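--- a/src/burp/MutationGuesser.java
+++ b/src/burp/MutationGuesser.java
@@ -11,6 +11,7 @@
 private ParamAttack attack;
 private IHttpService service;
 public HashMap<String, IHttpRequestResponse[]> evidence;
+private String[][] testHeaders;
 
 MutationGuesser(IHttpRequestResponse req, ParamAttack attack, ConfigurableSettings config) {
 this.req = req;
@@ -18,6 +19,11 @@
 this.config = config;
 this.service = this.attack.getBaseRequestResponse().getHttpService();
 this.evidence = new HashMap<String, IHttpRequestResponse[]>();
+
+this.testHeaders = new String[][]{
+{"Content-Length: 0", "Content-Length: z"},
+{"Range: bytes=0-", "Range: z"}
+};
 }
 
 // Returns the mutation names used by HeaderMutator
@@ -39,31 +45,36 @@
 
 // Test all the mutations to find back-end errors
 HeaderMutator mutator = new HeaderMutator();
-Iterator<String> iterator = mutator.mutations.iterator();
-String testHeaderInvalid = "Content-Length: z";
-String testHeaderValid = "Content-Length: 0";
-while(iterator.hasNext()) {
-String mutation = iterator.next();
-byte[] mutated = mutator.mutate(testHeaderInvalid, mutation);
-IHttpRequestResponse testReqResp = this.requestHeader(baseReq, mutated);
-byte[] testReq = testReqResp.getResponse();
+for (int i = 0; i< this.testHeaders.length; i++) {
+Iterator<String> iterator = mutator.mutations.iterator();
+String testHeaderValid = this.testHeaders[i][0];
+String testHeaderInvalid = this.testHeaders[i][1];
+while (iterator.hasNext()) {
+String mutation = iterator.next();
+if (ret.contains(mutation)) {
+continue;
+}
+byte[] mutated = mutator.mutate(testHeaderInvalid, mutation);
+IHttpRequestResponse testReqResp = this.requestHeader(baseReq, mutated);
+byte[] testReq = testReqResp.getResponse();
 
-// Check that:
-// 1. We have a different error than the front-end error
-// 2. We have an error at all (i.e. not the same as the base request
-// In this case, confirm that we get no error (i.e. the base response) with mutation(CL: 0)
-if (!this.requestMatch(frontError, testReq) && !this.requestMatch(noErr, testReq)) {
-mutated = mutator.mutate(testHeaderValid, mutation);
-IHttpRequestResponse validReqResp = this.requestHeader(baseReq, mutated);
-byte[] validResp = validReqResp.getResponse();
-if (this.requestMatch(noErr, validResp)) {
-ret.add(mutation);
-IHttpRequestResponse[] reqs = new IHttpRequestResponse[4];
-reqs[0] = frontErrReq;
-reqs[1] = noErrReq;
-reqs[2] = testReqResp;
-reqs[3] = validReqResp;
-this.evidence.put(mutation, reqs);
+// Check that:
+// 1. We have a different error than the front-end error
+// 2. We have an error at all (i.e. not the same as the base request
+// In this case, confirm that we get no error (i.e. the base response) with mutation(CL: 0)
+if (!this.requestMatch(frontError, testReq) && !this.requestMatch(noErr, testReq)) {
+mutated = mutator.mutate(testHeaderValid, mutation);
+IHttpRequestResponse validReqResp = this.requestHeader(baseReq, mutated);
+byte[] validResp = validReqResp.getResponse();
+if (this.requestMatch(noErr, validResp)) {
+ret.add(mutation);
+IHttpRequestResponse[] reqs = new IHttpRequestResponse[4];
+reqs[0] = frontErrReq;
+reqs[1] = noErrReq;
+reqs[2] = testReqResp;
+reqs[3] = validReqResp;
+this.evidence.put(mutation, reqs);
+}
 }
 }
 }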
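Review bot: The front-end baseline `frontError` is reused for every header pair in the new outer loop (new lines 48-65), but it is built in lines not shown here; if it was captured only for `Content-Length: z`, a front-end that answers `Range: z` with a different error of its own passes both `requestMatch` checks and the mutation is recorded in `evidence` as reaching the back-end, which would be a false positive. Refreshing the baseline per pair at the top of the `for` body would avoid this, e.g. `frontErrReq = this.requestHeader(baseReq, testHeaderInvalid.getBytes()); frontError = frontErrReq.getResponse();` (assuming `requestHeader` accepts the raw header bytes, as its use with `mutated` suggests). A back-end that honours `Range: bytes=0-` may also reply 206 instead of the base response, so `requestMatch(noErr, validResp)` could discard genuine hits, depending on what `requestMatch` compares. The comment on new line 64 still says `mutation(CL: 0)` and would read better as `mutation(valid header)`. The enclosing method starts and ends outside the visible lines.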