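--- a/src/burp/ParamGuesser.java
+++ b/src/burp/ParamGuesser.java
@@ -31,6 +31,7 @@
 private ParamGrabber paramGrabber;
 private ParamAttack attack;
 private ConfigurableSettings config;
+private boolean forceHttp1;
 
 private byte[] staticCanary;
 
@@ -42,14 +43,16 @@
 this.stop = stop;
 this.taskEngine = taskEngine;
 this.config = config;
+this.forceHttp1 = this.config.getBoolean("identify smuggle mutations") && this.type == Utilities.PARAM_HEADER;
 staticCanary = config.getString("canary").getBytes();
 }
 
-ParamGuesser(ParamAttack attack, ThreadPoolExecutor taskEngine, ConfigurableSettings config) {
+ParamGuesser(ParamAttack attack, ThreadPoolExecutor taskEngine, ConfigurableSettings config, boolean forceHttp1) {
 this.attack = attack;
 this.req = attack.getBaseRequestResponse();
 this.taskEngine = taskEngine;
 this.config = config;
+this.forceHttp1 = forceHttp1;
 staticCanary = config.getString("canary").getBytes();
 }
 
@@ -59,7 +62,7 @@
 if (req.getResponse() == null) {
 Utilities.log("Baserequest has no response - fetching...");
 try {
-req = Utilities.callbacks.makeHttpRequest(req.getHttpService(), req.getRequest());
+req = Utilities.callbacks.makeHttpRequest(req.getHttpService(), req.getRequest(), this.forceHttp1);
 } catch (RuntimeException e) {
 Utilities.out("Aborting attack due to failed lookup");
 return;
@@ -257,8 +260,8 @@
 continue;
 }
 
-Attack WAFCatcher = new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-header", submission)));
-WAFCatcher.addAttack(new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-head", submission))));
+Attack WAFCatcher = new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-header", submission), this.forceHttp1));
+WAFCatcher.addAttack(new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-head", submission), this.forceHttp1)));
 if (!Utilities.similar(WAFCatcher, confirmParamGuess)) {
 Probe validParam = new Probe("Found unlinked param: " + submission, 4, submission);
 validParam.setEscapeStrings(Keysmith.permute(submission), Keysmith.permute(submission, false));
@@ -320,7 +323,7 @@
 altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase)));
 injector.probeAttack(submission, mutation);
 
-paramGrab = new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase));
+paramGrab = new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1));
 if (!Utilities.similar(altBase, paramGrab)) {
 
 if (candidates.size() > 1) {
@@ -337,10 +340,10 @@
 evidence[2] = paramGrab.getFirstRequest();
 Utilities.callbacks.addScanIssue(new CustomScanIssue(service, Utilities.getURL(baseRequestResponse), evidence, "Secret parameter", "Parameter name: '" + candidates + "'. Review the three requests attached in chronological order.", "Medium", "Tentative", "Investigate"));
 
-altBase = new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase));
-altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase)));
-altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase)));
-altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase)));
+altBase = new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1));
+altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1)));
+altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1)));
+altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1)));
 }
 }
 }
@@ -350,7 +353,7 @@
 
 
 state.incrStop();
-taskEngine.execute(new ParamGuesser(state, taskEngine, config));
+taskEngine.execute(new ParamGuesser(state, taskEngine, config, this.forceHttp1));
 
 return attacks;
 }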
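Review bot: The context line at new line 323, `altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase)));`, still uses the two-argument call, while the `paramGrab` request right after it (new line 326) now passes `this.forceHttp1`. If the two-argument form is free to negotiate HTTP/2, `Utilities.similar(altBase, paramGrab)` would compare responses fetched over different protocol versions, which could raise a spurious "Secret parameter" issue or mask a real difference. The line should read `altBase.addAttack(new Attack(Utilities.callbacks.makeHttpRequest(service, invertedBase, this.forceHttp1)));`, and the initial `altBase` construction in the skipped lines above it deserves the same check. Separately, the first constructor reads `this.type` when computing `forceHttp1` (new line 46); the assignment of `type` is not visible in this section, so confirm it happens before that line, otherwise the flag is computed from the field's default value.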