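    def testInsertionPointHeaderBuildRequest(self):
        """
        buildRequest on an INS_HEADER insertion point replaces the header value in place.

        The raw request holds "Host: lelele"; offsets 22 and 28 bracket the value
        "lelele" (16 chars of request line plus "Host: "). updateContentLength is
        stubbed to the identity so only the header rewrite is exercised, and the
        rebuilt request is expected to contain "Host: lol".
        """
        callbacks = GenericMock()

        request = String("GET / HTTP/1.1\r\nHost: lelele\r\n\r\n").getBytes()

        sip = ScannerInsertionPoint(callbacks, request, "Host", "lelele", IScannerInsertionPoint.INS_HEADER, 22, 28)
        sip.updateContentLength = lambda x: x

        ret = sip.buildRequest(String("lol").getBytes())
        # assertIn reports the actual rebuilt request on failure instead of a bare
        # "False is not true".
        self.assertIn("Host: lol", str(String(ret)))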
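    def testBuildRequestUpdatesContentLength(self):
        """
        buildRequest on a body (INS_PARAM_JSON) insertion point calls updateContentLength exactly once.

        Offsets 61 and 65 bracket the numeric value 1234 in the JSON body. The
        mocked helpers' updateParameter is configured to raise
        UnsupportedOperationException, presumably so the extension's own
        replacement path runs instead of Burp's helper (confirm against
        ScannerInsertionPoint.buildRequest). Only the call count is checked here;
        the rebuilt body itself is covered by testBuildRequestJsonNumbers.
        """
        callbacks = GenericMock()

        request = String("POST / HTTP/1.1\r\nHost:lelele\r\nContent-length: 16\r\n\r\n{\"param\":1234}\r\n").getBytes()

        # NOTE(review): `raise` is a Python keyword, so an attribute assignment spelled
        # this way would not parse as written - confirm the attribute name GenericMock
        # actually exposes.
        callbacks.helpers.updateParameter.raise = UnsupportedOperationException

        sip = ScannerInsertionPoint(callbacks, request, "name", "value", IScannerInsertionPoint.INS_PARAM_JSON, 61, 65)
        sip.updateContentLength = GenericMock()

        # The return value is irrelevant to this test; only the side effect matters.
        sip.buildRequest(String("lol").getBytes())

        # assertEquals is a deprecated alias of assertEqual.
        self.assertEqual(sip.updateContentLength.call_count, 1)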
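    def testBuildRequestXmlAttr(self):
        """
        buildRequest on an INS_PARAM_XML_ATTR insertion point escapes the payload for an attribute.

        Offsets 63 and 66 bracket the attribute value "lol" in `<xml a="lol">`. The
        payload contains `<`, `'` and `"`, which must come out as `&lt;`, `&apos;`
        and `&quot;` so the injected value stays inside the attribute's quoting
        and the document remains well-formed. The mocked helpers' updateParameter
        is configured to raise UnsupportedOperationException (presumably to force
        the extension's own replacement path - confirm against
        ScannerInsertionPoint.buildRequest), and updateContentLength is stubbed to
        the identity, so the non-numeric Content-length placeholder is never read.
        """
        callbacks = GenericMock()

        request = String("POST / HTTP/1.1\r\nHost:lelele\r\nContent-length: lelel\r\n\r\n<xml a=\"lol\">whatever</xml>\r\n").getBytes()

        # NOTE(review): `raise` is a Python keyword, so an attribute assignment spelled
        # this way would not parse as written - confirm the attribute name GenericMock
        # actually exposes.
        callbacks.helpers.updateParameter.raise = UnsupportedOperationException

        sip = ScannerInsertionPoint(callbacks, request, "name", "value", IScannerInsertionPoint.INS_PARAM_XML_ATTR, 63, 66)
        sip.updateContentLength = lambda x: x

        ret = sip.buildRequest(String("evil <awfafw ''\"").getBytes())

        # assertIn reports the actual rebuilt request on failure instead of a bare
        # "False is not true".
        self.assertIn("<xml a=\"evil &lt;awfafw &apos;&apos;&quot;\">whatever</xml>", str(String(ret)))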
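    def testBuildRequestJsonNumbers(self):
        """
        buildRequest on an INS_PARAM_JSON point covering a bare number emits a quoted JSON string.

        Offsets 61 and 65 bracket the unquoted value 1234 in `{"param":1234}`.
        Replacing it with "lol" must yield `{"param":"lol"}` (quotes added), and a
        payload containing a double quote must have it escaped as `\\"` so the body
        is still valid JSON. The mocked helpers' updateParameter is configured to
        raise UnsupportedOperationException (presumably to force the extension's
        own replacement path - confirm against ScannerInsertionPoint.buildRequest);
        updateContentLength is stubbed to the identity.
        """
        callbacks = GenericMock()

        request = String("POST / HTTP/1.1\r\nHost:lelele\r\nContent-length: 16\r\n\r\n{\"param\":1234}\r\n").getBytes()

        # NOTE(review): `raise` is a Python keyword, so an attribute assignment spelled
        # this way would not parse as written - confirm the attribute name GenericMock
        # actually exposes.
        callbacks.helpers.updateParameter.raise = UnsupportedOperationException

        sip = ScannerInsertionPoint(callbacks, request, "name", "value", IScannerInsertionPoint.INS_PARAM_JSON, 61, 65)
        sip.updateContentLength = lambda x: x

        # assertIn reports the actual rebuilt request on failure instead of a bare
        # "False is not true".
        ret = sip.buildRequest(String("lol").getBytes())
        self.assertIn('{"param":"lol"}', str(String(ret)))

        ret = sip.buildRequest(String("herecomethe\"quotes").getBytes())
        self.assertIn('{"param":"herecomethe\\"quotes"}', str(String(ret)))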
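    def getInsertionPoints(self, request, onlyParameters):
        """
        Gets IScannerInsertionPoint for indicating active scan parameters. See https://portswigger.net/burp/extender/api/burp/IScannerInsertionPoint.html

        Uses a custom implementation of the IScannerInsertionPoint because the default helper function at `makeScannerInsertionPoint` doesn't let you specify the parameter type. The parameter type is necessary to perform modifications to the payload in order to perform proper injection, such as not using unescaped quotes when inserting into a JSON object as this will result in a syntax error.

        Args:
            request: the request to generate insertion points for.
            onlyParameters: whether to fuzz only get and body parameters. Doesn't fuzz cookies, path parameters nor headers. This saves time when running shelling which takes a long time due to a long payload list.

        Return:
            list: the IScannerInsertionPoint objects, in the order: Burp-analyzed
            parameters, then path segments, then headers (the last two only when
            onlyParameters is false).
        """
        parameters = request.repeatedAnalyzedRequest.parameters

        insertionPoints = []
        for parameter in parameters:

            # Cookies are the only Burp-analyzed parameter kind excluded in
            # parameters-only mode; path and header points are excluded by the
            # early return below.
            if parameter.type == IParameter.PARAM_COOKIE and onlyParameters:
                continue

            insertionPoints.append(ScannerInsertionPoint(
                self.callbacks, request.repeatedHttpRequestResponse.request,
                parameter.name, parameter.value, parameter.type,
                parameter.valueStart, parameter.valueEnd))

        if onlyParameters:
            return insertionPoints

        # Both helpers return lists, so extend them directly instead of
        # re-appending element by element.
        insertionPoints.extend(self.getPathInsertionPoints(request))
        insertionPoints.extend(self.getHeaderInsertionPoints(request))

        return insertionPoints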
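    def getHeaderInsertionPoints(self, request):
        """
        Gets header insertion points.

        This means that for a header like:

        ```
        GET / HTTP/1.1
        Host: header.com
        Random-header: lel-value

        ```

        It would generate two insertion points corresponding to the headers.

        The first entry of `headers` is the request line; it carries no header
        value and is skipped (path segments are handled by
        `getPathInsertionPoints`). Each header is split on its first ":" only,
        so a value that itself contains a colon (a host with a port, a URL in a
        Referer header) is covered entirely by the insertion point instead of
        being cut off at the second colon, and a line with no ":" at all is
        skipped rather than raising IndexError. Leading whitespace after the
        colon is excluded from the insertion point, however many characters it
        spans.

        Args:
            request: the request to analyze.

        Return:
            list: the IScannerInsertionPoint objects, one per header line.
        """
        headers = request.repeatedAnalyzedRequest.headers
        headerSeparator = ":"

        # NOTE(review): offsets are counted in characters of `header`; if headers
        # can carry non-ASCII text, byte offsets into the raw request may differ.
        # Confirm against how Burp exposes analyzed headers.
        lineStartOffset = 0
        insertionPoints = []
        for nb, header in enumerate(headers):

            # Every line advances the running offset, whether or not it yields
            # an insertion point, so keep this bookkeeping out of the branch.
            nextLineStartOffset = lineStartOffset + len(header) + len("\r\n")

            if nb > 0 and headerSeparator in header:
                # partition() splits on the first separator only, so colons
                # inside the value stay part of the value.
                headerName, _, rawValue = header.partition(headerSeparator)

                headerValue = rawValue.lstrip()
                # Count exactly what lstrip() removed so the start offset lands
                # on the first character of the value even when more than one
                # space (or a tab) follows the colon.
                leadingWhitespace = len(rawValue) - len(headerValue)

                startOffset = (lineStartOffset + len(headerName)
                               + len(headerSeparator) + leadingWhitespace)
                endOffset = startOffset + len(headerValue)

                insertionPoint = ScannerInsertionPoint(
                    self.callbacks,
                    request.repeatedHttpRequestResponse.request, headerName,
                    headerValue, IScannerInsertionPoint.INS_HEADER,
                    startOffset, endOffset)
                insertionPoints.append(insertionPoint)

            lineStartOffset = nextLineStartOffset

        return insertionPoints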
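    def getPathInsertionPoints(self, request):
        """
        Gets folder insertion points.

        This means that for a URL such as /folder/folder/file.php it would generate three insertion points: one for each folder and one for the filename.

        The request line is scanned character by character: the first "/" opens
        the first segment, each further "/" closes a folder segment, and the
        first " " or "?" closes the last segment, which is reported as the
        filename. A request line for the bare root path (" / ") yields no
        insertion points.

        Args:
            request: the request to generate the insertion points for.

        Return:
            list: the IScannerInsertionPoint objects.
        """
        firstLine = request.repeatedAnalyzedRequest.headers[0]
        insertionPoints = []

        # A bare "/" has no folder or filename to fuzz.
        if " / " in firstLine:
            return insertionPoints

        # NOTE(review): a proxy-style request line with an absolute URI
        # ("GET http://host/path HTTP/1.1") would treat the "//" of the scheme
        # as path separators and emit the host as a folder segment. Confirm
        # whether such request lines can reach this method.
        startOffset = None
        for offset, char in enumerate(firstLine):
            if char not in ("/", " ", "?"):
                continue

            if startOffset is None:
                # Nothing to emit before the path begins; the first "/" marks
                # the start of the first segment.
                if char == "/":
                    startOffset = offset + 1
                continue

            endOffset = offset
            value = firstLine[startOffset:endOffset]
            # "/" closes a folder; " " or "?" closes the final segment, which is
            # treated as the filename. (Named pointType to avoid shadowing the
            # builtin `type`.)
            if char == "/":
                pointType = IScannerInsertionPoint.INS_URL_PATH_FOLDER
            else:
                pointType = IScannerInsertionPoint.INS_URL_PATH_FILENAME

            insertionPoints.append(ScannerInsertionPoint(
                self.callbacks,
                request.repeatedHttpRequestResponse.request,
                "pathParam", value, pointType, startOffset, endOffset))
            startOffset = offset + 1

            # The query string and the protocol version are not path segments.
            if char in (" ", "?"):
                break

        return insertionPoints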