static boolean isInPath(IScannerInsertionPoint insertionPoint) {
    // Reports whether a payload placed at this insertion point ends up in the URL path
    // (as opposed to the query string, body or headers).
    byte kind = insertionPoint.getInsertionPointType();
    if (kind == IScannerInsertionPoint.INS_URL_PATH_FILENAME
            || kind == IScannerInsertionPoint.INS_URL_PATH_FOLDER) {
        return true;
    }
    if (kind != IScannerInsertionPoint.INS_USER_PROVIDED) {
        return false;
    }

    // User-provided insertion points carry no location information, so probe for it:
    // inject a distinctive canary and see where it surfaces in the built request's path.
    final String canary = "zxcvcxz";
    String path = Utilities.getPathFromRequest(insertionPoint.buildRequest(canary.getBytes()));
    int canaryAt = path.indexOf(canary);
    if (canaryAt < 0) {
        return false;
    }
    // The canary counts as "in the path" only when it precedes any '?' query separator
    // (or there is no query at all).
    int queryAt = path.indexOf("?");
    return queryAt < 0 || canaryAt < queryAt;
}
Attack probeAttack(String payload) {
    // Injects `payload` at the configured insertion point, sends it to `service`, and
    // wraps the exchange in an Attack carrying no extra metadata.
    byte[] probe = insertionPoint.buildRequest(payload.getBytes());

    // Tag the query with a random parameter so an intermediary cache cannot answer
    // the probe from a previously stored response.
    // todo replace with addCanary method
    probe = burp.Utilities.appendToQuery(probe, Utilities.generateCanary() + "=1");

    IHttpRequestResponse exchange = burp.Utilities.attemptRequest(service, probe);
    return new Attack(exchange, null, null, "");
}
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    // Places `payload` at the insertion point, optionally adds a unique URL parameter
    // (so a cache in front of the target cannot serve a stale answer), and sends the
    // request to `service`.
    byte[] req = insertionPoint.buildRequest(payload.getBytes());
    if (needCacheBuster) {
        IParameter buster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        req = burp.Utilities.helpers.addParameter(req, buster);
    }
    // The exchange is handed back as-is; no null/failure check is performed here.
    return burp.Utilities.attemptRequest(service, req);
}
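@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // Out-of-band SSRF probe: inject a hostname that embeds a per-probe identifier and
    // remember the exchange under that identifier, so that DNS lookups observed later on
    // the lookup server can be matched back to the request that triggered them.
    //
    // The identifier has to be unique per (request, insertion point). The original hashed
    // only the base request, so every insertion point of the same request produced the
    // same key: later put() calls overwrote earlier map entries and a DNS hit could not be
    // attributed to the parameter that caused it. Mixing in the insertion point's type and
    // name fixes that while keeping the identifier a 40-char hex string, which stays safe
    // to embed in a DNS label.
    String probeIdentity = helpers.base64Encode(baseRequestResponse.getRequest())
            + "|" + insertionPoint.getInsertionPointType()
            + "|" + insertionPoint.getInsertionPointName();
    // SHA-1 serves purely as a correlation key here, not as an integrity or security
    // primitive, so its collision weaknesses are not a concern.
    String hash = DigestUtils.shaHex(probeIdentity);
    log.info("SSRF_HASH: " + hash);

    // Substitute the identifier into the DNS lookup server template and fire the request.
    byte[] request = insertionPoint.buildRequest(
            helpers.stringToBytes(DNS_LOOKUP_SERVER.replace("{{HASH}}", hash)));
    IHttpRequestResponse requestResponse = callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(), request);
    // NOTE(review): if scanner checks run concurrently and requestedInsertionPoints is a
    // plain HashMap, this put() needs a thread-safe map — confirm its type at the declaration.
    requestedInsertionPoints.put(hash, requestResponse);

    // Nothing is reported synchronously; the result is resolved against the DNS lookup
    // server later.
    return null;
}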
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    // Builds the request with `payload` at the insertion point and sends it to the
    // base request's service. With needCacheBuster set, a random URL parameter is
    // added first so an intermediary cache cannot reuse an earlier response.
    byte[] req = insertionPoint.buildRequest(payload.getBytes());
    if (!needCacheBuster) {
        return burp.Utilities.attemptRequest(baseRequestResponse.getHttpService(), req);
    }
    IParameter buster = burp.Utilities.helpers.buildParameter(
            Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    byte[] bustedReq = burp.Utilities.helpers.addParameter(req, buster);
    // No null/failure check on the exchange; callers receive whatever attemptRequest yields.
    return burp.Utilities.attemptRequest(baseRequestResponse.getHttpService(), bustedReq);
}
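public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // CRLF / response-header injection check for a single insertion point:
    //   1. once per scheme+host, run the root-directory variant (tracked in `flags`);
    //   2. reflect a random token through the insertion point — only if it appears in a
    //      response *header* is the point worth attacking;
    //   3. for each CRLF splitter, wrap the token halves around "<splitter><CRLFHeader>"
    //      and let analyzeResponse decide whether the header was injected.
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {   // logical OR; the original used bitwise '|'
        return null;
    }
    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<IScanIssue> issues = new ArrayList<>();

    // One root-directory probe per origin. NOTE(review): if `flags` is a plain HashSet
    // and Burp runs scanner checks concurrently, this check-then-add is racy and may
    // double-probe an origin (harmless for results) — verify its declared type.
    String originKey = url.getProtocol() + url.getHost();
    if (!flags.contains(originKey)) {
        IScanIssue rootIssue = scanRootDirectory(baseRequestResponse, insertionPoint);
        if (rootIssue != null) {
            issues.add(rootIssue);
        }
        flags.add(originKey);
    }

    // Reflection pre-check with a 32-hex-char token that cannot occur by chance.
    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(
            httpService, insertionPoint.buildRequest(this.helpers.stringToBytes(uuid)));
    if (checkUUID == null || checkUUID.getResponse() == null) {
        return null;
    }
    String respHeaders = String.join("\n",
            this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (respHeaders.contains(uuid)) {
        for (String payload : CRLFSplitters) {
            // Token prefix + splitter + injected header + token remainder. The remainder
            // starts at index 6, so token character 5 is dropped; left as-is because
            // analyzeResponse (not shown here) may depend on this exact shape.
            String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
            IHttpRequestResponse attack = this.callbacks.makeHttpRequest(
                    httpService, insertionPoint.buildRequest(this.helpers.stringToBytes(finalPayload)));
            // makeHttpRequest can yield a null exchange or response (the pre-check above
            // already guards for this); skip rather than hand it to the analyzer.
            if (attack == null || attack.getResponse() == null) {
                continue;
            }
            IScanIssue res = analyzeResponse(attack, insertionPoint, finalPayload);
            if (res != null) {
                issues.add(res);
            }
        }
    }
    return issues.isEmpty() ? null : issues;
}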
private HashSet<String> recordHandling(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String probe) {
    // Sends "<left>\\<mid><probe><right>" — two literal backslashes before <mid> — and
    // asks getTransformationResults what came back between the anchors. Note the
    // expected left anchor handed to it contains a *single* backslash where the payload
    // had two, so the anchor only lines up if the target collapsed the backslash pair.
    String left = Utilities.randomString(3);
    String mid = "z" + Integer.toString(Utilities.rnd.nextInt(9));   // "z0".."z8"
    String right = "z" + Utilities.randomString(3);

    String payload = left + "\\\\" + mid + probe + right;
    byte[] attackRequest = insertionPoint.buildRequest(payload.getBytes());
    IHttpRequestResponse attack = callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(), attackRequest);

    // Filter the response, then round-trip it bytes -> String -> bytes before matching
    // (preserved from the original; presumably normalises the byte encoding — confirm).
    byte[] filtered = Utilities.filterResponse(attack.getResponse());
    byte[] normalised = helpers.stringToBytes(helpers.bytesToString(filtered));
    return getTransformationResults(left + "\\" + mid, right, normalised);
}
byte[] checkRequest = insertionPoint.buildRequest(INJ);
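@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // Fires every entry of `Payloads` through URL-parameter insertion points only and
    // collects whatever analyzeResponse flags. All other insertion point types are skipped.
    if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) {
        return null;
    }
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {   // logical OR; the original used bitwise '|'
        return null;
    }

    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();
    for (String payload : Payloads) {
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(
                httpService, insertionPoint.buildRequest(this.helpers.stringToBytes(payload)));
        // makeHttpRequest may return null for a failed exchange; nothing to analyse then.
        if (attack == null) {
            continue;
        }
        IScanIssue res = analyzeResponse(attack);
        if (res != null) {
            issues.add(res);
        }
    }
    // The original returned `issues` from both arms of a redundant size check, so an
    // empty list (rather than null) is what callers have always received here.
    return issues;
}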
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    // Appends "<leftAnchor><payload><rightAnchor>" to the insertion point's existing
    // base value (it does not replace it), sends the result, and returns an Attack whose
    // exchange has the anchored payload highlighted for the reviewer.
    String anchored = leftAnchor + payload + rightAnchor;
    byte[] probe = insertionPoint.buildRequest(
            helpers.stringToBytes(insertionPoint.getBaseValue() + anchored));
    IHttpRequestResponse exchange = attemptRequest(baseRequestResponse.getHttpService(), probe);
    IHttpRequestResponse highlighted =
            Utilities.highlightRequestResponse(exchange, leftAnchor, anchored, insertionPoint);
    return new Attack(highlighted, null, payload, "");
}
IHttpRequestResponse payloadedResponse = callbacks.makeHttpRequest( baseRequestResponse.getHttpService(), insertionPoint.buildRequest(helpers.stringToBytes(payload)) );
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    // Builds "<baseValue><leftAnchor><payload><rightAnchor>" at the insertion point —
    // the original value is kept and the anchored payload is appended — sends it, and
    // wraps the exchange (with the anchored region highlighted) in an Attack.
    String marked = leftAnchor + payload + rightAnchor;
    String injected = insertionPoint.getBaseValue() + marked;
    IHttpRequestResponse exchange = attemptRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(helpers.stringToBytes(injected)));
    return new Attack(
            Utilities.highlightRequestResponse(exchange, leftAnchor, marked, insertionPoint),
            null, payload, "");
}
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // ImageTragick (ImageMagick) check, run only for insertion points whose current
    // value parses as an image.
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    if (SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length) == null) {
        return null;   // not an image; nothing to test
    }
    final IHttpService hs = baseRequestResponse.getHttpService();

    // Stage 1 — out-of-band: embed a Collaborator host in the payload and look for any
    // interaction. The fetch happens immediately after the request returns, so a
    // callback that arrives later than that is not seen by this pass and the check
    // falls through to the timing stage.
    IBurpCollaboratorClientContext ccc = callbacks.createBurpCollaboratorClientContext();
    String host = ccc.generatePayload(true);
    byte[] oobPayload = (IMAGETRAGICK_HEAD + "http://" + host + "/a.jpg" + IMAGETRAGICK_TAIL).getBytes();
    IHttpRequestResponse response = callbacks.makeHttpRequest(hs, insertionPoint.buildRequest(oobPayload));
    List<IBurpCollaboratorInteraction> events = ccc.fetchCollaboratorInteractionsFor(host);
    if (!events.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(response, hrrToUrl(baseRequestResponse),
                insertionPoint.getInsertionPointName(), host, events);
    }

    // Stage 2 — timing: one baseline round-trip versus one round-trip with the sleep
    // payload; report only if the delta lands within TRESHOLD of the expected sleep.
    // Single samples, so network jitter can produce both misses and false positives.
    long baseTime = measureRequest(hs, baseRequestResponse.getRequest()).getKey();
    Map.Entry<Long, IHttpRequestResponse> timed =
            measureRequest(hs, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    long sleepTime = timed.getKey();
    long deviation = Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS);
    if (deviation > IMAGETRAGICK_TRESHOLD_NS) {
        return null;
    }
    return ImageTragickIssue.reportOnTiming(timed.getValue(), hrrToUrl(baseRequestResponse),
            insertionPoint.getInsertionPointName(), baseTime, sleepTime);
}
byte[] checkRequest = insertionPoint.buildRequest(injTest); IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest( baseRequestResponse.getHttpService(), checkRequest);
byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST);
byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST); IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest( baseRequestResponse.getHttpService(), checkRequest);
IHttpRequestResponse newBase = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), arrayInsertionPoint.buildRequest(newParam.getValue().getBytes()));
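private boolean tryStatusCache(PayloadInjector injector, String param, int attackDedication, short get404Code) {
    // Status-code based cache-poisoning probe. Both requests target a fresh random
    // "<canary>.jpg" path, so nothing can be cached for it yet. The "set" request carries
    // the candidate parameter and is sent attackDedication times to seed the cache; the
    // "get" request carries a mangled parameter ("xyz<param>z") so it should not trigger
    // the behaviour itself, and is used to see whether the cached entry differs from the
    // expected 404 status.
    String canary = Utilities.generateCanary() + ".jpg";
    byte[] setPoison200Req = injector.getInsertionPoint().buildRequest(
            Utilities.helpers.stringToBytes(addStatusPayload(param)));
    setPoison200Req = Utilities.appendToPath(setPoison200Req, canary);
    byte[] getPoison200Req = injector.getInsertionPoint().buildRequest(
            Utilities.helpers.stringToBytes(addStatusPayload("xyz" + param + "z")));
    getPoison200Req = Utilities.appendToPath(getPoison200Req, canary);

    for (int j = 0; j < attackDedication; j++) {
        Utilities.attemptRequest(injector.getService(), setPoison200Req);
    }

    for (int j = 0; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison200 = Utilities.attemptRequest(injector.getService(), getPoison200Req);
        short getPoison200Code = Utilities.helpers.analyzeResponse(getPoison200.getResponse()).getStatusCode();
        if (getPoison200Code != get404Code) {
            Utilities.callbacks.addScanIssue(new CustomScanIssue(
                    getPoison200.getHttpService(), Utilities.getURL(getPoison200), getPoison200,
                    "Dubious cache poisoning " + j,
                    "Cache poisoning: '" + param + "'. Diff based cache poisoning. Good luck confirming",
                    "High", "Tentative", "Investigate"));
            // Fix: report success only when the status actually differed. The original
            // returned true unconditionally at the end of the first iteration, which made
            // the stepped loop dead code and told the caller a poisoning was found even
            // when the status matched the expected 404. tryReflectCache likewise returns
            // true only on a confirmed hit.
            return true;
        }
    }
    return false;
}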
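private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    // Reflection based cache-poisoning probe. `param` is sent through the insertion point
    // on a cache-busted URL to seed the cache; the *unmodified* base request is then
    // replayed with the same cache buster and path suffix (so it maps to the same cache
    // key) and checked for the marker "wrtqv". NOTE(review): the marker is assumed to be
    // carried by `param` or its reflection — that is not visible from this method.
    IHttpService service = injector.getService();
    byte[] setPoisonReq = Utilities.appendToPath(
            injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);
    IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);

    // Seed the cache. The bounds (attackDedication - i .. attackDedication) make the
    // number of attempts grow with `i`, the caller's escalation counter.
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }

    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison = Utilities.attemptRequest(service,
                Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix));
        if (!Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            continue;
        }
        Utilities.log("Successful cache poisoning check");
        String title = "Cache poisoning";

        // Escalation: can a bare CR in the reflected value reach the response *headers*?
        // If so, header injection through the cache is possible and the finding is upgraded.
        byte[] headerSplitReq = Utilities.appendToPath(
                injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
        cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        byte[] headerSplitResp = Utilities.attemptRequest(service,
                Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse();
        // Fix: the header window to inspect is the *response's*. The original sliced
        // headerSplitResp at getBodyStart(headerSplitReq) — the request's header length —
        // so the bytes examined bore no relation to where the response headers end, and a
        // marker in the body could count as a header hit (or a real header hit be missed).
        // A null response (failed exchange) simply leaves the severity unchanged.
        if (headerSplitResp != null) {
            byte[] respHeaders = Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitResp));
            if (Utilities.containsBytes(respHeaders, "zxcv\rvcz".getBytes())) {
                title = "Severe cache poisoning";
            }
        }
        title = title + " " + i;
        Utilities.callbacks.addScanIssue(new CustomScanIssue(
                getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title,
                "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response",
                "High", "Firm", "Investigate"));
        return true;
    }
    return false;
}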
Utilities.doActiveScan(Utilities.attemptRequest(injector.getService(), valueInsertionPoint.buildRequest(baseValue.getBytes())), valueInsertionPoint.getPayloadOffsets(baseValue.getBytes()));