def detect_csrf_token(self,messageIsRequest,message):
#Only process requests as that's where the Token should be
request_byte_array=message.getMessageInfo().getRequest()
if messageIsRequest:
t1=[]
t2=[]
flag=0
requestInfo = self._helpers.analyzeRequest(request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,requestInfo)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
csrf_token_value=self._helpers.getRequestParameter(request_byte_array,anticsrf_token_name)
request_string=self._helpers.bytesToString(request_byte_array)
urlpath=request_string.split("\n")
tmp2=urlpath[0].split(' ')
#If there's no token, check if it's an image, js or css file. In this case, a token isn't needed
if not csrf_token_value:
for tmp3 in excluded_file_extensions:
#Search for file extension. If you want a more complex regex..remember to compile the regex. DO.NOT.FORGET :)
tmp4=re.search(tmp3,tmp2[-2])
if tmp4:
flag=1
#Not to be excluded and the request doesn't contain a token
if flag != 1:
return urlpath[0]
def processProxyMessage(self, messageIsRequest, message):
response_byte_array = message.getMessageInfo().getResponse()
request_http_service = message.getMessageInfo().getHttpService()
request_byte_array = message.getMessageInfo().getRequest()
request_object = self._helpers.analyzeRequest(request_http_service,
request_byte_array)
#Extract hostname from header
hostname = webcommon.get_host_header_from_request(self, request_object)
#hostname=BurpExtender.get_host_header_from_request(self,request_object)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
if not messageIsRequest:
responseInfo = self._helpers.analyzeResponse(
response_byte_array)
#Extract banner from response
banner = webcommon.get_banner_from_response(self, responseInfo)
if banner not in unique_banners.keys():
unique_banners[banner] = ''
print banner
#Extract platform specific content from response
responseBody = webcommon.get_response_body(
self, response_byte_array, responseInfo)
responseBody_string = self._helpers.bytesToString(responseBody)
for platform_name in list_of_platforms:
regex = re.compile('.{30}%s.{30}' % platform_name,
re.IGNORECASE | re.DOTALL)
m2 = regex.search(responseBody_string)
if m2:
print m2.group(0) + '\n' + '-' * 30 + '\n'
def registerExtenderCallbacks(self,callbacks):
global hostname
list_of_urls=[]
# Get a reference to the Burp helpers object
self._helpers = callbacks.getHelpers()
self._callbacks = callbacks
# set our extension name
callbacks.setExtensionName("HTTP method test")
# Get proxy history
proxyhistory=callbacks.getProxyHistory()
#Read each request in proxy history
for request in proxyhistory:
request_byte_array=request.getRequest()
requestInfo = self._helpers.analyzeRequest(request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,requestInfo)
#Test PUT for each directory in the proxy history
filepath=BurpExtender.test_put(self,callbacks,request_byte_array,hostname,requestInfo)
#Get the file that you just PUT
respcode=BurpExtender.check_file_existence_put(self,filepath)
if respcode=='200':
#Test DELETE for the file you uploaded
BurpExtender.test_delete(self,filepath)
#Get the file that you just DELETED. It should return a 404 if DELETE is enabled
BurpExtender.check_file_existence_delete(self,filepath)
def processProxyMessage(self,messageIsRequest,message):
response_byte_array=message.getMessageInfo().getResponse()
request_http_service=message.getMessageInfo().getHttpService()
request_byte_array=message.getMessageInfo().getRequest()
request_object=self._helpers.analyzeRequest(request_http_service, request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,request_object)
#hostname=BurpExtender.get_host_header_from_request(self,request_object)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
if not messageIsRequest:
responseInfo = self._helpers.analyzeResponse(response_byte_array)
#Extract banner from response
banner=webcommon.get_banner_from_response(self,responseInfo)
if banner not in unique_banners.keys():
unique_banners[banner]=''
print banner
#Extract platform specific content from response
responseBody=webcommon.get_response_body(self,response_byte_array,responseInfo)
responseBody_string=self._helpers.bytesToString(responseBody)
for platform_name in list_of_platforms:
regex=re.compile('.{30}%s.{30}'%platform_name,re.IGNORECASE|re.DOTALL)
m2=regex.search(responseBody_string)
if m2:
print m2.group(0)+'\n'+'-'*30+'\n'
def setMessage(self, content, isRequest):
if content is None:
self._txtInput.setText(None)
self._txtInput.setEditable(False)
else:
request_byte_array = []
requestInfo = self._extender._helpers.analyzeRequest(content)
hostname = webcommon.get_host_header_from_request(
self, requestInfo)
http_service = self._extender._helpers.buildHttpService(
hostname[1], remote_listening_port, protocol)
r1 = self._extender._callbacks.makeHttpRequest(
http_service, content)
r2 = r1.getResponse()
orig_resp = self._extender._helpers.bytesToString(r2)
request_byte_array, flag, http_service = self.remove_sessioncookie_from_request(
content, http_service)
if flag == 1:
new_resp = self.generate_request(request_byte_array,
http_service)
if len(orig_resp) == len(new_resp):
output = 'Direct requesting without cookies has the same response as the original. This might be a vuln. Here is the request that was sent:\n\n'
output += '-' * 20 + '\n'
output += self._extender._helpers.bytesToString(
request_byte_array)
self._txtInput.setText(output)
self._txtInput.setEditable(self._editable)
self._currentMessage = content
return
def detect_urls_in_parameters(self,messageIsRequest,message):
#Only process requests
if messageIsRequest:
request_http_service=message.getMessageInfo().getHttpService()
request_byte_array=message.getMessageInfo().getRequest()
request_object=self._helpers.analyzeRequest(request_http_service, request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,request_object)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
request_url=request_object.getUrl()
request_parameters=request_object.getParameters()
#Check if the value of each parameter matches a whitelist or a blacklist. Both lists are defined above as global variables.
for param in request_parameters:
blacklist=0
whitelist=0
for excluded_pattern in excluded_url_patterns:
regex=re.compile('.*%s.*'%excluded_pattern,re.IGNORECASE)
m2=regex.match(str(param.getValue()))
#m3=regex.match(urllib.quote(str(param.getValue())))
if m2:# or m3:
blacklist=1
#If it doesn't match a blacklist
if blacklist == 0:
for pattern in url_patterns:
regex=re.compile('.*%s.*'%pattern,re.IGNORECASE)
m1=regex.match(str(param.getValue()))
#m4=regex.match(urllib.quote_plus(str(param.getValue())))
if m1:# or m4:
whitelist=1
#If the value for the URL parameter matches a pattern print it out
if whitelist==1:
#The moment you detect that a URL matches a pattern you also want to fuzz it. Hence you do the following:
# -- Check if you already sent it to Intruder
# -- If not, mark the positions that you want scanned
# -- Set the payload list, set any other Intruder customizations up
# -- Send the URL to be fuzzed to Intruder
# -- Probably fuzz it as well and save the Intruder results to be imported later
print str(request_url)+"\t\t"+str(param_constant_type_mapping[str(param.getType())])+"\t\t"+str(param.getName())+"\t\t"+str(param.getValue())
else:
response_byte_array=message.getMessageInfo().getResponse()
responseInfo = self._helpers.analyzeResponse(response_byte_array)
responseCode=webcommon.get_response_code_from_headers(self,responseInfo)
location=webcommon.get_location_from_headers(self,responseInfo)
if location:
print str(responseCode[0])+'\t\t'+str(location[1])
def processProxyMessage(self,messageIsRequest,message):
request_http_service=message.getMessageInfo().getHttpService()
request_byte_array=message.getMessageInfo().getRequest()
request_object=self._helpers.analyzeRequest(request_http_service, request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,request_object)
#Check if the URL is NOT in scope. We want to look at referers for the requests that are made to OTHER domains.
if (hostname) and (hostname[1] not in urls_in_scope):
#Extract referer from header
referer=webcommon.get_referer_header_from_request(self,request_object)
if referer:
t1=referer[1].split('/')
if t1[2] in urls_in_scope:
print referer[1]
def setMessage(self, content, isRequest):
if content is None:
self._txtInput.setText(None)
self._txtInput.setEditable(False)
else:
requestInfo= self._extender._helpers.analyzeRequest(content)
hostname= webcommon.get_host_header_from_request(self,requestInfo)
http_service= self._extender._helpers.buildHttpService(hostname[1],remote_listening_port,protocol)
bytes_req= self._extender._helpers.toggleRequestMethod(content)
r1= self._extender._callbacks.makeHttpRequest(http_service, bytes_req)
r2= r1.getResponse()
orig_resp= self._extender._helpers.bytesToString(r2)
self._txtInput.setText(self._extender._helpers.bytesToString(bytes_req)+'-'*10+'\n'+orig_resp)
self._txtInput.setEditable(self._editable)
self._currentMessage= orig_resp
return
def download_all_JS_files(self,messageIsRequest,message):
request_byte_array=message.getMessageInfo().getRequest()
if messageIsRequest:
request_http_service=message.getMessageInfo().getHttpService()
request_byte_array=message.getMessageInfo().getRequest()
request_object=self._helpers.analyzeRequest(request_http_service, request_byte_array)
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,request_object)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
request_url=request_object.getUrl()
if str(request_url).endswith('.js'):
print request_url
os.chdir(download_path)
os.system("wget "+str(request_url))
def detect_valid_referer(self,messageIsRequest,message):
#Only process requests as that's where the valid Referer should be
request_http_service=message.getMessageInfo().getHttpService()
request_byte_array=message.getMessageInfo().getRequest()
requestInfo=self._helpers.analyzeRequest(request_http_service, request_byte_array)
request_url=requestInfo.getUrl()
if messageIsRequest:
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,requestInfo)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
#Extract referer. If it's not a referer from the same site - print it out and let the engineer decide if it is unsafe.
referer=webcommon.get_referer_header_from_request(self,requestInfo)
if not referer[1].startswith(referer_header_value):
print str(request_url)+'\t\t'+str(referer[1])
def remove_sessioncookie_from_request(self, messageIsRequest, message):
request_byte_array = message.getMessageInfo().getRequest()
requestInfo = self._helpers.analyzeRequest(request_byte_array)
# Extract hostname from header
global hostname
hostname = webcommon.get_host_header_from_request(self, requestInfo)
# Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
request_string = self._helpers.bytesToString(request_byte_array)
# Find and then remove all session cookies
for cookie in session_cookie_names:
regex = re.compile(r"(.*)(%s=\w+)(;*?)" % cookie, re.IGNORECASE | re.DOTALL)
m1 = regex.match(request_string)
if m1:
request_string = re.sub(m1.group(2), "", request_string)
# Restore the manipulated string to the byte array so it can be reused.
request_byte_array = self._helpers.stringToBytes(request_string)
return request_byte_array
def get_all_hosts(self):
unique_list_of_urls=[]
# Get proxy history
proxyhistory=self._callbacks.getProxyHistory()
#Read each request in proxy history
for request in proxyhistory:
request_byte_array=request.getRequest()
request_http_service=request.getHttpService()
requestInfo = self._helpers.analyzeRequest(request_http_service,request_byte_array)
t1=str(requestInfo.getUrl())
t2=t1.split('/')
url=t2[0]+'//'+t2[2]
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,requestInfo)
if url not in unique_list_of_urls:
unique_list_of_urls.append(url)
return unique_list_of_urls
def get_all_hosts(self):
unique_list_of_urls=[]
# Get proxy history
proxyhistory=self._callbacks.getProxyHistory()
#Read each request in proxy history
for request in proxyhistory:
request_byte_array=request.getRequest()
request_http_service=request.getHttpService()
requestInfo = self._helpers.analyzeRequest(request_http_service,request_byte_array)
t1=str(requestInfo.getUrl())
t2=t1.split('/')
url=t2[0]+'//'+t2[2]
#Extract hostname from header
hostname=webcommon.get_host_header_from_request(self,requestInfo)
if url not in unique_list_of_urls:
unique_list_of_urls.append(url)
return unique_list_of_urls
def remove_sessioncookie_from_request(self,messageIsRequest,message):
request_byte_array=message.getMessageInfo().getRequest()
requestInfo = self._helpers.analyzeRequest(request_byte_array)
#Extract hostname from header
global hostname
hostname=webcommon.get_host_header_from_request(self,requestInfo)
#Check if the URL is in scope. This is to eliminate stray traffic.
if hostname and hostname[1] in urls_in_scope:
request_string=self._helpers.bytesToString(request_byte_array)
#Find and then remove all session cookies
for cookie in session_cookie_names:
regex=re.compile(r'(.*)(%s=\w+)(;*?)'%cookie,re.IGNORECASE|re.DOTALL)
m1=regex.match(request_string)
if m1:
request_string=re.sub(m1.group(2),'',request_string)
#Restore the manipulated string to the byte array so it can be reused.
request_byte_array = self._helpers.stringToBytes(request_string)
return request_byte_array
