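/**
 * Builds the HTML phrase that names the kind of Collaborator interaction observed.
 *
 * <p>The phrase ends with a trailing space so the caller can append the subdomain directly.
 * For DNS interactions the {@code query_type} property is concatenated into the markup as-is.
 *
 * @param event the Collaborator interaction to describe
 * @return an HTML fragment for an HTTP request, a DNS lookup, or an unknown interaction
 */
private String eventDescription(IBurpCollaboratorInteraction event) {
    // Read the property once and compare from the constant side: an absent (null) type then
    // falls through to the generic wording instead of throwing a NullPointerException.
    String type = event.getProperty("type");
    if ("http".equalsIgnoreCase(type)) {
        return "an <strong>HTTP</strong> request to the Collaborator server using the subdomain ";
    } else if ("dns".equalsIgnoreCase(type)) {
        // NOTE(review): query_type is placed in the markup unescaped; presumably it is a fixed
        // record-type token produced by the Collaborator server — confirm.
        return "a <strong>DNS</strong> lookup of type <strong>" + event.getProperty("query_type") + "</strong> to the Collaborator server subdomain ";
    } else {
        return "an unknown interaction with the Collaborator server using the subdomain ";
    }
}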
// processInteraction: turns one Collaborator interaction into a Burp scan issue titled
// "Collaborator Pingback (<type>): <payload type>".
// NOTE(review): this listing is an excerpt. The declarations of message, decodedDetail and reqInfo,
// some intermediate checks and the closing braces are not shown, so it does not compile as printed.
// Visible flow: read interaction_id, log every property through Utilities.out, look up the recorded
// request (collab.getRequest) and payload type (collab.getType), then assemble the HTML detail.
// rawDetail is taken from "request" and, when that is null, from "conversation" / "raw_query"
// (the checks between those two assignments are presumably among the omitted lines).
// Severity starts at "High" and is set to "Low" when collab.isClientIP(client_ip) is true.
// (int) (mill / 1000) % 60 casts first and then takes the remainder of the elapsed seconds.
// NOTE(review): new SimpleDateFormat(pattern) parses "MMM" with the JVM default locale; if time_stamp
// uses English month names (presumably), parsing can fail under another default locale — pass an explicit Locale.
// NOTE(review): decodedDetail.replace("<", "<") is a no-op as printed, probably an "&lt;" entity lost when
// the page was rendered. As shown, interaction content reaches the <pre> block with '<' unescaped;
// HTML-escape it before embedding.
// NOTE(review): interaction.getProperties().toString() is appended to the issue detail without escaping as well.
private void processInteraction(IBurpCollaboratorInteraction interaction) { String id = interaction.getProperty("interaction_id"); Utilities.out("Got an interaction:"+interaction.getProperties()); MetaRequest metaReq = collab.getRequest(id); IHttpRequestResponse req = metaReq.getRequest(); String type = collab.getType(id); String severity = "High"; String ipAddress = interaction.getProperty("client_ip"); String rawDetail = interaction.getProperty("request"); if (rawDetail == null) { rawDetail = interaction.getProperty("conversation"); rawDetail = interaction.getProperty("raw_query"); long interactionTime = new SimpleDateFormat("yyyy-MMM-dd HH:mm:ss z").parse(interaction.getProperty("time_stamp")).getTime(); long mill = interactionTime - metaReq.getTimestamp(); int seconds = (int) (mill / 1000) % 60; if (collab.isClientIP(interaction.getProperty("client_ip"))) { message += "<b>This interaction appears to have been issued by your IP address</b><br/><br/>"; severity = "Low"; message += "<pre> "+decodedDetail.replace("<", "<").replace("\n", "\n ")+"</pre>"; message += "The payload was sent at "+new Date(metaReq.getTimestamp()).toString() + " and received on " + interaction.getProperty("time_stamp") +"<br/><br/>"; new CustomScanIssue(req.getHttpService(), reqInfo.getUrl(), new IHttpRequestResponse[]{req}, "Collaborator Pingback ("+interaction.getProperty("type")+"): "+type, message+interaction.getProperties().toString(), severity, "Certain", "Panic"));
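/**
 * Returns the HTML wording for the kind of Collaborator interaction that was received.
 *
 * <p>Each variant ends with a space because the caller appends the subdomain right after it.
 *
 * @param event the Collaborator interaction being reported
 * @return HTML text for an HTTP request, a DNS lookup (including its {@code query_type}),
 *     or a generic fallback for any other or missing type
 */
private String eventDescription(IBurpCollaboratorInteraction event) {
    // A single lookup, compared constant-first, so a missing "type" property yields the
    // generic wording rather than a NullPointerException.
    final String kind = event.getProperty("type");

    if ("http".equalsIgnoreCase(kind)) {
        return "an <strong>HTTP</strong> request to the Collaborator server using the subdomain ";
    }
    if ("dns".equalsIgnoreCase(kind)) {
        // NOTE(review): query_type goes into the markup without HTML escaping — confirm it can
        // only hold a record-type token.
        return "a <strong>DNS</strong> lookup of type <strong>" + event.getProperty("query_type") + "</strong> to the Collaborator server subdomain ";
    }
    return "an unknown interaction with the Collaborator server using the subdomain ";
}
// Extra closing brace from the original listing; presumably it ends the enclosing class,
// whose header is not part of this excerpt.
}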
/**
 * Renders the HTML issue detail for an HTTPoxy finding confirmed by a Collaborator interaction.
 *
 * <p>The payload and the interaction properties ({@code interaction_id}, {@code type},
 * {@code client_ip}, {@code time_stamp}) are inserted into the markup exactly as received;
 * no HTML escaping is applied here.
 *
 * @param payload the header that was sent to the application
 * @param event the Collaborator interaction that confirmed the issue
 * @return the issue detail as an HTML string
 */
private String buildIssueDetail(String payload, IBurpCollaboratorInteraction event) {
    StringBuilder detail = new StringBuilder();

    // What was found and which header triggered it.
    detail.append("The application is vulnerable to HTTPoxy attacks.<br><br>");
    detail.append("The header <strong>").append(payload).append("</strong> was sent to the application.<br><br>");

    // What the application did in response.
    detail.append("The application made ").append(eventDescription(event));
    detail.append("<strong>").append(event.getProperty("interaction_id")).append("</strong>.<br><br>");

    // Where and when the interaction was observed.
    detail.append("The ").append(interactionType(event.getProperty("type")));
    detail.append(" was received from the IP address ").append(event.getProperty("client_ip"));
    detail.append(" at ").append(event.getProperty("time_stamp")).append(".");

    return detail.toString();
}
/**
 * Assembles the HTML text shown as the detail of an HTTPoxy scan issue.
 *
 * <p>The text has four parts: the finding, the header that was sent, the interaction the
 * application made, and the source address and time of that interaction. All values are
 * concatenated into the markup unescaped.
 *
 * @param payload the header that was sent to the application
 * @param event the Collaborator interaction backing the finding
 * @return the issue detail as an HTML string
 */
private String buildIssueDetail(String payload, IBurpCollaboratorInteraction event) {
    String finding = "The application is vulnerable to HTTPoxy attacks.<br><br>";

    String sentHeader = "The header <strong>" + payload + "</strong> was sent to the application.<br><br>";

    String observed = "The application made " + eventDescription(event)
            + "<strong>" + event.getProperty("interaction_id") + "</strong>.<br><br>";

    String origin = "The " + interactionType(event.getProperty("type"))
            + " was received from the IP address " + event.getProperty("client_ip")
            + " at " + event.getProperty("time_stamp") + ".";

    return finding + sentHeader + observed + origin;
}
// Appends one <li> entry per Collaborator interaction to the HTML list being built in `list`.
// NOTE(review): this listing is an excerpt. The body of the HTTP branch, the start of the else branch
// and the closing braces are not shown, so it does not compile as printed.
// Visible behaviour: a DNS interaction is described with its query_type and desc becomes "DNS lookup";
// the entry then names the interaction_id, the source client_ip and the time_stamp.
// NOTE(review): type.equalsIgnoreCase(...) throws NullPointerException if the "type" property is absent —
// confirm getProperty cannot return null here, or compare constant-first.
// NOTE(review): the property values are appended to the markup without HTML escaping.
for (IBurpCollaboratorInteraction event : events) { list.append("<li>The application made "); String type = event.getProperty("type"); String desc; if (type.equalsIgnoreCase("http")) { } else if (type.equalsIgnoreCase("dns")) { list.append("a <b>DNS</b> lookup of type <b>") .append(event.getProperty("query_type")).append("</b> to"); desc = "DNS lookup"; } else { .append(event.getProperty("interaction_id")).append("</b>. The ") .append(desc).append(" was received from the IP address ") .append(event.getProperty("client_ip")).append(" at ") .append(event.getProperty("time_stamp")).append(".</li>");
// Builds the issueDetails HTML for one Collaborator interaction, switching on its "type" property.
// NOTE(review): this listing is an excerpt. The case labels, the declarations of issueDetails,
// localTimestamp, from, to and message, and the end of the last statement are not shown.
// The originating request is looked up under the key "<interaction_id>.<collaborator server location>".
// The DNS raw_query and the HTTP request/response are shown still Base64-encoded; only the
// "conversation" property is decoded.
// NOTE(review): new SimpleDateFormat(pattern) uses the JVM default locale for "MMM"; if time_stamp carries
// English month names (presumably), pass an explicit Locale so parsing does not depend on the host.
// NOTE(review): new String(byte[]) decodes with the platform default charset; name the charset explicitly.
// NOTE(review): Base64.getDecoder().decode(...) throws IllegalArgumentException on malformed input and
// NullPointerException when the property is null — confirm the caller handles both.
// NOTE(review): from, to and message (presumably parsed from decodedConversation) come from whoever
// contacted the Collaborator server and are concatenated into the HTML unescaped; escape them before embedding.
String interactionId = interaction.getProperty("interaction_id"); IHttpRequestResponse requestResponse = processedRequestResponse.get(interactionId + "." + collaboratorContext.getCollaboratorServerLocation()); String dateStr = interaction.getProperty("time_stamp"); SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MMM-dd HH:mm:ss z"); TimeZone tz = TimeZone.getDefault(); switch (interaction.getProperty("type")) { issueDetails = "The Collaborator server received a DNS lookup of type " + interaction.getProperty("query_type") + " for the domain name " + interaction.getProperty("interaction_id") + "." + collaboratorContext.getCollaboratorServerLocation() + "<br /><br />" + "The lookup was received from IP address " + interaction.getProperty("client_ip") + " at " + localTimestamp + "<br /><br />" + "DNS query (encoded in Base64)<br />" + interaction.getProperty("raw_query"); break; issueDetails = "The Collaborator server received an HTTP request for the domain name " + interaction.getProperty("interaction_id") + "." + collaboratorContext.getCollaboratorServerLocation() + ".<br /><br />The request was received from IP address " + interaction.getProperty("client_ip") + " at " + localTimestamp + "<br /><br />" + "Request to collaborator (encoded in Base64)<br />" + interaction.getProperty("request") + "<br /><br />" + "Response from collaborator (encoded in Base64)<br />" + interaction.getProperty("response"); String decodedConversation = new String(Base64.getDecoder().decode(interaction.getProperty("conversation"))); interaction.getProperty("client_ip") + " at " + localTimestamp + "<br /><br />" + "The email details were:<br /><br />From:<br />" + from + "<br /><br />To:<br />" + to + "<br /><br />Message:<br />" + message + "<br /><br />" +
/**
 * Handle Collaborator server interactions for this module.
 *
 * <p>The interaction's {@code interaction_id} is compared with the Collaborator id of each
 * tracked record. For the first matching record a scan issue is created and registered with
 * Burp. If creating or registering the issue throws, only the exception message is written to
 * the debug log and the interaction still counts as handled.
 *
 * @param interaction The Collaborator interaction object.
 * @return True if the interaction was generated and handled by this module.
 */
public boolean handleCollaboratorInteraction(IBurpCollaboratorInteraction interaction) {
    final String wantedId = interaction.getProperty("interaction_id");

    // Find the first record that this module registered under the reported id.
    CollaboratorRecord owner = null;
    for (CollaboratorRecord candidate : _collabRecords) {
        if (candidate.getCollaboratorId().equals(wantedId)) {
            owner = candidate;
            break;
        }
    }
    if (owner == null) {
        return false;
    }

    try {
        _callbacks.addScanIssue(createCollaboratorIssue(owner, interaction));
    } catch (Exception ex) {
        // Best effort: a reporting failure is logged, not propagated.
        dbgLog("FreddyModuleBase[" + _targetName + "]::handleCollaboratorInteraction() exception: " + ex.getMessage());
    }
    return true;
}
/**
 * Creates the correlator: empty lookup tables, a Burp Collaborator client context, and a
 * best-effort set of the client IP addresses under which this machine reaches the
 * Collaborator server.
 *
 * <p>To learn those addresses the constructor generates a Collaborator payload, sends a plain
 * HTTP request to it (port 80, HTTPS flag {@code false}), and records the {@code client_ip}
 * of every interaction fetched for that payload. A failure is reported through
 * {@code Utilities.out} and construction continues with whatever was collected.
 */
Correlator() {
    // Lookup tables start out empty.
    requests = new HashMap<>();
    idToRequestID = new HashMap<>();
    burpIdToRequestID = new HashMap<>();
    idToType = new HashMap<>();

    collab = Utilities.callbacks.createBurpCollaboratorClientContext();
    client_ips = new HashSet<>();

    try {
        // Self-probe: contact our own payload host, then read back who the server saw.
        final String probeHost = collab.generatePayload(true);
        final String probeRequest = "GET / HTTP/1.1\r\nHost: " + probeHost + "\r\n\r\n";
        Utilities.callbacks.makeHttpRequest(probeHost, 80, false, probeRequest.getBytes());

        for (IBurpCollaboratorInteraction seen : collab.fetchCollaboratorInteractionsFor(probeHost)) {
            client_ips.add(seen.getProperty("client_ip"));
        }
        Utilities.out("Calculated your IPs: " + client_ips.toString());
    } catch (NullPointerException e) {
        Utilities.out("Unable to calculate client IP - collaborator may not be functional");
    } catch (java.lang.IllegalArgumentException e) {
        Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
    }
}
// Reads the interaction id, then walks pendingCollaboratorIssues with an explicit Iterator.
// NOTE(review): the loop body is not part of this excerpt. The explicit Iterator is presumably there
// so that a matched entry can be removed with iterator.remove() during the walk — confirm.
String interactionId = interaction.getProperty("interaction_id"); for (Iterator<PendingCollaboratorIssue> iterator = pendingCollaboratorIssues.iterator(); iterator.hasNext();)
"Collaborator interaction if it were unsecurely deserialized using the <strong>" + _targetName + "</strong> library/API. This resulted in a "; if (interaction.getProperty("type").equalsIgnoreCase("dns")) { issueDescription += "DNS " + interaction.getProperty("query_type") + " query for " + record.getHostname(); } else { issueDescription += "HTTP request to " + interaction.getProperty("protocol") + "://" + record.getHostname();
// NOTE(review): this listing joins two overlapping fragments and both string concatenations are cut off,
// so it does not compile as printed.
// Visible behaviour: for each Collaborator interaction whose "type" is "http" (compared case-insensitively),
// an attackDetails HTML string is started that names the payload or the insertion point.
// NOTE(review): type.equalsIgnoreCase("http") throws NullPointerException if the "type" property is absent.
// NOTE(review): payload and insertionPoint.getInsertionPointName() are placed between <b> tags without
// HTML escaping — confirm neither can carry markup, or escape them.
String type = collaboratorInteraction.getProperty("type"); if (type.equalsIgnoreCase("http")) { String attackDetails = "The web server receives a URL <b> " + payload + " </b> " + if (!collaboratorInteractions.isEmpty()) { for (IBurpCollaboratorInteraction collaboratorInteraction : collaboratorInteractions) { String type = collaboratorInteraction.getProperty("type"); if (type.equalsIgnoreCase("http")) { String attackDetails = "The web server receives a URL at <b> " + insertionPoint.getInsertionPointName().toString() +