Projects STRLCPY param-miner Commits 796aea58
  • ■ ■ ■ ■ ■ ■
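--- a/src/burp/MutationGuesser.java
+++ b/src/burp/MutationGuesser.java
@@ -11,6 +11,7 @@
  private ParamAttack attack;
  private IHttpService service;
  public HashMap<String, IHttpRequestResponse[]> evidence;
+ private String[][] testHeaders;
 
  MutationGuesser(IHttpRequestResponse req, ParamAttack attack, ConfigurableSettings config) {
  this.req = req;
@@ -18,6 +19,11 @@
  this.config = config;
  this.service = this.attack.getBaseRequestResponse().getHttpService();
  this.evidence = new HashMap<String, IHttpRequestResponse[]>();
+
+ this.testHeaders = new String[][]{
+ {"Content-Length: 0", "Content-Length: z"},
+ {"Range: bytes=0-", "Range: z"}
+ };
  }
 
  // Returns the mutation names used by HeaderMutator
@@ -39,31 +45,36 @@
 
  // Test all the mutations to find back-end errors
  HeaderMutator mutator = new HeaderMutator();
- Iterator<String> iterator = mutator.mutations.iterator();
- String testHeaderInvalid = "Content-Length: z";
- String testHeaderValid = "Content-Length: 0";
- while(iterator.hasNext()) {
- String mutation = iterator.next();
- byte[] mutated = mutator.mutate(testHeaderInvalid, mutation);
- IHttpRequestResponse testReqResp = this.requestHeader(baseReq, mutated);
- byte[] testReq = testReqResp.getResponse();
+ for (int i = 0; i< this.testHeaders.length; i++) {
+ Iterator<String> iterator = mutator.mutations.iterator();
+ String testHeaderValid = this.testHeaders[i][0];
+ String testHeaderInvalid = this.testHeaders[i][1];
+ while (iterator.hasNext()) {
+ String mutation = iterator.next();
+ if (ret.contains(mutation)) {
+ continue;
+ }
+ byte[] mutated = mutator.mutate(testHeaderInvalid, mutation);
+ IHttpRequestResponse testReqResp = this.requestHeader(baseReq, mutated);
+ byte[] testReq = testReqResp.getResponse();
 
- // Check that:
- // 1. We have a different error than the front-end error
- // 2. We have an error at all (i.e. not the same as the base request
- // In this case, confirm that we get no error (i.e. the base response) with mutation(CL: 0)
- if (!this.requestMatch(frontError, testReq) && !this.requestMatch(noErr, testReq)) {
- mutated = mutator.mutate(testHeaderValid, mutation);
- IHttpRequestResponse validReqResp = this.requestHeader(baseReq, mutated);
- byte[] validResp = validReqResp.getResponse();
- if (this.requestMatch(noErr, validResp)) {
- ret.add(mutation);
- IHttpRequestResponse[] reqs = new IHttpRequestResponse[4];
- reqs[0] = frontErrReq;
- reqs[1] = noErrReq;
- reqs[2] = testReqResp;
- reqs[3] = validReqResp;
- this.evidence.put(mutation, reqs);
+ // Check that:
+ // 1. We have a different error than the front-end error
+ // 2. We have an error at all (i.e. not the same as the base request
+ // In this case, confirm that we get no error (i.e. the base response) with mutation(CL: 0)
+ if (!this.requestMatch(frontError, testReq) && !this.requestMatch(noErr, testReq)) {
+ mutated = mutator.mutate(testHeaderValid, mutation);
+ IHttpRequestResponse validReqResp = this.requestHeader(baseReq, mutated);
+ byte[] validResp = validReqResp.getResponse();
+ if (this.requestMatch(noErr, validResp)) {
+ ret.add(mutation);
+ IHttpRequestResponse[] reqs = new IHttpRequestResponse[4];
+ reqs[0] = frontErrReq;
+ reqs[1] = noErrReq;
+ reqs[2] = testReqResp;
+ reqs[3] = validReqResp;
+ this.evidence.put(mutation, reqs);
+ }
  }
  }
  }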
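Review bot: The new `for` loop over `testHeaders` compares every header pair against the same `frontError` and `noErr` baselines, which are computed outside the hunk and are not refreshed per pair. If `frontError` was captured with an invalid Content-Length (as the removed hard-coded strings suggest), a front end's own rejection of `Range: z` would not match it and could be recorded in `evidence` as a back-end error, while a valid `Range: bytes=0-` may legitimately yield a partial-content response that never matches `noErr`. Consider capturing the unmutated invalid-header baseline for each pair at the top of the `for` body, and updating the stale comment to `// In this case, confirm that we get no error (i.e. the base response) with the mutated valid header`. `getResponse()` may also return null when a request fails, so a null check before `requestMatch` would be prudent unless that helper, which is not visible here, already handles it.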