class BurpExtender(IBurpExtender, IHttpListener, IScannerCheck, IScannerListener, IScanIssue, ITab, IMessageEditorTab):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self.helpers = callbacks.getHelpers()
self._callbacks.setExtensionName("Suggester")
callbacks.registerHttpListener(self)
callbacks.registerScannerListener(self)
callbacks.registerScannerCheck(self)
callbacks.setProxyInterceptionEnabled(False)
############################
# add the custom tab and button to Burp's UI
self._newpanel = Panel()
self._newpanel.setLayout(FlowLayout())
callbacks.customizeUiComponent(self._newpanel)
callbacks.addSuiteTab(self)
return
### IScannerCheck ###
def doPassiveScan(self, baseRequestResponse):
# print "\n"
analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse()) # Returns IResponseInfo
analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse)
urlList = analyzedRequest.getUrl()
paramList = analyzedRequest.getParameters()
contenttypeList = analyzedRequest.getContentType()
issues = []
# print "\nURL:"
# print urlList
if self._callbacks.isInScope(urlList):
for param in paramList:
vulnparam=param.getName()
vulncheck(urlList, vulnparam)
# print "\nCT:"
# print contenttypeList
# print "-----------------------------------------------"
return
def getTabCaption(self):
'''Name of our tab'''
return "Suggester"
def getUiComponent(self):
'''return our panel'''
return self._newpanel
class GUI(Helpers):
def gui(self):
x = 10 # panel padding
y = 5 # panel padding
self.panel = Panel()
self.panel.setLayout(None)
self.scn_lbl = JLabel("Enable scanning")
self.scn_lbl.setBounds(x, y, 100, 20)
self.panel.add(self.scn_lbl)
self.enable = JCheckBox()
self.enable.setBounds(x + 120, y, 50, 20)
self.panel.add(self.enable)
self.rand_lbl = JLabel("Randomize payloads")
self.rand_lbl.setBounds(x, y + 15, 100, 20)
self.panel.add(self.rand_lbl)
self.randomize = JCheckBox()
self.randomize.setBounds(x + 120, y + 15, 50, 20)
self.panel.add(self.randomize)
self.pyld_lbl = JLabel("Payloads List (Line separated)")
self.pyld_lbl.setBounds(x, y + 30, 180, 20)
self.panel.add(self.pyld_lbl)
self.payloads_list = JTextArea()
self.pyld_scrl = JScrollPane(self.payloads_list)
self.pyld_scrl.setBounds(x, y + 50, 600, 200)
self.panel.add(self.pyld_scrl)
self.save_btn = JButton("Save", actionPerformed=self.save_settings)
self.save_btn.setBounds(x, y + 250, 100, 30)
self.panel.add(self.save_btn)
# Settings loader from [utils/Helpers/load_settings]
self.load_settings()
return self
class BurpExtender(IBurpExtender, ITab, IScannerCheck, IScannerInsertionPoint):
# definitions
EXTENSION_NAME="CustomScanner"
def registerExtenderCallbacks(self, callbacks):
# keep a reference to our callbacks object
self._callbacks = callbacks
# obtain an extension helpers object
self._helpers = callbacks.getHelpers()
# define stdout writer
self._stdout = PrintWriter(callbacks.getStdout(), True)
self._stdout.println(self.EXTENSION_NAME + ' by @luxcupitor')
self._stdout.println('================================')
self._stdout.println('')
self._stdout.println('TIP: Go to "Custom Scanner" tab and click "Execute on Proxy History"')
self._stdout.println('to run the scanner checks on recently imported session files.')
self._stdout.println('')
# set our extension name
callbacks.setExtensionName(self.EXTENSION_NAME)
callbacks.registerScannerCheck(self)
# add the custom tab and button to Burp's UI
self._newpanel = Panel()
self._newpanel.setLayout(FlowLayout())
self._button = JButton("Execute on Proxy History", actionPerformed=self.checkProxyHistory)
self._newpanel.add(self._button)
callbacks.customizeUiComponent(self._newpanel)
callbacks.addSuiteTab(self)
return
def getTabCaption(self):
'''Name of our tab'''
return self.EXTENSION_NAME
def getUiComponent(self):
'''return our panel and button we setup'''
return self._newpanel
def checkProxyHistory(self,msg):
'''This is what gets executed when the button in our panel is clicked'''
for proxyitem in self._callbacks.getProxyHistory():
self.logScanIssue(proxyitem)
return
def getMatches(self, response, match):
'''This finds our pattern match in the request/response and returns an int array'''
start = 0
count = 0
matches = [array('i')]
while start < len(response):
start=self._helpers.indexOf(response, match, True, start, len(response))
if start == -1:
break
try:
matches[count]
except:
matches.append(array('i'))
matches[count].append(start)
matches[count].append(start+len(match))
start += len(match)
count += 1
return matches
def doPassiveScan(self, baseRequestResponse):
'''This sets up our custom check and returns the issue a list array'''
PATTERN="secretdata"
ISSUE_NAME="Pattern found in HTTP Response"
ISSUE_DETAIL="HTTP Response contains this pattern: " + PATTERN
ISSUE_BACKGROUND="The web site has exposed sensitive information"
REMEDIATION_BACKGROUND="Sensitive information"
REMEDIATION_DETAIL="Ensure sensitive information is only shown to authorized users"
SEVERITY="Information"
CONFIDENCE="Certain"
issue = list()
match = self.getMatches(baseRequestResponse.getResponse(), PATTERN)
if len(match) > 0:
httpmsgs = [self._callbacks.applyMarkers(baseRequestResponse,None,match)]
issue.append(ScanIssue(baseRequestResponse.getHttpService(), self._helpers.analyzeRequest(baseRequestResponse).getUrl(), httpmsgs, ISSUE_NAME, ISSUE_DETAIL, SEVERITY, CONFIDENCE, REMEDIATION_DETAIL, ISSUE_BACKGROUND, REMEDIATION_BACKGROUND))
return issue
def logScanIssue(self, baseRequestResponse):
'''This is redundant (mostly) of the doPassiveScan function'''
PATTERN="BEEFSESSION"
ISSUE_NAME="Pattern found in Cookie header"
ISSUE_DETAIL="HTTP Request contains this pattern: " + PATTERN
ISSUE_BACKGROUND="The web browser might be hooked with BeEF"
REMEDIATION_BACKGROUND="Potential XSS Zombie"
REMEDIATION_DETAIL="Ensure this was from you"
SEVERITY="High"
CONFIDENCE="Tentative"
for header in self._helpers.analyzeRequest(baseRequestResponse).getHeaders():
if "Cookie:" in header and PATTERN in header:
match = self.getMatches(baseRequestResponse.getRequest(), PATTERN)
httpmsgs = [self._callbacks.applyMarkers(baseRequestResponse,match,None)]
issue=ScanIssue(baseRequestResponse.getHttpService(), self._helpers.analyzeRequest(baseRequestResponse).getUrl(), httpmsgs, ISSUE_NAME, ISSUE_DETAIL, SEVERITY, CONFIDENCE, REMEDIATION_DETAIL, ISSUE_BACKGROUND, REMEDIATION_BACKGROUND)
self._callbacks.addScanIssue(issue)
return
def doActiveScan(self, baseRequestResponse, insertionPoint):
INJECTION="id"
PATTERN="uid="
ISSUE_NAME="Command Injection"
ISSUE_DETAIL="Vulnerable to command injection"
ISSUE_BACKGROUND="The web site has responded to command injection attempt"
REMEDIATION_BACKGROUND="Sanitize all inputs"
REMEDIATION_DETAIL="Assume all client supplied inputs are bad."
SEVERITY="High"
CONFIDENCE="Certain"
issue = list()
checkRequest = insertionPoint.buildRequest(INJECTION)
checkRequestResponse = self._callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest)
match = self.getMatches(checkRequestResponse.getResponse(), PATTERN)
if len(match) > 0:
requestHighlights = [insertionPoint.getPayloadOffsets(INJECTION)]
httpmsgs = [self._callbacks.applyMarkers(checkRequestResponse, requestHighlights, match)]
issue.append(ScanIssue(baseRequestResponse.getHttpService(), self._helpers.analyzeRequest(baseRequestResponse).getUrl(), httpmsgs,ISSUE_NAME, ISSUE_DETAIL, SEVERITY, CONFIDENCE, REMEDIATION_DETAIL, ISSUE_BACKGROUND, REMEDIATION_BACKGROUND))
return issue
