Projects STRLCPY autorize Commits 6d30c3d5
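--- a/Autorize.py
+++ b/Autorize.py
@@ -1,14 +1,12 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 
-from burp import IBurpExtender
-from burp import IHttpListener
-
+from burp import IBurpExtender, IHttpListener, IProxyListener
 from authorization.authorization import handle_message
-
 from helpers.initiator import Initiator
+from helpers.filters import handle_proxy_message
 
-class BurpExtender(IBurpExtender, IHttpListener):
+class BurpExtender(IBurpExtender, IHttpListener, IProxyListener):
 
  def registerExtenderCallbacks(self, callbacks):
  self._callbacks = callbacks
@@ -36,3 +34,10 @@
  def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
  handle_message(self, toolFlag, messageIsRequest, messageInfo)
 
+ #
+ # implement IProxyListener
+ #
+ def processProxyMessage(self, messageIsRequest, message):
+ handle_proxy_message(self,message)
+
+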
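--- a/BappManifest.bmf
+++ b/BappManifest.bmf
@@ -2,7 +2,7 @@
 ExtensionType: 2
 Name: Autorize
 RepoName: autorize
-ScreenVersion: 1.6
+ScreenVersion: 1.7
 SerialVersion: 22
 MinPlatformVersion: 0
 ProOnly: False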
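--- a/authorization/authorization.py
+++ b/authorization/authorization.py
@@ -81,90 +81,92 @@
 
  message_passed_filters = True
  for i in range(0, self.IFList.getModel().getSize()):
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Scope items only":
+ interceptionFilter = self.IFList.getModel().getElementAt(i)
+ interceptionFilterTitle = interceptionFilter.split(":")[0]
+ if interceptionFilterTitle == "Scope items only":
  currentURL = URL(urlString)
  if not self._callbacks.isInScope(currentURL):
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "URL Contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[30:] not in urlString:
+ if interceptionFilterTitle == "URL Contains (simple string)":
+ if interceptionFilter[30:] not in urlString:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "URL Contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[22:]
+ if interceptionFilterTitle == "URL Contains (regex)":
+ regex_string = interceptionFilter[22:]
  if re.search(regex_string, urlString, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "URL Not Contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[34:] in urlString:
+ if interceptionFilterTitle == "URL Not Contains (simple string)":
+ if interceptionFilter[34:] in urlString:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "URL Not Contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[26:]
+ if interceptionFilterTitle == "URL Not Contains (regex)":
+ regex_string = interceptionFilter[26:]
  if not re.search(regex_string, urlString, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[40:] not in bodyStr:
+ if interceptionFilterTitle == "Request Body contains (simple string)":
+ if interceptionFilter[40:] not in bodyStr:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[32:]
+ if interceptionFilterTitle == "Request Body contains (regex)":
+ regex_string = interceptionFilter[32:]
  if re.search(regex_string, bodyStr, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body NOT contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[44:] in bodyStr:
+ if interceptionFilterTitle == "Request Body NOT contains (simple string)":
+ if interceptionFilter[44:] in bodyStr:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body Not contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[36:]
+ if interceptionFilterTitle == "Request Body Not contains (regex)":
+ regex_string = interceptionFilter[36:]
  if not re.search(regex_string, bodyStr, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[41:] not in resStr:
+ if interceptionFilterTitle == "Response Body contains (simple string)":
+ if interceptionFilter[41:] not in resStr:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[33:]
+ if interceptionFilterTitle == "Response Body contains (regex)":
+ regex_string = interceptionFilter[33:]
  if re.search(regex_string, resStr, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body NOT contains (simple string)":
- if self.IFList.getModel().getElementAt(i)[45:] in resStr:
+ if interceptionFilterTitle == "Response Body NOT contains (simple string)":
+ if interceptionFilter[45:] in resStr:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body Not contains (regex)":
- regex_string = self.IFList.getModel().getElementAt(i)[37:]
+ if interceptionFilterTitle == "Response Body Not contains (regex)":
+ regex_string = interceptionFilter[37:]
  if not re.search(regex_string, resStr, re.IGNORECASE) is None:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Header contains":
+ if interceptionFilterTitle == "Header contains":
  for header in list(resInfo.getHeaders()):
- if self.IFList.getModel().getElementAt(i)[17:] in header:
+ if interceptionFilter[17:] in header:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Header doesn't contain":
+ if interceptionFilterTitle == "Header doesn't contain":
  for header in list(resInfo.getHeaders()):
- if not self.IFList.getModel().getElementAt(i)[17:] in header:
+ if not interceptionFilter[17:] in header:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Only HTTP methods (newline separated)":
- filterMethods = self.IFList.getModel().getElementAt(i)[39:].split("\n")
+ if interceptionFilterTitle == "Only HTTP methods (newline separated)":
+ filterMethods = interceptionFilter[39:].split("\n")
  filterMethods = [x.lower() for x in filterMethods]
  reqMethod = str(self._helpers.analyzeRequest(messageInfo).getMethod())
  if reqMethod.lower() not in filterMethods:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Ignore HTTP methods (newline separated)":
- filterMethods = self.IFList.getModel().getElementAt(i)[41:].split("\n")
+ if interceptionFilterTitle == "Ignore HTTP methods (newline separated)":
+ filterMethods = interceptionFilter[41:].split("\n")
  filterMethods = [x.lower() for x in filterMethods]
  reqMethod = str(self._helpers.analyzeRequest(messageInfo).getMethod())
  if reqMethod.lower() in filterMethods:
  message_passed_filters = False
 
- if self.IFList.getModel().getElementAt(i).split(":")[0] == "Ignore OPTIONS requests":
+ if interceptionFilterTitle == "Ignore OPTIONS requests":
  reqMethod = str(self._helpers.analyzeRequest(messageInfo).getMethod())
  if reqMethod == "OPTIONS":
  message_passed_filters = False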
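Review bot: In the "Header doesn't contain" branch the new line `if not interceptionFilter[17:] in header:` keeps the offset that belongs to "Header contains: " (17 characters); this title is 22 characters long, so with the "Title: content" layout that every other slice in the loop implies, the content starts at index 24. As written the needle begins with the tail of the title ("ntain: …"), which is unlikely to occur in any header, so the branch clears `message_passed_filters` for essentially every message. Deriving the offset once per iteration, `filterContent = interceptionFilter[len(interceptionFilterTitle) + 2:]`, would replace all of the hand-counted slices and remove this class of error. The regex branches also hand the user-typed pattern straight to `re.search`, so an invalid pattern raises on each message unless it is validated when the filter is added, which is not visible here. The loop belongs to a function that starts and ends outside this section.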
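--- a/gui/interception_filters.py
+++ b/gui/interception_filters.py
@@ -48,7 +48,8 @@
  "Ignore spider requests: (Content is not required)",
  "Ignore proxy requests: (Content is not required)",
  "Ignore target requests: (Content is not required)",
- "Ignore OPTIONS requests: (Content is not required)"
+ "Ignore OPTIONS requests: (Content is not required)",
+ "Drop proxy listener ports: (Separated by comma)"
  ]
  self._extender.IFType = JComboBox(IFStrings)
  self._extender.IFType.setBounds(80, 10, 430, 30)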
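--- a/gui/table.py
+++ b/gui/table.py
@@ -14,6 +14,8 @@
 from java.lang import Integer
 from java.lang import String
 from java.awt import Color
+from javax.swing import ListSelectionModel
+from javax.swing.event import ListSelectionListener
 
 from helpers.filters import expand, collapse
 
@@ -92,6 +94,12 @@
  def __init__(self, extender):
  self._extender = extender
 
+ def removeRows(self, rows):
+ rows.sort(reverse=True)
+ for row in rows:
+ self._extender._log.pop(row)
+ self.fireTableDataChanged()
+
  def getRowCount(self):
  try:
  return self._extender._log.size()
@@ -142,6 +150,15 @@
  return logEntry._enfocementStatusUnauthorized
  return ""
 
+class TableSelectionListener(ListSelectionListener):
+ """Class Responsible for the multi-row deletion"""
+ def __init__(self, extender):
+ self._extender = extender
+
+ def valueChanged(self, e):
+ rows = [i for i in self._table.getSelectedRows()]
+ self._extender.tableModel.removeRows(rows)
+
 class Table(JTable):
  def __init__(self, extender):
  self._extender = extender
@@ -150,11 +167,12 @@
  self.addMouseListener(Mouseclick(self._extender))
  self.getColumnModel().getColumn(0).setPreferredWidth(450)
  self.setRowSelectionAllowed(True)
+ # Enables multi-row selection
+ self.setSelectionMode(ListSelectionModel.MULTIPLE_INTERVAL_SELECTION)
 
  def prepareRenderer(self, renderer, row, col):
  comp = JTable.prepareRenderer(self, renderer, row, col)
  value = self._extender.tableModel.getValueAt(self._extender.logTable.convertRowIndexToModel(row), col)
-
  if col == 6 or col == 7:
  if value == self._extender.BYPASSSED_STR:
  comp.setBackground(Color(255, 153, 153))
@@ -169,11 +187,10 @@
  comp.setForeground(Color.BLACK)
  comp.setBackground(Color.WHITE)
 
- selectedRow = self._extender.logTable.getSelectedRow()
- if selectedRow == row:
+ selectedRows = self._extender.logTable.getSelectedRows()
+ if row in selectedRows:
  comp.setBackground(Color(201, 215, 255))
  comp.setForeground(Color.BLACK)
-
 
  return comp
 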
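Review bot: `TableSelectionListener.valueChanged` reads `self._table`, but `__init__` only stores `self._extender`, so the first selection event would raise AttributeError if this listener is ever registered (no registration is visible in this section). If it were wired to a real table it would delete rows as soon as they are selected, and it passes view indices to `removeRows` without `convertRowIndexToModel`; deletion probably belongs only in the explicit menu action, so the class could be dropped. `removeRows` also sorts the caller's list in place and mutates `self._extender._log` without taking `self._extender._lock`. If the listener thread appends to `_log` under that lock, the pop loop should run inside `with self._extender._lock:` as well; how `_lock` is used elsewhere is not visible here and should be confirmed.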
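--- a/gui/tabs.py
+++ b/gui/tabs.py
@@ -23,13 +23,16 @@
 
 from thread import start_new_thread
 
-from table import Table, LogEntry, TableRowFilter
+from table import Table, LogEntry, TableRowFilter, UpdateTableEDT
 from helpers.filters import expand, collapse
 from javax.swing import KeyStroke
 from javax.swing import JTable
 from javax.swing import AbstractAction
 from java.awt.event import KeyEvent
 from java.awt.event import InputEvent
+from javax.swing import SwingUtilities
+from javax.swing import ListSelectionModel
+from javax.swing.ListSelectionModel import MULTIPLE_INTERVAL_SELECTION
 
 
 class ITabImpl(ITab):
@@ -83,10 +86,12 @@
  sendRequestMenu2.addActionListener(SendRequestRepeater(self._extender, self._extender._callbacks, False))
 
  # Define the key combination for the shortcut
-
- # The keystroke combo is: Mac -> Command + r / Windows control + r
- # This is used to send to the repeater function in burp
- controlR = KeyStroke.getKeyStroke(KeyEvent.VK_R, Toolkit.getDefaultToolkit().getMenuShortcutKeyMaskEx())
+ try:
+ # The keystroke combo is: Mac -> Command + r / Windows control + r
+ # This is used to send to the repeater function in burp
+ controlR = KeyStroke.getKeyStroke(KeyEvent.VK_R, Toolkit.getDefaultToolkit().getMenuShortcutKeyMaskEx())
+ except:
+ controlR = KeyStroke.getKeyStroke(KeyEvent.VK_R, InputEvent.CTRL_DOWN_MASK)
 
  # The keystroke combo is: Mac -> Command + c / Windows control + c
  # This is used to copy the URL to the keyboard.
@@ -124,7 +129,7 @@
  self._extender.menu.add(copyURLitem)
  self._extender.menu.add(retestSelecteditem)
  self._extender.menu.add(retestAllitem)
- # self.menu.add(deleteSelectedItem) disabling this feature until bug will be fixed.
+ self._extender.menu.add(deleteSelectedItem) # disabling this feature until bug will be fixed.
  message_editor = MessageEditor(self._extender)
 
  self._extender.tabs = JTabbedPane()
@@ -218,13 +223,16 @@
  start_new_thread(retestAllRequests, (self._extender,))
 
 
-class DeleteSelectedRequest(ActionListener):
+class DeleteSelectedRequest(AbstractAction):
  def __init__(self, extender):
  self._extender = extender
 
  def actionPerformed(self, e):
- # TODO: Implement this function.
- pass
+ # Its ready to delete multiple rows at a time once we can figure out how to select multiple row.
+ rows = self._extender.logTable.getSelectedRows()
+ if len(rows) != 0:
+ rows = [self._extender.logTable.convertRowIndexToModel(row) for row in rows]
+ SwingUtilities.invokeLater(lambda: self._extender.tableModel.removeRows(rows))
 
 class CopySelectedURL(ActionListener):
  def __init__(self, extender):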
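Review bot: The bare `except:` around `getMenuShortcutKeyMaskEx()` swallows every error, including KeyboardInterrupt and genuine toolkit failures. If the intent is to fall back on Java runtimes that lack the method, `except AttributeError:` (presumably what Jython raises for a missing Java method) states that and lets anything else surface. On the menu line, `self._extender.menu.add(deleteSelectedItem) # disabling this feature until bug will be fixed.` now enables the item while its comment says the opposite, and the comment in `DeleteSelectedRequest.actionPerformed` still describes multi-row selection as unsolved; both should be updated or removed. The new import of `UpdateTableEDT` from `table` has no matching definition in the gui/table.py changes shown on this page, so confirm the name already exists there, otherwise this module fails to import.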
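--- a/helpers/filters.py
+++ b/helpers/filters.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 
 from java.awt import GridLayout
+from burp import IInterceptedProxyMessage
 
 def addFilterHelper(typeObj, model, textObj):
  typeName = typeObj.getSelectedItem().split(":")[0]
@@ -45,3 +46,13 @@
  extender.requests_panel.revalidate()
  extender.expanded_requests = 0
 
+def handle_proxy_message(self,message):
+ currentPort = message.getListenerInterface().split(":")[1]
+ for i in range(0, self.IFList.getModel().getSize()):
+ interceptionFilter = self.IFList.getModel().getElementAt(i)
+ interceptionFilterTitle = interceptionFilter.split(":")[0]
+ if interceptionFilterTitle == "Drop proxy listener ports":
+ portsList = interceptionFilter[27:].split(",")
+ portsList = [int(i) for i in portsList]
+ if int(currentPort) in portsList:
+ message.setInterceptAction(IInterceptedProxyMessage.ACTION_DROP)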
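Review bot: `portsList = [int(i) for i in portsList]` parses whatever was typed into the filter box on every proxied message, so a value such as an empty string or `8080, x` raises ValueError inside the proxy listener each time, presumably leaving the message undropped, so the drop filter fails open. The comprehension also reuses the loop variable `i`, which leaks into the enclosing scope on Python 2/Jython. Comparing strings avoids both problems: `portsList = [p.strip() for p in interceptionFilter[27:].split(",")]` followed by `if currentPort in portsList:`. `message.getListenerInterface().split(":")[1]` assumes exactly one colon; `rsplit(":", 1)[-1]` would still yield the port if the interface were an IPv6 address. A one-line docstring saying that the function sets ACTION_DROP for messages arriving on the listed listener ports would also help, since it is called for requests and responses alike.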
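--- a/helpers/http.py
+++ b/helpers/http.py
@@ -44,7 +44,7 @@
 
  for header in headers[:]:
  for removeHeader in removeHeaders:
- if header.startswith(removeHeader):
+ if header.lower().startswith(removeHeader.lower()):
  headers.remove(header)
 
  if authorizeOrNot: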
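Review bot: With the match now case-insensitive, two entries in `removeHeaders` that differ only in case (or share a prefix) can both match the same header, and the second `headers.remove(header)` then raises ValueError or removes a different, identical header. Adding `break` directly after `headers.remove(header)` ends the inner loop once the header is gone. `startswith` is also a prefix match, so an entry like `Cookie` would strip a header named `Cookie-Extra:` too; if that is not intended, compare against `removeHeader.lower() + ":"`, assuming entries are bare header names, which is not visible here. The enclosing function starts and ends outside this section.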
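--- a/helpers/initiator.py
+++ b/helpers/initiator.py
@@ -19,7 +19,7 @@
 
  def init_constants(self):
  self.contributors = ["Federico Dotta", "mgeeky", "Marcin Woloszyn", "jpginc", "Eric Harris"]
- self._extender.version = 1.6
+ self._extender.version = 1.7
  self._extender._log = ArrayList()
  self._extender._lock = Lock()
 
@@ -64,6 +64,8 @@
  self._extender._callbacks.registerContextMenuFactory(menu)
  self._extender._callbacks.addSuiteTab(itab)
  self._extender._callbacks.registerHttpListener(self._extender)
+ self._extender._callbacks.registerProxyListener(self._extender)
+
 
  def init_ui(self):
  self._extender._callbacks.customizeUiComponent(self._extender._splitpane)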