private void secondPass(IExtensionHelpers helpers) {
publish("Second Pass...");
publish(0);
Set<Map<String, CorrelatedParam>> allStats = new HashSet<>();
allStats.add(urlParameters);
allStats.add(bodyParameters);
allStats.add(cookieParameters);
int x = 0;
for (IHttpRequestResponse message : inScopeMessagesWithResponses) {
publish(100 * x / inScopeMessagesWithResponses.size());
x += 1;
String responseString = helpers.bytesToString(message.getResponse());
for (Map<String, CorrelatedParam> paramMap : allStats) {
for (String paramName : paramMap.keySet()) {
publish("Analyzing " + paramName + "...");
for (CorrelatedParam param : paramMap.values()) {
for (String value : param.getUniqueValues()) {
if (responseString.contains(value)) {
param.putSeenParam(value, message);
}
}
}
}
}
}
}
private void doFuzzReq(String urn) {
SlurpUtils utils = SlurpUtils.getInstance();
IHttpRequestResponse req = SlurpHelperCheckDirFuzz.doDirFuzzReq(this, urn);
if (req == null) return;
issuedRequests++;
int code = utils.getCodeFromResponse(req.getResponse());
if (code == 200) {
addFound(utils.getUriFromRequest(req));
this.markAsPositive();
}
}
public HttpMessage(IHttpRequestResponse ihrr) {
host = ihrr.getHost();
port = ihrr.getPort();
try {
protocol = ihrr.getProtocol();
request = ihrr.getRequest();
response = ihrr.getResponse();
statusCode = ihrr.getStatusCode();
url = ihrr.getUrl();
comment = ihrr.getComment();
highlight = ihrr.getHighlight();
} catch (Exception e) {
e.printStackTrace();
throw new RuntimeException(e);
}
}
@Override
public List<IScanIssue> scan(
IBurpExtenderCallbacks callbacks,
IHttpRequestResponse baseRequestResponse,
IScannerInsertionPoint insertionPoint) {
List<IScanIssue> issues = new ArrayList<>();
IExtensionHelpers helpers = callbacks.getHelpers();
stderr = new PrintWriter(callbacks.getStderr(), true);
IRequestInfo reqInfo = helpers.analyzeRequest(baseRequestResponse);
URL url = reqInfo.getUrl();
String host = url.getHost();
int port = url.getPort();
String system = host.concat(Integer.toString(port));
// System not yet tested for this vulnerability
if (!hs.contains(system)) {
hs.add(system);
String protocol = url.getProtocol();
Boolean isSSL = (protocol.equals("https"));
for (String STATUS_SERVLET_PATH : STATUS_SERVLET_PATHS) {
try {
// Test the presence of tomcat console
URL urlToTest = new URL(protocol, url.getHost(), url.getPort(), STATUS_SERVLET_PATH);
byte[] statustest = helpers.buildHttpRequest(urlToTest);
byte[] responseBytes =
callbacks.makeHttpRequest(url.getHost(), url.getPort(), isSSL, statustest);
// look for matches of our active check grep string in the response body
IResponseInfo statusInfo = helpers.analyzeResponse(responseBytes);
/*
* Try basic HTTP Authentication Bruteforcing
*/
if (statusInfo.getStatusCode() == 401) {
issues.add(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
urlToTest,
new CustomHttpRequestResponse(
statustest, responseBytes, baseRequestResponse.getHttpService()),
"HTTP Basic Authentication - Status Servlet",
"A status servlet is protected using HTTP Basic authentication",
REMEDY,
Risk.Low,
Confidence.Certain));
// Test Weak Passwords
CustomHttpRequestResponse httpWeakPasswordResult;
httpWeakPasswordResult = HTTPBasicBruteforce(callbacks, urlToTest);
if (httpWeakPasswordResult != null) {
// Retrieve the weak credentials
String weakCredential = null;
String weakCredentialDescription = "";
try {
IRequestInfo reqInfoPwd =
callbacks
.getHelpers()
.analyzeRequest(
baseRequestResponse.getHttpService(),
httpWeakPasswordResult.getRequest());
weakCredential =
new String(
helpers.base64Decode(HTTPParser.getHTTPBasicCredentials(reqInfoPwd)));
} catch (Exception ex) {
stderr.println("Error during Authorization Header parsing " + ex);
}
if (weakCredential != null) {
weakCredentialDescription +=
String.format(
"<br /><br /> The weak credentials are " + "<b>%s</b><br /><br />",
weakCredential);
}
issues.add(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
urlToTest,
httpWeakPasswordResult,
"Status Servlet Weak Password",
"Status Servlet is installed on the remote system with a default password"
+ weakCredentialDescription,
"Change default/weak password and/or restrict access to the console only from trusted hosts/networks",
Risk.Medium,
Confidence.Certain));
return issues;
}
}
if (statusInfo.getStatusCode() == 200) {
List<int[]> matches_j2ee = getMatches(responseBytes, GREP_STRING_J2EE, helpers);
if (matches_j2ee.size() > 0) {
issues.add(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
new CustomHttpRequestResponse(
statustest, responseBytes, baseRequestResponse.getHttpService()),
StatusServlet.TITLE,
StatusServlet.DESCRIPTION,
REMEDY,
Risk.Low,
Confidence.Certain));
return issues;
}
List<int[]> matches_httpd = getMatches(responseBytes, GREP_STRING_HTTPD, helpers);
if (matches_httpd.size() > 0) {
issues.add(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
new CustomHttpRequestResponse(
statustest, responseBytes, baseRequestResponse.getHttpService()),
StatusServlet.TITLE,
StatusServlet.DESCRIPTION,
REMEDY,
Risk.Low,
Confidence.Certain));
return issues;
}
}
} catch (MalformedURLException ex) {
stderr.println("Malformed URL Exception " + ex);
}
}
}
return issues;
}
