Projects STRLCPY param-miner Commits 3ee14bcf
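--- a/src/burp/BurpExtender.java
+++ b/src/burp/BurpExtender.java
@@ -142,6 +142,7 @@
 new NormalisedParamScan("normalised param");
 new NormalisedPathScan("normalised path");
 new RailsUtmScan("rails param cloaking scan");
+new HeaderMutationScan("identify header smuggling mutations");
 
 
 new BulkScanLauncher(BulkScan.scans);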
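--- a/src/burp/MutationGuesser.java
+++ b/src/burp/HeaderMutationGuesser.java
@@ -5,19 +5,17 @@
 import java.util.HashMap;
 import java.util.Iterator;
 
-public class MutationGuesser {
+public class HeaderMutationGuesser {
 private ConfigurableSettings config;
 private IHttpRequestResponse req;
-private ParamAttack attack;
 private IHttpService service;
 public HashMap<String, IHttpRequestResponse[]> evidence;
 private String[][] testHeaders;
 
-MutationGuesser(IHttpRequestResponse req, ParamAttack attack, ConfigurableSettings config) {
+HeaderMutationGuesser(IHttpRequestResponse req, ConfigurableSettings config) {
 this.req = req;
-this.attack = attack;
 this.config = config;
-this.service = this.attack.getBaseRequestResponse().getHttpService();
+this.service = req.getHttpService();
 this.evidence = new HashMap<String, IHttpRequestResponse[]>();
 
 this.testHeaders = new String[][]{
@@ -88,6 +86,27 @@
 
 // TODO: Maybe re-check mutations to deal with inconsistent servers?
 return ret;
+}
+
+public void reportMutations(ArrayList<String> mutations) {
+Iterator<String> iterator = mutations.iterator();
+while (iterator.hasNext()) {
+String mutation = iterator.next();
+String urlStr = Utilities.getURL(this.req).toString();
+Utilities.out("Found mutation against " + urlStr + ": " + mutation);
+IHttpRequestResponse[] evidence = this.evidence.get(mutation);
+IHttpService service = evidence[0].getHttpService();
+Utilities.callbacks.addScanIssue(new CustomScanIssue(
+service,
+Utilities.helpers.analyzeRequest(service, evidence[0].getRequest()).getUrl(),
+evidence,
+"Header mutation found",
+"Headers can be snuck to a back-end server using the '" + mutation + "' mutation.",
+"Information",
+"Firm",
+"This issue is not exploitable on its own, but interesting headers may be able to be snuck through to backend servers."
+));
+}
 }
 
 private IHttpRequestResponse requestHeader(byte[] baseReq, String header) {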
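Review bot: In `reportMutations`, new lines 97–98 index the result of `this.evidence.get(mutation)` without a null check, so any mutation in the list that has no recorded evidence entry throws a NullPointerException and aborts reporting for every remaining mutation; whether `guessMutations` guarantees an entry for each mutation it returns is outside this hunk, so a guard such as `if (evidence == null || evidence.length == 0) { continue; }` before the `evidence[0]` access would make the method safe to call on its own. The `urlStr` lookup on line 95 is loop-invariant and can be hoisted above the loop, and the explicit `Iterator` plumbing reads more simply as `for (String mutation : mutations)`. The class body continues outside the hunk.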
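--- /dev/null
+++ b/src/burp/HeaderMutationScan.java
@@ -0,0 +1,21 @@
+package burp;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class HeaderMutationScan extends Scan {
+HeaderMutationScan(String name) {
+super(name);
+}
+
+
+@Override
+List<IScanIssue> doScan(IHttpRequestResponse req) {
+//new ParamGuesser(req, false, Utilities.PARAM_HEADER, BurpExtender.paramGrabber, null, 2147483647, Utilities.globalSettings).run();
+HeaderMutationGuesser guesser = new HeaderMutationGuesser(req, Utilities.globalSettings);
+ArrayList<String> mutations = guesser.guessMutations();
+guesser.reportMutations(mutations);
+return null;
+}
+}
+ 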
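Review bot: `guessMutations()` can apparently return null — the ParamGuesser call site elsewhere in this commit guards its result with `mutations != null` before use — yet new line 17 passes the result straight to `reportMutations`, which would fail on `mutations.iterator()`; guard the call: `if (mutations != null) { guesser.reportMutations(mutations); }`. Line 14 is commented-out code and should be deleted rather than kept as a reminder. Returning `null` from a `List<IScanIssue>`-typed `doScan` on line 18 pushes a null check onto the caller; `Collections.emptyList()` would be safer if the `Scan` base class accepts it, but its contract is outside this diff.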
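--- a/src/burp/ParamGuesser.java
+++ b/src/burp/ParamGuesser.java
@@ -1,14 +1,7 @@
 package burp;
 
 import org.apache.commons.collections4.queue.CircularFifoQueue;
-import org.graalvm.compiler.core.common.util.Util;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.lang.reflect.Array;
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.util.*;
 import java.util.concurrent.ThreadPoolExecutor;
 
@@ -81,7 +74,7 @@
 
 // Check for mutations
 if (this.type == Utilities.PARAM_HEADER && config.getBoolean("identify smuggle mutations")) {
-MutationGuesser mutationGuesser = new MutationGuesser(req, this.attack, this.config);
+HeaderMutationGuesser mutationGuesser = new HeaderMutationGuesser(req, this.config);
 ArrayList<String> mutations = mutationGuesser.guessMutations();
 this.attack.setHeaderMutations(mutations);
 
@@ -89,21 +82,7 @@
 if (mutations != null) {
 Iterator<String> iterator = mutations.iterator();
 while (iterator.hasNext()) {
-String mutation = iterator.next();
-String urlStr = this.attack.getTargetURL();
-Utilities.out("Found mutation against " + urlStr + ": " + mutation);
-IHttpRequestResponse[] evidence = mutationGuesser.evidence.get(mutation);
-IHttpService service = evidence[0].getHttpService();
-Utilities.callbacks.addScanIssue(new CustomScanIssue(
-service,
-Utilities.helpers.analyzeRequest(service, evidence[0].getRequest()).getUrl(),
-evidence,
-"Header mutation found",
-"Headers can be snuck to a back-end server using the '" + mutation + "' mutation.",
-"Information",
-"Firm",
-"This issue is not exploitable on its own, but interesting headers may be able to be snuck through to backend servers."
-));
+mutationGuesser.reportMutations(mutations);
 }
 }
 }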
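Review bot: The `while (iterator.hasNext())` loop at new lines 83–86 never advances its iterator, so it now spins forever whenever `mutations` is non-empty: the removed `String mutation = iterator.next();` was the only call that consumed the iterator, and `reportMutations(mutations)` already iterates the whole list itself, so each pass would also re-report every mutation as a fresh scan issue. Replace the iterator and loop with a single call inside the existing null check: `if (mutations != null) { mutationGuesser.reportMutations(mutations); }`. The enclosing method starts and ends outside the hunk.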