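/**
 * Second analysis pass: for every in-scope message, records which known parameter values
 * appear verbatim in that message's response.
 *
 * <p>The URL, body and cookie parameter maps are all examined. A hit is recorded through
 * {@code CorrelatedParam.putSeenParam(value, message)}. Progress is reported through
 * {@code publish} as a percentage of messages processed.
 *
 * <p>Each parameter is now checked exactly once per message. The previous version walked
 * {@code paramMap.values()} inside a loop over {@code paramMap.keySet()}, so every parameter
 * was re-scanned (and {@code putSeenParam} re-invoked) once per key in the map.
 *
 * @param helpers Burp helper object, used to turn the raw response bytes into a string
 */
private void secondPass(IExtensionHelpers helpers) {
    publish("Second Pass...");
    publish(0);

    Set<Map<String, CorrelatedParam>> allStats = new HashSet<>();
    allStats.add(urlParameters);
    allStats.add(bodyParameters);
    allStats.add(cookieParameters);

    // The size is only used as a divisor inside the loop, so an empty collection never divides.
    int total = inScopeMessagesWithResponses.size();
    int processed = 0;
    for (IHttpRequestResponse message : inScopeMessagesWithResponses) {
        publish(100 * processed / total);
        processed += 1;

        String responseString = helpers.bytesToString(message.getResponse());
        for (Map<String, CorrelatedParam> paramMap : allStats) {
            for (Map.Entry<String, CorrelatedParam> entry : paramMap.entrySet()) {
                publish("Analyzing " + entry.getKey() + "...");
                CorrelatedParam param = entry.getValue();
                // NOTE(review): contains() is a plain substring test, so an empty value matches
                // every response and very short values match by coincidence. Confirm that
                // getUniqueValues() filters those, otherwise the "seen" data will be noisy.
                for (String value : param.getUniqueValues()) {
                    if (responseString.contains(value)) {
                        param.putSeenParam(value, message);
                    }
                }
            }
        }
    }
}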
/**
 * Issues one directory-fuzz request for {@code urn} and records the result.
 *
 * <p>A {@code null} result from {@code SlurpHelperCheckDirFuzz.doDirFuzzReq} is ignored and is
 * not counted in {@code issuedRequests}. Only an HTTP 200 response marks the resource as found;
 * every other status code is counted as issued but otherwise dropped.
 *
 * @param urn resource name handed to the directory-fuzz helper
 */
private void doFuzzReq(String urn) {
    final SlurpUtils slurp = SlurpUtils.getInstance();
    final IHttpRequestResponse exchange = SlurpHelperCheckDirFuzz.doDirFuzzReq(this, urn);

    if (exchange != null) {
        issuedRequests++;

        final int status = slurp.getCodeFromResponse(exchange.getResponse());
        final boolean resourceExists = (status == 200);
        if (resourceExists) {
            addFound(slurp.getUriFromRequest(exchange));
            this.markAsPositive();
        }
    }
}
/**
 * Builds a message by copying the fields of a Burp request/response item.
 *
 * <p>Host and port are read first, outside the guarded section. The remaining getters run
 * inside a {@code try} block, and any exception they raise is printed to the standard error
 * stream and rethrown wrapped in a {@link RuntimeException}.
 *
 * <p>The request and response are stored exactly as the getters return them; no copy is made
 * here.
 *
 * @param ihrr source item whose fields are copied
 * @throws RuntimeException wrapping any exception thrown by the guarded getters
 */
public HttpMessage(IHttpRequestResponse ihrr) {
    this.host = ihrr.getHost();
    this.port = ihrr.getPort();

    try {
        this.protocol = ihrr.getProtocol();
        this.request = ihrr.getRequest();
        this.response = ihrr.getResponse();
        this.statusCode = ihrr.getStatusCode();
        this.url = ihrr.getUrl();
        this.comment = ihrr.getComment();
        this.highlight = ihrr.getHighlight();
    } catch (Exception failure) {
        failure.printStackTrace();
        throw new RuntimeException(failure);
    }
}
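/**
 * Active check for an exposed status servlet on the host of the scanned request.
 *
 * <p>Each host/port pair is probed at most once: the pair is remembered in {@code hs}, and later
 * calls for the same pair return an empty list. {@code hs} is not cleared in this method, so a
 * target is not re-tested by later calls while that set keeps its contents.
 *
 * <p>For every path in {@code STATUS_SERVLET_PATHS} a request is sent and the response is
 * classified:
 * <ul>
 *   <li><b>401</b>: a low-risk "protected by HTTP Basic" issue is added, then
 *       {@code HTTPBasicBruteforce} is tried. If it returns a result, a medium-risk
 *       weak-password issue is added and the method returns immediately.</li>
 *   <li><b>200</b> with a body matching {@code GREP_STRING_J2EE} or {@code GREP_STRING_HTTPD}:
 *       a low-risk status-servlet issue is added and the method returns immediately.</li>
 * </ul>
 *
 * @param callbacks Burp callbacks, used for helpers, stderr and for issuing requests
 * @param baseRequestResponse the request/response being scanned; supplies the target service
 * @param insertionPoint not used by this check
 * @return the issues found; empty when the host was already tested or nothing matched
 */
@Override
public List<IScanIssue> scan(
        IBurpExtenderCallbacks callbacks,
        IHttpRequestResponse baseRequestResponse,
        IScannerInsertionPoint insertionPoint) {

    List<IScanIssue> issues = new ArrayList<>();
    IExtensionHelpers helpers = callbacks.getHelpers();
    stderr = new PrintWriter(callbacks.getStderr(), true);

    IRequestInfo reqInfo = helpers.analyzeRequest(baseRequestResponse);
    URL url = reqInfo.getUrl();
    String host = url.getHost();
    // URL.getPort() yields -1 when the URL has no explicit port; fall back to the scheme default
    // so that the request below is never sent to port -1.
    int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();

    // The separator keeps the key unambiguous. Plain concatenation made "10.0.0.1" + 8080 and
    // "10.0.0.180" + 80 the same key, so the second target was silently skipped.
    String system = host + ":" + port;

    // System already tested for this vulnerability
    if (hs.contains(system)) {
        return issues;
    }
    hs.add(system);

    String protocol = url.getProtocol();
    boolean isSSL = "https".equals(protocol);

    for (String STATUS_SERVLET_PATH : STATUS_SERVLET_PATHS) {
        try {
            // Probe the candidate status servlet path
            URL urlToTest = new URL(protocol, host, port, STATUS_SERVLET_PATH);
            byte[] statustest = helpers.buildHttpRequest(urlToTest);
            byte[] responseBytes = callbacks.makeHttpRequest(host, port, isSSL, statustest);

            // No usable response (for example a failed connection): nothing to analyze.
            if (responseBytes == null || responseBytes.length == 0) {
                continue;
            }

            IResponseInfo statusInfo = helpers.analyzeResponse(responseBytes);

            /*
             * The path exists but is protected by HTTP Basic authentication:
             * report it, then test it for weak credentials.
             */
            if (statusInfo.getStatusCode() == 401) {
                issues.add(
                        new CustomScanIssue(
                                baseRequestResponse.getHttpService(),
                                urlToTest,
                                new CustomHttpRequestResponse(
                                        statustest, responseBytes, baseRequestResponse.getHttpService()),
                                "HTTP Basic Authentication - Status Servlet",
                                "A status servlet is protected using HTTP Basic authentication",
                                REMEDY,
                                Risk.Low,
                                Confidence.Certain));

                // Test weak passwords
                CustomHttpRequestResponse httpWeakPasswordResult =
                        HTTPBasicBruteforce(callbacks, urlToTest);

                if (httpWeakPasswordResult != null) {
                    // Recover the accepted credential from the Authorization header of the
                    // request that succeeded. Best effort: a parsing failure is logged and the
                    // issue is still reported, just without the credential text.
                    String weakCredential = null;
                    String weakCredentialDescription = "";
                    try {
                        IRequestInfo reqInfoPwd =
                                helpers.analyzeRequest(
                                        baseRequestResponse.getHttpService(),
                                        httpWeakPasswordResult.getRequest());
                        weakCredential =
                                new String(
                                        helpers.base64Decode(
                                                HTTPParser.getHTTPBasicCredentials(reqInfoPwd)));
                    } catch (Exception ex) {
                        stderr.println("Error during Authorization Header parsing " + ex);
                    }

                    // The credential is written into the issue detail in clear text, so an
                    // exported report needs the same handling as the credential itself.
                    if (weakCredential != null) {
                        weakCredentialDescription +=
                                String.format(
                                        "<br /><br /> The weak credentials are " + "<b>%s</b><br /><br />",
                                        weakCredential);
                    }

                    issues.add(
                            new CustomScanIssue(
                                    baseRequestResponse.getHttpService(),
                                    urlToTest,
                                    httpWeakPasswordResult,
                                    "Status Servlet Weak Password",
                                    "Status Servlet is installed on the remote system with a default password"
                                            + weakCredentialDescription,
                                    "Change default/weak password and/or restrict access to the console only from trusted hosts/networks",
                                    Risk.Medium,
                                    Confidence.Certain));
                    return issues;
                }
            }

            // The path is reachable without authentication: confirm it really is a status page
            // by looking for either fingerprint in the response.
            if (statusInfo.getStatusCode() == 200) {
                boolean fingerprintFound =
                        !getMatches(responseBytes, GREP_STRING_J2EE, helpers).isEmpty()
                                || !getMatches(responseBytes, GREP_STRING_HTTPD, helpers).isEmpty();

                if (fingerprintFound) {
                    issues.add(
                            new CustomScanIssue(
                                    baseRequestResponse.getHttpService(),
                                    url,
                                    new CustomHttpRequestResponse(
                                            statustest, responseBytes, baseRequestResponse.getHttpService()),
                                    StatusServlet.TITLE,
                                    StatusServlet.DESCRIPTION,
                                    REMEDY,
                                    Risk.Low,
                                    Confidence.Certain));
                    return issues;
                }
            }
        } catch (MalformedURLException ex) {
            stderr.println("Malformed URL Exception " + ex);
        }
    }

    return issues;
}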