From ba7ca92f55ebc21795ecd8519c9c487566c9a527 Mon Sep 17 00:00:00 2001 From: Johannes Snyman Date: Thu, 23 Nov 2017 09:59:36 +0200 Subject: [PATCH] JS: Changes to fix and improve scanning --- src/main/java/burp/BurpExtender.java | 72 +++++++++++++-------------- src/main/java/burp/RequestSender.java | 48 +++++++++--------- 2 files changed, 58 insertions(+), 62 deletions(-) diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java index fc0d0a1..5f612cd 100644 --- a/src/main/java/burp/BurpExtender.java +++ b/src/main/java/burp/BurpExtender.java @@ -3,6 +3,7 @@ import javax.swing.*; import java.awt.event.ActionEvent; import java.awt.event.ActionListener; +import java.io.IOException; import java.util.*; import java.util.concurrent.*; @@ -42,20 +43,10 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks iBurpExtenderCallba helpers = iBurpExtenderCallbacks.getHelpers(); } - private List runScannerForRequest(IHttpRequestResponse iHttpRequestResponse) { + private void runScannerForRequest(IHttpRequestResponse iHttpRequestResponse) { + print("runScannerForRequest"); ExecutorService service = Executors.newFixedThreadPool(1); - Future> task = service.submit(new ScannerThread(iHttpRequestResponse)); - List result = null; - - try { - result = task.get(); - } catch(final InterruptedException ex) { - ex.printStackTrace(); - } catch(final ExecutionException ex) { - ex.printStackTrace(); - } - - return result; + service.execute(new ScannerThread(iHttpRequestResponse)); } /** @@ -94,11 +85,7 @@ class MenuItemListener implements ActionListener { @Override public void actionPerformed(ActionEvent e) { for (IHttpRequestResponse message : arr) { - List result = runScannerForRequest(message); - - if (result != null) { - callbacks.addScanIssue(result.get(0)); - } + runScannerForRequest(message); } } } @@ -113,7 +100,8 @@ public List doPassiveScan(IHttpRequestResponse iHttpRequestResponse) @Override public List doActiveScan(IHttpRequestResponse iHttpRequestResponse, IScannerInsertionPoint iScannerInsertionPoint) { - return runScannerForRequest(iHttpRequestResponse); + runScannerForRequest(iHttpRequestResponse); + return new ArrayList<>(); } @Override @@ -123,42 +111,50 @@ public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIs } } - class ScannerThread implements Callable> { + class ScannerThread implements Runnable { - private List result = null; private IHttpRequestResponse reqRes; ScannerThread(IHttpRequestResponse reqRes) { this.reqRes = reqRes; } - public List call() { - // Test One: Does appending to the URL return a similar response. - if (RequestSender.initialTest(reqRes)) { - Set fileTypesCached = new HashSet<>(); + @Override + public void run() { + try { + print("run"); - // Test two: Check if caching is done by file type - for (String ext : RequestSender.INITIAL_TEST_EXTENSIONS) { - if (RequestSender.getFileTypeCached(reqRes, ext)) { - fileTypesCached.add(ext); - } - } + // Test One: Does appending to the URL return a similar response. + if (RequestSender.initialTest(reqRes)) { + Set fileTypesCached = new HashSet<>(); - if (fileTypesCached.size() != 0) { - for (String ext : RequestSender.OTHER_TEST_EXTENSIONS) { + // Test two: Check if caching is done by file type + for (String ext : RequestSender.INITIAL_TEST_EXTENSIONS) { if (RequestSender.getFileTypeCached(reqRes, ext)) { fileTypesCached.add(ext); } } - WebCacheIssue issue = new WebCacheIssue(reqRes); - issue.setVulnerableExtensions(fileTypesCached); + if (fileTypesCached.size() > 0) { + for (String ext : RequestSender.OTHER_TEST_EXTENSIONS) { + if (RequestSender.getFileTypeCached(reqRes, ext)) { + fileTypesCached.add(ext); + } + } + + WebCacheIssue issue = new WebCacheIssue(reqRes); + issue.setVulnerableExtensions(fileTypesCached); + callbacks.addScanIssue(issue); + } + } - return Arrays.asList(issue); + } catch (Throwable t) { + try { + callbacks.getStderr().write(t.toString().getBytes()); + } catch (IOException ioe) { + print(t.toString()); } } - - return result; } } } diff --git a/src/main/java/burp/RequestSender.java b/src/main/java/burp/RequestSender.java index ce6bb67..b8d7c2a 100644 --- a/src/main/java/burp/RequestSender.java +++ b/src/main/java/burp/RequestSender.java @@ -16,9 +16,9 @@ class RequestSender { private final static String WORD = "test"; protected final static String[] INITIAL_TEST_EXTENSIONS = {"css", "jpg", "js"}; - protected final static String[] OTHER_TEST_EXTENSIONS = {"html", "htm", "gif", "png", "cgi", "pl", "java", "class", - "php", "php3", "shtm", "shtml", "cfm", "cfml", "doc", "log", "txt", "csv", "ppt", "m4a", "mid", "mp3", "flv", - "m4v", "mov", "tif", "svg", "pdf", "xls", "sql", "bat", "exe", "jsp", "asp", "aspx", "jpeg"}; + protected final static String[] OTHER_TEST_EXTENSIONS = {"html", "gif", "png", "svg", "php", "txt", "pdf", "jsp", "asp"}; +// , "php3", "shtm", "shtml", "cfm", "cfml", "doc", "log", "csv", "ppt", "m4a", "mid", "mp3", "flv", +// "m4v", "mov", "tif", "xls", "sql", "bat", "exe",, "aspx", "jpeg", "htm", "cgi", "pl", "java", "class"}; private static byte[] orgResponse; @@ -29,47 +29,48 @@ class RequestSender { * @return */ protected static boolean initialTest(IHttpRequestResponse message) { - // Send the original request again + // Send the original request again, to get the response byte[] orgRequest = buildHttpRequest(message, null, null, true); - orgResponse = retrieveResponseBody(message.getHttpService(), orgRequest, true); + orgResponse = retrieveResponseBody(message.getHttpService(), orgRequest); // Send an unauthenticated - to root out fp's. Unauthenticated should not be the same as original byte[] unAuthedRequest = buildHttpRequest(message, null, null, false); - byte[] unAuthedResponse = retrieveResponseBody(message.getHttpService(), unAuthedRequest, false); + byte[] unAuthedResponse = retrieveResponseBody(message.getHttpService(), unAuthedRequest); // Test that the original request and an unauthenticated request do not get the same response. // Same here is similar, according to the thresholds set - boolean authed = testSimilar(new String(orgResponse), new String(unAuthedResponse)); - if (authed) { - BurpExtender.print("Request not vulnerable"); + boolean unauthed = testSimilar(new String(orgResponse), new String(unAuthedResponse)); + if (unauthed) { + BurpExtender.print("Request not vulnerable, no auth: "); return false; } // Send with /test appended, check that everything after is ignored byte[] testRequest = buildHttpRequest(message, WORD, null, true); - byte[] testResponse = retrieveResponseBody(message.getHttpService(), testRequest, true); + byte[] testResponse = retrieveResponseBody(message.getHttpService(), testRequest); boolean append = testSimilar(new String(orgResponse), new String(testResponse)); if (!append) { - BurpExtender.print("Request not vulnerable."); + BurpExtender.print("Request not vulnerable, appending to end not similar."); } return append; } - protected static boolean getFileTypeCached(IHttpRequestResponse message, String extension) { + protected static boolean getFileTypeCached(IHttpRequestResponse message, String ext) { // Send with extension, potentially create cached version of resource - byte[] extRequest = buildHttpRequest(message, WORD, extension, true); - byte[] extResponse = retrieveResponseBody(message.getHttpService(), extRequest, false); + byte[] extRequest = buildHttpRequest(message, WORD, ext, true); + byte[] extResponse = retrieveResponseBody(message.getHttpService(), extRequest); // Send an unauthenticated, test if vulnerable - byte[] vulRequest = buildHttpRequest(message, WORD, extension, false); - byte[] vulResponse = retrieveResponseBody(message.getHttpService(), vulRequest, false); + byte[] vulRequest = buildHttpRequest(message, WORD, ext, false); + byte[] vulResponse = retrieveResponseBody(message.getHttpService(), vulRequest); - boolean eq = testSimilar(new String(extResponse), new String(vulResponse)); //= new String(extResponse).equals(new String(vulResponse)); + boolean eq = testSimilar(new String(extResponse), new String(vulResponse)); if (!eq) { - BurpExtender.print("Request is not vulnerable."); + BurpExtender.print(ext + " cached adding extension to list"); + } else { + BurpExtender.print("Request is not vulnerable, no caching."); } - return eq; } @@ -132,14 +133,14 @@ private static byte[] buildHttpRequest(final IHttpRequestResponse reqRes, final return result; } - private static byte[] retrieveResponseBody(IHttpService service, byte[] request, boolean checkResponseCode) { + private static byte[] retrieveResponseBody(IHttpService service, byte[] request) { byte[] result = null; IHttpRequestResponse test = BurpExtender.getCallbacks().makeHttpRequest(service, request); byte[] res = test.getResponse(); IResponseInfo responseInfo = BurpExtender.getHelpers().analyzeResponse(res); - if (checkResponseCode && responseInfo.getStatusCode() == 200) { + if (responseInfo.getBodyOffset() > 0) { int len = res.length - responseInfo.getBodyOffset(); result = new byte[len]; System.arraycopy(res, responseInfo.getBodyOffset(), result, 0, len); @@ -196,8 +197,7 @@ private static String createNewUrl(String url, String additional, String extensi } /** - * Testing if the responses of two requests are similar. This is the not the same as the same, rather there is a - * threshold set in the static parameters of the class. + * Testing if the responses of two requests are similar. This is the not the same as equals, but below a static threshold * @param firstString * @param secondString * @return Test if similar @@ -208,7 +208,7 @@ private static boolean testSimilar(String firstString, String secondString) { int levenDist = StringUtils.getLevenshteinDistance(firstString, secondString); // BurpExtender.print("============================================"); -// BurpExtender.print("Fuzzy Distance:" + fuzzyDist); +// BurpExtender.print(" Fuzzy Distance:" + fuzzyDist); // BurpExtender.print(" Jaro Winkler Distance:" + jaroDist); // BurpExtender.print(" Levenshtein Distance:" + levenDist); // BurpExtender.print("============================================");