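/**
 * Returns the value of the first response header whose name equals {@code headerName}.
 *
 * <p>The name comparison ignores case and any colon in {@code headerName}. Each header
 * line is cut at its first colon only, so values that contain colons themselves (a URL in
 * {@code Location}, a timestamp, a CSP source list) are returned whole instead of being
 * truncated. Lines without a colon, such as the status line, are skipped rather than
 * raising an {@link ArrayIndexOutOfBoundsException}.
 *
 * @param responseInfo parsed response whose header lines are searched
 * @param headerName   header name to look up, with or without a trailing colon
 * @return the text after the first colon exactly as received (not trimmed), or
 *         {@code null} when no header has that name
 */
public static String getResponseHeaderValue(IResponseInfo responseInfo, String headerName) {
    String wanted = headerName.replace(":", "").trim();
    for (String header : responseInfo.getHeaders()) {
        int colon = header.indexOf(':');
        if (colon < 0) {
            continue; // status line or malformed line: no name/value pair to read
        }
        // Compare the whole name. A prefix test would let "content-security-policy" match
        // "Content-Security-Policy-Report-Only", so a check could read the wrong policy.
        if (header.substring(0, colon).trim().equalsIgnoreCase(wanted)) {
            return header.substring(colon + 1);
        }
    }
    return null;
}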
/**
 * Looks up a response header by exact, case-insensitive name.
 *
 * @param resp       parsed response whose header lines are searched
 * @param headerName name of the header, without the colon
 * @return the trimmed text after the first colon of the first matching line, or
 *         {@code null} when no line has that name
 */
public static String getHeaderValue(IResponseInfo resp, String headerName) {
    for (String line : resp.getHeaders()) {
        // Limit 2 keeps colons inside the value (URLs, timestamps) intact.
        String[] nameAndValue = line.split(":", 2);
        boolean isPair = nameAndValue.length == 2;
        if (isPair && nameAndValue[0].toLowerCase().equals(headerName.toLowerCase())) {
            return nameAndValue[1].trim();
        }
    }
    return null;
}
/**
 * Extracts the media subtype from the response's Content-Type header line.
 *
 * <p>The result is the text between the first {@code /} and the first {@code ;} of the
 * header line, or everything after the {@code /} when no usable {@code ;} follows it.
 * When several lines start with {@code content-type}, the last one wins.
 *
 * @param analyzeResponse parsed response whose header lines are searched
 * @return the subtype text as found in the header (not trimmed), or {@code null} when no
 *         header line starts with {@code content-type}
 */
public static String getFileType(IResponseInfo analyzeResponse) {
    // NOTE(review): the value is server-controlled; if it is later used as a file
    // extension or path component, restrict it to an allow-list at that point.
    String subtype = null;
    for (String line : analyzeResponse.getHeaders()) {
        if (!line.toLowerCase().startsWith("content-type")) {
            continue;
        }
        int begin = line.indexOf("/") + 1;
        int semicolon = line.indexOf(";");
        // A missing ';' (or one that precedes the '/') means: take the rest of the line.
        subtype = begin <= semicolon ? line.substring(begin, semicolon) : line.substring(begin);
    }
    return subtype;
}
/**
 * Collects the response's CSP-related headers.
 *
 * @param response parsed response whose header lines are searched
 * @return a map from the matching {@code CSP_HEADERS} entry to the text after the first
 *         colon of the header line (not trimmed); empty when nothing matches
 */
public static Map<String,String> getCspHeader(IResponseInfo response) {
    // NOTE(review): matching is by prefix. If CSP_HEADERS holds bare names, the entry
    // "content-security-policy" would also match a "Content-Security-Policy-Report-Only"
    // line and store the report-only policy under the enforcing key — confirm against
    // the CSP_HEADERS definition. A repeated header also overwrites the earlier value.
    Map<String,String> found = new HashMap<>();
    for (String line : response.getHeaders()) {
        String lowered = line.toLowerCase();
        for (String cspName : CSP_HEADERS) {
            if (!lowered.startsWith(cspName)) {
                continue;
            }
            String[] nameAndValue = line.split(":", 2);
            if (nameAndValue.length > 1) {
                found.put(cspName, nameAndValue[1]);
            }
        }
    }
    return found;
}
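/**
 * Returns the length of the response body in bytes.
 *
 * <p>The declared {@code Content-Length} of the first such header is used when it parses
 * as a non-negative integer. Otherwise the length is measured from the raw response. The
 * declared value comes from the remote server and is not checked against the bytes
 * actually received, so callers should not size buffers from it.
 *
 * @param responseInfo parsed response providing the header lines and the body offset
 * @param response     raw response bytes
 * @return the declared or measured body length, never negative
 */
public static int getResponseBodyLength(IResponseInfo responseInfo, byte[] response) {
    for (String header : responseInfo.getHeaders()) {
        if (header.toLowerCase().startsWith("content-length:")) {
            String declared = header.substring(header.indexOf(":") + 1).trim();
            try {
                int length = Integer.parseInt(declared);
                if (length >= 0) {
                    return length;
                }
            } catch (NumberFormatException ignored) {
                // Malformed or out-of-range value sent by the server: measure instead of
                // letting the exception abort the caller.
            }
            break;
        }
    }
    // No usable Content-Length header, so measure the body. Count bytes rather than
    // decoding to a String: the body offset is a byte offset, and decoding with the
    // platform charset changes the character count for multi-byte or invalid sequences.
    return Math.max(0, response.length - responseInfo.getBodyOffset());
}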
/**
 * Returns the header lines of the current message.
 *
 * @return the headers parsed from {@code message} as a request or a response, depending
 *         on {@code isRequest}; a new empty list when {@code message} is {@code null}
 */
protected List<String> getHeaders() {
    if (message == null) {
        return new ArrayList<String>();
    }
    return isRequest
            ? helpers.analyzeRequest(message).getHeaders()
            : helpers.analyzeResponse(message).getHeaders();
}
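/**
 * Returns the value of the first header named {@code headerName} in the request or the
 * response of {@code messageInfo}.
 *
 * <p>The name comparison ignores case and any colon in {@code headerName}. Each line is
 * cut at its first colon only, so a value containing colons is returned whole. Lines
 * without a colon (the request or status line) are skipped instead of raising an
 * {@link ArrayIndexOutOfBoundsException}.
 *
 * @param messageIsRequest {@code true} to search the request headers, {@code false} for
 *                         the response headers
 * @param messageInfo      the request/response pair to inspect
 * @param headerName       header name to look up, with or without a trailing colon
 * @return the text after the first colon exactly as found (not trimmed), or {@code null}
 *         when no header has that name
 */
public String getHeaderValueOf(boolean messageIsRequest,IHttpRequestResponse messageInfo, String headerName) {
    List<String> headers;
    if (messageIsRequest) {
        headers = helpers.analyzeRequest(messageInfo).getHeaders();
    } else {
        headers = helpers.analyzeResponse(messageInfo.getResponse()).getHeaders();
    }
    String wanted = headerName.replace(":", "").trim();
    for (String header : headers) {
        int colon = header.indexOf(':');
        if (colon < 0) {
            continue; // start line or malformed line: nothing to read
        }
        // Compare the whole name; a prefix test would confuse e.g. "Content-Security-Policy"
        // with "Content-Security-Policy-Report-Only".
        if (header.substring(0, colon).trim().equalsIgnoreCase(wanted)) {
            return header.substring(colon + 1);
        }
    }
    return null;
}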
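/**
 * Sends {@code request} to {@code httpService} and stores the response body in
 * {@code byte_image} and the Content-Type subtype in {@code fileType}.
 *
 * <p>A Content-Type without parameters (no {@code ;}) is accepted, and the body is copied
 * up to and including its last byte.
 *
 * @param callbacks   Burp callbacks used to issue the request
 * @param helpers     Burp helpers used to parse the response
 * @param httpService target service of the request
 * @param request     raw request bytes to send
 */
public imageDownloader(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers, IHttpService httpService,byte[] request) {
    IHttpRequestResponse message = callbacks.makeHttpRequest(httpService, request);
    // NOTE(review): no null check here — if no response was received this still fails
    // with a NullPointerException, as before; confirm callers expect that.
    byte[] rawResponse = message.getResponse();
    IResponseInfo response = helpers.analyzeResponse(rawResponse);
    for (String header : response.getHeaders()) {
        if (header.toLowerCase().startsWith("content-type:")) {
            int start = header.indexOf("/") + 1;
            int semicolon = header.indexOf(";");
            // "Content-Type: image/png" has no ';'; substring(start, -1) used to throw.
            String subtype = semicolon >= start
                    ? header.substring(start, semicolon)
                    : header.substring(start);
            // NOTE(review): server-controlled text. If fileType is later used in a file
            // name or path, restrict it to an allow-list — usage is not visible here.
            fileType = subtype.trim();
        }
    }
    // copyOfRange's upper bound is exclusive: length - 1 dropped the final body byte and
    // threw IllegalArgumentException for an empty body.
    byte_image = Arrays.copyOfRange(rawResponse, response.getBodyOffset(), rawResponse.length);
}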
/**
 * Concatenates all header lines of the request or the response into one string.
 *
 * <p>The lines are joined with no separator between them.
 *
 * @param messageIsRequest {@code true} for the request headers, {@code false} for the
 *                         response headers
 * @param messageInfo      the request/response pair to inspect
 * @return the header lines joined back to back
 */
public String getHeaderString(boolean messageIsRequest,IHttpRequestResponse messageInfo) {
    // NOTE(review): with no separator, the end of one header runs into the start of the
    // next, so a substring search can match across two headers — confirm this is intended.
    StringBuilder joined = new StringBuilder();
    List<String> lines = messageIsRequest
            ? helpers.analyzeRequest(messageInfo).getHeaders()
            : helpers.analyzeResponse(messageInfo.getResponse()).getHeaders();
    for (String line : lines) {
        joined.append(line);
    }
    return joined.toString();
}
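/**
 * Builds a name-to-value map of the request or response headers.
 *
 * <p>Each line is cut at its first {@code ": "}, so a value containing that sequence is
 * kept whole. Lines without the separator are skipped without printing a stack trace;
 * that includes the start line, e.g. {@code POST /login.pub HTTP/1.1}. Names keep their
 * original case, and a repeated header (such as {@code Set-Cookie}) keeps only its last
 * value.
 *
 * @param messageIsRequest {@code true} for the request headers, {@code false} for the
 *                         response headers
 * @param messageInfo      the request/response pair to inspect
 * @return the header map; empty when no line contains {@code ": "}
 */
public HashMap<String,String> getHeaderHashMap(boolean messageIsRequest,IHttpRequestResponse messageInfo) {
    List<String> headers;
    if (messageIsRequest) {
        headers = helpers.analyzeRequest(messageInfo).getHeaders();
    } else {
        headers = helpers.analyzeResponse(messageInfo.getResponse()).getHeaders();
    }
    HashMap<String, String> result = new HashMap<String, String>();
    for (String header : headers) {
        int separator = header == null ? -1 : header.indexOf(": ");
        if (separator < 0) {
            // Start line or a line without ": " — an expected case, not an error.
            continue;
        }
        result.put(header.substring(0, separator), header.substring(separator + 2));
    }
    return result;
}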
/**
 * Passive check entry point: hands the response headers to {@code analyseHeaders} for
 * 200 responses whose content type is absent, {@code text/html} or
 * {@code application/xml}.
 *
 * @param baseRequestResponse the request/response pair to inspect
 * @return the result of {@code analyseHeaders}, or {@code null} when the response is not
 *         examined
 */
@Override
public IScanIssue grep(IHttpRequestResponse baseRequestResponse) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    if (resp == null || resp.getStatusCode() != 200) {
        return null;
    }
    List<String> inspectedTypes = Arrays.asList("text/html", "application/xml");
    List<String> headers = resp.getHeaders();
    String contentType = Utils.getContentType(resp);
    // NOTE(review): exact match — presumably Utils.getContentType strips parameters such
    // as "; charset=utf-8"; if it does not, such responses are skipped. Confirm.
    boolean inspect = contentType == null || inspectedTypes.contains(contentType.toLowerCase());
    return inspect ? analyseHeaders(baseRequestResponse, headers) : null;
}
/**
 * Removes every header line that starts with {@code Strings.JWTHeaderPrefix} and rebuilds
 * {@code message} from the remaining headers and the unchanged body.
 */
public void cleanJWTHeaders() {
    final List<String> headers;
    final int bodyOffset;
    if (isRequest) {
        IRequestInfo parsed = helpers.analyzeRequest(message);
        headers = parsed.getHeaders();
        bodyOffset = parsed.getBodyOffset();
    } else {
        IResponseInfo parsed = helpers.analyzeResponse(message);
        headers = parsed.getHeaders();
        bodyOffset = parsed.getBodyOffset();
    }

    // NOTE(review): the prefix test is case-sensitive — fine if the prefix marks headers
    // this extension added itself; confirm it is not meant to match arbitrary casing.
    List<String> stale = new ArrayList<String>();
    for (String line : headers) {
        if (line.startsWith(Strings.JWTHeaderPrefix)) {
            stale.add(line);
        }
    }
    headers.removeAll(stale);

    byte[] body = Arrays.copyOfRange(message, bodyOffset, message.length);
    this.message = helpers.buildHttpMessage(headers, body);
}
/**
 * Stores {@code response} as the current message and loads its raw response bytes and
 * header lines via {@code loadData}, with an empty parameter list.
 *
 * @param response the request/response pair whose response side is loaded
 */
public void loadResponse(IHttpRequestResponse response){
    this.requestResponse = response;
    byte[] rawResponse = response.getResponse();
    IResponseInfo responseInfo = burpCallback.getHelpers().analyzeResponse(rawResponse);
    // Only the response side is loaded, so the parameter list passed on is empty.
    loadData(rawResponse, new LinkedList<IParameter>(), responseInfo.getHeaders());
}
/**
 * Appends {@code headerToAdd} to the current message's headers and rebuilds
 * {@code message} with the unchanged body.
 *
 * @param headerToAdd complete header line to append
 */
public void addHeader(String headerToAdd) {
    final List<String> headers;
    final int bodyOffset;
    if (isRequest) {
        IRequestInfo parsed = helpers.analyzeRequest(message);
        headers = parsed.getHeaders();
        bodyOffset = parsed.getBodyOffset();
    } else {
        IResponseInfo parsed = helpers.analyzeResponse(message);
        headers = parsed.getHeaders();
        bodyOffset = parsed.getBodyOffset();
    }
    // NOTE(review): the line is appended unvalidated. A value containing CR or LF may
    // turn into extra header lines in the rebuilt message — presumably callers pass a
    // single trusted line; confirm.
    headers.add(headerToAdd);
    byte[] body = Arrays.copyOfRange(message, bodyOffset, message.length);
    this.message = helpers.buildHttpMessage(headers, body);
}
/**
 * Returns the header lines of the request or the response of {@code messageInfo}.
 *
 * @param messageIsRequest {@code true} for the request headers, {@code false} for the
 *                         response headers
 * @param messageInfo      the request/response pair to inspect
 * @return the header lines as produced by the Burp helpers
 */
public List<String> getHeaderList(boolean messageIsRequest,IHttpRequestResponse messageInfo) {
    return messageIsRequest
            ? helpers.analyzeRequest(messageInfo).getHeaders()
            : helpers.analyzeResponse(messageInfo.getResponse()).getHeaders();
}
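/**
 * Active scan entry point for the header-splitting check at one insertion point.
 *
 * <p>On the first call per protocol/host key the root directory is checked via
 * {@code scanRootDirectory}. A random token is then sent through the insertion point, and
 * the {@code CRLFSplitters} payloads are only tried when that token comes back in the
 * response headers. Findings collected before a failed probe request are still returned.
 *
 * @param baseRequestResponse the base request/response pair being scanned
 * @param insertionPoint      the insertion point under test
 * @return the issues found, or {@code null} when there are none
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {
        return null;
    }

    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<IScanIssue> issues = new ArrayList<>();

    // NOTE(review): the key has no port and no separator, so services on different ports
    // of one host share a single root-directory check. The contains/add pair is also not
    // atomic if scans run concurrently — confirm both are acceptable.
    String hostKey = url.getProtocol() + url.getHost();
    if (!flags.contains(hostKey)) {
        IScanIssue rootIssue = scanRootDirectory(baseRequestResponse, insertionPoint);
        if (rootIssue != null) {
            issues.add(rootIssue);
        }
        flags.add(hostKey);
    }

    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService,
            insertionPoint.buildRequest(this.helpers.stringToBytes(uuid)));
    if (checkUUID == null || checkUUID.getResponse() == null) {
        // The probe failed, but a root-directory finding may already be recorded; the
        // early return used to discard it.
        return issues.isEmpty() ? null : issues;
    }

    String respHeaders = String.join("\n",
            this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (respHeaders.contains(uuid)) {
        for (String payload : CRLFSplitters) {
            // NOTE(review): substring(0, 5) + ... + substring(6) leaves out the character
            // at index 5 — presumably deliberate; confirm against analyzeResponse.
            String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
            IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService,
                    insertionPoint.buildRequest(this.helpers.stringToBytes(finalPayload)));
            IScanIssue res = analyzeResponse(attack, insertionPoint, finalPayload);
            if (res != null) {
                issues.add(res);
            }
        }
    }
    return issues.isEmpty() ? null : issues;
}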
/**
 * Passive check: reports responses that lack {@code X-Content-Type-Options: nosniff}.
 *
 * <p>Responses are skipped when their status code is in {@code ignoreCodes}, when the
 * header value contains {@code nosniff} (any case), or when a content type is present
 * and is not one of the listed types.
 *
 * @param baseRequestResponse the request/response pair to inspect
 * @return the issue to report, or {@code null} when nothing is reported
 */
@Override
public IScanIssue grep(IHttpRequestResponse baseRequestResponse) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    if (resp == null) {
        return null;
    }
    if (ignoreCodes != null && ignoreCodes.contains(Integer.valueOf(resp.getStatusCode()))) {
        return null;
    }

    List<String> checkedTypes = Arrays.asList("application/javascript", "text/css", "image/gif", "text/html",
            "image/x-icon", "image/png", "image/jpg", "image/jpeg", "application/x-javascript");
    List<String> headers = resp.getHeaders();

    // Substring match: any value that merely contains the token counts as present.
    String optionsValue = Utils.getHeaderValue(headers, "X-Content-Type-Options");
    boolean hasNosniff = optionsValue != null && optionsValue.toUpperCase().contains("NOSNIFF");
    if (hasNosniff) {
        return null;
    }

    // A response without any content type is still reported.
    String contentType = Utils.getContentType(resp);
    boolean typeOutOfScope = contentType != null && !checkedTypes.contains(contentType.toLowerCase());
    if (typeOutOfScope) {
        return null;
    }

    // NOTE(review): the URL is placed into the HTML issue text unescaped — confirm that
    // is acceptable where the issue detail is rendered.
    String issueDetails = "The URL <b> " + helpers.analyzeRequest(baseRequestResponse).getUrl().toString() + "</b>\n"
            + "returned an HTTP response without the recommended HTTP header X-Content-Type-Options";
    IHttpRequestResponse[] evidence =
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, null)};
    return new CustomScanIssue(baseRequestResponse.getHttpService(),
            helpers.analyzeRequest(baseRequestResponse).getUrl(),
            evidence,
            issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE,
            "", "", "");
}
}
/**
 * Reports an open-redirect issue when a 3xx response carries a {@code Location} header
 * whose upper-cased value matches {@code REDIRECT_PATTERN}.
 *
 * @param requestResponse the request/response pair to inspect
 * @return the issue, with the first occurrence of "LOCATION" in the response marked, or
 *         {@code null} when the response is not a matching redirect
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    IResponseInfo resp = helpers.analyzeResponse(requestResponse.getResponse());
    if (resp == null) {
        return null;
    }
    short status = resp.getStatusCode();
    if (status < 300 || status >= 400) {
        return null;
    }

    List<String> headers = resp.getHeaders();
    String locationHeader = Utils.getHeaderValue(headers, "Location");
    if (locationHeader == null) {
        return null;
    }

    Matcher redirectMatcher = REDIRECT_PATTERN.matcher(locationHeader.toUpperCase());
    if (!redirectMatcher.find()) {
        return null;
    }

    String attackDetails = "A open redirect vulnerability was found at: <b>"
            + helpers.analyzeRequest(requestResponse).getUrl().toString() + "</b>\n";

    // NOTE(review): the marker is the first "LOCATION" anywhere in the response, which
    // may sit inside another header name such as Content-Location — confirm.
    String upperResponse = helpers.bytesToString(requestResponse.getResponse()).toUpperCase();
    int markerStart = upperResponse.indexOf("LOCATION");
    List<int[]> responseMarkers = new ArrayList<>(1);
    responseMarkers.add(new int[]{markerStart, markerStart + "LOCATION".length()});

    return new CustomScanIssue(requestResponse.getHttpService(),
            this.helpers.analyzeRequest(requestResponse).getUrl(),
            new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
            attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE,
            "", "", "");
}
}
/**
 * Reports an open-redirect issue when a 3xx response carries a {@code Location} header
 * whose upper-cased value starts with one of the {@code REDIRECTS} entries.
 *
 * @param requestResponse the request/response pair to inspect
 * @return the issue, with the first occurrence of "LOCATION" in the response marked, or
 *         {@code null} when the response is not a matching redirect
 */
public IScanIssue analyzeResponse(IHttpRequestResponse requestResponse) {
    IResponseInfo resp = helpers.analyzeResponse(requestResponse.getResponse());
    if (resp == null) {
        return null;
    }
    short status = resp.getStatusCode();
    if (status < 300 || status >= 400) {
        return null;
    }

    List<String> headers = resp.getHeaders();
    String locationHeader = Utils.getHeaderValue(headers, "Location");
    if (locationHeader == null) {
        return null;
    }

    String upperLocation = locationHeader.toUpperCase();
    for (String redirect : REDIRECTS) {
        if (!upperLocation.startsWith(redirect)) {
            continue;
        }
        String attackDetails = "Open redirect vulnerability was found at: <b>"
                + helpers.analyzeRequest(requestResponse).getUrl().toString() + "</b>\n";

        // NOTE(review): the marker is the first "LOCATION" anywhere in the response,
        // which may sit inside another header name such as Content-Location — confirm.
        String upperResponse = helpers.bytesToString(requestResponse.getResponse()).toUpperCase();
        int markerStart = upperResponse.indexOf("LOCATION");
        List<int[]> responseMarkers = new ArrayList<>(1);
        responseMarkers.add(new int[]{markerStart, markerStart + "LOCATION".length()});

        return new CustomScanIssue(requestResponse.getHttpService(),
                this.helpers.analyzeRequest(requestResponse).getUrl(),
                new IHttpRequestResponse[]{this.callbacks.applyMarkers(requestResponse, null, responseMarkers)},
                attackDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE,
                "", "", "");
    }
    return null;
}
}
/**
 * Runs the header-splitting check against the request path instead of an insertion point.
 *
 * <p>The request line of the base request is replaced with one whose path is a random
 * token. Only if that token appears in the response headers are the
 * {@code CRLFSplitters} payloads sent, each judged by
 * {@code analyzeResponse(attack, insertionPoint, finalPayload)}.
 *
 * @param baseRequestResponse the base request/response pair supplying method, headers and body
 * @param insertionPoint      passed through to {@code analyzeResponse}; not used to build requests here
 * @return the first issue reported by {@code analyzeResponse}, or {@code null} when the
 *         probe fails, the token is not reflected, or no payload yields an issue
 */
public IScanIssue scanRootDirectory(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    IHttpService httpService = baseRequestResponse.getHttpService();
    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    String uuidPayload = req.getMethod() + " /" + uuid + " HTTP/1.1";
    List<String> reqHeaders = req.getHeaders();
    // The header list is edited in place; index 0 is overwritten with the new request line.
    reqHeaders.set(0, uuidPayload);
    byte[] body = helpers.stringToBytes(helpers.bytesToString(baseRequestResponse.getRequest()).substring(req.getBodyOffset()));
    byte[] modifiedReq = helpers.buildHttpMessage(reqHeaders, body);
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService, modifiedReq);
    if (checkUUID == null || checkUUID.getResponse() == null) return null;
    String respHeaders = String.join("\n", this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    // Payloads are only sent when the harmless token was reflected into the response headers.
    if (respHeaders.contains(uuid)) {
        for (String payload : CRLFSplitters) {
            // NOTE(review): substring(0, 5) + ... + substring(6) leaves out the character
            // at index 5 — presumably deliberate; confirm against analyzeResponse.
            String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
            String finalRequestUriBuilder = req.getMethod() + " /" + finalPayload + " HTTP/1.1";
            reqHeaders.set(0, finalRequestUriBuilder);
            // The body is recomputed from the base request on every iteration.
            body = helpers.stringToBytes(helpers.bytesToString(baseRequestResponse.getRequest()).substring(req.getBodyOffset()));
            modifiedReq = helpers.buildHttpMessage(reqHeaders, body);
            IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, modifiedReq);
            // NOTE(review): unlike checkUUID, attack is not null-checked before being
            // handed on — confirm analyzeResponse tolerates a missing response.
            IScanIssue res = analyzeResponse(attack, insertionPoint, finalPayload);
            // Stops at the first payload that yields an issue.
            if (res != null) return res;
        }
    }
    return null;
}