWords; 47 | } 48 | 49 | @Override 50 | public List tokens(String doc, Set stopWords) { 51 | return null; 52 | } 53 | 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponseWithMarkers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponseWithMarkers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used for an 16 | * IHttpRequestResponse object that has had markers applied. 17 | * Extensions can create instances of this interface using 18 | * IBurpExtenderCallbacks.applyMarkers(), or provide their own 19 | * implementation. Markers are used in various situations, such as specifying 20 | * Intruder payload positions, Scanner insertion points, and highlights in 21 | * Scanner issues. 22 | */ 23 | public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse 24 | { 25 | /** 26 | * This method returns the details of the request markers. 27 | * 28 | * @return A list of index pairs representing the offsets of markers for the 29 | * request message. Each item in the list is an int[2] array containing the 30 | * start and end offsets for the marker. The method may return 31 | * null if no request markers are defined. 32 | */ 33 | List getRequestMarkers(); 34 | 35 | /** 36 | * This method returns the details of the response markers. 37 | * 38 | * @return A list of index pairs representing the offsets of markers for the 39 | * response message. Each item in the list is an int[2] array containing the 40 | * start and end offsets for the marker. The method may return 41 | * null if no response markers are defined. 42 | */ 43 | List getResponseMarkers(); 44 | } 45 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadProcessor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadProcessor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadProcessor() to 15 | * register a custom Intruder payload processor. 16 | */ 17 | public interface IIntruderPayloadProcessor 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload processor. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use an extension-provided payload processor. 23 | * 24 | * @return The name of the payload processor. 25 | */ 26 | String getProcessorName(); 27 | 28 | /** 29 | * This method is invoked by Burp each time the processor should be applied 30 | * to an Intruder payload. 31 | * 32 | * @param currentPayload The value of the payload to be processed. 33 | * @param originalPayload The value of the original payload prior to 34 | * processing by any already-applied processing rules. 35 | * @param baseValue The base value of the payload position, which will be 36 | * replaced with the current payload. 37 | * @return The value of the processed payload. This may be 38 | * null to indicate that the current payload should be skipped, 39 | * and the attack will move directly to the next payload. 40 | */ 41 | byte[] processPayload( 42 | byte[] currentPayload, 43 | byte[] originalPayload, 44 | byte[] baseValue); 45 | } 46 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadGenerator.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGenerator.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for custom Intruder payload generators. Extensions 14 | * that have registered an 15 | * IIntruderPayloadGeneratorFactory must return a new instance of 16 | * this interface when required as part of a new Intruder attack. 17 | */ 18 | public interface IIntruderPayloadGenerator 19 | { 20 | /** 21 | * This method is used by Burp to determine whether the payload generator is 22 | * able to provide any further payloads. 23 | * 24 | * @return Extensions should return 25 | * false when all the available payloads have been used up, 26 | * otherwise 27 | * true. 28 | */ 29 | boolean hasMorePayloads(); 30 | 31 | /** 32 | * This method is used by Burp to obtain the value of the next payload. 33 | * 34 | * @param baseValue The base value of the current payload position. This 35 | * value may be 36 | * null if the concept of a base value is not applicable (e.g. 37 | * in a battering ram attack). 38 | * @return The next payload to use in the attack. 39 | */ 40 | byte[] getNextPayload(byte[] baseValue); 41 | 42 | /** 43 | * This method is used by Burp to reset the state of the payload generator 44 | * so that the next call to 45 | * getNextPayload() returns the first payload again. This 46 | * method will be invoked when an attack uses the same payload generator for 47 | * more than one payload position, for example in a sniper attack. 48 | */ 49 | void reset(); 50 | } 51 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Notice to external contributors 2 | 3 | 4 | 5 | ## General info 6 | 7 | Hello! In order for us (YANDEX LLC) to accept patches and other contributions from you, you will have to adopt our Yandex Contributor License Agreement (the “**CLA**”). The current version of the CLA you may find here: 8 | 1) https://yandex.ru/legal/cla/?lang=en (in English) and 9 | 2) https://yandex.ru/legal/cla/?lang=ru (in Russian). 10 | 11 | By adopting the CLA, you state the following: 12 | 13 | * You obviously wish and are willingly licensing your contributions to us for our open source projects under the terms of the CLA, 14 | * You has read the terms and conditions of the CLA and agree with them in full, 15 | * You are legally able to provide and license your contributions as stated, 16 | * We may use your contributions for our open source projects and for any other our project too, 17 | * We rely on your assurances concerning the rights of third parties in relation to your contributes. 18 | 19 | If you agree with these principles, please read and adopt our CLA. By providing us your contributions, you hereby declare that you has already read and adopt our CLA, and we may freely merge your contributions with our corresponding open source project and use it in futher in accordance with terms and conditions of the CLA. 20 | 21 | ## Provide contributions 22 | 23 | If you have already adopted terms and conditions of the CLA, you are able to provide your contributes. When you submit your pull request, please add the following information into it: 24 | 25 | ` 26 | I hereby agree to the terms of the CLA available at: [link]). 27 | ` 28 | 29 | Replace the bracketed text as follows: 30 | * [link] is the link at the current version of the CLA (you may add here a link https://yandex.ru/legal/cla/?lang=en (in English) or a link https://yandex.ru/legal/cla/?lang=ru (in Russian). 31 | 32 | It is enough to provide us such notification at once. 33 | 34 | ## Other questions 35 | 36 | If you have any questions, please mail us at opensource@yandex-team.ru. 37 | 38 | -------------------------------------------------------------------------------- /src/main/java/burp/ICookie.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ICookie.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Date; 13 | 14 | /** 15 | * This interface is used to hold details about an HTTP cookie. 16 | */ 17 | public interface ICookie 18 | { 19 | /** 20 | * This method is used to retrieve the domain for which the cookie is in 21 | * scope. 22 | * 23 | * @return The domain for which the cookie is in scope. Note: For 24 | * cookies that have been analyzed from responses (by calling 25 | * IExtensionHelpers.analyzeResponse() and then 26 | * IResponseInfo.getCookies(), the domain will be 27 | * null if the response did not explicitly set a domain 28 | * attribute for the cookie. 29 | */ 30 | String getDomain(); 31 | 32 | /** 33 | * This method is used to retrieve the path for which the cookie is in 34 | * scope. 35 | * 36 | * @return The path for which the cookie is in scope or null if none is set. 37 | */ 38 | String getPath(); 39 | 40 | /** 41 | * This method is used to retrieve the expiration time for the cookie. 42 | * 43 | * @return The expiration time for the cookie, or 44 | * null if none is set (i.e., for non-persistent session 45 | * cookies). 46 | */ 47 | Date getExpiration(); 48 | 49 | /** 50 | * This method is used to retrieve the name of the cookie. 51 | * 52 | * @return The name of the cookie. 53 | */ 54 | String getName(); 55 | 56 | /** 57 | * This method is used to retrieve the value of the cookie. 58 | * @return The value of the cookie. 59 | */ 60 | String getValue(); 61 | } 62 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorController.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorController.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used by an 14 | * IMessageEditor to obtain details about the currently displayed 15 | * message. Extensions that create instances of Burp's HTTP message editor can 16 | * optionally provide an implementation of 17 | * IMessageEditorController, which the editor will invoke when it 18 | * requires further information about the current message (for example, to send 19 | * it to another Burp tool). Extensions that provide custom editor tabs via an 20 | * IMessageEditorTabFactory will receive a reference to an 21 | * IMessageEditorController object for each tab instance they 22 | * generate, which the tab can invoke if it requires further information about 23 | * the current message. 24 | */ 25 | public interface IMessageEditorController 26 | { 27 | /** 28 | * This method is used to retrieve the HTTP service for the current message. 29 | * 30 | * @return The HTTP service for the current message. 31 | */ 32 | IHttpService getHttpService(); 33 | 34 | /** 35 | * This method is used to retrieve the HTTP request associated with the 36 | * current message (which may itself be a response). 37 | * 38 | * @return The HTTP request associated with the current message. 39 | */ 40 | byte[] getRequest(); 41 | 42 | /** 43 | * This method is used to retrieve the HTTP response associated with the 44 | * current message (which may itself be a request). 45 | * 46 | * @return The HTTP response associated with the current message. 47 | */ 48 | byte[] getResponse(); 49 | } 50 | -------------------------------------------------------------------------------- /config/burp_molly_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "burp-molly-pack": { 3 | "activePluginsEnable": [ 4 | "CRLFPlugin", 5 | "HttPoxyPlugin", 6 | "YaExpressExceptionPlugin", 7 | "YaExpressRedirectPlugin", 8 | "JsonpPlugin", 9 | "XXEPlugin", 10 | "YaSSRFPlugin", 11 | "WebsocketOriginPlugin", 12 | "RubySessionDefaultSecretDetectorPlugin", 13 | "YaXFFPlugin" 14 | ], 15 | "passivePluginsEnable": [ 16 | "ClickJackingPlugin", 17 | "ContentSniffingPlugin", 18 | "XXssProtectionPlugin" 19 | ], 20 | "ClickJackingPlugin": { 21 | "ignoreCodes": [ 22 | 404, 23 | 301, 24 | 302, 25 | 500, 26 | 503, 27 | 502, 28 | 403, 29 | 405, 30 | 400, 31 | 304, 32 | 504, 33 | 414 34 | ] 35 | }, 36 | "ContentSniffingPlugin": { 37 | "ignoreCodes": [ 38 | 404, 39 | 403, 40 | 301, 41 | 302, 42 | 405, 43 | 400, 44 | 304, 45 | 401, 46 | 502, 47 | 504, 48 | 503, 49 | 414, 50 | 500 51 | ] 52 | } 53 | }, 54 | "burp-molly-scanner": { 55 | "report_path": "/tmp/out.xml", 56 | "initial_url": "https://example.com/", 57 | "scan_timeout": 45, 58 | "max_issue_samples": 11, 59 | "user_agent": "fake user-agent", 60 | "auth": { 61 | "auth_provider": "BASIC", 62 | "auth_schema": "", 63 | "auth_host": "", 64 | "auth_username": "", 65 | "auth_password": "base64encoded" 66 | }, 67 | "ignore_issues": [16777472, 5243904,6292736,6291968,7340288,6292992,8389120,16777472], 68 | "static_file_extensions": ["js", "png", "gif", "css", "jpg", "jpeg", "ico", "docx", "doc", "exe", "pdf", "xls", "ico", "pkg", "zip"], 69 | "crossdomain_js_whitelist": ["yastatic.net", "mc.yandex.ru"], 70 | "public_cors_whitelist": ["yastatic.net", "mc.yandex.ru"], 71 | "proxy_domain_blacklist": ["mc.yandex.ru", "bs.yandex.ru"], 72 | "crossdomain_xml_whitelist": ["yastatic.net", "mc.yandex.ru", "bs.yandex.ru"] 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /src/main/java/burp/IResponseKeywords.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseKeywords.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to represent the counts of keywords appearing in a 16 | * number of HTTP responses. 17 | */ 18 | public interface IResponseKeywords 19 | { 20 | 21 | /** 22 | * This method is used to obtain the list of keywords whose counts vary 23 | * between the analyzed responses. 24 | * 25 | * @return The keywords whose counts vary between the analyzed responses. 26 | */ 27 | List getVariantKeywords(); 28 | 29 | /** 30 | * This method is used to obtain the list of keywords whose counts do not 31 | * vary between the analyzed responses. 32 | * 33 | * @return The keywords whose counts do not vary between the analyzed 34 | * responses. 35 | */ 36 | List getInvariantKeywords(); 37 | 38 | /** 39 | * This method is used to obtain the number of occurrences of an individual 40 | * keyword in a response. 41 | * 42 | * @param keyword The keyword whose count will be retrieved. 43 | * @param responseIndex The index of the response. Note responses are 44 | * indexed from zero in the order they were originally supplied to the 45 | * IExtensionHelpers.analyzeResponseKeywords() and 46 | * IResponseKeywords.updateWith() methods. 47 | * @return The number of occurrences of the specified keyword for the 48 | * specified response. 49 | */ 50 | int getKeywordCount(String keyword, int responseIndex); 51 | 52 | /** 53 | * This method is used to update the analysis based on additional responses. 54 | * 55 | * @param responses The new responses to include in the analysis. 56 | */ 57 | void updateWith(byte[]... responses); 58 | } 59 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's HTTP 16 | * message editor, for the extension to use in its own UI. Extensions should 17 | * call 18 | * IBurpExtenderCallbacks.createMessageEditor() to obtain an 19 | * instance of this interface. 20 | */ 21 | public interface IMessageEditor 22 | { 23 | /** 24 | * This method returns the UI component of the editor, for extensions to add 25 | * to their own UI. 26 | * 27 | * @return The UI component of the editor. 28 | */ 29 | Component getComponent(); 30 | 31 | /** 32 | * This method is used to display an HTTP message in the editor. 33 | * 34 | * @param message The HTTP message to be displayed. 35 | * @param isRequest Flags whether the message is an HTTP request or 36 | * response. 37 | */ 38 | void setMessage(byte[] message, boolean isRequest); 39 | 40 | /** 41 | * This method is used to retrieve the currently displayed message, which 42 | * may have been modified by the user. 43 | * 44 | * @return The currently displayed HTTP message. 45 | */ 46 | byte[] getMessage(); 47 | 48 | /** 49 | * This method is used to determine whether the current message has been 50 | * modified by the user. 51 | * 52 | * @return An indication of whether the current message has been modified by 53 | * the user since it was first displayed. 54 | */ 55 | boolean isMessageModified(); 56 | 57 | /** 58 | * This method returns the data that is currently selected by the user. 59 | * 60 | * @return The data that is currently selected by the user, or 61 | * null if no selection is made. 62 | */ 63 | byte[] getSelectedData(); 64 | } 65 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/modifiers/UserAgentModifier.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.modifiers; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.IExtensionHelpers; 5 | import burp.IHttpRequestResponse; 6 | import burp.IRequestInfo; 7 | import com.yandex.burp.extensions.config.BurpMollyScannerConfig; 8 | 9 | import java.util.ArrayList; 10 | import java.util.List; 11 | 12 | 13 | /** 14 | * Created by ezaitov on 03.02.2017. 15 | */ 16 | public class UserAgentModifier implements IMollyModifier { 17 | private final IBurpExtenderCallbacks callbacks; 18 | private final IExtensionHelpers helpers; 19 | private BurpMollyScannerConfig extConfig; 20 | 21 | public UserAgentModifier(IBurpExtenderCallbacks callbacks, BurpMollyScannerConfig extConfig) { 22 | this.callbacks = callbacks; 23 | this.helpers = callbacks.getHelpers(); 24 | this.extConfig = extConfig; 25 | } 26 | 27 | @Override 28 | public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { 29 | if (!messageIsRequest) { 30 | return; 31 | } 32 | 33 | if (extConfig.getUserAgent() == null) { 34 | return; 35 | } 36 | 37 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo.getRequest()); 38 | List reqHeaders = requestInfo.getHeaders(); 39 | List newHeaders = new ArrayList(); 40 | for (String h : reqHeaders) { 41 | if (!h.toUpperCase().startsWith("USER-AGENT:")) 42 | newHeaders.add(h); 43 | } 44 | newHeaders.add("User-Agent: " + extConfig.getUserAgent()); 45 | 46 | byte[] body; 47 | byte[] modifiedReq; 48 | if (helpers.bytesToString(messageInfo.getRequest()).length() > requestInfo.getBodyOffset()) { 49 | body = helpers.stringToBytes(helpers.bytesToString(messageInfo.getRequest()).substring(requestInfo.getBodyOffset())); 50 | modifiedReq = helpers.buildHttpMessage(newHeaders, body); 51 | } else { 52 | modifiedReq = helpers.buildHttpMessage(newHeaders, "".getBytes()); 53 | } 54 | messageInfo.setRequest(modifiedReq); 55 | } 56 | } -------------------------------------------------------------------------------- /src/main/java/burp/ISessionHandlingAction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ISessionHandlingAction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerSessionHandlingAction() to 15 | * register a custom session handling action. Each registered action will be 16 | * available within the session handling rule UI for the user to select as a 17 | * rule action. Users can choose to invoke an action directly in its own right, 18 | * or following execution of a macro. 19 | */ 20 | public interface ISessionHandlingAction 21 | { 22 | /** 23 | * This method is used by Burp to obtain the name of the session handling 24 | * action. This will be displayed as an option within the session handling 25 | * rule editor when the user selects to execute an extension-provided 26 | * action. 27 | * 28 | * @return The name of the action. 29 | */ 30 | String getActionName(); 31 | 32 | /** 33 | * This method is invoked when the session handling action should be 34 | * executed. This may happen as an action in its own right, or as a 35 | * sub-action following execution of a macro. 36 | * 37 | * @param currentRequest The base request that is currently being processed. 38 | * The action can query this object to obtain details about the base 39 | * request. It can issue additional requests of its own if necessary, and 40 | * can use the setter methods on this object to update the base request. 41 | * @param macroItems If the action is invoked following execution of a 42 | * macro, this parameter contains the result of executing the macro. 43 | * Otherwise, it is 44 | * null. Actions can use the details of the macro items to 45 | * perform custom analysis of the macro to derive values of non-standard 46 | * session handling tokens, etc. 47 | */ 48 | void performAction( 49 | IHttpRequestResponse currentRequest, 50 | IHttpRequestResponse[] macroItems); 51 | } 52 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/MollyProxyListener.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions; 2 | 3 | import burp.*; 4 | import com.yandex.burp.extensions.auth.IMollyAuthAdapter; 5 | import com.yandex.burp.extensions.config.BurpMollyScannerConfig; 6 | 7 | import java.io.PrintWriter; 8 | 9 | /** 10 | * Created by ezaitov on 02.03.2017. 11 | */ 12 | public class MollyProxyListener implements IProxyListener { 13 | 14 | private final IBurpExtenderCallbacks callbacks; 15 | private final IExtensionHelpers helpers; 16 | private final BurpMollyScannerConfig extConfig; 17 | private final EntryPointDeduplicator deduper; 18 | private final IMollyAuthAdapter authenticator; 19 | 20 | public MollyProxyListener(IBurpExtenderCallbacks callbacks, BurpMollyScannerConfig extConfig, 21 | IMollyAuthAdapter authenticator, EntryPointDeduplicator deduper) { 22 | this.callbacks = callbacks; 23 | this.helpers = callbacks.getHelpers(); 24 | this.extConfig = extConfig; 25 | this.deduper = deduper; 26 | this.authenticator = authenticator; 27 | } 28 | 29 | @Override 30 | public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) { 31 | PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true); 32 | 33 | if (!messageIsRequest) { 34 | return; 35 | } 36 | 37 | IHttpRequestResponse messageInfo = message.getMessageInfo(); 38 | IRequestInfo requestInfo = callbacks.getHelpers().analyzeRequest(messageInfo.getHttpService(), messageInfo.getRequest()); 39 | 40 | for (String host : extConfig.getProxyDomainBlacklist()) { 41 | if (requestInfo.getUrl() == null || requestInfo.getUrl().getHost() == null) { 42 | message.setInterceptAction(IInterceptedProxyMessage.ACTION_DROP); 43 | // stdout.println("Proxy dropped: " + requestInfo.getUrl().toString()); 44 | return; 45 | } 46 | if (host.equals(requestInfo.getUrl().getHost())) { 47 | message.setInterceptAction(IInterceptedProxyMessage.ACTION_DROP); 48 | // stdout.println("Proxy dropped: " + requestInfo.getUrl().toString()); 49 | return; 50 | } 51 | } 52 | // stdout.println("Proxied: " + requestInfo.getUrl().toString()); 53 | 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/auth/BasicAuthAdapter.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.auth; 2 | 3 | import burp.*; 4 | import com.yandex.burp.extensions.config.MollyAuthConfig; 5 | 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | /** 10 | * Created by ezaitov on 03.02.2017. 11 | */ 12 | public class BasicAuthAdapter implements IMollyAuthAdapter { 13 | private final int MAX_AUTH_TRIES = 2; 14 | private final MollyAuthConfig authConfig; 15 | private IBurpExtenderCallbacks callbacks; 16 | private IExtensionHelpers helpers; 17 | private List sessionCookies; 18 | private int authFailures; 19 | 20 | public BasicAuthAdapter(IBurpExtenderCallbacks callbacks, MollyAuthConfig authConfig) { 21 | this.callbacks = callbacks; 22 | this.helpers = callbacks.getHelpers(); 23 | this.authConfig = authConfig; 24 | this.authFailures = 0; 25 | this.sessionCookies = new ArrayList<>(); 26 | } 27 | 28 | public boolean isAuthExpected() { 29 | return false; 30 | } 31 | 32 | public boolean doAuth(IHttpRequestResponse messageInfo) { 33 | if (messageInfo == null) return true; 34 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo.getRequest()); 35 | List reqHeaders = requestInfo.getHeaders(); 36 | List newHeaders = new ArrayList(); 37 | for (String h : reqHeaders) { 38 | if (!h.toUpperCase().startsWith("AUTHORIZATION:")) 39 | newHeaders.add(h); 40 | } 41 | newHeaders.add("Authorization: " + authConfig.getAuthPassword()); 42 | 43 | byte[] body; 44 | byte[] modifiedReq; 45 | if (helpers.bytesToString(messageInfo.getRequest()).length() > requestInfo.getBodyOffset()) { 46 | body = helpers.stringToBytes(helpers.bytesToString(messageInfo.getRequest()).substring(requestInfo.getBodyOffset())); 47 | modifiedReq = helpers.buildHttpMessage(newHeaders, body); 48 | } else { 49 | modifiedReq = helpers.buildHttpMessage(newHeaders, "".getBytes()); 50 | } 51 | 52 | messageInfo.setRequest(modifiedReq); 53 | return true; 54 | } 55 | 56 | public void doLogout(IHttpRequestResponse messageInfo) { 57 | return; 58 | } 59 | 60 | public boolean isLogoutRequest(IHttpRequestResponse messageInfo) { return false; } 61 | 62 | public boolean isAuthenticated(IHttpRequestResponse messageInfo) { return true; } 63 | } 64 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | com.yandex 8 | burp-molly-scanner 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 13 | 14 | 15 | 16 | org.apache.maven.plugins 17 | maven-compiler-plugin 18 | 3.1 19 | 20 | 1.8 21 | 1.8 22 | 23 | 24 | 25 | 26 | org.apache.maven.plugins 27 | maven-assembly-plugin 28 | 2.4.1 29 | 30 | 31 | jar-with-dependencies 32 | 33 | 34 | 35 | 36 | 37 | assemble-all 38 | package 39 | 40 | single 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | com.google.code.gson 52 | gson 53 | 2.3.1 54 | 55 | 56 | com.google.guava 57 | guava 58 | 21.0 59 | 60 | 61 | com.jayway.awaitility 62 | awaitility 63 | 1.6.3 64 | 65 | 66 | org.jsoup 67 | jsoup 68 | 1.7.2 69 | 70 | 71 | -------------------------------------------------------------------------------- /src/main/java/burp/IResponseVariations.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseVariations.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to represent variations between a number HTTP 16 | * responses, according to various attributes. 17 | */ 18 | public interface IResponseVariations 19 | { 20 | 21 | /** 22 | * This method is used to obtain the list of attributes that vary between 23 | * the analyzed responses. 24 | * 25 | * @return The attributes that vary between the analyzed responses. 26 | */ 27 | List getVariantAttributes(); 28 | 29 | /** 30 | * This method is used to obtain the list of attributes that do not vary 31 | * between the analyzed responses. 32 | * 33 | * @return The attributes that do not vary between the analyzed responses. 34 | */ 35 | List getInvariantAttributes(); 36 | 37 | /** 38 | * This method is used to obtain the value of an individual attribute in a 39 | * response. Note that the values of some attributes are intrinsically 40 | * meaningful (e.g. a word count) while the values of others are less so 41 | * (e.g. a checksum of the HTML tag names). 42 | * 43 | * @param attributeName The name of the attribute whose value will be 44 | * retrieved. Extension authors can obtain the list of supported attributes 45 | * by generating an IResponseVariations object for a single 46 | * response and calling 47 | * IResponseVariations.getInvariantAttributes(). 48 | * @param responseIndex The index of the response. Note that responses are 49 | * indexed from zero in the order they were originally supplied to the 50 | * IExtensionHelpers.analyzeResponseVariations() and 51 | * IResponseVariations.updateWith() methods. 52 | * @return The value of the specified attribute for the specified response. 53 | */ 54 | int getAttributeValue(String attributeName, int responseIndex); 55 | 56 | /** 57 | * This method is used to update the analysis based on additional responses. 58 | * 59 | * @param responses The new responses to include in the analysis. 60 | */ 61 | void updateWith(byte[]... responses); 62 | } 63 | -------------------------------------------------------------------------------- /src/main/java/burp/IResponseInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to retrieve key details about an HTTP response. 16 | * Extensions can obtain an 17 | * IResponseInfo object for a given response by calling 18 | * IExtensionHelpers.analyzeResponse(). 19 | */ 20 | public interface IResponseInfo 21 | { 22 | /** 23 | * This method is used to obtain the HTTP headers contained in the response. 24 | * 25 | * @return The HTTP headers contained in the response. 26 | */ 27 | List getHeaders(); 28 | 29 | /** 30 | * This method is used to obtain the offset within the response where the 31 | * message body begins. 32 | * 33 | * @return The offset within the response where the message body begins. 34 | */ 35 | int getBodyOffset(); 36 | 37 | /** 38 | * This method is used to obtain the HTTP status code contained in the 39 | * response. 40 | * 41 | * @return The HTTP status code contained in the response. 42 | */ 43 | short getStatusCode(); 44 | 45 | /** 46 | * This method is used to obtain details of the HTTP cookies set in the 47 | * response. 48 | * 49 | * @return A list of ICookie objects representing the cookies 50 | * set in the response, if any. 51 | */ 52 | List getCookies(); 53 | 54 | /** 55 | * This method is used to obtain the MIME type of the response, as stated in 56 | * the HTTP headers. 57 | * 58 | * @return A textual label for the stated MIME type, or an empty String if 59 | * this is not known or recognized. The possible labels are the same as 60 | * those used in the main Burp UI. 61 | */ 62 | String getStatedMimeType(); 63 | 64 | /** 65 | * This method is used to obtain the MIME type of the response, as inferred 66 | * from the contents of the HTTP message body. 67 | * 68 | * @return A textual label for the inferred MIME type, or an empty String if 69 | * this is not known or recognized. The possible labels are the same as 70 | * those used in the main Burp UI. 71 | */ 72 | String getInferredMimeType(); 73 | } 74 | -------------------------------------------------------------------------------- /src/main/java/burp/IScanQueueItem.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanQueueItem.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of items in the Burp Scanner 14 | * active scan queue. Extensions can obtain references to scan queue items by 15 | * calling 16 | * IBurpExtenderCallbacks.doActiveScan(). 17 | */ 18 | public interface IScanQueueItem 19 | { 20 | /** 21 | * This method returns a description of the status of the scan queue item. 22 | * 23 | * @return A description of the status of the scan queue item. 24 | */ 25 | String getStatus(); 26 | 27 | /** 28 | * This method returns an indication of the percentage completed for the 29 | * scan queue item. 30 | * 31 | * @return An indication of the percentage completed for the scan queue 32 | * item. 33 | */ 34 | byte getPercentageComplete(); 35 | 36 | /** 37 | * This method returns the number of requests that have been made for the 38 | * scan queue item. 39 | * 40 | * @return The number of requests that have been made for the scan queue 41 | * item. 42 | */ 43 | int getNumRequests(); 44 | 45 | /** 46 | * This method returns the number of network errors that have occurred for 47 | * the scan queue item. 48 | * 49 | * @return The number of network errors that have occurred for the scan 50 | * queue item. 51 | */ 52 | int getNumErrors(); 53 | 54 | /** 55 | * This method returns the number of attack insertion points being used for 56 | * the scan queue item. 57 | * 58 | * @return The number of attack insertion points being used for the scan 59 | * queue item. 60 | */ 61 | int getNumInsertionPoints(); 62 | 63 | /** 64 | * This method allows the scan queue item to be canceled. 65 | */ 66 | void cancel(); 67 | 68 | /** 69 | * This method returns details of the issues generated for the scan queue 70 | * item. Note: different items within the scan queue may contain 71 | * duplicated versions of the same issues - for example, if the same request 72 | * has been scanned multiple times. Duplicated issues are consolidated in 73 | * the main view of scan results. Extensions can register an 74 | * IScannerListener to get details only of unique, newly 75 | * discovered Scanner issues post-consolidation. 76 | * 77 | * @return Details of the issues generated for the scan queue item. 78 | */ 79 | IScanIssue[] getIssues(); 80 | } 81 | -------------------------------------------------------------------------------- /src/main/java/burp/IRequestInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IRequestInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface is used to retrieve key details about an HTTP request. 17 | * Extensions can obtain an 18 | * IRequestInfo object for a given request by calling 19 | * IExtensionHelpers.analyzeRequest(). 20 | */ 21 | public interface IRequestInfo 22 | { 23 | /** 24 | * Used to indicate that there is no content. 25 | */ 26 | static final byte CONTENT_TYPE_NONE = 0; 27 | /** 28 | * Used to indicate URL-encoded content. 29 | */ 30 | static final byte CONTENT_TYPE_URL_ENCODED = 1; 31 | /** 32 | * Used to indicate multi-part content. 33 | */ 34 | static final byte CONTENT_TYPE_MULTIPART = 2; 35 | /** 36 | * Used to indicate XML content. 37 | */ 38 | static final byte CONTENT_TYPE_XML = 3; 39 | /** 40 | * Used to indicate JSON content. 41 | */ 42 | static final byte CONTENT_TYPE_JSON = 4; 43 | /** 44 | * Used to indicate AMF content. 45 | */ 46 | static final byte CONTENT_TYPE_AMF = 5; 47 | /** 48 | * Used to indicate unknown content. 49 | */ 50 | static final byte CONTENT_TYPE_UNKNOWN = -1; 51 | 52 | /** 53 | * This method is used to obtain the HTTP method used in the request. 54 | * 55 | * @return The HTTP method used in the request. 56 | */ 57 | String getMethod(); 58 | 59 | /** 60 | * This method is used to obtain the URL in the request. 61 | * 62 | * @return The URL in the request. 63 | */ 64 | URL getUrl(); 65 | 66 | /** 67 | * This method is used to obtain the HTTP headers contained in the request. 68 | * 69 | * @return The HTTP headers contained in the request. 70 | */ 71 | List getHeaders(); 72 | 73 | /** 74 | * This method is used to obtain the parameters contained in the request. 75 | * 76 | * @return The parameters contained in the request. 77 | */ 78 | List getParameters(); 79 | 80 | /** 81 | * This method is used to obtain the offset within the request where the 82 | * message body begins. 83 | * 84 | * @return The offset within the request where the message body begins. 85 | */ 86 | int getBodyOffset(); 87 | 88 | /** 89 | * This method is used to obtain the content type of the message body. 90 | * 91 | * @return An indication of the content type of the message body. Available 92 | * types are defined within this interface. 93 | */ 94 | byte getContentType(); 95 | } 96 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/modifiers/QsParameterModifier.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.modifiers; 2 | 3 | import burp.*; 4 | import com.yandex.burp.extensions.config.BurpMollyScannerConfig; 5 | 6 | import java.io.UnsupportedEncodingException; 7 | import java.net.URLDecoder; 8 | 9 | /** 10 | * Created by ezaitov on 07.02.2017. 11 | */ 12 | public class QsParameterModifier implements IMollyModifier { 13 | private final IBurpExtenderCallbacks callbacks; 14 | private final IExtensionHelpers helpers; 15 | private BurpMollyScannerConfig extConfig; 16 | 17 | public QsParameterModifier(IBurpExtenderCallbacks callbacks, BurpMollyScannerConfig extConfig) { 18 | this.callbacks = callbacks; 19 | this.helpers = callbacks.getHelpers(); 20 | this.extConfig = extConfig; 21 | } 22 | 23 | @Override 24 | public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { 25 | if (!messageIsRequest) { 26 | return; 27 | } 28 | 29 | if (extConfig.getQsParameters() == null) { 30 | return; 31 | } 32 | 33 | byte [] modifiedReq = messageInfo.getRequest(); 34 | String[] pairs = extConfig.getQsParameters().split("&"); 35 | for (String pair : pairs) { 36 | int idx = pair.indexOf("="); 37 | /* no "=" found */ 38 | if (idx == -1) { 39 | try { 40 | /* do not add param if it already exists */ 41 | if (helpers.getRequestParameter(modifiedReq, URLDecoder.decode(pair, "UTF-8")) != null) { 42 | return; 43 | } 44 | 45 | modifiedReq = helpers.addParameter(modifiedReq, 46 | helpers.buildParameter(URLDecoder.decode(pair, "UTF-8"), "", 47 | IParameter.PARAM_URL)); 48 | } catch (UnsupportedEncodingException e) { 49 | /* TODO: may be handle it one day */ 50 | return; 51 | } 52 | } else { 53 | try { 54 | /* do not add param if it already exists */ 55 | if (helpers.getRequestParameter(modifiedReq, URLDecoder.decode(pair.substring(0, idx), "UTF-8")) != null) { 56 | return; 57 | } 58 | 59 | modifiedReq = helpers.addParameter(modifiedReq, 60 | helpers.buildParameter(URLDecoder.decode(pair.substring(0, idx), "UTF-8"), 61 | URLDecoder.decode(pair.substring(idx + 1), "UTF-8"), 62 | IParameter.PARAM_URL)); 63 | } catch (UnsupportedEncodingException e) { 64 | /* TODO: may be handle it one day */ 65 | return; 66 | } 67 | } 68 | } 69 | 70 | // PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true); 71 | // stdout.println(helpers.bytesToString(modifiedReq)); 72 | messageInfo.setRequest(modifiedReq); 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /src/main/java/burp/ITextEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITextEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's raw 16 | * text editor, for the extension to use in its own UI. Extensions should call 17 | * IBurpExtenderCallbacks.createTextEditor() to obtain an instance 18 | * of this interface. 19 | */ 20 | public interface ITextEditor 21 | { 22 | /** 23 | * This method returns the UI component of the editor, for extensions to add 24 | * to their own UI. 25 | * 26 | * @return The UI component of the editor. 27 | */ 28 | Component getComponent(); 29 | 30 | /** 31 | * This method is used to control whether the editor is currently editable. 32 | * This status can be toggled on and off as required. 33 | * 34 | * @param editable Indicates whether the editor should be currently 35 | * editable. 36 | */ 37 | void setEditable(boolean editable); 38 | 39 | /** 40 | * This method is used to update the currently displayed text in the editor. 41 | * 42 | * @param text The text to be displayed. 43 | */ 44 | void setText(byte[] text); 45 | 46 | /** 47 | * This method is used to retrieve the currently displayed text. 48 | * 49 | * @return The currently displayed text. 50 | */ 51 | byte[] getText(); 52 | 53 | /** 54 | * This method is used to determine whether the user has modified the 55 | * contents of the editor. 56 | * 57 | * @return An indication of whether the user has modified the contents of 58 | * the editor since the last call to 59 | * setText(). 60 | */ 61 | boolean isTextModified(); 62 | 63 | /** 64 | * This method is used to obtain the currently selected text. 65 | * 66 | * @return The currently selected text, or 67 | * null if the user has not made any selection. 68 | */ 69 | byte[] getSelectedText(); 70 | 71 | /** 72 | * This method can be used to retrieve the bounds of the user's selection 73 | * into the displayed text, if applicable. 74 | * 75 | * @return An int[2] array containing the start and end offsets of the 76 | * user's selection within the displayed text. If the user has not made any 77 | * selection in the current message, both offsets indicate the position of 78 | * the caret within the editor. 79 | */ 80 | int[] getSelectionBounds(); 81 | 82 | /** 83 | * This method is used to update the search expression that is shown in the 84 | * search bar below the editor. The editor will automatically highlight any 85 | * regions of the displayed text that match the search expression. 86 | * 87 | * @param expression The search expression. 88 | */ 89 | void setSearchExpression(String expression); 90 | } 91 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponse.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponse.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve and update details about HTTP messages. 14 | * 15 | * Note: The setter methods generally can only be used before the message 16 | * has been processed, and not in read-only contexts. The getter methods 17 | * relating to response details can only be used after the request has been 18 | * issued. 19 | */ 20 | public interface IHttpRequestResponse 21 | { 22 | /** 23 | * This method is used to retrieve the request message. 24 | * 25 | * @return The request message. 26 | */ 27 | byte[] getRequest(); 28 | 29 | /** 30 | * This method is used to update the request message. 31 | * 32 | * @param message The new request message. 33 | */ 34 | void setRequest(byte[] message); 35 | 36 | /** 37 | * This method is used to retrieve the response message. 38 | * 39 | * @return The response message. 40 | */ 41 | byte[] getResponse(); 42 | 43 | /** 44 | * This method is used to update the response message. 45 | * 46 | * @param message The new response message. 47 | */ 48 | void setResponse(byte[] message); 49 | 50 | /** 51 | * This method is used to retrieve the user-annotated comment for this item, 52 | * if applicable. 53 | * 54 | * @return The user-annotated comment for this item, or null if none is set. 55 | */ 56 | String getComment(); 57 | 58 | /** 59 | * This method is used to update the user-annotated comment for this item. 60 | * 61 | * @param comment The comment to be assigned to this item. 62 | */ 63 | void setComment(String comment); 64 | 65 | /** 66 | * This method is used to retrieve the user-annotated highlight for this 67 | * item, if applicable. 68 | * 69 | * @return The user-annotated highlight for this item, or null if none is 70 | * set. 71 | */ 72 | String getHighlight(); 73 | 74 | /** 75 | * This method is used to update the user-annotated highlight for this item. 76 | * 77 | * @param color The highlight color to be assigned to this item. Accepted 78 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray, 79 | * or a null String to clear any existing highlight. 80 | */ 81 | void setHighlight(String color); 82 | 83 | /** 84 | * This method is used to retrieve the HTTP service for this request / 85 | * response. 86 | * 87 | * @return An 88 | * IHttpService object containing details of the HTTP service. 89 | */ 90 | IHttpService getHttpService(); 91 | 92 | /** 93 | * This method is used to update the HTTP service for this request / 94 | * response. 95 | * 96 | * @param httpService An 97 | * IHttpService object containing details of the new HTTP 98 | * service. 99 | */ 100 | void setHttpService(IHttpService httpService); 101 | 102 | } 103 | -------------------------------------------------------------------------------- /src/main/java/deduper/MurmurHash.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | */ 4 | package deduper; 5 | 6 | import java.nio.ByteBuffer; 7 | import java.nio.charset.Charset; 8 | 9 | /** 10 | * @author zhangcheng 11 | * 12 | */ 13 | public class MurmurHash { 14 | 15 | public static int hash32(String doc) { 16 | byte[] buffer = doc.getBytes(Charset.forName("utf-8")); 17 | ByteBuffer data = ByteBuffer.wrap(buffer); 18 | return hash32(data, 0, buffer.length, 0); 19 | } 20 | 21 | public static int hash32(ByteBuffer data, int offset, int length, int seed) { 22 | int m = 0x5bd1e995; 23 | int r = 24; 24 | 25 | int h = seed ^ length; 26 | 27 | int len_4 = length >> 2; 28 | 29 | for (int i = 0; i < len_4; i++) { 30 | int i_4 = i << 2; 31 | int k = data.get(offset + i_4 + 3); 32 | k = k << 8; 33 | k = k | (data.get(offset + i_4 + 2) & 0xff); 34 | k = k << 8; 35 | k = k | (data.get(offset + i_4 + 1) & 0xff); 36 | k = k << 8; 37 | k = k | (data.get(offset + i_4 + 0) & 0xff); 38 | k *= m; 39 | k ^= k >>> r; 40 | k *= m; 41 | h *= m; 42 | h ^= k; 43 | } 44 | 45 | // avoid calculating modulo 46 | int len_m = len_4 << 2; 47 | int left = length - len_m; 48 | 49 | if (left != 0) { 50 | if (left >= 3) { 51 | h ^= (int) data.get(offset + length - 3) << 16; 52 | } 53 | if (left >= 2) { 54 | h ^= (int) data.get(offset + length - 2) << 8; 55 | } 56 | if (left >= 1) { 57 | h ^= (int) data.get(offset + length - 1); 58 | } 59 | 60 | h *= m; 61 | } 62 | 63 | h ^= h >>> 13; 64 | h *= m; 65 | h ^= h >>> 15; 66 | 67 | return h; 68 | } 69 | 70 | public static long hash64(String doc) { 71 | byte[] buffer = doc.getBytes(Charset.forName("utf-8")); 72 | ByteBuffer data = ByteBuffer.wrap(buffer); 73 | return hash64(data, 0, buffer.length, 0); 74 | } 75 | 76 | public static long hash64(ByteBuffer key, int offset, int length, long seed) { 77 | long m64 = 0xc6a4a7935bd1e995L; 78 | int r64 = 47; 79 | 80 | long h64 = (seed & 0xffffffffL) ^ (m64 * length); 81 | 82 | int lenLongs = length >> 3; 83 | 84 | for (int i = 0; i < lenLongs; ++i) { 85 | int i_8 = i << 3; 86 | 87 | long k64 = ((long) key.get(offset + i_8 + 0) & 0xff) 88 | + (((long) key.get(offset + i_8 + 1) & 0xff) << 8) 89 | + (((long) key.get(offset + i_8 + 2) & 0xff) << 16) 90 | + (((long) key.get(offset + i_8 + 3) & 0xff) << 24) 91 | + (((long) key.get(offset + i_8 + 4) & 0xff) << 32) 92 | + (((long) key.get(offset + i_8 + 5) & 0xff) << 40) 93 | + (((long) key.get(offset + i_8 + 6) & 0xff) << 48) 94 | + (((long) key.get(offset + i_8 + 7) & 0xff) << 56); 95 | 96 | k64 *= m64; 97 | k64 ^= k64 >>> r64; 98 | k64 *= m64; 99 | 100 | h64 ^= k64; 101 | h64 *= m64; 102 | } 103 | 104 | int rem = length & 0x7; 105 | 106 | switch (rem) { 107 | case 0: 108 | break; 109 | case 7: 110 | h64 ^= (long) key.get(offset + length - rem + 6) << 48; 111 | case 6: 112 | h64 ^= (long) key.get(offset + length - rem + 5) << 40; 113 | case 5: 114 | h64 ^= (long) key.get(offset + length - rem + 4) << 32; 115 | case 4: 116 | h64 ^= (long) key.get(offset + length - rem + 3) << 24; 117 | case 3: 118 | h64 ^= (long) key.get(offset + length - rem + 2) << 16; 119 | case 2: 120 | h64 ^= (long) key.get(offset + length - rem + 1) << 8; 121 | case 1: 122 | h64 ^= (long) key.get(offset + length - rem); 123 | h64 *= m64; 124 | } 125 | 126 | h64 ^= h64 >>> r64; 127 | h64 *= m64; 128 | h64 ^= h64 >>> r64; 129 | 130 | return h64; 131 | } 132 | } -------------------------------------------------------------------------------- /src/main/java/burp/IParameter.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IParameter.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an HTTP request parameter. 14 | */ 15 | public interface IParameter 16 | { 17 | /** 18 | * Used to indicate a parameter within the URL query string. 19 | */ 20 | static final byte PARAM_URL = 0; 21 | /** 22 | * Used to indicate a parameter within the message body. 23 | */ 24 | static final byte PARAM_BODY = 1; 25 | /** 26 | * Used to indicate an HTTP cookie. 27 | */ 28 | static final byte PARAM_COOKIE = 2; 29 | /** 30 | * Used to indicate an item of data within an XML structure. 31 | */ 32 | static final byte PARAM_XML = 3; 33 | /** 34 | * Used to indicate the value of a tag attribute within an XML structure. 35 | */ 36 | static final byte PARAM_XML_ATTR = 4; 37 | /** 38 | * Used to indicate the value of a parameter attribute within a multi-part 39 | * message body (such as the name of an uploaded file). 40 | */ 41 | static final byte PARAM_MULTIPART_ATTR = 5; 42 | /** 43 | * Used to indicate an item of data within a JSON structure. 44 | */ 45 | static final byte PARAM_JSON = 6; 46 | 47 | /** 48 | * This method is used to retrieve the parameter type. 49 | * 50 | * @return The parameter type. The available types are defined within this 51 | * interface. 52 | */ 53 | byte getType(); 54 | 55 | /** 56 | * This method is used to retrieve the parameter name. 57 | * 58 | * @return The parameter name. 59 | */ 60 | String getName(); 61 | 62 | /** 63 | * This method is used to retrieve the parameter value. 64 | * 65 | * @return The parameter value. 66 | */ 67 | String getValue(); 68 | 69 | /** 70 | * This method is used to retrieve the start offset of the parameter name 71 | * within the HTTP request. 72 | * 73 | * @return The start offset of the parameter name within the HTTP request, 74 | * or -1 if the parameter is not associated with a specific request. 75 | */ 76 | int getNameStart(); 77 | 78 | /** 79 | * This method is used to retrieve the end offset of the parameter name 80 | * within the HTTP request. 81 | * 82 | * @return The end offset of the parameter name within the HTTP request, or 83 | * -1 if the parameter is not associated with a specific request. 84 | */ 85 | int getNameEnd(); 86 | 87 | /** 88 | * This method is used to retrieve the start offset of the parameter value 89 | * within the HTTP request. 90 | * 91 | * @return The start offset of the parameter value within the HTTP request, 92 | * or -1 if the parameter is not associated with a specific request. 93 | */ 94 | int getValueStart(); 95 | 96 | /** 97 | * This method is used to retrieve the end offset of the parameter value 98 | * within the HTTP request. 99 | * 100 | * @return The end offset of the parameter value within the HTTP request, or 101 | * -1 if the parameter is not associated with a specific request. 102 | */ 103 | int getValueEnd(); 104 | } 105 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpCollaboratorClientContext.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpCollaboratorClientContext.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface represents an instance of a Burp Collaborator client context, 16 | * which can be used to generate Burp Collaborator payloads and poll the 17 | * Collaborator server for any network interactions that result from using those 18 | * payloads. Extensions can obtain new instances of this class by calling 19 | * IBurpExtenderCallbacks.createBurpCollaboratorClientContext(). 20 | * Note that each Burp Collaborator client context is tied to the Collaborator 21 | * server configuration that was in place at the time the context was created. 22 | */ 23 | public interface IBurpCollaboratorClientContext 24 | { 25 | 26 | /** 27 | * This method is used to generate new Burp Collaborator payloads. 28 | * 29 | * @param includeCollaboratorServerLocation Specifies whether to include the 30 | * Collaborator server location in the generated payload. 31 | * @return The payload that was generated. 32 | */ 33 | String generatePayload(boolean includeCollaboratorServerLocation); 34 | 35 | /** 36 | * This method is used to retrieve all interactions received by the 37 | * Collaborator server resulting from payloads that were generated for this 38 | * context. 39 | * 40 | * @return The Collaborator interactions that have occurred resulting from 41 | * payloads that were generated for this context. 42 | */ 43 | List fetchAllCollaboratorInteractions(); 44 | 45 | /** 46 | * This method is used to retrieve interactions received by the Collaborator 47 | * server resulting from a single payload that was generated for this 48 | * context. 49 | * 50 | * @param payload The payload for which interactions will be retrieved. 51 | * @return The Collaborator interactions that have occurred resulting from 52 | * the given payload. 53 | */ 54 | List fetchCollaboratorInteractionsFor(String payload); 55 | 56 | /** 57 | * This method is used to retrieve all interactions made by Burp Infiltrator 58 | * instrumentation resulting from payloads that were generated for this 59 | * context. 60 | * 61 | * @return The interactions triggered by the Burp Infiltrator 62 | * instrumentation that have occurred resulting from payloads that were 63 | * generated for this context. 64 | */ 65 | List fetchAllInfiltratorInteractions(); 66 | 67 | /** 68 | * This method is used to retrieve interactions made by Burp Infiltrator 69 | * instrumentation resulting from a single payload that was generated for 70 | * this context. 71 | * 72 | * @param payload The payload for which interactions will be retrieved. 73 | * @return The interactions triggered by the Burp Infiltrator 74 | * instrumentation that have occurred resulting from the given payload. 75 | */ 76 | List fetchInfiltratorInteractionsFor(String payload); 77 | 78 | /** 79 | * This method is used to retrieve the network location of the Collaborator 80 | * server. 81 | * 82 | * @return The hostname or IP address of the Collaborator server. 83 | */ 84 | String getCollaboratorServerLocation(); 85 | } 86 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerCheck.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerCheck.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerCheck() to register a 17 | * custom Scanner check. When performing scanning, Burp will ask the check to 18 | * perform active or passive scanning on the base request, and report any 19 | * Scanner issues that are identified. 20 | */ 21 | public interface IScannerCheck 22 | { 23 | 24 | /** 25 | * The Scanner invokes this method for each base request / response that is 26 | * passively scanned. Note: Extensions should only analyze the 27 | * HTTP messages provided during passive scanning, and should not make any 28 | * new HTTP requests of their own. 29 | * 30 | * @param baseRequestResponse The base HTTP request / response that should 31 | * be passively scanned. 32 | * @return A list of IScanIssue objects, or null 33 | * if no issues are identified. 34 | */ 35 | List doPassiveScan(IHttpRequestResponse baseRequestResponse); 36 | 37 | /** 38 | * The Scanner invokes this method for each insertion point that is actively 39 | * scanned. Extensions may issue HTTP requests as required to carry out 40 | * active scanning, and should use the 41 | * IScannerInsertionPoint object provided to build scan 42 | * requests for particular payloads. 43 | * Note: 44 | * Scan checks should submit raw non-encoded payloads to insertion points, 45 | * and the insertion point has responsibility for performing any data 46 | * encoding that is necessary given the nature and location of the insertion 47 | * point. 48 | * 49 | * @param baseRequestResponse The base HTTP request / response that should 50 | * be actively scanned. 51 | * @param insertionPoint An IScannerInsertionPoint object that 52 | * can be queried to obtain details of the insertion point being tested, and 53 | * can be used to build scan requests for particular payloads. 54 | * @return A list of IScanIssue objects, or null 55 | * if no issues are identified. 56 | */ 57 | List doActiveScan( 58 | IHttpRequestResponse baseRequestResponse, 59 | IScannerInsertionPoint insertionPoint); 60 | 61 | /** 62 | * The Scanner invokes this method when the custom Scanner check has 63 | * reported multiple issues for the same URL path. This can arise either 64 | * because there are multiple distinct vulnerabilities, or because the same 65 | * (or a similar) request has been scanned more than once. The custom check 66 | * should determine whether the issues are duplicates. In most cases, where 67 | * a check uses distinct issue names or descriptions for distinct issues, 68 | * the consolidation process will simply be a matter of comparing these 69 | * features for the two issues. 70 | * 71 | * @param existingIssue An issue that was previously reported by this 72 | * Scanner check. 73 | * @param newIssue An issue at the same URL path that has been newly 74 | * reported by this Scanner check. 75 | * @return An indication of which issue(s) should be reported in the main 76 | * Scanner results. The method should return -1 to report the 77 | * existing issue only, 0 to report both issues, and 78 | * 1 to report the new issue only. 79 | */ 80 | int consolidateDuplicateIssues( 81 | IScanIssue existingIssue, 82 | IScanIssue newIssue); 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorTab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * Extensions that register an 16 | * IMessageEditorTabFactory must return instances of this 17 | * interface, which Burp will use to create custom tabs within its HTTP message 18 | * editors. 19 | */ 20 | public interface IMessageEditorTab 21 | { 22 | /** 23 | * This method returns the caption that should appear on the custom tab when 24 | * it is displayed. Note: Burp invokes this method once when the tab 25 | * is first generated, and the same caption will be used every time the tab 26 | * is displayed. 27 | * 28 | * @return The caption that should appear on the custom tab when it is 29 | * displayed. 30 | */ 31 | String getTabCaption(); 32 | 33 | /** 34 | * This method returns the component that should be used as the contents of 35 | * the custom tab when it is displayed. Note: Burp invokes this 36 | * method once when the tab is first generated, and the same component will 37 | * be used every time the tab is displayed. 38 | * 39 | * @return The component that should be used as the contents of the custom 40 | * tab when it is displayed. 41 | */ 42 | Component getUiComponent(); 43 | 44 | /** 45 | * The hosting editor will invoke this method before it displays a new HTTP 46 | * message, so that the custom tab can indicate whether it should be enabled 47 | * for that message. 48 | * 49 | * @param content The message that is about to be displayed, or a zero-length 50 | * array if the existing message is to be cleared. 51 | * @param isRequest Indicates whether the message is a request or a 52 | * response. 53 | * @return The method should return 54 | * true if the custom tab is able to handle the specified 55 | * message, and so will be displayed within the editor. Otherwise, the tab 56 | * will be hidden while this message is displayed. 57 | */ 58 | boolean isEnabled(byte[] content, boolean isRequest); 59 | 60 | /** 61 | * The hosting editor will invoke this method to display a new message or to 62 | * clear the existing message. This method will only be called with a new 63 | * message if the tab has already returned 64 | * true to a call to 65 | * isEnabled() with the same message details. 66 | * 67 | * @param content The message that is to be displayed, or 68 | * null if the tab should clear its contents and disable any 69 | * editable controls. 70 | * @param isRequest Indicates whether the message is a request or a 71 | * response. 72 | */ 73 | void setMessage(byte[] content, boolean isRequest); 74 | 75 | /** 76 | * This method returns the currently displayed message. 77 | * 78 | * @return The currently displayed message. 79 | */ 80 | byte[] getMessage(); 81 | 82 | /** 83 | * This method is used to determine whether the currently displayed message 84 | * has been modified by the user. The hosting editor will always call 85 | * getMessage() before calling this method, so any pending 86 | * edits should be completed within 87 | * getMessage(). 88 | * 89 | * @return The method should return 90 | * true if the user has modified the current message since it 91 | * was first displayed. 92 | */ 93 | boolean isModified(); 94 | 95 | /** 96 | * This method is used to retrieve the data that is currently selected by 97 | * the user. 98 | * 99 | * @return The data that is currently selected by the user. This may be 100 | * null if no selection is currently made. 101 | */ 102 | byte[] getSelectedData(); 103 | } 104 | -------------------------------------------------------------------------------- /src/main/java/burp/IScanIssue.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanIssue.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of Scanner issues. Extensions can 14 | * obtain details of issues by registering an IScannerListener or 15 | * by calling IBurpExtenderCallbacks.getScanIssues(). Extensions 16 | * can also add custom Scanner issues by registering an 17 | * IScannerCheck or calling 18 | * IBurpExtenderCallbacks.addScanIssue(), and providing their own 19 | * implementations of this interface. Note that issue descriptions and other 20 | * text generated by extensions are subject to an HTML whitelist that allows 21 | * only formatting tags and simple hyperlinks. 22 | */ 23 | public interface IScanIssue 24 | { 25 | 26 | /** 27 | * This method returns the URL for which the issue was generated. 28 | * 29 | * @return The URL for which the issue was generated. 30 | */ 31 | java.net.URL getUrl(); 32 | 33 | /** 34 | * This method returns the name of the issue type. 35 | * 36 | * @return The name of the issue type (e.g. "SQL injection"). 37 | */ 38 | String getIssueName(); 39 | 40 | /** 41 | * This method returns a numeric identifier of the issue type. See the Burp 42 | * Scanner help documentation for a listing of all the issue types. 43 | * 44 | * @return A numeric identifier of the issue type. 45 | */ 46 | int getIssueType(); 47 | 48 | /** 49 | * This method returns the issue severity level. 50 | * 51 | * @return The issue severity level. Expected values are "High", "Medium", 52 | * "Low", "Information" or "False positive". 53 | * 54 | */ 55 | String getSeverity(); 56 | 57 | /** 58 | * This method returns the issue confidence level. 59 | * 60 | * @return The issue confidence level. Expected values are "Certain", "Firm" 61 | * or "Tentative". 62 | */ 63 | String getConfidence(); 64 | 65 | /** 66 | * This method returns a background description for this type of issue. 67 | * 68 | * @return A background description for this type of issue, or 69 | * null if none applies. A limited set of HTML tags may be 70 | * used. 71 | */ 72 | String getIssueBackground(); 73 | 74 | /** 75 | * This method returns a background description of the remediation for this 76 | * type of issue. 77 | * 78 | * @return A background description of the remediation for this type of 79 | * issue, or null if none applies. A limited set of HTML tags 80 | * may be used. 81 | */ 82 | String getRemediationBackground(); 83 | 84 | /** 85 | * This method returns detailed information about this specific instance of 86 | * the issue. 87 | * 88 | * @return Detailed information about this specific instance of the issue, 89 | * or null if none applies. A limited set of HTML tags may be 90 | * used. 91 | */ 92 | String getIssueDetail(); 93 | 94 | /** 95 | * This method returns detailed information about the remediation for this 96 | * specific instance of the issue. 97 | * 98 | * @return Detailed information about the remediation for this specific 99 | * instance of the issue, or null if none applies. A limited 100 | * set of HTML tags may be used. 101 | */ 102 | String getRemediationDetail(); 103 | 104 | /** 105 | * This method returns the HTTP messages on the basis of which the issue was 106 | * generated. 107 | * 108 | * @return The HTTP messages on the basis of which the issue was generated. 109 | * Note: The items in this array should be instances of 110 | * IHttpRequestResponseWithMarkers if applicable, so that 111 | * details of the relevant portions of the request and response messages are 112 | * available. 113 | */ 114 | IHttpRequestResponse[] getHttpMessages(); 115 | 116 | /** 117 | * This method returns the HTTP service for which the issue was generated. 118 | * 119 | * @return The HTTP service for which the issue was generated. 120 | */ 121 | IHttpService getHttpService(); 122 | 123 | } 124 | -------------------------------------------------------------------------------- /src/main/java/burp/IInterceptedProxyMessage.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IInterceptedProxyMessage.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.InetAddress; 13 | 14 | /** 15 | * This interface is used to represent an HTTP message that has been intercepted 16 | * by Burp Proxy. Extensions can register an 17 | * IProxyListener to receive details of proxy messages using this 18 | * interface. * 19 | */ 20 | public interface IInterceptedProxyMessage 21 | { 22 | /** 23 | * This action causes Burp Proxy to follow the current interception rules to 24 | * determine the appropriate action to take for the message. 25 | */ 26 | static final int ACTION_FOLLOW_RULES = 0; 27 | /** 28 | * This action causes Burp Proxy to present the message to the user for 29 | * manual review or modification. 30 | */ 31 | static final int ACTION_DO_INTERCEPT = 1; 32 | /** 33 | * This action causes Burp Proxy to forward the message to the remote server 34 | * or client, without presenting it to the user. 35 | */ 36 | static final int ACTION_DONT_INTERCEPT = 2; 37 | /** 38 | * This action causes Burp Proxy to drop the message. 39 | */ 40 | static final int ACTION_DROP = 3; 41 | /** 42 | * This action causes Burp Proxy to follow the current interception rules to 43 | * determine the appropriate action to take for the message, and then make a 44 | * second call to processProxyMessage. 45 | */ 46 | static final int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 47 | /** 48 | * This action causes Burp Proxy to present the message to the user for 49 | * manual review or modification, and then make a second call to 50 | * processProxyMessage. 51 | */ 52 | static final int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 53 | /** 54 | * This action causes Burp Proxy to skip user interception, and then make a 55 | * second call to processProxyMessage. 56 | */ 57 | static final int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 58 | 59 | /** 60 | * This method retrieves a unique reference number for this 61 | * request/response. 62 | * 63 | * @return An identifier that is unique to a single request/response pair. 64 | * Extensions can use this to correlate details of requests and responses 65 | * and perform processing on the response message accordingly. 66 | */ 67 | int getMessageReference(); 68 | 69 | /** 70 | * This method retrieves details of the intercepted message. 71 | * 72 | * @return An IHttpRequestResponse object containing details of 73 | * the intercepted message. 74 | */ 75 | IHttpRequestResponse getMessageInfo(); 76 | 77 | /** 78 | * This method retrieves the currently defined interception action. The 79 | * default action is 80 | * ACTION_FOLLOW_RULES. If multiple proxy listeners are 81 | * registered, then other listeners may already have modified the 82 | * interception action before it reaches the current listener. This method 83 | * can be used to determine whether this has occurred. 84 | * 85 | * @return The currently defined interception action. Possible values are 86 | * defined within this interface. 87 | */ 88 | int getInterceptAction(); 89 | 90 | /** 91 | * This method is used to update the interception action. 92 | * 93 | * @param interceptAction The new interception action. Possible values are 94 | * defined within this interface. 95 | */ 96 | void setInterceptAction(int interceptAction); 97 | 98 | /** 99 | * This method retrieves the name of the Burp Proxy listener that is 100 | * processing the intercepted message. 101 | * 102 | * @return The name of the Burp Proxy listener that is processing the 103 | * intercepted message. The format is the same as that shown in the Proxy 104 | * Listeners UI - for example, "127.0.0.1:8080". 105 | */ 106 | String getListenerInterface(); 107 | 108 | /** 109 | * This method retrieves the client IP address from which the request for 110 | * the intercepted message was received. 111 | * 112 | * @return The client IP address from which the request for the intercepted 113 | * message was received. 114 | */ 115 | InetAddress getClientIpAddress(); 116 | } 117 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/EntryPointDeduplicator.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions; 2 | 3 | import burp.*; 4 | import com.google.common.base.Splitter; 5 | import com.google.common.hash.BloomFilter; 6 | import com.google.common.hash.Funnels; 7 | import com.google.common.hash.HashFunction; 8 | import com.google.common.hash.Hashing; 9 | import deduper.*; 10 | 11 | import java.io.PrintWriter; 12 | import java.nio.charset.Charset; 13 | import java.util.List; 14 | 15 | /** 16 | * Created by ezaitov on 20.02.2017. 17 | */ 18 | public class EntryPointDeduplicator { 19 | private IBurpExtenderCallbacks callbacks; 20 | private IExtensionHelpers helpers; 21 | 22 | private BKTree dubTree; 23 | private BloomFilter dubBloomFilter; 24 | 25 | public EntryPointDeduplicator(IBurpExtenderCallbacks callbacks) { 26 | this.callbacks = callbacks; 27 | this.helpers = callbacks.getHelpers(); 28 | this.dubBloomFilter = BloomFilter.create(Funnels.stringFunnel(Charset.defaultCharset()), 1000); 29 | this.dubTree = new BKTree<>(new HammingDistance()); 30 | } 31 | 32 | public boolean isFullDuplicate(IHttpRequestResponse messageInfo) { 33 | PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true); 34 | IResponseInfo respInfo = helpers.analyzeResponse(messageInfo.getResponse()); 35 | 36 | if (dubBloomFilter == null) return false; 37 | 38 | HashFunction m_hash = Hashing.murmur3_32(); 39 | if (helpers.bytesToString(messageInfo.getResponse()).length() > respInfo.getBodyOffset()) { 40 | String body = helpers.bytesToString(messageInfo.getResponse()).substring(respInfo.getBodyOffset()); 41 | 42 | /* full-dub detection */ 43 | String dedupHashValue = m_hash.hashBytes(helpers.stringToBytes(body)).toString(); 44 | if (dubBloomFilter.mightContain(dedupHashValue)) { 45 | return true; 46 | } 47 | dubBloomFilter.put(dedupHashValue); 48 | } 49 | 50 | return false; 51 | } 52 | 53 | public boolean isDuplicateURL(IHttpRequestResponse messageInfo) { 54 | if (dubBloomFilter == null) return false; 55 | 56 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo.getHttpService(), messageInfo.getRequest()); 57 | if (requestInfo == null) return true; 58 | 59 | HashFunction m_hash = Hashing.murmur3_32(); 60 | /* don't know if Burp has a deduplication here, make it sure */ 61 | String hashInput = requestInfo.getUrl().getPath() + "?"; 62 | if (requestInfo.getUrl().getQuery() != null && requestInfo.getUrl().getQuery().length() > 0) { 63 | List qsList = Splitter.on('&').trimResults().splitToList(requestInfo.getUrl().getQuery()); 64 | if (qsList.size() > 0) { 65 | for (String param : qsList) { 66 | for (String k : Splitter.on("=").splitToList(param)) { 67 | hashInput += "&" + k; 68 | } 69 | } 70 | } 71 | } 72 | 73 | String dedupHashValue = "URL:" + requestInfo.getMethod() + m_hash.hashBytes(helpers.stringToBytes(hashInput)).toString(); 74 | if (dubBloomFilter.mightContain(dedupHashValue)) { 75 | return true; 76 | } 77 | dubBloomFilter.put(dedupHashValue); 78 | return false; 79 | } 80 | 81 | public boolean isHalfDuplicate(IHttpRequestResponse messageInfo) { 82 | /* half-dub detection */ 83 | if (dubTree == null) return false; 84 | 85 | IResponseInfo respInfo = helpers.analyzeResponse(messageInfo.getResponse()); 86 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo.getHttpService(), messageInfo.getRequest()); 87 | 88 | if (helpers.bytesToString(messageInfo.getResponse()).length() > respInfo.getBodyOffset()) { 89 | String body = helpers.bytesToString(messageInfo.getResponse()).substring(respInfo.getBodyOffset()); 90 | 91 | Simhash simHash; 92 | if (respInfo.getHeaders().stream().filter(c -> c.toUpperCase() 93 | .contains("HTML")).findFirst().isPresent()) { 94 | simHash = new Simhash(new HtmlSeg()); 95 | } else { 96 | simHash = new Simhash(new BinaryWordSeg()); 97 | } 98 | long docHash = simHash.simhash64(body); 99 | if (dubTree.isEmpty()) { 100 | dubTree.add(docHash); 101 | } else { 102 | if (dubTree.find(docHash) <= 3) { 103 | return true; 104 | } 105 | dubTree.add(docHash); 106 | } 107 | } else { 108 | /* responses with no body will not be sent to active scan */ 109 | /* XXX! this can be bad idea */ 110 | return true; 111 | } 112 | return false; 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/config/BurpMollyScannerConfig.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions.config; 2 | 3 | import com.google.gson.annotations.Expose; 4 | import com.google.gson.annotations.SerializedName; 5 | 6 | import java.net.URL; 7 | import java.util.List; 8 | 9 | /** 10 | * Created by ezaitov on 04.02.2017. 11 | */ 12 | public class BurpMollyScannerConfig { 13 | private URL initialURL; 14 | 15 | @SerializedName("scan_timeout") 16 | private int scanTimeout; 17 | 18 | @SerializedName("max_urls") 19 | private int maxUrls; 20 | 21 | @SerializedName("max_issue_samples") 22 | private int maxIssuesByType; 23 | 24 | @SerializedName("report_path") 25 | private String reportPath; 26 | 27 | @SerializedName("initial_url") 28 | private String entryPoint; 29 | 30 | @SerializedName("user_agent") 31 | private String userAgent; 32 | 33 | @SerializedName("qs_parameters") 34 | private String qsParameters; 35 | 36 | @SerializedName("auth") 37 | @Expose 38 | private MollyAuthConfig authConfig; 39 | 40 | @SerializedName("ignore_issues") 41 | @Expose 42 | private List ignoredIssueIds; 43 | 44 | @SerializedName("crossdomain_js_whitelist") 45 | @Expose 46 | private List crossdomainJsWhitelist; 47 | 48 | @SerializedName("crossdomain_xml_whitelist") 49 | @Expose 50 | private List crossdomainXmlWhitelist; 51 | 52 | @SerializedName("public_cors_whitelist") 53 | @Expose 54 | private List publicCorsWhitelist; 55 | 56 | @SerializedName("static_file_extensions") 57 | @Expose 58 | private List staticFileExt; 59 | 60 | @SerializedName("proxy_domain_blacklist") 61 | @Expose 62 | private List proxyDomainBlacklist; 63 | 64 | public URL getInitialURL() { 65 | return initialURL; 66 | } 67 | 68 | public void setInitialURL(URL initialURL) { 69 | this.initialURL = initialURL; 70 | } 71 | 72 | public void setEntryPoint(String entryPoint) { 73 | this.entryPoint = entryPoint; 74 | } 75 | 76 | public String getEntryPoint() { 77 | return entryPoint; 78 | } 79 | 80 | public int getScanTimeout() { 81 | return scanTimeout; 82 | } 83 | 84 | public void setScanTimeout(int scanTimeout) { 85 | this.scanTimeout = scanTimeout; 86 | } 87 | 88 | public String getUserAgent() { 89 | return userAgent; 90 | } 91 | 92 | public void setUserAgent(String userAgent) { this.userAgent = userAgent; 93 | } 94 | 95 | public void setReportPath(String reportPath) { 96 | this.reportPath = reportPath; 97 | } 98 | 99 | public String getReportPath() { 100 | return reportPath; 101 | } 102 | 103 | public String getQsParameters() { return qsParameters; } 104 | 105 | public void setQsParameters(String qsParameter) { 106 | this.qsParameters = qsParameter; 107 | } 108 | 109 | public MollyAuthConfig getAuthConfig() { 110 | return authConfig; 111 | } 112 | 113 | public void setAuthConfig(MollyAuthConfig authConfig) { 114 | this.authConfig = authConfig; 115 | } 116 | 117 | public List getCrossdomainJsWhitelist() { 118 | return crossdomainJsWhitelist; 119 | } 120 | 121 | public void setCrossdomainJsWhitelist(List crossdomaiJsWhitelist) { 122 | this.crossdomainJsWhitelist = crossdomaiJsWhitelist; 123 | } 124 | 125 | public void setPublicCorsWhitelist(List publicCorsWhitelist) { 126 | this.publicCorsWhitelist = publicCorsWhitelist; 127 | } 128 | 129 | public List getStaticFileExt() { 130 | return staticFileExt; 131 | } 132 | 133 | public void setStaticFileExt(List staticFileExt) { 134 | this.staticFileExt = staticFileExt; 135 | } 136 | 137 | public List getPublicCorsWhitelist() { 138 | return publicCorsWhitelist; 139 | } 140 | 141 | public List getCrossdomainXmlWhitelist() { 142 | return crossdomainXmlWhitelist; 143 | } 144 | 145 | public void setCrossdomainXmlWhitelist(List crossdomainXmlWhitelist) { 146 | this.crossdomainXmlWhitelist = crossdomainXmlWhitelist; 147 | } 148 | 149 | public List getIgnoredIssueIds() { 150 | return ignoredIssueIds; 151 | } 152 | 153 | public void setIgnoredIssueIds(List ignoredIssueIds) { 154 | this.ignoredIssueIds = ignoredIssueIds; 155 | } 156 | 157 | public int getMaxUrls() { 158 | return maxUrls; 159 | } 160 | 161 | public int getMaxIssuesByType() { 162 | return maxIssuesByType; 163 | } 164 | 165 | public void setMaxIssuesByType(int maxIssuesByType) { 166 | this.maxIssuesByType = maxIssuesByType; 167 | } 168 | 169 | public void setMaxUrls(int maxUrl) { 170 | this.maxUrls = maxUrls; 171 | } 172 | 173 | public List getProxyDomainBlacklist() { return proxyDomainBlacklist; } 174 | 175 | public void setProxyDomainBlacklist(List proxyDomainBlacklist) { 176 | this.proxyDomainBlacklist = proxyDomainBlacklist; 177 | } 178 | } 179 | -------------------------------------------------------------------------------- /src/main/java/deduper/BKTree.java: -------------------------------------------------------------------------------- 1 | package deduper; 2 | 3 | import java.util.HashMap; 4 | 5 | /** 6 | * This class in an implementation of a Burkhard-Keller tree in Java. 7 | * The BK-Tree is a tree structure to quickly finding close matches to 8 | * any defined object. 9 | * 10 | * The BK-Tree was first described in the paper: 11 | * "Some Approaches to Best-Match File Searching" by W. A. Burkhard and R. M. Keller 12 | * It is available in the ACM archives. 13 | * 14 | * Another good explanation can be found here: 15 | * http://blog.notdot.net/2007/4/Damn-Cool-Algorithms-Part-1-BK-Trees 16 | * 17 | * Searching the tree yields O(logn), which is a huge upgrade over brute force 18 | * 19 | * @author Josh Clemm 20 | * 21 | */ 22 | public class BKTree { 23 | 24 | private Node root; 25 | private HashMap matches; 26 | private Distance distance; 27 | private E bestTerm; 28 | 29 | public BKTree(Distance distance) { 30 | root = null; 31 | this.distance = distance; 32 | } 33 | 34 | public void add(E term) { 35 | if(root != null) { 36 | root.add(term); 37 | } 38 | else { 39 | root = new Node(term); 40 | } 41 | } 42 | 43 | public boolean isEmpty() { 44 | if (root == null) return true; 45 | return false; 46 | } 47 | 48 | /** 49 | * This method will find all the close matching Objects within 50 | * a certain threshold. For instance, for search for similar 51 | * strings, threshold set to 1 will return all the strings that 52 | * are off by 1 edit distance. 53 | * @param searchObject 54 | * @param threshold 55 | * @return 56 | */ 57 | public HashMap query(E searchObject, int threshold) { 58 | matches = new HashMap(); 59 | root.query(searchObject, threshold, matches); 60 | return matches; 61 | } 62 | 63 | /** 64 | * Attempts to find the closest match to the search term. 65 | * @param term 66 | * @return the edit distance of the best match 67 | */ 68 | public int find(E term) { 69 | return root.findBestMatch(term, Integer.MAX_VALUE); 70 | } 71 | 72 | /** 73 | * Attempts to find the closest match to the search term. 74 | * @param term 75 | * @return a match that is within the best edit distance of the search term. 76 | */ 77 | public E findBestWordMatch(E term) { 78 | root.findBestMatch(term, Integer.MAX_VALUE); 79 | return root.getBestTerm(); 80 | } 81 | 82 | /** 83 | * Attempts to find the closest match to the search term. 84 | * @param term 85 | * @return a match that is within the best edit distance of the search term. 86 | */ 87 | public HashMap findBestWordMatchWithDistance(E term) { 88 | int distance = root.findBestMatch(term, Integer.MAX_VALUE); 89 | HashMap returnMap = new HashMap(); 90 | returnMap.put(root.getBestTerm(), distance); 91 | return returnMap; 92 | } 93 | 94 | private class Node { 95 | 96 | E term; 97 | HashMap children; 98 | 99 | public Node(E term) { 100 | this.term = term; 101 | children = new HashMap(); 102 | } 103 | 104 | public void add(E term) { 105 | int score = distance.getDistance(term, this.term); 106 | 107 | Node child = children.get(score); 108 | if(child != null) { 109 | child.add(term); 110 | } 111 | else { 112 | children.put(score, new Node(term)); 113 | } 114 | } 115 | 116 | public int findBestMatch(E term, int bestDistance) { 117 | int distanceAtNode = distance.getDistance(term, this.term); 118 | 119 | // System.out.println("term = " + term + ", this.term = " + this.term + ", distance = " + distanceAtNode); 120 | 121 | // if(distanceAtNode == 1) { 122 | // return distanceAtNode; 123 | // } 124 | 125 | if(distanceAtNode < bestDistance) { 126 | bestDistance = distanceAtNode; 127 | bestTerm = this.term; 128 | } 129 | 130 | int possibleBest = bestDistance; 131 | 132 | for (Integer score : children.keySet()) { 133 | if(score < distanceAtNode + bestDistance ) { 134 | possibleBest = children.get(score).findBestMatch(term, bestDistance); 135 | if(possibleBest < bestDistance) { 136 | bestDistance = possibleBest; 137 | } 138 | } 139 | } 140 | return bestDistance; 141 | } 142 | 143 | public E getBestTerm() { 144 | return bestTerm; 145 | } 146 | 147 | public void query(E term, int threshold, HashMap collected) { 148 | int distanceAtNode = distance.getDistance(term, this.term); 149 | 150 | if(distanceAtNode == threshold) { 151 | collected.put(this.term, distanceAtNode); 152 | return; 153 | } 154 | 155 | if(distanceAtNode < threshold) { 156 | collected.put(this.term, distanceAtNode); 157 | } 158 | 159 | for (int score = distanceAtNode-threshold; score <= threshold+distanceAtNode; score++) { 160 | Node child = children.get(score); 161 | if(child != null) { 162 | child.query(term, threshold, collected); 163 | } 164 | } 165 | } 166 | } 167 | } 168 | -------------------------------------------------------------------------------- /src/main/java/burp/IContextMenuInvocation.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuInvocation.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.event.InputEvent; 13 | 14 | /** 15 | * This interface is used when Burp calls into an extension-provided 16 | * IContextMenuFactory with details of a context menu invocation. 17 | * The custom context menu factory can query this interface to obtain details of 18 | * the invocation event, in order to determine what menu items should be 19 | * displayed. 20 | */ 21 | public interface IContextMenuInvocation 22 | { 23 | /** 24 | * Used to indicate that the context menu is being invoked in a request 25 | * editor. 26 | */ 27 | static final byte CONTEXT_MESSAGE_EDITOR_REQUEST = 0; 28 | /** 29 | * Used to indicate that the context menu is being invoked in a response 30 | * editor. 31 | */ 32 | static final byte CONTEXT_MESSAGE_EDITOR_RESPONSE = 1; 33 | /** 34 | * Used to indicate that the context menu is being invoked in a non-editable 35 | * request viewer. 36 | */ 37 | static final byte CONTEXT_MESSAGE_VIEWER_REQUEST = 2; 38 | /** 39 | * Used to indicate that the context menu is being invoked in a non-editable 40 | * response viewer. 41 | */ 42 | static final byte CONTEXT_MESSAGE_VIEWER_RESPONSE = 3; 43 | /** 44 | * Used to indicate that the context menu is being invoked in the Target 45 | * site map tree. 46 | */ 47 | static final byte CONTEXT_TARGET_SITE_MAP_TREE = 4; 48 | /** 49 | * Used to indicate that the context menu is being invoked in the Target 50 | * site map table. 51 | */ 52 | static final byte CONTEXT_TARGET_SITE_MAP_TABLE = 5; 53 | /** 54 | * Used to indicate that the context menu is being invoked in the Proxy 55 | * history. 56 | */ 57 | static final byte CONTEXT_PROXY_HISTORY = 6; 58 | /** 59 | * Used to indicate that the context menu is being invoked in the Scanner 60 | * results. 61 | */ 62 | static final byte CONTEXT_SCANNER_RESULTS = 7; 63 | /** 64 | * Used to indicate that the context menu is being invoked in the Intruder 65 | * payload positions editor. 66 | */ 67 | static final byte CONTEXT_INTRUDER_PAYLOAD_POSITIONS = 8; 68 | /** 69 | * Used to indicate that the context menu is being invoked in an Intruder 70 | * attack results. 71 | */ 72 | static final byte CONTEXT_INTRUDER_ATTACK_RESULTS = 9; 73 | /** 74 | * Used to indicate that the context menu is being invoked in a search 75 | * results window. 76 | */ 77 | static final byte CONTEXT_SEARCH_RESULTS = 10; 78 | 79 | /** 80 | * This method can be used to retrieve the native Java input event that was 81 | * the trigger for the context menu invocation. 82 | * 83 | * @return The InputEvent that was the trigger for the context 84 | * menu invocation. 85 | */ 86 | InputEvent getInputEvent(); 87 | 88 | /** 89 | * This method can be used to retrieve the Burp tool within which the 90 | * context menu was invoked. 91 | * 92 | * @return A flag indicating the Burp tool within which the context menu was 93 | * invoked. Burp tool flags are defined in the 94 | * IBurpExtenderCallbacks interface. 95 | */ 96 | int getToolFlag(); 97 | 98 | /** 99 | * This method can be used to retrieve the context within which the menu was 100 | * invoked. 101 | * 102 | * @return An index indicating the context within which the menu was 103 | * invoked. The indices used are defined within this interface. 104 | */ 105 | byte getInvocationContext(); 106 | 107 | /** 108 | * This method can be used to retrieve the bounds of the user's selection 109 | * into the current message, if applicable. 110 | * 111 | * @return An int[2] array containing the start and end offsets of the 112 | * user's selection in the current message. If the user has not made any 113 | * selection in the current message, both offsets indicate the position of 114 | * the caret within the editor. If the menu is not being invoked from a 115 | * message editor, the method returns null. 116 | */ 117 | int[] getSelectionBounds(); 118 | 119 | /** 120 | * This method can be used to retrieve details of the HTTP requests / 121 | * responses that were shown or selected by the user when the context menu 122 | * was invoked. 123 | * 124 | * Note: For performance reasons, the objects returned from this 125 | * method are tied to the originating context of the messages within the 126 | * Burp UI. For example, if a context menu is invoked on the Proxy intercept 127 | * panel, then the 128 | * IHttpRequestResponse returned by this method will reflect 129 | * the current contents of the interception panel, and this will change when 130 | * the current message has been forwarded or dropped. If your extension 131 | * needs to store details of the message for which the context menu has been 132 | * invoked, then you should query those details from the 133 | * IHttpRequestResponse at the time of invocation, or you 134 | * should use 135 | * IBurpExtenderCallbacks.saveBuffersToTempFiles() to create a 136 | * persistent read-only copy of the 137 | * IHttpRequestResponse. 138 | * 139 | * @return An array of IHttpRequestResponse objects 140 | * representing the items that were shown or selected by the user when the 141 | * context menu was invoked. This method returns null if no 142 | * messages are applicable to the invocation. 143 | */ 144 | IHttpRequestResponse[] getSelectedMessages(); 145 | 146 | /** 147 | * This method can be used to retrieve details of the Scanner issues that 148 | * were selected by the user when the context menu was invoked. 149 | * 150 | * @return An array of IScanIssue objects representing the 151 | * issues that were selected by the user when the context menu was invoked. 152 | * This method returns null if no Scanner issues are applicable 153 | * to the invocation. 154 | */ 155 | IScanIssue[] getSelectedIssues(); 156 | } 157 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerInsertionPoint.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPoint.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to define an insertion point for use by active Scanner 14 | * checks. Extensions can obtain instances of this interface by registering an 15 | * IScannerCheck, or can create instances for use by Burp's own 16 | * scan checks by registering an 17 | * IScannerInsertionPointProvider. 18 | */ 19 | public interface IScannerInsertionPoint 20 | { 21 | 22 | /** 23 | * Used to indicate where the payload is inserted into the value of a URL 24 | * parameter. 25 | */ 26 | static final byte INS_PARAM_URL = 0x00; 27 | /** 28 | * Used to indicate where the payload is inserted into the value of a body 29 | * parameter. 30 | */ 31 | static final byte INS_PARAM_BODY = 0x01; 32 | /** 33 | * Used to indicate where the payload is inserted into the value of an HTTP 34 | * cookie. 35 | */ 36 | static final byte INS_PARAM_COOKIE = 0x02; 37 | /** 38 | * Used to indicate where the payload is inserted into the value of an item 39 | * of data within an XML data structure. 40 | */ 41 | static final byte INS_PARAM_XML = 0x03; 42 | /** 43 | * Used to indicate where the payload is inserted into the value of a tag 44 | * attribute within an XML structure. 45 | */ 46 | static final byte INS_PARAM_XML_ATTR = 0x04; 47 | /** 48 | * Used to indicate where the payload is inserted into the value of a 49 | * parameter attribute within a multi-part message body (such as the name of 50 | * an uploaded file). 51 | */ 52 | static final byte INS_PARAM_MULTIPART_ATTR = 0x05; 53 | /** 54 | * Used to indicate where the payload is inserted into the value of an item 55 | * of data within a JSON structure. 56 | */ 57 | static final byte INS_PARAM_JSON = 0x06; 58 | /** 59 | * Used to indicate where the payload is inserted into the value of an AMF 60 | * parameter. 61 | */ 62 | static final byte INS_PARAM_AMF = 0x07; 63 | /** 64 | * Used to indicate where the payload is inserted into the value of an HTTP 65 | * request header. 66 | */ 67 | static final byte INS_HEADER = 0x20; 68 | /** 69 | * Used to indicate where the payload is inserted into a URL path folder. 70 | */ 71 | static final byte INS_URL_PATH_FOLDER = 0x21; 72 | /** 73 | * Used to indicate where the payload is inserted into a URL path folder. 74 | * This is now deprecated; use INS_URL_PATH_FOLDER instead. 75 | */ 76 | @Deprecated 77 | static final byte INS_URL_PATH_REST = INS_URL_PATH_FOLDER; 78 | /** 79 | * Used to indicate where the payload is inserted into the name of an added 80 | * URL parameter. 81 | */ 82 | static final byte INS_PARAM_NAME_URL = 0x22; 83 | /** 84 | * Used to indicate where the payload is inserted into the name of an added 85 | * body parameter. 86 | */ 87 | static final byte INS_PARAM_NAME_BODY = 0x23; 88 | /** 89 | * Used to indicate where the payload is inserted into the body of the HTTP 90 | * request. 91 | */ 92 | static final byte INS_ENTIRE_BODY = 0x24; 93 | /** 94 | * Used to indicate where the payload is inserted into the URL path 95 | * filename. 96 | */ 97 | static final byte INS_URL_PATH_FILENAME = 0x25; 98 | /** 99 | * Used to indicate where the payload is inserted at a location manually 100 | * configured by the user. 101 | */ 102 | static final byte INS_USER_PROVIDED = 0x40; 103 | /** 104 | * Used to indicate where the insertion point is provided by an 105 | * extension-registered 106 | * IScannerInsertionPointProvider. 107 | */ 108 | static final byte INS_EXTENSION_PROVIDED = 0x41; 109 | /** 110 | * Used to indicate where the payload is inserted at an unknown location 111 | * within the request. 112 | */ 113 | static final byte INS_UNKNOWN = 0x7f; 114 | 115 | /** 116 | * This method returns the name of the insertion point. 117 | * 118 | * @return The name of the insertion point (for example, a description of a 119 | * particular request parameter). 120 | */ 121 | String getInsertionPointName(); 122 | 123 | /** 124 | * This method returns the base value for this insertion point. 125 | * 126 | * @return the base value that appears in this insertion point in the base 127 | * request being scanned, or null if there is no value in the 128 | * base request that corresponds to this insertion point. 129 | */ 130 | String getBaseValue(); 131 | 132 | /** 133 | * This method is used to build a request with the specified payload placed 134 | * into the insertion point. There is no requirement for extension-provided 135 | * insertion points to adjust the Content-Length header in requests if the 136 | * body length has changed, although Burp-provided insertion points will 137 | * always do this and will return a request with a valid Content-Length 138 | * header. 139 | * Note: 140 | * Scan checks should submit raw non-encoded payloads to insertion points, 141 | * and the insertion point has responsibility for performing any data 142 | * encoding that is necessary given the nature and location of the insertion 143 | * point. 144 | * 145 | * @param payload The payload that should be placed into the insertion 146 | * point. 147 | * @return The resulting request. 148 | */ 149 | byte[] buildRequest(byte[] payload); 150 | 151 | /** 152 | * This method is used to determine the offsets of the payload value within 153 | * the request, when it is placed into the insertion point. Scan checks may 154 | * invoke this method when reporting issues, so as to highlight the relevant 155 | * part of the request within the UI. 156 | * 157 | * @param payload The payload that should be placed into the insertion 158 | * point. 159 | * @return An int[2] array containing the start and end offsets of the 160 | * payload within the request, or null if this is not applicable (for 161 | * example, where the insertion point places a payload into a serialized 162 | * data structure, the raw payload may not literally appear anywhere within 163 | * the resulting request). 164 | */ 165 | int[] getPayloadOffsets(byte[] payload); 166 | 167 | /** 168 | * This method returns the type of the insertion point. 169 | * 170 | * @return The type of the insertion point. Available types are defined in 171 | * this interface. 172 | */ 173 | byte getInsertionPointType(); 174 | } 175 | -------------------------------------------------------------------------------- /src/main/java/com/yandex/burp/extensions/MollyRequestResponseHandler.java: -------------------------------------------------------------------------------- 1 | package com.yandex.burp.extensions; 2 | 3 | import burp.*; 4 | 5 | import burp.IBurpExtenderCallbacks; 6 | import burp.IHttpRequestResponse; 7 | 8 | import com.yandex.burp.extensions.auth.IMollyAuthAdapter; 9 | import com.yandex.burp.extensions.config.BurpMollyScannerConfig; 10 | import com.yandex.burp.extensions.modifiers.QsParameterModifier; 11 | import com.yandex.burp.extensions.modifiers.UserAgentModifier; 12 | 13 | import java.io.IOException; 14 | import java.io.OutputStream; 15 | import java.util.Arrays; 16 | import java.util.List; 17 | 18 | public class MollyRequestResponseHandler implements IHttpListener { 19 | private IBurpExtenderCallbacks callbacks; 20 | private IExtensionHelpers helpers; 21 | private BurpMollyScannerConfig extConfig; 22 | 23 | private final EntryPointDeduplicator deduper; 24 | private final List scanners; 25 | private final List postponedEntryPoints; 26 | private IMollyAuthAdapter authenticator; 27 | 28 | public MollyRequestResponseHandler(IBurpExtenderCallbacks callbacks, BurpMollyScannerConfig extConfig, 29 | IMollyAuthAdapter authenticator, List scanners, 30 | EntryPointDeduplicator deduper, 31 | List postponedEntryPoints) { 32 | this.callbacks = callbacks; 33 | this.helpers = callbacks.getHelpers(); 34 | this.extConfig = extConfig; 35 | this.scanners = scanners; 36 | this.deduper = deduper; 37 | this.authenticator = authenticator; 38 | this.postponedEntryPoints = postponedEntryPoints; 39 | } 40 | 41 | private boolean isStaticFile(String fileName) { 42 | List skipFiles = Arrays.asList("/favicon.ico", "/robots.txt"); 43 | 44 | for (String fn : skipFiles) { 45 | if (fileName.equals(fn)) { 46 | return true; 47 | } 48 | } 49 | 50 | for (String ext : extConfig.getStaticFileExt()) { 51 | if (fileName.endsWith("." + ext)) { 52 | return true; 53 | } 54 | } 55 | 56 | return false; 57 | } 58 | 59 | @Override 60 | public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { 61 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo.getHttpService(), messageInfo.getRequest()); 62 | if (!callbacks.isInScope(requestInfo.getUrl())) { 63 | return; 64 | } 65 | 66 | if (messageIsRequest) { 67 | /* Modify User-Agent if required */ 68 | if (extConfig.getUserAgent() != null) { 69 | UserAgentModifier ua = new UserAgentModifier(callbacks, extConfig); 70 | ua.processHttpMessage(toolFlag, true, messageInfo); 71 | } 72 | 73 | /* Add custom GET parameters if required */ 74 | if (extConfig.getQsParameters() != null) { 75 | QsParameterModifier qsm = new QsParameterModifier(callbacks, extConfig); 76 | qsm.processHttpMessage(toolFlag, true, messageInfo); 77 | } 78 | 79 | /* No custom authentication configured */ 80 | if (authenticator == null) { 81 | return; 82 | } 83 | 84 | if (authenticator.isAuthExpected()) { 85 | if (authenticator.isLogoutRequest(messageInfo)) { 86 | messageInfo.setRequest("".getBytes()); 87 | } 88 | 89 | if (authenticator.isAuthenticated(messageInfo)) { 90 | return; 91 | } 92 | 93 | if (!authenticator.doAuth(messageInfo)) { 94 | try { 95 | OutputStream stderr = callbacks.getStderr(); 96 | stderr.write(messageInfo.getRequest()); 97 | stderr.write("\n".getBytes()); 98 | stderr.write(helpers.stringToBytes("Authentication required")); 99 | stderr.write("\n".getBytes()); 100 | } catch (IOException ex) { 101 | /**/ 102 | } 103 | /* ignore auth failures for now 104 | callbacks.exitSuite(false); 105 | */ 106 | } 107 | } 108 | return; 109 | } 110 | 111 | /* No passive or active scans for static files */ 112 | if (isStaticFile(requestInfo.getUrl().getPath())) { 113 | return; 114 | } 115 | 116 | /* From now we process request-response only */ 117 | // PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true); 118 | // stdout.println(helpers.bytesToString(messageInfo.getRequest())); 119 | // stdout.println(helpers.bytesToString(messageInfo.getResponse())); 120 | 121 | callbacks.doPassiveScan( 122 | extConfig.getInitialURL().getHost(), 123 | extConfig.getInitialURL().getPort() == -1 ? 124 | extConfig.getInitialURL().getDefaultPort() : 125 | extConfig.getInitialURL().getPort(), 126 | extConfig.getInitialURL().getProtocol().equals("https"), 127 | messageInfo.getRequest(), 128 | messageInfo.getResponse()); 129 | 130 | /* We process only spider or proxy request-responses */ 131 | if (toolFlag != IBurpExtenderCallbacks.TOOL_SPIDER && 132 | toolFlag != IBurpExtenderCallbacks.TOOL_PROXY) { 133 | return; 134 | } 135 | 136 | if (extConfig.getMaxUrls() > 0 && scanners.size() > extConfig.getMaxUrls()) { 137 | return; 138 | } 139 | 140 | IResponseInfo respInfo = helpers.analyzeResponse(messageInfo.getResponse()); 141 | 142 | /* Do not init active scans for entry points answering 404 */ 143 | List skipScanCodes = Arrays.asList(404, 502, 504); 144 | short statusCode = respInfo.getStatusCode(); 145 | if (skipScanCodes.contains(new Integer(statusCode)) && !requestInfo.getUrl().getPath().equals("/")) { 146 | // stdout.println("Skipping " + statusCode + " URL: " + requestInfo.getUrl().toString()); 147 | return; 148 | } 149 | 150 | /* Full-dub detection */ 151 | if (deduper.isFullDuplicate(messageInfo)) return; 152 | 153 | /* Half-dub detection */ 154 | if (deduper.isHalfDuplicate(messageInfo)) return; 155 | 156 | if (requestInfo.getUrl().getQuery() != null && 157 | requestInfo.getUrl().getQuery().length() == 0 && 158 | scanners.size() > 1 && !requestInfo.getUrl().getPath().equals("/")) { 159 | /* we scan URLs with parameters first */ 160 | synchronized (postponedEntryPoints) { 161 | // stdout.println("Postponing to Active Scanner: " + requestInfo.getUrl().toString()); 162 | postponedEntryPoints.add(messageInfo); 163 | } 164 | return; 165 | } 166 | 167 | /* Do not scan URLs with same parameters twice (?) */ 168 | // XXX: disabled!!! 169 | // if (deduper.isDuplicateURL(messageInfo)) return; 170 | // stdout.println("Sending to Active Scanner: " + requestInfo.getUrl().toString()); 171 | 172 | IScanQueueItem scan = callbacks.doActiveScan( 173 | extConfig.getInitialURL().getHost(), 174 | extConfig.getInitialURL().getPort() == -1 ? extConfig.getInitialURL().getDefaultPort() : extConfig.getInitialURL().getPort(), 175 | extConfig.getInitialURL().getProtocol().equals("https"), 176 | messageInfo.getRequest()); 177 | synchronized (scanners) { 178 | scanners.add(scan); 179 | } 180 | 181 | // stdout.println("Scanners: " + Integer.toString(scanners.size())); 182 | } 183 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017, YANDEX LLC 2 | 3 | GNU LESSER GENERAL PUBLIC LICENSE 4 | Version 3, 29 June 2007 5 | 6 | Copyright (C) 2007 Free Software Foundation, Inc. 7 | Everyone is permitted to copy and distribute verbatim copies 8 | of this license document, but changing it is not allowed. 9 | 10 | 11 | This version of the GNU Lesser General Public License incorporates 12 | the terms and conditions of version 3 of the GNU General Public 13 | License, supplemented by the additional permissions listed below. 14 | 15 | 0. Additional Definitions. 16 | 17 | As used herein, "this License" refers to version 3 of the GNU Lesser 18 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 19 | General Public License. 20 | 21 | "The Library" refers to a covered work governed by this License, 22 | other than an Application or a Combined Work as defined below. 23 | 24 | An "Application" is any work that makes use of an interface provided 25 | by the Library, but which is not otherwise based on the Library. 26 | Defining a subclass of a class defined by the Library is deemed a mode 27 | of using an interface provided by the Library. 28 | 29 | A "Combined Work" is a work produced by combining or linking an 30 | Application with the Library. The particular version of the Library 31 | with which the Combined Work was made is also called the "Linked 32 | Version". 33 | 34 | The "Minimal Corresponding Source" for a Combined Work means the 35 | Corresponding Source for the Combined Work, excluding any source code 36 | for portions of the Combined Work that, considered in isolation, are 37 | based on the Application, and not on the Linked Version. 38 | 39 | The "Corresponding Application Code" for a Combined Work means the 40 | object code and/or source code for the Application, including any data 41 | and utility programs needed for reproducing the Combined Work from the 42 | Application, but excluding the System Libraries of the Combined Work. 43 | 44 | 1. Exception to Section 3 of the GNU GPL. 45 | 46 | You may convey a covered work under sections 3 and 4 of this License 47 | without being bound by section 3 of the GNU GPL. 48 | 49 | 2. Conveying Modified Versions. 50 | 51 | If you modify a copy of the Library, and, in your modifications, a 52 | facility refers to a function or data to be supplied by an Application 53 | that uses the facility (other than as an argument passed when the 54 | facility is invoked), then you may convey a copy of the modified 55 | version: 56 | 57 | a) under this License, provided that you make a good faith effort to 58 | ensure that, in the event an Application does not supply the 59 | function or data, the facility still operates, and performs 60 | whatever part of its purpose remains meaningful, or 61 | 62 | b) under the GNU GPL, with none of the additional permissions of 63 | this License applicable to that copy. 64 | 65 | 3. Object Code Incorporating Material from Library Header Files. 66 | 67 | The object code form of an Application may incorporate material from 68 | a header file that is part of the Library. You may convey such object 69 | code under terms of your choice, provided that, if the incorporated 70 | material is not limited to numerical parameters, data structure 71 | layouts and accessors, or small macros, inline functions and templates 72 | (ten or fewer lines in length), you do both of the following: 73 | 74 | a) Give prominent notice with each copy of the object code that the 75 | Library is used in it and that the Library and its use are 76 | covered by this License. 77 | 78 | b) Accompany the object code with a copy of the GNU GPL and this license 79 | document. 80 | 81 | 4. Combined Works. 82 | 83 | You may convey a Combined Work under terms of your choice that, 84 | taken together, effectively do not restrict modification of the 85 | portions of the Library contained in the Combined Work and reverse 86 | engineering for debugging such modifications, if you also do each of 87 | the following: 88 | 89 | a) Give prominent notice with each copy of the Combined Work that 90 | the Library is used in it and that the Library and its use are 91 | covered by this License. 92 | 93 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 94 | document. 95 | 96 | c) For a Combined Work that displays copyright notices during 97 | execution, include the copyright notice for the Library among 98 | these notices, as well as a reference directing the user to the 99 | copies of the GNU GPL and this license document. 100 | 101 | d) Do one of the following: 102 | 103 | 0) Convey the Minimal Corresponding Source under the terms of this 104 | License, and the Corresponding Application Code in a form 105 | suitable for, and under terms that permit, the user to 106 | recombine or relink the Application with a modified version of 107 | the Linked Version to produce a modified Combined Work, in the 108 | manner specified by section 6 of the GNU GPL for conveying 109 | Corresponding Source. 110 | 111 | 1) Use a suitable shared library mechanism for linking with the 112 | Library. A suitable mechanism is one that (a) uses at run time 113 | a copy of the Library already present on the user's computer 114 | system, and (b) will operate properly with a modified version 115 | of the Library that is interface-compatible with the Linked 116 | Version. 117 | 118 | e) Provide Installation Information, but only if you would otherwise 119 | be required to provide such information under section 6 of the 120 | GNU GPL, and only to the extent that such information is 121 | necessary to install and execute a modified version of the 122 | Combined Work produced by recombining or relinking the 123 | Application with a modified version of the Linked Version. (If 124 | you use option 4d0, the Installation Information must accompany 125 | the Minimal Corresponding Source and Corresponding Application 126 | Code. If you use option 4d1, you must provide the Installation 127 | Information in the manner specified by section 6 of the GNU GPL 128 | for conveying Corresponding Source.) 129 | 130 | 5. Combined Libraries. 131 | 132 | You may place library facilities that are a work based on the 133 | Library side by side in a single library together with other library 134 | facilities that are not Applications and are not covered by this 135 | License, and convey such a combined library under terms of your 136 | choice, if you do both of the following: 137 | 138 | a) Accompany the combined library with a copy of the same work based 139 | on the Library, uncombined with any other library facilities, 140 | conveyed under the terms of this License. 141 | 142 | b) Give prominent notice with the combined library that part of it 143 | is a work based on the Library, and explaining where to find the 144 | accompanying uncombined form of the same work. 145 | 146 | 6. Revised Versions of the GNU Lesser General Public License. 147 | 148 | The Free Software Foundation may publish revised and/or new versions 149 | of the GNU Lesser General Public License from time to time. Such new 150 | versions will be similar in spirit to the present version, but may 151 | differ in detail to address new problems or concerns. 152 | 153 | Each version is given a distinguishing version number. If the 154 | Library as you received it specifies that a certain numbered version 155 | of the GNU Lesser General Public License "or any later version" 156 | applies to it, you have the option of following the terms and 157 | conditions either of that published version or of any later version 158 | published by the Free Software Foundation. If the Library as you 159 | received it does not specify a version number of the GNU Lesser 160 | General Public License, you may choose any version of the GNU Lesser 161 | General Public License ever published by the Free Software Foundation. 162 | 163 | If the Library as you received it specifies that a proxy can decide 164 | whether future versions of the GNU Lesser General Public License shall 165 | apply, that proxy's public statement of acceptance of any version is 166 | permanent authorization for you to choose that version for the 167 | Library. 168 | -------------------------------------------------------------------------------- /config/burp_user_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "user_options":{ 3 | "connections":{ 4 | "platform_authentication":{ 5 | "credentials":[], 6 | "do_platform_authentication":true, 7 | "prompt_on_authentication_failure":false 8 | }, 9 | "socks_proxy":{ 10 | "dns_over_socks":false, 11 | "host":"", 12 | "password":"", 13 | "port":0, 14 | "use_proxy":false, 15 | "username":"" 16 | }, 17 | "upstream_proxy":{ 18 | "servers":[] 19 | } 20 | }, 21 | "display":{ 22 | "character_sets":{ 23 | "mode":"recognize_automatically" 24 | }, 25 | "html_rendering":{ 26 | "allow_http_requests":true 27 | }, 28 | "http_message_display":{ 29 | "analyze_amf":false, 30 | "font_name":"Courier New", 31 | "font_size":18, 32 | "font_smoothing":true, 33 | "highlight_requests":true, 34 | "highlight_responses":true 35 | }, 36 | "user_interface":{ 37 | "font_size":14, 38 | "look_and_feel":"Nimbus" 39 | } 40 | }, 41 | "extender":{ 42 | "extensions":[ 43 | { 44 | "errors":"console", 45 | "extension_file":"/usr/lib/yandex/burp/burp-molly-scanner-1.0-SNAPSHOT-jar-with-dependencies.jar", 46 | "extension_type":"java", 47 | "loaded":true, 48 | "name":"MollyBurp", 49 | "output":"console" 50 | }, 51 | { 52 | "errors":"console", 53 | "extension_file":"/usr/lib/yandex/burp/burp-molly-pack-1.0-SNAPSHOT-jar-with-dependencies.jar", 54 | "extension_type":"java", 55 | "loaded":true, 56 | "name":"Burp Molly Pack", 57 | "output":"console" 58 | } 59 | ], 60 | "java":{ 61 | "folder_for_loading_library_jar_files":"" 62 | }, 63 | "python":{ 64 | "folder_for_loading_modules":"", 65 | "location_of_jython_standalone_jar_file":"" 66 | }, 67 | "ruby":{ 68 | "location_of_jruby_jar_file":"" 69 | }, 70 | "settings":{ 71 | "automatically_reload_extensions_on_startup":true 72 | } 73 | }, 74 | "misc":{ 75 | "enable_proxy_interception_at_startup":"always", 76 | "hotkeys":[ 77 | { 78 | "action":"send_to_repeater", 79 | "hotkey":"Ctrl+R" 80 | }, 81 | { 82 | "action":"send_to_intruder", 83 | "hotkey":"Ctrl+I" 84 | }, 85 | { 86 | "action":"forward_intercepted_proxy_message", 87 | "hotkey":"Ctrl+F" 88 | }, 89 | { 90 | "action":"toggle_proxy_interception", 91 | "hotkey":"Ctrl+T" 92 | }, 93 | { 94 | "action":"switch_to_target", 95 | "hotkey":"Ctrl+Shift+T" 96 | }, 97 | { 98 | "action":"switch_to_proxy", 99 | "hotkey":"Ctrl+Shift+P" 100 | }, 101 | { 102 | "action":"switch_to_scanner", 103 | "hotkey":"Ctrl+Shift+S" 104 | }, 105 | { 106 | "action":"switch_to_intruder", 107 | "hotkey":"Ctrl+Shift+I" 108 | }, 109 | { 110 | "action":"switch_to_repeater", 111 | "hotkey":"Ctrl+Shift+R" 112 | }, 113 | { 114 | "action":"switch_to_project_options", 115 | "hotkey":"Ctrl+Shift+O" 116 | }, 117 | { 118 | "action":"switch_to_alerts_tab", 119 | "hotkey":"Ctrl+Shift+A" 120 | }, 121 | { 122 | "action":"go_to_previous_tab", 123 | "hotkey":"Ctrl+Minus" 124 | }, 125 | { 126 | "action":"go_to_next_tab", 127 | "hotkey":"Ctrl+Equals" 128 | }, 129 | { 130 | "action":"editor_cut", 131 | "hotkey":"Ctrl+X" 132 | }, 133 | { 134 | "action":"editor_copy", 135 | "hotkey":"Ctrl+C" 136 | }, 137 | { 138 | "action":"editor_paste", 139 | "hotkey":"Ctrl+V" 140 | }, 141 | { 142 | "action":"editor_undo", 143 | "hotkey":"Ctrl+Z" 144 | }, 145 | { 146 | "action":"editor_redo", 147 | "hotkey":"Ctrl+Y" 148 | }, 149 | { 150 | "action":"editor_select_all", 151 | "hotkey":"Ctrl+A" 152 | }, 153 | { 154 | "action":"editor_search", 155 | "hotkey":"Ctrl+S" 156 | }, 157 | { 158 | "action":"editor_go_to_previous_search_match", 159 | "hotkey":"Ctrl+Comma" 160 | }, 161 | { 162 | "action":"editor_go_to_next_search_match", 163 | "hotkey":"Ctrl+Period" 164 | }, 165 | { 166 | "action":"editor_url_decode", 167 | "hotkey":"Ctrl+Shift+U" 168 | }, 169 | { 170 | "action":"editor_url_encode_key_characters", 171 | "hotkey":"Ctrl+U" 172 | }, 173 | { 174 | "action":"editor_html_decode", 175 | "hotkey":"Ctrl+Shift+H" 176 | }, 177 | { 178 | "action":"editor_html_encode_key_characters", 179 | "hotkey":"Ctrl+H" 180 | }, 181 | { 182 | "action":"editor_base64_decode", 183 | "hotkey":"Ctrl+Shift+B" 184 | }, 185 | { 186 | "action":"editor_base64_encode", 187 | "hotkey":"Ctrl+B" 188 | }, 189 | { 190 | "action":"editor_backspace_word", 191 | "hotkey":"Ctrl+Backspace" 192 | }, 193 | { 194 | "action":"editor_delete_word", 195 | "hotkey":"Ctrl+Delete" 196 | }, 197 | { 198 | "action":"editor_delete_line", 199 | "hotkey":"Ctrl+D" 200 | }, 201 | { 202 | "action":"editor_go_to_previous_word", 203 | "hotkey":"Ctrl+Left" 204 | }, 205 | { 206 | "action":"editor_go_to_previous_word_extend_selection", 207 | "hotkey":"Ctrl+Shift+Left" 208 | }, 209 | { 210 | "action":"editor_go_to_next_word", 211 | "hotkey":"Ctrl+Right" 212 | }, 213 | { 214 | "action":"editor_go_to_next_word_extend_selection", 215 | "hotkey":"Ctrl+Shift+Right" 216 | }, 217 | { 218 | "action":"editor_go_to_previous_paragraph", 219 | "hotkey":"Ctrl+Up" 220 | }, 221 | { 222 | "action":"editor_go_to_previous_paragraph_extend_selection", 223 | "hotkey":"Ctrl+Shift+Up" 224 | }, 225 | { 226 | "action":"editor_go_to_next_paragraph", 227 | "hotkey":"Ctrl+Down" 228 | }, 229 | { 230 | "action":"editor_go_to_next_paragraph_extend_selection", 231 | "hotkey":"Ctrl+Shift+Down" 232 | }, 233 | { 234 | "action":"editor_go_to_start_of_document", 235 | "hotkey":"Ctrl+Home" 236 | }, 237 | { 238 | "action":"editor_go_to_start_of_document_extend_selection", 239 | "hotkey":"Ctrl+Shift+Home" 240 | }, 241 | { 242 | "action":"editor_go_to_end_of_document", 243 | "hotkey":"Ctrl+End" 244 | }, 245 | { 246 | "action":"editor_go_to_end_of_document_extend_selection", 247 | "hotkey":"Ctrl+Shift+End" 248 | } 249 | ], 250 | "submit_anonymous_feedback":false, 251 | "temporary_files_location":"" 252 | }, 253 | "repeater":{ 254 | "view":"left_right_split" 255 | }, 256 | "ssl":{ 257 | "client_certificates":{ 258 | "certificates":[] 259 | }, 260 | "negotiation":{ 261 | "disable_sni_extension":false, 262 | "enable_blocked_algorithms":true 263 | } 264 | }, 265 | "target":{ 266 | "view":"left_right_split" 267 | } 268 | } 269 | } 270 | -------------------------------------------------------------------------------- /src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import com.google.gson.Gson; 4 | import com.google.gson.JsonParseException; 5 | import com.google.gson.JsonSyntaxException; 6 | import com.jayway.awaitility.Awaitility; 7 | import com.jayway.awaitility.core.ConditionTimeoutException; 8 | import com.yandex.burp.extensions.EntryPointDeduplicator; 9 | import com.yandex.burp.extensions.MollyProxyListener; 10 | import com.yandex.burp.extensions.MollyRequestResponseHandler; 11 | import com.yandex.burp.extensions.auth.BasicAuthAdapter; 12 | import com.yandex.burp.extensions.auth.IMollyAuthAdapter; 13 | import com.yandex.burp.extensions.config.BurpMollyScannerConfig; 14 | import com.yandex.burp.extensions.config.MollyAuthConfig; 15 | import com.yandex.burp.extensions.config.MollyConfig; 16 | 17 | import java.io.File; 18 | import java.io.IOException; 19 | import java.io.PrintWriter; 20 | import java.net.MalformedURLException; 21 | import java.net.URL; 22 | import java.nio.charset.StandardCharsets; 23 | import java.nio.file.Files; 24 | import java.nio.file.Paths; 25 | import java.util.*; 26 | import java.util.concurrent.Callable; 27 | import java.util.concurrent.ConcurrentHashMap; 28 | import java.util.concurrent.TimeUnit; 29 | 30 | 31 | public class BurpExtender implements IBurpExtender, 32 | IScannerListener, 33 | IExtensionStateListener { 34 | private IBurpExtenderCallbacks callbacks; 35 | private IExtensionHelpers helpers; 36 | private ArrayList issues; 37 | private ConcurrentHashMap issueStat; 38 | public List scanners; 39 | public EntryPointDeduplicator deduper; 40 | private List postponedEntryPoints; 41 | private int scanTime; 42 | private int totalScanners; 43 | private boolean timeout; 44 | private PrintWriter stdout; 45 | private BurpMollyScannerConfig extConfig; 46 | private static final int timeStep = 15; 47 | private IMollyAuthAdapter authenticator; 48 | 49 | public BurpMollyScannerConfig getExtConfig() { 50 | return extConfig; 51 | } 52 | 53 | public IMollyAuthAdapter getAuthenticator() { 54 | return authenticator; 55 | } 56 | 57 | public void postponeEntryPoint(IHttpRequestResponse messageInfo) { 58 | synchronized (postponedEntryPoints) { 59 | postponedEntryPoints.add(messageInfo); 60 | } 61 | } 62 | 63 | public void trackScanner(IScanQueueItem scan) { 64 | synchronized (scanners) { 65 | scanners.add(scan); 66 | } 67 | } 68 | 69 | // 70 | // implement IBurpExtender 71 | // 72 | @Override 73 | public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { 74 | // keep a reference to our callbacks object 75 | this.callbacks = callbacks; 76 | this.helpers = callbacks.getHelpers(); 77 | this.timeout = false; 78 | this.totalScanners = 0; 79 | this.scanTime = 0; 80 | 81 | // obtain our output stream 82 | this.stdout = new PrintWriter(callbacks.getStdout(), true); 83 | 84 | // set our extension name 85 | callbacks.setExtensionName("MollyBurp"); 86 | 87 | stdout.println("Extension was loaded"); 88 | 89 | Map env = System.getenv(); 90 | String configPath = env.get("MOLLY_CONFIG"); 91 | 92 | for (String arg : callbacks.getCommandLineArguments()) { 93 | String[] kv = arg.split("=", 2); 94 | if (kv.length != 2) { 95 | continue; 96 | } 97 | if (kv[0].equals("--molly-config")) { 98 | configPath = kv[1]; 99 | } 100 | } 101 | 102 | if (configPath == null || configPath.length() == 0) { 103 | stdout.println("Error loading extension config"); 104 | callbacks.exitSuite(false); 105 | return; 106 | } 107 | 108 | MollyConfig mollyConfig; 109 | try { 110 | String configJSON = new String(Files.readAllBytes(Paths.get(configPath)), StandardCharsets.UTF_8); 111 | mollyConfig = new Gson().fromJson(configJSON, MollyConfig.class); 112 | } catch (IOException e) { 113 | stdout.println("Error loading extension config"); 114 | callbacks.exitSuite(false); 115 | return; 116 | } catch (JsonSyntaxException e) { 117 | stdout.println("Error loading extension config"); 118 | callbacks.exitSuite(false); 119 | return; 120 | } catch (JsonParseException e) { 121 | stdout.println("Error loading extension config"); 122 | callbacks.exitSuite(false); 123 | return; 124 | } 125 | 126 | this.extConfig = mollyConfig.getBurpActiveScanner(); 127 | if (extConfig == null) { 128 | stdout.println("Error loading extension config"); 129 | callbacks.exitSuite(false); 130 | return; 131 | } 132 | 133 | this.issues = new ArrayList<>(); 134 | this.issueStat = new ConcurrentHashMap<>(); 135 | this.scanners = Collections.synchronizedList(new ArrayList()); 136 | this.postponedEntryPoints = new ArrayList<>(); 137 | this.deduper = new EntryPointDeduplicator(callbacks); 138 | 139 | if (extConfig.getReportPath() == null) { 140 | stdout.println("No report path configured"); 141 | callbacks.exitSuite(false); 142 | return; 143 | } 144 | 145 | if (extConfig.getEntryPoint() == null) { 146 | stdout.println("No initial_url configured"); 147 | callbacks.exitSuite(false); 148 | return; 149 | } 150 | 151 | MollyAuthConfig authConfig = extConfig.getAuthConfig(); 152 | /* TODO: use reflections? */ 153 | switch (authConfig.getAuthProvider().toUpperCase()) { 154 | case "BASIC": 155 | authenticator = new BasicAuthAdapter(callbacks, authConfig); 156 | if (authenticator.isAuthExpected()) { 157 | if (!authenticator.doAuth(null)) { 158 | stdout.println("Auth config error. Invalid username/password?"); 159 | callbacks.exitSuite(false); 160 | return; 161 | } 162 | } 163 | break; 164 | default: 165 | break; 166 | } 167 | 168 | try { 169 | extConfig.setInitialURL(new URL(extConfig.getEntryPoint())); 170 | } catch (MalformedURLException e) { 171 | stdout.println("Invalid initial URL " + extConfig.getEntryPoint()); 172 | callbacks.exitSuite(false); 173 | return; 174 | } 175 | 176 | // register custom class as an HTTP listener 177 | this.callbacks.registerHttpListener(new MollyRequestResponseHandler(callbacks, 178 | extConfig, authenticator, scanners, deduper, postponedEntryPoints)); 179 | // register custom class as an Proxy listener 180 | this.callbacks.registerProxyListener(new MollyProxyListener(callbacks, extConfig, 181 | authenticator, deduper)); 182 | 183 | // register ourselves as a Scanner listener 184 | callbacks.registerScannerListener(this); 185 | 186 | // register ourselves as an extension state listener 187 | callbacks.registerExtensionStateListener(this); 188 | 189 | if (!callbacks.isInScope(extConfig.getInitialURL())) { 190 | callbacks.includeInScope(extConfig.getInitialURL()); 191 | } 192 | 193 | callbacks.sendToSpider(extConfig.getInitialURL()); 194 | 195 | int maxTime = extConfig.getScanTimeout() * 60; 196 | 197 | /* Main work happens meanwhile */ 198 | waitForScanners(maxTime); 199 | 200 | /* XXX: scanners count! move max scanners count to config! */ 201 | if (!timeout && ((maxTime-scanTime) > timeStep*2) && totalScanners < 10) { 202 | for (IHttpRequestResponse messageInfo : postponedEntryPoints) { 203 | if (scanners.size() > 20) { 204 | break; 205 | } 206 | /* Full-dub detection */ 207 | if (deduper.isFullDuplicate(messageInfo)) continue; 208 | 209 | /* Half-dub detection */ 210 | if (deduper.isHalfDuplicate(messageInfo)) continue; 211 | 212 | /* Do not scan URLs with same parameters twice (?) */ 213 | if (deduper.isDuplicateURL(messageInfo)) continue; 214 | 215 | IScanQueueItem scan = callbacks.doActiveScan( 216 | extConfig.getInitialURL().getHost(), 217 | extConfig.getInitialURL().getPort() == -1 ? extConfig.getInitialURL().getDefaultPort() : extConfig.getInitialURL().getPort(), 218 | extConfig.getInitialURL().getProtocol().equals("https"), 219 | messageInfo.getRequest()); 220 | synchronized (scanners) { 221 | scanners.add(scan); 222 | } 223 | } 224 | } 225 | 226 | /* wait for postponed entry points to be scanned */ 227 | /* XXX: we can do better */ 228 | waitForScanners((maxTime-scanTime)); 229 | 230 | if (authenticator != null) { 231 | authenticator.doLogout(null); 232 | } 233 | 234 | if (issues != null) { 235 | callbacks.generateScanReport("XML", issues.toArray(new IScanIssue[issues.size()]), 236 | new File(extConfig.getReportPath())); 237 | } 238 | 239 | callbacks.exitSuite(false); 240 | } 241 | 242 | // 243 | // implement IScannerListener 244 | // 245 | @Override 246 | public void newScanIssue(IScanIssue issue) { 247 | if (issue == null) return; 248 | 249 | List ignoreIssueIds = extConfig.getIgnoredIssueIds(); 250 | if (ignoreIssueIds != null && ignoreIssueIds.contains(issue.getIssueType())) return; 251 | IHttpService issueService = issue.getHttpService(); 252 | 253 | /* XXX: test if it really works */ 254 | if (!issueService.getHost().contains(extConfig.getInitialURL().getHost())) { 255 | return; 256 | } 257 | 258 | /* Do not store more than X issues of same type - prevent huuuge reports */ 259 | int existingIssues = issueStat.getOrDefault(issue.getIssueName(), 0); 260 | if (extConfig.getMaxIssuesByType() > 0 && existingIssues >= extConfig.getMaxIssuesByType()) { 261 | return; 262 | } 263 | 264 | switch (issue.getIssueType()) { 265 | // 5244160 = Cross Domain Script include, handle whitelisting here 266 | case 0x00500500: 267 | List wl = extConfig.getCrossdomainJsWhitelist(); 268 | if (wl == null) break; 269 | for (String d : wl) { 270 | stdout.println("whitelisted: " + d); 271 | /* XXX! this is ugly */ 272 | /* TODO: grep URIs then parse and match domains only */ 273 | if (issue.getIssueDetail().contains("https://" + d)) { 274 | return; 275 | } 276 | } 277 | break; 278 | /* handle CORS whitelist here */ 279 | case 0x00200600: 280 | boolean isInteresting = false; 281 | IHttpRequestResponse[] trans = issue.getHttpMessages(); 282 | if (trans == null) return; 283 | for (IHttpRequestResponse t : trans) { 284 | stdout.println(t.getHttpService().getHost()); 285 | stdout.println(issue.getHttpService().getHost()); 286 | if (!extConfig.getPublicCorsWhitelist().contains(t.getHttpService().getHost())) { 287 | isInteresting = true; 288 | break; 289 | } 290 | } 291 | if (!isInteresting) return; 292 | break; 293 | // 2098176 = crossdomain.xml, handle whitelisting here 294 | case 0x200400: 295 | if (extConfig.getCrossdomainXmlWhitelist().contains(issue.getHttpService().getHost())) { 296 | return; 297 | } 298 | break; 299 | default: 300 | break; 301 | } 302 | 303 | issueStat.put(issue.getIssueName(), existingIssues+1); 304 | issues.add(issue); 305 | } 306 | 307 | // 308 | // implement IExtensionStateListener 309 | // 310 | @Override 311 | public void extensionUnloaded() { 312 | stdout.println("Extension was unloaded"); 313 | } 314 | 315 | private void waitForScanners(int maxTime) { 316 | /* XXX!!!!!!!!!!!!!!!!!! */ 317 | if (maxTime == 0) { 318 | maxTime = 3600*2; 319 | } 320 | if (maxTime < timeStep) { 321 | maxTime = timeStep * 2; 322 | } 323 | try { 324 | Awaitility.with().timeout(maxTime, TimeUnit.SECONDS) 325 | .and().with().pollDelay(timeStep, TimeUnit.SECONDS) 326 | .and().with().pollInterval(timeStep, TimeUnit.SECONDS) 327 | .await() 328 | .until(new Callable() { 329 | @Override 330 | public Boolean call() throws Exception { 331 | scanTime += timeStep; 332 | synchronized (scanners) { 333 | Iterator i = scanners.iterator(); 334 | while (i.hasNext()) { 335 | IScanQueueItem scan = i.next(); 336 | if (scan.getStatus().equals("finished")) { 337 | i.remove(); 338 | totalScanners += 1; 339 | } else { 340 | stdout.println("Scanners: " + scanners.size()); 341 | 342 | if (issues != null) { 343 | callbacks.generateScanReport("XML", issues.toArray(new IScanIssue[issues.size()]), 344 | new File(extConfig.getReportPath())); 345 | } 346 | 347 | return false; 348 | } 349 | } 350 | } 351 | return true; 352 | } 353 | }); 354 | } catch (ConditionTimeoutException e) { 355 | /* exiting anyway */ 356 | stdout.println("timeout!"); 357 | timeout = true; 358 | } 359 | } 360 | } -------------------------------------------------------------------------------- /config/burp_project_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "project_options":{ 3 | "connections":{ 4 | "hostname_resolution":[], 5 | "out_of_scope_requests":{ 6 | "drop_all_out_of_scope":false, 7 | "exclude":[ 8 | { 9 | "enabled":true, 10 | "file":"logout", 11 | "protocol":"any" 12 | }, 13 | { 14 | "enabled":true, 15 | "file":"logoff", 16 | "protocol":"any" 17 | }, 18 | { 19 | "enabled":true, 20 | "file":"exit", 21 | "protocol":"any" 22 | }, 23 | { 24 | "enabled":true, 25 | "file":"signout", 26 | "protocol":"any" 27 | } 28 | ], 29 | "include":[], 30 | "scope_option":"suite" 31 | }, 32 | "platform_authentication":{ 33 | "credentials":[], 34 | "do_platform_authentication":true, 35 | "prompt_on_authentication_failure":false, 36 | "use_user_options":true 37 | }, 38 | "socks_proxy":{ 39 | "dns_over_socks":false, 40 | "host":"", 41 | "password":"", 42 | "port":0, 43 | "use_proxy":false, 44 | "use_user_options":true, 45 | "username":"" 46 | }, 47 | "timeouts":{ 48 | "domain_name_resolution_timeout":300000, 49 | "failed_domain_name_resolution_timeout":60000, 50 | "normal_timeout":120000, 51 | "open_ended_response_timeout":10000 52 | }, 53 | "upstream_proxy":{ 54 | "servers":[], 55 | "use_user_options":true 56 | } 57 | }, 58 | "http":{ 59 | "redirections":{ 60 | "understand_3xx_status_code":true, 61 | "understand_any_status_code_with_location_header":false, 62 | "understand_javascript_driven":false, 63 | "understand_meta_refresh_tag":true, 64 | "understand_refresh_header":true 65 | }, 66 | "status_100_responses":{ 67 | "remove_100_continue_responses":false, 68 | "understand_100_continue_responses":true 69 | }, 70 | "streaming_responses":{ 71 | "store":true, 72 | "strip_chunked_encoding_metadata":true, 73 | "urls":[] 74 | } 75 | }, 76 | "misc":{ 77 | "collaborator_server":{ 78 | "location":"", 79 | "poll_over_unencrypted_http":false, 80 | "polling_location":"", 81 | "type":"default" 82 | }, 83 | "logging":{ 84 | "requests":{ 85 | "all_tools":"", 86 | "extender":"", 87 | "intruder":"", 88 | "proxy":"", 89 | "repeater":"", 90 | "scanner":"", 91 | "sequencer":"", 92 | "spider":"" 93 | }, 94 | "responses":{ 95 | "all_tools":"", 96 | "extender":"", 97 | "intruder":"", 98 | "proxy":"", 99 | "repeater":"", 100 | "scanner":"", 101 | "sequencer":"", 102 | "spider":"" 103 | } 104 | }, 105 | "scheduled_tasks":{ 106 | "tasks":[] 107 | } 108 | }, 109 | "sessions":{ 110 | "cookie_jar":{ 111 | "monitor_extender":true, 112 | "monitor_intruder":false, 113 | "monitor_proxy":false, 114 | "monitor_repeater":false, 115 | "monitor_scanner":true, 116 | "monitor_sequencer":false, 117 | "monitor_spider":true 118 | }, 119 | "macros":{ 120 | "macros":[] 121 | }, 122 | "session_handling_rules":{ 123 | "rules":[ 124 | { 125 | "actions":[ 126 | { 127 | "enabled":true, 128 | "match_cookies":"all_except", 129 | "type":"use_cookies" 130 | } 131 | ], 132 | "description":"Use cookies from Burp's cookie jar", 133 | "enabled":true, 134 | "exclude_from_scope":[], 135 | "include_in_scope":[], 136 | "named_params":[], 137 | "restrict_scope_to_named_params":false, 138 | "tools_scope":[ 139 | "Spider", 140 | "Scanner", 141 | "Extender" 142 | ], 143 | "url_scope":"suite" 144 | } 145 | ] 146 | } 147 | }, 148 | "ssl":{ 149 | "client_certificates":{ 150 | "certificates":[], 151 | "use_user_options":true 152 | }, 153 | "negotiation":{ 154 | "allow_unsafe_renegotiation":false, 155 | "automatically_select_compatible_ssl_parameters_on_failure":true, 156 | "enabled_ciphers":[], 157 | "enabled_protocols":[], 158 | "use_platform_default_protocols_and_ciphers":true 159 | } 160 | } 161 | }, 162 | "spider":{ 163 | "crawler":{ 164 | "check_robots_text":false, 165 | "detect_custom_not_found_responses":true, 166 | "ignore_links_to_non_text_content":true, 167 | "make_non_parameterized_request_to_dynamic_pages":true, 168 | "max_link_depth":5, 169 | "max_parameterized_requests_per_url":30, 170 | "request_root_of_all_directories":true 171 | }, 172 | "engine":{ 173 | "add_random_variation_to_throttle":false, 174 | "number_of_retries_on_failure":2, 175 | "number_of_threads":10, 176 | "pause_before_retry_on_failure":2000, 177 | "throttle_between_requests":false, 178 | "throttle_interval":0 179 | } 180 | }, 181 | "proxy":{ 182 | "request_listeners":[ 183 | { 184 | "certificate_mode":"per_host", 185 | "listen_mode":"loopback_only", 186 | "listener_port":8080, 187 | "running":true 188 | } 189 | ] 190 | }, 191 | "scanner":{ 192 | "active_scanning_areas":{ 193 | "csrf":true, 194 | "external_interaction":true, 195 | "file_path_traversal":true, 196 | "header_manipulation":true, 197 | "http_header_injection":true, 198 | "input_retrieval_reflected":false, 199 | "input_retrieval_stored":false, 200 | "ldap_injection":false, 201 | "open_redirection":true, 202 | "os_command_injection":{ 203 | "blind_checks":true, 204 | "enabled":true, 205 | "informed_checks":true 206 | }, 207 | "reflected_dom_issues":true, 208 | "reflected_xss":true, 209 | "server_level_issues":true, 210 | "server_side_code_injection":true, 211 | "server_side_template_injection":true, 212 | "sql_injection":{ 213 | "boolean_condition_checks":true, 214 | "enabled":true, 215 | "error_based_checks":true, 216 | "mssql_checks":true, 217 | "mysql_checks":true, 218 | "oracle_checks":true, 219 | "time_delay_checks":true 220 | }, 221 | "stored_dom_issues":true, 222 | "stored_xss":true, 223 | "xml_soap_injection":true 224 | }, 225 | "active_scanning_engine":{ 226 | "do_throttle":true, 227 | "follow_redirects":true, 228 | "number_of_retries_on_failure":1, 229 | "number_of_threads":10, 230 | "pause_before_retry_on_failure":2000, 231 | "throttle_interval":500, 232 | "throttle_random":true 233 | }, 234 | "active_scanning_optimization":{ 235 | "intelligent_attack_selection":true, 236 | "scan_accuracy":"minimise_false_positives", 237 | "scan_speed":"normal" 238 | }, 239 | "attack_insertion_points":{ 240 | "change_body_to_cookie":false, 241 | "change_body_to_url":false, 242 | "change_cookie_to_body":false, 243 | "change_cookie_to_url":false, 244 | "change_url_to_body":false, 245 | "change_url_to_cookie":false, 246 | "insert_amf_params":false, 247 | "insert_body_params":true, 248 | "insert_cookies":true, 249 | "insert_entire_body":true, 250 | "insert_http_headers":false, 251 | "insert_param_names":true, 252 | "insert_url_params":true, 253 | "insert_url_path_filename":false, 254 | "insert_url_path_folders":false, 255 | "max_insertion_points":20, 256 | "skip_all_tests_for_parameters":[], 257 | "skip_server_side_injection_for_parameters":[ 258 | { 259 | "enabled":true, 260 | "expression":"aspsessionid.*", 261 | "item":"name", 262 | "match_type":"matches_regex", 263 | "parameter":"cookie" 264 | }, 265 | { 266 | "enabled":true, 267 | "expression":"asp.net_sessionid", 268 | "item":"name", 269 | "match_type":"is", 270 | "parameter":"cookie" 271 | }, 272 | { 273 | "enabled":true, 274 | "expression":"__eventtarget", 275 | "item":"name", 276 | "match_type":"is", 277 | "parameter":"body_parameter" 278 | }, 279 | { 280 | "enabled":true, 281 | "expression":"__eventargument", 282 | "item":"name", 283 | "match_type":"is", 284 | "parameter":"body_parameter" 285 | }, 286 | { 287 | "enabled":true, 288 | "expression":"__viewstate", 289 | "item":"name", 290 | "match_type":"is", 291 | "parameter":"body_parameter" 292 | }, 293 | { 294 | "enabled":true, 295 | "expression":"__eventvalidation", 296 | "item":"name", 297 | "match_type":"is", 298 | "parameter":"body_parameter" 299 | }, 300 | { 301 | "enabled":true, 302 | "expression":"jsessionid", 303 | "item":"name", 304 | "match_type":"is", 305 | "parameter":"any_parameter" 306 | }, 307 | { 308 | "enabled":true, 309 | "expression":"cfid", 310 | "item":"name", 311 | "match_type":"is", 312 | "parameter":"cookie" 313 | }, 314 | { 315 | "enabled":true, 316 | "expression":"cftoken", 317 | "item":"name", 318 | "match_type":"is", 319 | "parameter":"cookie" 320 | }, 321 | { 322 | "enabled":true, 323 | "expression":"PHPSESSID", 324 | "item":"name", 325 | "match_type":"is", 326 | "parameter":"cookie" 327 | }, 328 | { 329 | "enabled":true, 330 | "expression":"session_id", 331 | "item":"name", 332 | "match_type":"is", 333 | "parameter":"cookie" 334 | } 335 | ], 336 | "use_nested_insertion_points":true 337 | }, 338 | "live_active_scanning":{ 339 | "exclude":[ 340 | { 341 | "enabled":true, 342 | "file":"logout", 343 | "protocol":"any" 344 | }, 345 | { 346 | "enabled":true, 347 | "file":"logoff", 348 | "protocol":"any" 349 | }, 350 | { 351 | "enabled":true, 352 | "file":"exit", 353 | "protocol":"any" 354 | }, 355 | { 356 | "enabled":true, 357 | "file":"signout", 358 | "protocol":"any" 359 | } 360 | ], 361 | "include":[], 362 | "scope_option":"suite" 363 | }, 364 | "live_passive_scanning":{ 365 | "exclude":[ 366 | { 367 | "enabled":true, 368 | "file":"logout", 369 | "protocol":"any" 370 | }, 371 | { 372 | "enabled":true, 373 | "file":"logoff", 374 | "protocol":"any" 375 | }, 376 | { 377 | "enabled":true, 378 | "file":"exit", 379 | "protocol":"any" 380 | }, 381 | { 382 | "enabled":true, 383 | "file":"signout", 384 | "protocol":"any" 385 | } 386 | ], 387 | "include":[], 388 | "scope_option":"suite" 389 | }, 390 | "passive_scanning_areas":{ 391 | "asp_net_viewstate":false, 392 | "caching":false, 393 | "cookies":true, 394 | "forms":true, 395 | "frameable_responses":false, 396 | "headers":true, 397 | "information_disclosure":true, 398 | "links":true, 399 | "mime_type":true, 400 | "parameters":true, 401 | "server_level_issues":true 402 | }, 403 | "scan_queue":{ 404 | "hide_finished_items":false 405 | }, 406 | "static_code_analysis":{ 407 | "max_time_per_item":120, 408 | "mode":"active_only" 409 | } 410 | } 411 | } 412 | -------------------------------------------------------------------------------- /src/main/java/burp/IExtensionHelpers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionHelpers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface contains a number of helper methods, which extensions can use 17 | * to assist with various common tasks that arise for Burp extensions. 18 | * 19 | * Extensions can call IBurpExtenderCallbacks.getHelpers to obtain 20 | * an instance of this interface. 21 | */ 22 | public interface IExtensionHelpers 23 | { 24 | 25 | /** 26 | * This method can be used to analyze an HTTP request, and obtain various 27 | * key details about it. 28 | * 29 | * @param request An IHttpRequestResponse object containing the 30 | * request to be analyzed. 31 | * @return An IRequestInfo object that can be queried to obtain 32 | * details about the request. 33 | */ 34 | IRequestInfo analyzeRequest(IHttpRequestResponse request); 35 | 36 | /** 37 | * This method can be used to analyze an HTTP request, and obtain various 38 | * key details about it. 39 | * 40 | * @param httpService The HTTP service associated with the request. This is 41 | * optional and may be null, in which case the resulting 42 | * IRequestInfo object will not include the full request URL. 43 | * @param request The request to be analyzed. 44 | * @return An IRequestInfo object that can be queried to obtain 45 | * details about the request. 46 | */ 47 | IRequestInfo analyzeRequest(IHttpService httpService, byte[] request); 48 | 49 | /** 50 | * This method can be used to analyze an HTTP request, and obtain various 51 | * key details about it. The resulting IRequestInfo object will 52 | * not include the full request URL. To obtain the full URL, use one of the 53 | * other overloaded analyzeRequest() methods. 54 | * 55 | * @param request The request to be analyzed. 56 | * @return An IRequestInfo object that can be queried to obtain 57 | * details about the request. 58 | */ 59 | IRequestInfo analyzeRequest(byte[] request); 60 | 61 | /** 62 | * This method can be used to analyze an HTTP response, and obtain various 63 | * key details about it. 64 | * 65 | * @param response The response to be analyzed. 66 | * @return An IResponseInfo object that can be queried to 67 | * obtain details about the response. 68 | */ 69 | IResponseInfo analyzeResponse(byte[] response); 70 | 71 | /** 72 | * This method can be used to retrieve details of a specified parameter 73 | * within an HTTP request. Note: Use analyzeRequest() to 74 | * obtain details of all parameters within the request. 75 | * 76 | * @param request The request to be inspected for the specified parameter. 77 | * @param parameterName The name of the parameter to retrieve. 78 | * @return An IParameter object that can be queried to obtain 79 | * details about the parameter, or null if the parameter was 80 | * not found. 81 | */ 82 | IParameter getRequestParameter(byte[] request, String parameterName); 83 | 84 | /** 85 | * This method can be used to URL-decode the specified data. 86 | * 87 | * @param data The data to be decoded. 88 | * @return The decoded data. 89 | */ 90 | String urlDecode(String data); 91 | 92 | /** 93 | * This method can be used to URL-encode the specified data. Any characters 94 | * that do not need to be encoded within HTTP requests are not encoded. 95 | * 96 | * @param data The data to be encoded. 97 | * @return The encoded data. 98 | */ 99 | String urlEncode(String data); 100 | 101 | /** 102 | * This method can be used to URL-decode the specified data. 103 | * 104 | * @param data The data to be decoded. 105 | * @return The decoded data. 106 | */ 107 | byte[] urlDecode(byte[] data); 108 | 109 | /** 110 | * This method can be used to URL-encode the specified data. Any characters 111 | * that do not need to be encoded within HTTP requests are not encoded. 112 | * 113 | * @param data The data to be encoded. 114 | * @return The encoded data. 115 | */ 116 | byte[] urlEncode(byte[] data); 117 | 118 | /** 119 | * This method can be used to Base64-decode the specified data. 120 | * 121 | * @param data The data to be decoded. 122 | * @return The decoded data. 123 | */ 124 | byte[] base64Decode(String data); 125 | 126 | /** 127 | * This method can be used to Base64-decode the specified data. 128 | * 129 | * @param data The data to be decoded. 130 | * @return The decoded data. 131 | */ 132 | byte[] base64Decode(byte[] data); 133 | 134 | /** 135 | * This method can be used to Base64-encode the specified data. 136 | * 137 | * @param data The data to be encoded. 138 | * @return The encoded data. 139 | */ 140 | String base64Encode(String data); 141 | 142 | /** 143 | * This method can be used to Base64-encode the specified data. 144 | * 145 | * @param data The data to be encoded. 146 | * @return The encoded data. 147 | */ 148 | String base64Encode(byte[] data); 149 | 150 | /** 151 | * This method can be used to convert data from String form into an array of 152 | * bytes. The conversion does not reflect any particular character set, and 153 | * a character with the hex representation 0xWXYZ will always be converted 154 | * into a byte with the representation 0xYZ. It performs the opposite 155 | * conversion to the method bytesToString(), and byte-based 156 | * data that is converted to a String and back again using these two methods 157 | * is guaranteed to retain its integrity (which may not be the case with 158 | * conversions that reflect a given character set). 159 | * 160 | * @param data The data to be converted. 161 | * @return The converted data. 162 | */ 163 | byte[] stringToBytes(String data); 164 | 165 | /** 166 | * This method can be used to convert data from an array of bytes into 167 | * String form. The conversion does not reflect any particular character 168 | * set, and a byte with the representation 0xYZ will always be converted 169 | * into a character with the hex representation 0x00YZ. It performs the 170 | * opposite conversion to the method stringToBytes(), and 171 | * byte-based data that is converted to a String and back again using these 172 | * two methods is guaranteed to retain its integrity (which may not be the 173 | * case with conversions that reflect a given character set). 174 | * 175 | * @param data The data to be converted. 176 | * @return The converted data. 177 | */ 178 | String bytesToString(byte[] data); 179 | 180 | /** 181 | * This method searches a piece of data for the first occurrence of a 182 | * specified pattern. It works on byte-based data in a way that is similar 183 | * to the way the native Java method String.indexOf() works on 184 | * String-based data. 185 | * 186 | * @param data The data to be searched. 187 | * @param pattern The pattern to be searched for. 188 | * @param caseSensitive Flags whether or not the search is case-sensitive. 189 | * @param from The offset within data where the search should 190 | * begin. 191 | * @param to The offset within data where the search should 192 | * end. 193 | * @return The offset of the first occurrence of the pattern within the 194 | * specified bounds, or -1 if no match is found. 195 | */ 196 | int indexOf(byte[] data, 197 | byte[] pattern, 198 | boolean caseSensitive, 199 | int from, 200 | int to); 201 | 202 | /** 203 | * This method builds an HTTP message containing the specified headers and 204 | * message body. If applicable, the Content-Length header will be added or 205 | * updated, based on the length of the body. 206 | * 207 | * @param headers A list of headers to include in the message. 208 | * @param body The body of the message, of null if the message 209 | * has an empty body. 210 | * @return The resulting full HTTP message. 211 | */ 212 | byte[] buildHttpMessage(List headers, byte[] body); 213 | 214 | /** 215 | * This method creates a GET request to the specified URL. The headers used 216 | * in the request are determined by the Request headers settings as 217 | * configured in Burp Spider's options. 218 | * 219 | * @param url The URL to which the request should be made. 220 | * @return A request to the specified URL. 221 | */ 222 | byte[] buildHttpRequest(URL url); 223 | 224 | /** 225 | * This method adds a new parameter to an HTTP request, and if appropriate 226 | * updates the Content-Length header. 227 | * 228 | * @param request The request to which the parameter should be added. 229 | * @param parameter An IParameter object containing details of 230 | * the parameter to be added. Supported parameter types are: 231 | * PARAM_URL, PARAM_BODY and 232 | * PARAM_COOKIE. 233 | * @return A new HTTP request with the new parameter added. 234 | */ 235 | byte[] addParameter(byte[] request, IParameter parameter); 236 | 237 | /** 238 | * This method removes a parameter from an HTTP request, and if appropriate 239 | * updates the Content-Length header. 240 | * 241 | * @param request The request from which the parameter should be removed. 242 | * @param parameter An IParameter object containing details of 243 | * the parameter to be removed. Supported parameter types are: 244 | * PARAM_URL, PARAM_BODY and 245 | * PARAM_COOKIE. 246 | * @return A new HTTP request with the parameter removed. 247 | */ 248 | byte[] removeParameter(byte[] request, IParameter parameter); 249 | 250 | /** 251 | * This method updates the value of a parameter within an HTTP request, and 252 | * if appropriate updates the Content-Length header. Note: This 253 | * method can only be used to update the value of an existing parameter of a 254 | * specified type. If you need to change the type of an existing parameter, 255 | * you should first call removeParameter() to remove the 256 | * parameter with the old type, and then call addParameter() to 257 | * add a parameter with the new type. 258 | * 259 | * @param request The request containing the parameter to be updated. 260 | * @param parameter An IParameter object containing details of 261 | * the parameter to be updated. Supported parameter types are: 262 | * PARAM_URL, PARAM_BODY and 263 | * PARAM_COOKIE. 264 | * @return A new HTTP request with the parameter updated. 265 | */ 266 | byte[] updateParameter(byte[] request, IParameter parameter); 267 | 268 | /** 269 | * This method can be used to toggle a request's method between GET and 270 | * POST. Parameters are relocated between the URL query string and message 271 | * body as required, and the Content-Length header is created or removed as 272 | * applicable. 273 | * 274 | * @param request The HTTP request whose method should be toggled. 275 | * @return A new HTTP request using the toggled method. 276 | */ 277 | byte[] toggleRequestMethod(byte[] request); 278 | 279 | /** 280 | * This method constructs an IHttpService object based on the 281 | * details provided. 282 | * 283 | * @param host The HTTP service host. 284 | * @param port The HTTP service port. 285 | * @param protocol The HTTP service protocol. 286 | * @return An IHttpService object based on the details 287 | * provided. 288 | */ 289 | IHttpService buildHttpService(String host, int port, String protocol); 290 | 291 | /** 292 | * This method constructs an IHttpService object based on the 293 | * details provided. 294 | * 295 | * @param host The HTTP service host. 296 | * @param port The HTTP service port. 297 | * @param useHttps Flags whether the HTTP service protocol is HTTPS or HTTP. 298 | * @return An IHttpService object based on the details 299 | * provided. 300 | */ 301 | IHttpService buildHttpService(String host, int port, boolean useHttps); 302 | 303 | /** 304 | * This method constructs an IParameter object based on the 305 | * details provided. 306 | * 307 | * @param name The parameter name. 308 | * @param value The parameter value. 309 | * @param type The parameter type, as defined in the IParameter 310 | * interface. 311 | * @return An IParameter object based on the details provided. 312 | */ 313 | IParameter buildParameter(String name, String value, byte type); 314 | 315 | /** 316 | * This method constructs an IScannerInsertionPoint object 317 | * based on the details provided. It can be used to quickly create a simple 318 | * insertion point based on a fixed payload location within a base request. 319 | * 320 | * @param insertionPointName The name of the insertion point. 321 | * @param baseRequest The request from which to build scan requests. 322 | * @param from The offset of the start of the payload location. 323 | * @param to The offset of the end of the payload location. 324 | * @return An IScannerInsertionPoint object based on the 325 | * details provided. 326 | */ 327 | IScannerInsertionPoint makeScannerInsertionPoint( 328 | String insertionPointName, 329 | byte[] baseRequest, 330 | int from, 331 | int to); 332 | 333 | /** 334 | * This method analyzes one or more responses to identify variations in a 335 | * number of attributes and returns an IResponseVariations 336 | * object that can be queried to obtain details of the variations. 337 | * 338 | * @param responses The responses to analyze. 339 | * @return An IResponseVariations object representing the 340 | * variations in the responses. 341 | */ 342 | IResponseVariations analyzeResponseVariations(byte[]... responses); 343 | 344 | /** 345 | * This method analyzes one or more responses to identify the number of 346 | * occurrences of the specified keywords and returns an 347 | * IResponseKeywords object that can be queried to obtain 348 | * details of the number of occurrences of each keyword. 349 | * 350 | * @param keywords The keywords to look for. 351 | * @param responses The responses to analyze. 352 | * @return An IResponseKeywords object representing the counts 353 | * of the keywords appearing in the responses. 354 | */ 355 | IResponseKeywords analyzeResponseKeywords(List keywords, byte[]... responses); 356 | } 357 | --------------------------------------------------------------------------------