🤬
Showing first 55 files as there are too many
  • ■ ■ ■ ■ ■ ■
    .gitignore
     1 +# Compiled class file
     2 +*.class
     3 + 
     4 +# Log file
     5 +*.log
     6 + 
     7 +# BlueJ files
     8 +*.ctxt
     9 + 
     10 +# Mobile Tools for Java (J2ME)
     11 +.mtj.tmp/
     12 + 
     13 +# Package Files #
     14 +*.war
     15 +*.nar
     16 +*.ear
     17 +*.zip
     18 +*.tar.gz
     19 +*.rar
     20 + 
     21 +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
     22 +hs_err_pid*
     23 + 
     24 +# manually added
     25 +out/
     26 +Burp.iml
     27 +CYS4-SensitiveDiscoverer.iml
     28 +src/build/
     29 +.idea
     30 +*.jar
     31 +*.lst
     32 + 
     33 + 
     34 +target/maven-status/maven-compiler-plugin/compile/default-compile/
  • ■ ■ ■ ■ ■ ■
    LICENSE
     1 +CYS4-SensitiveDiscoverer Public Source License
     2 + 
     3 +The CYS4-SensitiveDiscoverer software (henceforth referred to simply as "CYS4-SensitiveDiscoverer") is dual-licensed - Copyright 2020 CYS4 Srl.
     4 + 
     5 +Cases that include commercialization of CYS4-SensitiveDiscoverer require a commercial, non-free license. Otherwise, CYS4-SensitiveDiscoverer can be used without charge under the terms set out below.
     6 + 
     7 +1. Definitions
     8 + 
     9 +1.1 "License" means this document.
     10 +1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns CYS4-SensitiveDiscoverer.
     11 +1.3 "CYS4-SensitiveDiscoverer Team" means CYS4-SensitiveDiscoverer’s core developers.
     12 + 
     13 +2. Commercialization
     14 + 
     15 +A commercial use is one intended for commercial advantage or monetary compensation.
     16 + 
     17 +Example cases of commercialization are:
     18 + 
     19 + - Using CYS4-SensitiveDiscoverer to provide commercial managed/Software-as-a-Service services.
     20 + - Distributing CYS4-SensitiveDiscoverer as a commercial product or as part of one.
     21 + - Using CYS4-SensitiveDiscoverer as a value added service/product.
     22 + 
     23 +Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
     24 + 
     25 + - Penetration testers (or penetration testing organizations) using CYS4-SensitiveDiscoverer as part of their assessment toolkit.
     26 + - Using CYS4-SensitiveDiscoverer to test your own systems.
     27 + - Any non-commercial use of CYS4-SensitiveDiscoverer.
     28 + 
     29 +If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - [email protected].
     30 + 
     31 +Free-use Terms and Conditions;
     32 + 
     33 +3. Redistribution
     34 + 
     35 +Redistribution is permitted under the following conditions:
     36 + 
     37 + - Unmodified License is provided with CYS4-SensitiveDiscoverer.
     38 + - Unmodified Copyright notices are provided with CYS4-SensitiveDiscoverer.
     39 + - Does not conflict with the commercialization clause.
     40 + 
     41 +4. Copying
     42 + 
     43 +Copying is permitted so long as it does not conflict with the Redistribution clause.
     44 + 
     45 +5. Modification
     46 + 
     47 +Modification is permitted so long as it does not conflict with the Redistribution clause.
     48 + 
     49 +6. Contributions
     50 + 
     51 +Any Contributions assume the Contributor grants the CYS4-SensitiveDiscoverer Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
     52 + 
     53 +7. Support
     54 + 
     55 +CYS4-SensitiveDiscoverer is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the CYS4-SensitiveDiscoverer Team.
     56 + 
     57 +8. Disclaimer of Warranty
     58 + 
     59 +CYS4-SensitiveDiscoverer is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the CYS4-SensitiveDiscoverer is free of defects, merchantable, fit for a particular purpose or non-infringing.
     60 + 
     61 +9. Limitation of Liability
     62 + 
     63 +To the extent permitted under Law, CYS4-SensitiveDiscoverer is provided under an AS-IS basis. The CYS4-SensitiveDiscoverer Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of CYS4-SensitiveDiscoverer's actions, failure, bugs and/or any other interaction between CYS4-SensitiveDiscoverer and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
     64 + 
     65 +10. Disclaimer
     66 + 
     67 +Running CYS4-SensitiveDiscoverer against websites without prior mutual consent may be illegal in your country. The CYS4-SensitiveDiscoverer Team accept no liability and are not responsible for any misuse or damage caused by CYS4-SensitiveDiscoverer.
     68 + 
     69 +11. Trademark
     70 + 
     71 +The "CYS4-SensitiveDiscoverer" term is a registered trademark. This License does not grant the use of the "CYS4-SensitiveDiscoverer" trademark.
  • ■ ■ ■ ■ ■ ■
    README.md
     1 +# CYS4-SensitiveDiscoverer
     2 + 
     3 +## Introduction
     4 + 
     5 +Burp Suite is a useful tool used to do web application security testing. While Burp Suite provides a lot of
     6 +functionalities, it does not offer the opportunity to scan for particular pattern or file extension inside HTTP messages
     7 +and is very tedius to check every message manually.
     8 +CYS4-SensitiveDiscoverer is a Burp Suite tool used to extract Regular Expression or File Extension form HTTP response automatically or
     9 +at the end of all tests or during the test. The plugin will be available with a pre-defined set of Regular Expression
     10 +and File Extension, but the you can choose which of them activate or deacvtivate and also create your own lists.
     11 + 
     12 +## Installation
     13 + 
     14 +To install CYS4-SensitiveDiscoverer manually, you have to:
     15 + 
     16 +1. Download newest CYS4-SensitiveDiscoverer from the Release page
     17 +2. Go to Extender -> Extension. Click Add. Set Extension type to Java. Set the path of the file download at step 1.
     18 + inside Extension file (.jar)
     19 +3. CYS4-SensitiveDiscoverer should appear inside Burp Extension list. Also you will see a new tab.
     20 + 
     21 +## Usage
     22 + 
     23 +The default configuration has a list of regural expression and file extension. To see the predefined list go to Options
     24 +TAB. Here you can choose which of them activate or not or you can choose to insert your own regular expression or file
     25 +extension. For both of them there are a list of actions to interact with them The actions are:
     26 + 
     27 +- **Reset**: the plugin will reset the default list of regular expression or file extension.
     28 +- **New**: a pop-up will appear and offer the opportunity to insert a new regular expression or file extension.
     29 +- **Delete**: after selecting a row, this will be deleted from the list.
     30 +- **Clear**: the plugin will clear the list leave them empty.
     31 +- **Open**: a pop-up will appear and offer the opportunity to insert in bulk a list of regular expression or file
     32 + extension from a file.
     33 +- **Save**: the plugin offer the possibility to save your custom list for future tests. After you have select your own
     34 + desired configuration you can start to find sensitive informations inside HTTP messages. The plugin will be execute in
     35 + two different modes:
     36 + 
     37 +1. **Analyze HTTP History**: the plugin will parse all http history generated from that moment and it will find any
     38 + active pattern
     39 +2. **Live**: the plugin will parse request by request as the user will generates one from his web browser.
     40 + 
     41 +## Credits
     42 + 
     43 +CYS4 was born in 2015 from a collaboration with an Israeli company in the world of Cyber ​​Security, then detaching its team ensuring the focus on innovation and quality towards a national context.
     44 + 
     45 +Check out our [blog](https://blog.cys4.com/) for more information.
     46 + 
     47 +## References
     48 + 
     49 +- [shhgit](https://github.com/eth0izzle/shhgit/blob/master/config.yaml): Regex and File Extension database used in this project.
     50 + 
     51 + 
     52 + 
  • ■ ■ ■ ■ ■ ■
    pom.xml
     1 +<?xml version="1.0" encoding="UTF-8"?>
     2 +<project xmlns="http://maven.apache.org/POM/4.0.0"
     3 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     4 + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     5 + <modelVersion>4.0.0</modelVersion>
     6 + 
     7 + <groupId>groupId</groupId>
     8 + <artifactId>CYS4-SensitiveDiscoverer</artifactId>
     9 + <version>1.0</version>
     10 + 
     11 + <properties>
     12 + <maven.compiler.source>15</maven.compiler.source>
     13 + <maven.compiler.target>15</maven.compiler.target>
     14 + </properties>
     15 + 
     16 + <dependencies>
     17 + <dependency>
     18 + <groupId>net.portswigger.burp.extender</groupId>
     19 + <artifactId>burp-extender-api</artifactId>
     20 + <version>2.2</version>
     21 + </dependency>
     22 + <dependency>
     23 + <groupId>com.google.code.gson</groupId>
     24 + <artifactId>gson</artifactId>
     25 + <version>2.8.8</version>
     26 + </dependency>
     27 + </dependencies>
     28 + 
     29 + <build>
     30 + <resources>
     31 + <resource>
     32 + <directory>${basedir}/src/main/java/cys4/resources</directory>
     33 + <filtering>false</filtering>
     34 + <includes>
     35 + <include>extension.json</include>
     36 + <include>regex.json</include>
     37 + <include>config.properties</include>
     38 + <include>mime_types.json</include>
     39 + </includes>
     40 + </resource>
     41 + </resources>
     42 + <plugins>
     43 + <!-- any other plugins -->
     44 + <plugin>
     45 + <artifactId>maven-assembly-plugin</artifactId>
     46 + <executions>
     47 + <execution>
     48 + <phase>package</phase>
     49 + <goals>
     50 + <goal>single</goal>
     51 + </goals>
     52 + </execution>
     53 + </executions>
     54 + <configuration>
     55 + <descriptorRefs>
     56 + <descriptorRef>jar-with-dependencies</descriptorRef>
     57 + </descriptorRefs>
     58 + </configuration>
     59 + </plugin>
     60 + </plugins>
     61 + </build>
     62 +</project>
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/BurpExtender.java
     1 +package burp;
     2 + 
     3 +import cys4.ui.MainUI;
     4 +import cys4.model.ExtensionEntity;
     5 +import cys4.model.RegexEntity;
     6 +import cys4.seed.BurpLeaksSeed;
     7 + 
     8 +import java.io.PrintWriter;
     9 +import java.util.ArrayList;
     10 +import java.util.List;
     11 + 
     12 +public class BurpExtender implements IBurpExtender {
     13 + private IBurpExtenderCallbacks callbacks;
     14 + private IExtensionHelpers helpers;
     15 + 
     16 + //private List<LogEntity> _lLogEntries = new ArrayList<>();
     17 + private List<RegexEntity> _lRegexes;
     18 + private List<ExtensionEntity> _lExtensions;
     19 + private MainUI mainUI;
     20 + 
     21 + // Implement default constructor
     22 + public BurpExtender()
     23 + {
     24 + _lRegexes = new ArrayList<>();
     25 + _lExtensions = new ArrayList<>();
     26 + }
     27 + 
     28 + //
     29 + // implement IBurpExtender
     30 + //
     31 + @Override
     32 + public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
     33 + 
     34 + 
     35 + // get regexes and extensions
     36 + BurpLeaksSeed bls = new BurpLeaksSeed();
     37 +
     38 + this._lRegexes = BurpLeaksSeed.getRegex();
     39 + this._lExtensions = BurpLeaksSeed.getExtensions();
     40 + 
     41 + // keep a reference to our callbacks object
     42 + this.callbacks = callbacks;
     43 + 
     44 + // obtain an extension helpers object
     45 + this.helpers = callbacks.getHelpers();
     46 + 
     47 + // init the main UI methods
     48 + this.mainUI = new MainUI(_lRegexes, _lExtensions, callbacks);
     49 + this.mainUI.createUI();
     50 + 
     51 + // set our extension name
     52 + callbacks.setExtensionName(mainUI.getNameExtension());
     53 +
     54 + }
     55 +}
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IBurpCollaboratorClientContext.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IBurpCollaboratorClientContext.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * This interface represents an instance of a Burp Collaborator client context,
     17 + * which can be used to generate Burp Collaborator payloads and poll the
     18 + * Collaborator server for any network interactions that result from using those
     19 + * payloads. Extensions can obtain new instances of this class by calling
     20 + * <code>IBurpExtenderCallbacks.createBurpCollaboratorClientContext()</code>.
     21 + * Note that each Burp Collaborator client context is tied to the Collaborator
     22 + * server configuration that was in place at the time the context was created.
     23 + */
     24 +public interface IBurpCollaboratorClientContext {
     25 +
     26 + /**
     27 + * This method is used to generate new Burp Collaborator payloads.
     28 + *
     29 + * @param includeCollaboratorServerLocation Specifies whether to include the
     30 + * Collaborator server location in the generated payload.
     31 + * @return The payload that was generated.
     32 + * @throws IllegalStateException if Burp Collaborator is disabled
     33 + */
     34 + String generatePayload(boolean includeCollaboratorServerLocation);
     35 +
     36 + /**
     37 + * This method is used to retrieve all interactions received by the
     38 + * Collaborator server resulting from payloads that were generated for this
     39 + * context.
     40 + *
     41 + * @return The Collaborator interactions that have occurred resulting from
     42 + * payloads that were generated for this context.
     43 + * @throws IllegalStateException if Burp Collaborator is disabled
     44 + */
     45 + List<IBurpCollaboratorInteraction> fetchAllCollaboratorInteractions();
     46 +
     47 + /**
     48 + * This method is used to retrieve interactions received by the Collaborator
     49 + * server resulting from a single payload that was generated for this
     50 + * context.
     51 + *
     52 + * @param payload The payload for which interactions will be retrieved.
     53 + * @return The Collaborator interactions that have occurred resulting from
     54 + * the given payload.
     55 + * @throws IllegalStateException if Burp Collaborator is disabled
     56 + */
     57 + List<IBurpCollaboratorInteraction> fetchCollaboratorInteractionsFor(String payload);
     58 +
     59 + /**
     60 + * This method is used to retrieve all interactions made by Burp Infiltrator
     61 + * instrumentation resulting from payloads that were generated for this
     62 + * context.
     63 + *
     64 + * @return The interactions triggered by the Burp Infiltrator
     65 + * instrumentation that have occurred resulting from payloads that were
     66 + * generated for this context.
     67 + * @throws IllegalStateException if Burp Collaborator is disabled
     68 + */
     69 + List<IBurpCollaboratorInteraction> fetchAllInfiltratorInteractions();
     70 +
     71 + /**
     72 + * This method is used to retrieve interactions made by Burp Infiltrator
     73 + * instrumentation resulting from a single payload that was generated for
     74 + * this context.
     75 + *
     76 + * @param payload The payload for which interactions will be retrieved.
     77 + * @return The interactions triggered by the Burp Infiltrator
     78 + * instrumentation that have occurred resulting from the given payload.
     79 + * @throws IllegalStateException if Burp Collaborator is disabled
     80 + */
     81 + List<IBurpCollaboratorInteraction> fetchInfiltratorInteractionsFor(String payload);
     82 +
     83 + /**
     84 + * This method is used to retrieve the network location of the Collaborator
     85 + * server.
     86 + *
     87 + * @return The hostname or IP address of the Collaborator server.
     88 + * @throws IllegalStateException if Burp Collaborator is disabled
     89 + */
     90 + String getCollaboratorServerLocation();
     91 +}
     92 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IBurpCollaboratorInteraction.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IBurpCollaboratorInteraction.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.Map;
     14 +
     15 +/**
     16 + * This interface represents a network interaction that occurred with the Burp
     17 + * Collaborator server.
     18 + */
     19 +public interface IBurpCollaboratorInteraction {
     20 +
     21 + /**
     22 + * This method is used to retrieve a property of the interaction. Properties
     23 + * of all interactions are: interaction_id, type, client_ip, and time_stamp.
     24 + * Properties of DNS interactions are: query_type and raw_query. The
     25 + * raw_query value is Base64-encoded. Properties of HTTP interactions are:
     26 + * protocol, request, and response. The request and response values are
     27 + * Base64-encoded.
     28 + *
     29 + * @param name The name of the property to retrieve.
     30 + * @return A string representing the property value, or null if not present.
     31 + */
     32 + String getProperty(String name);
     33 +
     34 + /**
     35 + * This method is used to retrieve a map containing all properties of the
     36 + * interaction.
     37 + *
     38 + * @return A map containing all properties of the interaction.
     39 + */
     40 + Map<String, String> getProperties();
     41 +}
     42 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IBurpExtender.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IBurpExtender.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * All extensions must implement this interface.
     15 + * <p>
     16 + * Implementations must be called BurpExtender, in the package burp, must be
     17 + * declared public, and must provide a default (public, no-argument)
     18 + * constructor.
     19 + */
     20 +public interface IBurpExtender {
     21 + /**
     22 + * This method is invoked when the extension is loaded. It registers an
     23 + * instance of the
     24 + * <code>IBurpExtenderCallbacks</code> interface, providing methods that may
     25 + * be invoked by the extension to perform various actions.
     26 + *
     27 + * @param callbacks An
     28 + * <code>IBurpExtenderCallbacks</code> object.
     29 + */
     30 + void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks);
     31 +}
     32 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IBurpExtenderCallbacks.java
     1 +package burp;
     2 + 
     3 +/*
     4 + * @(#)IBurpExtenderCallbacks.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 + 
     13 +import java.awt.Component;
     14 +import java.io.OutputStream;
     15 +import java.util.List;
     16 +import java.util.Map;
     17 + 
     18 +/**
     19 + * This interface is used by Burp Suite to pass to extensions a set of callback
     20 + * methods that can be used by extensions to perform various actions within
     21 + * Burp.
     22 + * <p>
     23 + * When an extension is loaded, Burp invokes its
     24 + * <code>registerExtenderCallbacks()</code> method and passes an instance of the
     25 + * <code>IBurpExtenderCallbacks</code> interface. The extension may then invoke
     26 + * the methods of this interface as required in order to extend Burp's
     27 + * functionality.
     28 + */
     29 +public interface IBurpExtenderCallbacks {
     30 + 
     31 + /**
     32 + * Flag used to identify Burp Suite as a whole.
     33 + */
     34 + int TOOL_SUITE = 0x00000001;
     35 + /**
     36 + * Flag used to identify the Burp Target tool.
     37 + */
     38 + int TOOL_TARGET = 0x00000002;
     39 + /**
     40 + * Flag used to identify the Burp Proxy tool.
     41 + */
     42 + int TOOL_PROXY = 0x00000004;
     43 + /**
     44 + * Flag used to identify the Burp Spider tool.
     45 + */
     46 + int TOOL_SPIDER = 0x00000008;
     47 + /**
     48 + * Flag used to identify the Burp Scanner tool.
     49 + */
     50 + int TOOL_SCANNER = 0x00000010;
     51 + /**
     52 + * Flag used to identify the Burp Intruder tool.
     53 + */
     54 + int TOOL_INTRUDER = 0x00000020;
     55 + /**
     56 + * Flag used to identify the Burp Repeater tool.
     57 + */
     58 + int TOOL_REPEATER = 0x00000040;
     59 + /**
     60 + * Flag used to identify the Burp Sequencer tool.
     61 + */
     62 + int TOOL_SEQUENCER = 0x00000080;
     63 + /**
     64 + * Flag used to identify the Burp Decoder tool.
     65 + */
     66 + int TOOL_DECODER = 0x00000100;
     67 + /**
     68 + * Flag used to identify the Burp Comparer tool.
     69 + */
     70 + int TOOL_COMPARER = 0x00000200;
     71 + /**
     72 + * Flag used to identify the Burp Extender tool.
     73 + */
     74 + int TOOL_EXTENDER = 0x00000400;
     75 + 
     76 + /**
     77 + * This method is used to set the display name for the current extension,
     78 + * which will be displayed within the user interface for the Extender tool.
     79 + *
     80 + * @param name The extension name.
     81 + */
     82 + void setExtensionName(String name);
     83 + 
     84 + /**
     85 + * This method is used to obtain an <code>IExtensionHelpers</code> object,
     86 + * which can be used by the extension to perform numerous useful tasks.
     87 + *
     88 + * @return An object containing numerous helper methods, for tasks such as
     89 + * building and analyzing HTTP requests.
     90 + */
     91 + IExtensionHelpers getHelpers();
     92 + 
     93 + /**
     94 + * This method is used to obtain the current extension's standard output
     95 + * stream. Extensions should write all output to this stream, allowing the
     96 + * Burp user to configure how that output is handled from within the UI.
     97 + *
     98 + * @return The extension's standard output stream.
     99 + */
     100 + OutputStream getStdout();
     101 + 
     102 + /**
     103 + * This method is used to obtain the current extension's standard error
     104 + * stream. Extensions should write all error messages to this stream,
     105 + * allowing the Burp user to configure how that output is handled from
     106 + * within the UI.
     107 + *
     108 + * @return The extension's standard error stream.
     109 + */
     110 + OutputStream getStderr();
     111 + 
     112 + /**
     113 + * This method prints a line of output to the current extension's standard
     114 + * output stream.
     115 + *
     116 + * @param output The message to print.
     117 + */
     118 + void printOutput(String output);
     119 + 
     120 + /**
     121 + * This method prints a line of output to the current extension's standard
     122 + * error stream.
     123 + *
     124 + * @param error The message to print.
     125 + */
     126 + void printError(String error);
     127 + 
     128 + /**
     129 + * This method is used to register a listener which will be notified of
     130 + * changes to the extension's state. <b>Note:</b> Any extensions that start
     131 + * background threads or open system resources (such as files or database
     132 + * connections) should register a listener and terminate threads / close
     133 + * resources when the extension is unloaded.
     134 + *
     135 + * @param listener An object created by the extension that implements the
     136 + * <code>IExtensionStateListener</code> interface.
     137 + */
     138 + void registerExtensionStateListener(IExtensionStateListener listener);
     139 + 
     140 + /**
     141 + * This method is used to retrieve the extension state listeners that are
     142 + * registered by the extension.
     143 + *
     144 + * @return A list of extension state listeners that are currently registered
     145 + * by this extension.
     146 + */
     147 + List<IExtensionStateListener> getExtensionStateListeners();
     148 + 
     149 + /**
     150 + * This method is used to remove an extension state listener that has been
     151 + * registered by the extension.
     152 + *
     153 + * @param listener The extension state listener to be removed.
     154 + */
     155 + void removeExtensionStateListener(IExtensionStateListener listener);
     156 + 
     157 + /**
     158 + * This method is used to register a listener which will be notified of
     159 + * requests and responses made by any Burp tool. Extensions can perform
     160 + * custom analysis or modification of these messages by registering an HTTP
     161 + * listener.
     162 + *
     163 + * @param listener An object created by the extension that implements the
     164 + * <code>IHttpListener</code> interface.
     165 + */
     166 + void registerHttpListener(IHttpListener listener);
     167 + 
     168 + /**
     169 + * This method is used to retrieve the HTTP listeners that are registered by
     170 + * the extension.
     171 + *
     172 + * @return A list of HTTP listeners that are currently registered by this
     173 + * extension.
     174 + */
     175 + List<IHttpListener> getHttpListeners();
     176 + 
     177 + /**
     178 + * This method is used to remove an HTTP listener that has been registered
     179 + * by the extension.
     180 + *
     181 + * @param listener The HTTP listener to be removed.
     182 + */
     183 + void removeHttpListener(IHttpListener listener);
     184 + 
     185 + /**
     186 + * This method is used to register a listener which will be notified of
     187 + * requests and responses being processed by the Proxy tool. Extensions can
     188 + * perform custom analysis or modification of these messages, and control
     189 + * in-UI message interception, by registering a proxy listener.
     190 + *
     191 + * @param listener An object created by the extension that implements the
     192 + * <code>IProxyListener</code> interface.
     193 + */
     194 + void registerProxyListener(IProxyListener listener);
     195 + 
     196 + /**
     197 + * This method is used to retrieve the Proxy listeners that are registered
     198 + * by the extension.
     199 + *
     200 + * @return A list of Proxy listeners that are currently registered by this
     201 + * extension.
     202 + */
     203 + List<IProxyListener> getProxyListeners();
     204 + 
     205 + /**
     206 + * This method is used to remove a Proxy listener that has been registered
     207 + * by the extension.
     208 + *
     209 + * @param listener The Proxy listener to be removed.
     210 + */
     211 + void removeProxyListener(IProxyListener listener);
     212 + 
     213 + /**
     214 + * This method is used to register a listener which will be notified of new
     215 + * issues that are reported by the Scanner tool. Extensions can perform
     216 + * custom analysis or logging of Scanner issues by registering a Scanner
     217 + * listener.
     218 + *
     219 + * @param listener An object created by the extension that implements the
     220 + * <code>IScannerListener</code> interface.
     221 + */
     222 + void registerScannerListener(IScannerListener listener);
     223 + 
     224 + /**
     225 + * This method is used to retrieve the Scanner listeners that are registered
     226 + * by the extension.
     227 + *
     228 + * @return A list of Scanner listeners that are currently registered by this
     229 + * extension.
     230 + */
     231 + List<IScannerListener> getScannerListeners();
     232 + 
     233 + /**
     234 + * This method is used to remove a Scanner listener that has been registered
     235 + * by the extension.
     236 + *
     237 + * @param listener The Scanner listener to be removed.
     238 + */
     239 + void removeScannerListener(IScannerListener listener);
     240 + 
     241 + /**
     242 + * This method is used to register a listener which will be notified of
     243 + * changes to Burp's suite-wide target scope.
     244 + *
     245 + * @param listener An object created by the extension that implements the
     246 + * <code>IScopeChangeListener</code> interface.
     247 + */
     248 + void registerScopeChangeListener(IScopeChangeListener listener);
     249 + 
     250 + /**
     251 + * This method is used to retrieve the scope change listeners that are
     252 + * registered by the extension.
     253 + *
     254 + * @return A list of scope change listeners that are currently registered by
     255 + * this extension.
     256 + */
     257 + List<IScopeChangeListener> getScopeChangeListeners();
     258 + 
     259 + /**
     260 + * This method is used to remove a scope change listener that has been
     261 + * registered by the extension.
     262 + *
     263 + * @param listener The scope change listener to be removed.
     264 + */
     265 + void removeScopeChangeListener(IScopeChangeListener listener);
     266 + 
     267 + /**
     268 + * This method is used to register a factory for custom context menu items.
     269 + * When the user invokes a context menu anywhere within Burp, the factory
     270 + * will be passed details of the invocation event, and asked to provide any
     271 + * custom context menu items that should be shown.
     272 + *
     273 + * @param factory An object created by the extension that implements the
     274 + * <code>IContextMenuFactory</code> interface.
     275 + */
     276 + void registerContextMenuFactory(IContextMenuFactory factory);
     277 + 
     278 + /**
     279 + * This method is used to retrieve the context menu factories that are
     280 + * registered by the extension.
     281 + *
     282 + * @return A list of context menu factories that are currently registered by
     283 + * this extension.
     284 + */
     285 + List<IContextMenuFactory> getContextMenuFactories();
     286 + 
     287 + /**
     288 + * This method is used to remove a context menu factory that has been
     289 + * registered by the extension.
     290 + *
     291 + * @param factory The context menu factory to be removed.
     292 + */
     293 + void removeContextMenuFactory(IContextMenuFactory factory);
     294 + 
     295 + /**
     296 + * This method is used to register a factory for custom message editor tabs.
     297 + * For each message editor that already exists, or is subsequently created,
     298 + * within Burp, the factory will be asked to provide a new instance of an
     299 + * <code>IMessageEditorTab</code> object, which can provide custom rendering
     300 + * or editing of HTTP messages.
     301 + *
     302 + * @param factory An object created by the extension that implements the
     303 + * <code>IMessageEditorTabFactory</code> interface.
     304 + */
     305 + void registerMessageEditorTabFactory(IMessageEditorTabFactory factory);
     306 + 
     307 + /**
     308 + * This method is used to retrieve the message editor tab factories that are
     309 + * registered by the extension.
     310 + *
     311 + * @return A list of message editor tab factories that are currently
     312 + * registered by this extension.
     313 + */
     314 + List<IMessageEditorTabFactory> getMessageEditorTabFactories();
     315 + 
     316 + /**
     317 + * This method is used to remove a message editor tab factory that has been
     318 + * registered by the extension.
     319 + *
     320 + * @param factory The message editor tab factory to be removed.
     321 + */
     322 + void removeMessageEditorTabFactory(IMessageEditorTabFactory factory);
     323 + 
     324 + /**
     325 + * This method is used to register a provider of Scanner insertion points.
     326 + * For each base request that is actively scanned, Burp will ask the
     327 + * provider to provide any custom scanner insertion points that are
     328 + * appropriate for the request.
     329 + *
     330 + * @param provider An object created by the extension that implements the
     331 + * <code>IScannerInsertionPointProvider</code> interface.
     332 + */
     333 + void registerScannerInsertionPointProvider(
     334 + IScannerInsertionPointProvider provider);
     335 + 
     336 + /**
     337 + * This method is used to retrieve the Scanner insertion point providers
     338 + * that are registered by the extension.
     339 + *
     340 + * @return A list of Scanner insertion point providers that are currently
     341 + * registered by this extension.
     342 + */
     343 + List<IScannerInsertionPointProvider> getScannerInsertionPointProviders();
     344 + 
     345 + /**
     346 + * This method is used to remove a Scanner insertion point provider that has
     347 + * been registered by the extension.
     348 + *
     349 + * @param provider The Scanner insertion point provider to be removed.
     350 + */
     351 + void removeScannerInsertionPointProvider(
     352 + IScannerInsertionPointProvider provider);
     353 + 
     354 + /**
     355 + * This method is used to register a custom Scanner check. When performing
     356 + * scanning, Burp will ask the check to perform active or passive scanning
     357 + * on the base request, and report any Scanner issues that are identified.
     358 + *
     359 + * @param check An object created by the extension that implements the
     360 + * <code>IScannerCheck</code> interface.
     361 + */
     362 + void registerScannerCheck(IScannerCheck check);
     363 + 
     364 + /**
     365 + * This method is used to retrieve the Scanner checks that are registered by
     366 + * the extension.
     367 + *
     368 + * @return A list of Scanner checks that are currently registered by this
     369 + * extension.
     370 + */
     371 + List<IScannerCheck> getScannerChecks();
     372 + 
     373 + /**
     374 + * This method is used to remove a Scanner check that has been registered by
     375 + * the extension.
     376 + *
     377 + * @param check The Scanner check to be removed.
     378 + */
     379 + void removeScannerCheck(IScannerCheck check);
     380 + 
     381 + /**
     382 + * This method is used to register a factory for Intruder payloads. Each
     383 + * registered factory will be available within the Intruder UI for the user
     384 + * to select as the payload source for an attack. When this is selected, the
     385 + * factory will be asked to provide a new instance of an
     386 + * <code>IIntruderPayloadGenerator</code> object, which will be used to
     387 + * generate payloads for the attack.
     388 + *
     389 + * @param factory An object created by the extension that implements the
     390 + * <code>IIntruderPayloadGeneratorFactory</code> interface.
     391 + */
     392 + void registerIntruderPayloadGeneratorFactory(
     393 + IIntruderPayloadGeneratorFactory factory);
     394 + 
     395 + /**
     396 + * This method is used to retrieve the Intruder payload generator factories
     397 + * that are registered by the extension.
     398 + *
     399 + * @return A list of Intruder payload generator factories that are currently
     400 + * registered by this extension.
     401 + */
     402 + List<IIntruderPayloadGeneratorFactory>
     403 + getIntruderPayloadGeneratorFactories();
     404 + 
     405 + /**
     406 + * This method is used to remove an Intruder payload generator factory that
     407 + * has been registered by the extension.
     408 + *
     409 + * @param factory The Intruder payload generator factory to be removed.
     410 + */
     411 + void removeIntruderPayloadGeneratorFactory(
     412 + IIntruderPayloadGeneratorFactory factory);
     413 + 
     414 + /**
     415 + * This method is used to register a custom Intruder payload processor. Each
     416 + * registered processor will be available within the Intruder UI for the
     417 + * user to select as the action for a payload processing rule.
     418 + *
     419 + * @param processor An object created by the extension that implements the
     420 + * <code>IIntruderPayloadProcessor</code> interface.
     421 + */
     422 + void registerIntruderPayloadProcessor(IIntruderPayloadProcessor processor);
     423 + 
     424 + /**
     425 + * This method is used to retrieve the Intruder payload processors that are
     426 + * registered by the extension.
     427 + *
     428 + * @return A list of Intruder payload processors that are currently
     429 + * registered by this extension.
     430 + */
     431 + List<IIntruderPayloadProcessor> getIntruderPayloadProcessors();
     432 + 
     433 + /**
     434 + * This method is used to remove an Intruder payload processor that has been
     435 + * registered by the extension.
     436 + *
     437 + * @param processor The Intruder payload processor to be removed.
     438 + */
     439 + void removeIntruderPayloadProcessor(IIntruderPayloadProcessor processor);
     440 + 
     441 + /**
     442 + * This method is used to register a custom session handling action. Each
     443 + * registered action will be available within the session handling rule UI
     444 + * for the user to select as a rule action. Users can choose to invoke an
     445 + * action directly in its own right, or following execution of a macro.
     446 + *
     447 + * @param action An object created by the extension that implements the
     448 + * <code>ISessionHandlingAction</code> interface.
     449 + */
     450 + void registerSessionHandlingAction(ISessionHandlingAction action);
     451 + 
     452 + /**
     453 + * This method is used to retrieve the session handling actions that are
     454 + * registered by the extension.
     455 + *
     456 + * @return A list of session handling actions that are currently registered
     457 + * by this extension.
     458 + */
     459 + List<ISessionHandlingAction> getSessionHandlingActions();
     460 + 
     461 + /**
     462 + * This method is used to remove a session handling action that has been
     463 + * registered by the extension.
     464 + *
     465 + * @param action The extension session handling action to be removed.
     466 + */
     467 + void removeSessionHandlingAction(ISessionHandlingAction action);
     468 + 
     469 + /**
     470 + * This method is used to unload the extension from Burp Suite.
     471 + */
     472 + void unloadExtension();
     473 + 
     474 + /**
     475 + * This method is used to add a custom tab to the main Burp Suite window.
     476 + *
     477 + * @param tab An object created by the extension that implements the
     478 + * <code>ITab</code> interface.
     479 + */
     480 + void addSuiteTab(ITab tab);
     481 + 
     482 + /**
     483 + * This method is used to remove a previously-added tab from the main Burp
     484 + * Suite window.
     485 + *
     486 + * @param tab An object created by the extension that implements the
     487 + * <code>ITab</code> interface.
     488 + */
     489 + void removeSuiteTab(ITab tab);
     490 + 
     491 + /**
     492 + * This method is used to customize UI components in line with Burp's UI
     493 + * style, including font size, colors, table line spacing, etc. The action
     494 + * is performed recursively on any child components of the passed-in
     495 + * component.
     496 + *
     497 + * @param component The UI component to be customized.
     498 + */
     499 + void customizeUiComponent(Component component);
     500 + 
     501 + /**
     502 + * This method is used to create a new instance of Burp's HTTP message
     503 + * editor, for the extension to use in its own UI.
     504 + *
     505 + * @param controller An object created by the extension that implements the
     506 + * <code>IMessageEditorController</code> interface. This parameter is
     507 + * optional and may be <code>null</code>. If it is provided, then the
     508 + * message editor will query the controller when required to obtain details
     509 + * about the currently displayed message, including the
     510 + * <code>IHttpService</code> for the message, and the associated request or
     511 + * response message. If a controller is not provided, then the message
     512 + * editor will not support context menu actions, such as sending requests to
     513 + * other Burp tools.
     514 + * @param editable Indicates whether the editor created should be editable,
     515 + * or used only for message viewing.
     516 + * @return An object that implements the <code>IMessageEditor</code>
     517 + * interface, and which the extension can use in its own UI.
     518 + */
     519 + IMessageEditor createMessageEditor(IMessageEditorController controller,
     520 + boolean editable);
     521 + 
     522 + /**
     523 + * This method returns the command line arguments that were passed to Burp
     524 + * on startup.
     525 + *
     526 + * @return The command line arguments that were passed to Burp on startup.
     527 + */
     528 + String[] getCommandLineArguments();
     529 + 
     530 + /**
     531 + * This method is used to save configuration settings for the extension in a
     532 + * persistent way that survives reloads of the extension and of Burp Suite.
     533 + * Saved settings can be retrieved using the method
     534 + * <code>loadExtensionSetting()</code>.
     535 + *
     536 + * @param name The name of the setting.
     537 + * @param value The value of the setting. If this value is <code>null</code>
     538 + * then any existing setting with the specified name will be removed.
     539 + */
     540 + void saveExtensionSetting(String name, String value);
     541 + 
     542 + /**
     543 + * This method is used to load configuration settings for the extension that
     544 + * were saved using the method <code>saveExtensionSetting()</code>.
     545 + *
     546 + * @param name The name of the setting.
     547 + * @return The value of the setting, or <code>null</code> if no value is
     548 + * set.
     549 + */
     550 + String loadExtensionSetting(String name);
     551 + 
     552 + /**
     553 + * This method is used to create a new instance of Burp's plain text editor,
     554 + * for the extension to use in its own UI.
     555 + *
     556 + * @return An object that implements the <code>ITextEditor</code> interface,
     557 + * and which the extension can use in its own UI.
     558 + */
     559 + ITextEditor createTextEditor();
     560 + 
     561 + /**
     562 + * This method can be used to send an HTTP request to the Burp Repeater
     563 + * tool. The request will be displayed in the user interface, but will not
     564 + * be issued until the user initiates this action.
     565 + *
     566 + * @param host The hostname of the remote HTTP server.
     567 + * @param port The port of the remote HTTP server.
     568 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     569 + * @param request The full HTTP request.
     570 + * @param tabCaption An optional caption which will appear on the Repeater
     571 + * tab containing the request. If this value is <code>null</code> then a
     572 + * default tab index will be displayed.
     573 + */
     574 + void sendToRepeater(
     575 + String host,
     576 + int port,
     577 + boolean useHttps,
     578 + byte[] request,
     579 + String tabCaption);
     580 + 
     581 + /**
     582 + * This method can be used to send an HTTP request to the Burp Intruder
     583 + * tool. The request will be displayed in the user interface, and markers
     584 + * for attack payloads will be placed into default locations within the
     585 + * request.
     586 + *
     587 + * @param host The hostname of the remote HTTP server.
     588 + * @param port The port of the remote HTTP server.
     589 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     590 + * @param request The full HTTP request.
     591 + */
     592 + void sendToIntruder(
     593 + String host,
     594 + int port,
     595 + boolean useHttps,
     596 + byte[] request);
     597 + 
     598 + /**
     599 + * This method can be used to send an HTTP request to the Burp Intruder
     600 + * tool. The request will be displayed in the user interface, and markers
     601 + * for attack payloads will be placed into the specified locations within
     602 + * the request.
     603 + *
     604 + * @param host The hostname of the remote HTTP server.
     605 + * @param port The port of the remote HTTP server.
     606 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     607 + * @param request The full HTTP request.
     608 + * @param payloadPositionOffsets A list of index pairs representing the
     609 + * payload positions to be used. Each item in the list must be an int[2]
     610 + * array containing the start and end offsets for the payload position.
     611 + */
     612 + void sendToIntruder(
     613 + String host,
     614 + int port,
     615 + boolean useHttps,
     616 + byte[] request,
     617 + List<int[]> payloadPositionOffsets);
     618 + 
     619 + /**
     620 + * This method can be used to send data to the Comparer tool.
     621 + *
     622 + * @param data The data to be sent to Comparer.
     623 + */
     624 + void sendToComparer(byte[] data);
     625 + 
     626 + /**
     627 + * This method can be used to send a seed URL to the Burp Spider tool. If
     628 + * the URL is not within the current Spider scope, the user will be asked if
     629 + * they wish to add the URL to the scope. If the Spider is not currently
     630 + * running, it will be started. The seed URL will be requested, and the
     631 + * Spider will process the application's response in the normal way.
     632 + *
     633 + * @param url The new seed URL to begin spidering from.
     634 + */
     635 + void sendToSpider(
     636 + java.net.URL url);
     637 + 
     638 + /**
     639 + * This method can be used to send an HTTP request to the Burp Scanner tool
     640 + * to perform an active vulnerability scan. If the request is not within the
     641 + * current active scanning scope, the user will be asked if they wish to
     642 + * proceed with the scan.
     643 + *
     644 + * @param host The hostname of the remote HTTP server.
     645 + * @param port The port of the remote HTTP server.
     646 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     647 + * @param request The full HTTP request.
     648 + * @return The resulting scan queue item.
     649 + */
     650 + IScanQueueItem doActiveScan(
     651 + String host,
     652 + int port,
     653 + boolean useHttps,
     654 + byte[] request);
     655 + 
     656 + /**
     657 + * This method can be used to send an HTTP request to the Burp Scanner tool
     658 + * to perform an active vulnerability scan, based on a custom list of
     659 + * insertion points that are to be scanned. If the request is not within the
     660 + * current active scanning scope, the user will be asked if they wish to
     661 + * proceed with the scan.
     662 + *
     663 + * @param host The hostname of the remote HTTP server.
     664 + * @param port The port of the remote HTTP server.
     665 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     666 + * @param request The full HTTP request.
     667 + * @param insertionPointOffsets A list of index pairs representing the
     668 + * positions of the insertion points that should be scanned. Each item in
     669 + * the list must be an int[2] array containing the start and end offsets for
     670 + * the insertion point.
     671 + * @return The resulting scan queue item.
     672 + */
     673 + IScanQueueItem doActiveScan(
     674 + String host,
     675 + int port,
     676 + boolean useHttps,
     677 + byte[] request,
     678 + List<int[]> insertionPointOffsets);
     679 + 
     680 + /**
     681 + * This method can be used to send an HTTP request to the Burp Scanner tool
     682 + * to perform a passive vulnerability scan.
     683 + *
     684 + * @param host The hostname of the remote HTTP server.
     685 + * @param port The port of the remote HTTP server.
     686 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     687 + * @param request The full HTTP request.
     688 + * @param response The full HTTP response.
     689 + */
     690 + void doPassiveScan(
     691 + String host,
     692 + int port,
     693 + boolean useHttps,
     694 + byte[] request,
     695 + byte[] response);
     696 + 
     697 + /**
     698 + * This method can be used to issue HTTP requests and retrieve their
     699 + * responses.
     700 + *
     701 + * @param httpService The HTTP service to which the request should be sent.
     702 + * @param request The full HTTP request.
     703 + * @return An object that implements the <code>IHttpRequestResponse</code>
     704 + * interface, and which the extension can query to obtain the details of the
     705 + * response.
     706 + */
     707 + IHttpRequestResponse makeHttpRequest(IHttpService httpService,
     708 + byte[] request);
     709 + 
     710 + /**
     711 + * This method can be used to issue HTTP requests and retrieve their
     712 + * responses.
     713 + *
     714 + * @param httpService The HTTP service to which the request should be sent.
     715 + * @param request The full HTTP request.
     716 + * @param forceHttp1 If true then HTTP/1 will be used.
     717 + * @return An object that implements the <code>IHttpRequestResponse</code>
     718 + * interface, and which the extension can query to obtain the details of the
     719 + * response.
     720 + */
     721 + IHttpRequestResponse makeHttpRequest(IHttpService httpService,
     722 + byte[] request,
     723 + boolean forceHttp1);
     724 + 
     725 + 
     726 + /**
     727 + * This method can be used to issue HTTP requests and retrieve their
     728 + * responses.
     729 + *
     730 + * @param host The hostname of the remote HTTP server.
     731 + * @param port The port of the remote HTTP server.
     732 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     733 + * @param request The full HTTP request.
     734 + * @return The full response retrieved from the remote server.
     735 + */
     736 + byte[] makeHttpRequest(
     737 + String host,
     738 + int port,
     739 + boolean useHttps,
     740 + byte[] request);
     741 + 
     742 + /**
     743 + * This method can be used to issue HTTP requests and retrieve their
     744 + * responses.
     745 + *
     746 + * @param host The hostname of the remote HTTP server.
     747 + * @param port The port of the remote HTTP server.
     748 + * @param useHttps Flags whether the protocol is HTTPS or HTTP.
     749 + * @param request The full HTTP request.
     750 + * @param forceHttp1 If true then HTTP/1 will be used.
     751 + * @return The full response retrieved from the remote server.
     752 + */
     753 + byte[] makeHttpRequest(
     754 + String host,
     755 + int port,
     756 + boolean useHttps,
     757 + byte[] request,
     758 + boolean forceHttp1);
     759 + 
     760 + /**
     761 + * This method can be used to issue HTTP/2 requests and retrieve their
     762 + * responses.
     763 + *
     764 + * @param httpService The HTTP service to which the request should be sent.
     765 + * @param headers The headers of the request.
     766 + * @param body The body of the request.
     767 + * @return The full response retrieved from the remote server.
     768 + */
     769 + byte[] makeHttp2Request(
     770 + IHttpService httpService,
     771 + List<IHttpHeader> headers,
     772 + byte[] body);
     773 + 
     774 + /**
     775 + * This method can be used to issue HTTP/2 requests and retrieve their
     776 + * responses. You can use this to force the network stack to send this
     777 + * request using HTTP/2.
     778 + *
     779 + * @param httpService The HTTP service to which the request should be sent.
     780 + * @param headers The headers of the request.
     781 + * @param body The body of the request.
     782 + * @param forceHttp2 Whether or not to force HTTP/2 for this request.
     783 + * @return The full response retrieved from the remote server.
     784 + */
     785 + byte[] makeHttp2Request(
     786 + IHttpService httpService,
     787 + List<IHttpHeader> headers,
     788 + byte[] body,
     789 + boolean forceHttp2);
     790 + 
     791 + /**
     792 + * This method can be used to query whether a specified URL is within the
     793 + * current Suite-wide scope.
     794 + *
     795 + * @param url The URL to query.
     796 + * @return Returns <code>true</code> if the URL is within the current
     797 + * Suite-wide scope.
     798 + */
     799 + boolean isInScope(java.net.URL url);
     800 + 
     801 + /**
     802 + * This method can be used to include the specified URL in the Suite-wide
     803 + * scope.
     804 + *
     805 + * @param url The URL to include in the Suite-wide scope.
     806 + */
     807 + void includeInScope(java.net.URL url);
     808 + 
     809 + /**
     810 + * This method can be used to exclude the specified URL from the Suite-wide
     811 + * scope.
     812 + *
     813 + * @param url The URL to exclude from the Suite-wide scope.
     814 + */
     815 + void excludeFromScope(java.net.URL url);
     816 + 
     817 + /**
     818 + * This method can be used to display a specified message in the Burp Suite
     819 + * alerts tab.
     820 + *
     821 + * @param message The alert message to display.
     822 + */
     823 + void issueAlert(String message);
     824 + 
     825 + /**
     826 + * This method returns details of all items in the Proxy history.
     827 + *
     828 + * @return The contents of the Proxy history.
     829 + */
     830 + IHttpRequestResponse[] getProxyHistory();
     831 + 
     832 + /**
     833 + * This method returns details of items in the site map.
     834 + *
     835 + * @param urlPrefix This parameter can be used to specify a URL prefix, in
     836 + * order to extract a specific subset of the site map. The method performs a
     837 + * simple case-sensitive text match, returning all site map items whose URL
     838 + * begins with the specified prefix. If this parameter is null, the entire
     839 + * site map is returned.
     840 + * @return Details of items in the site map.
     841 + */
     842 + IHttpRequestResponse[] getSiteMap(String urlPrefix);
     843 + 
     844 + /**
     845 + * This method returns all of the current scan issues for URLs matching the
     846 + * specified literal prefix.
     847 + *
     848 + * @param urlPrefix This parameter can be used to specify a URL prefix, in
     849 + * order to extract a specific subset of scan issues. The method performs a
     850 + * simple case-sensitive text match, returning all scan issues whose URL
     851 + * begins with the specified prefix. If this parameter is null, all issues
     852 + * are returned.
     853 + * @return Details of the scan issues.
     854 + */
     855 + IScanIssue[] getScanIssues(String urlPrefix);
     856 + 
     857 + /**
     858 + * This method is used to generate a report for the specified Scanner
     859 + * issues. The report format can be specified. For all other reporting
     860 + * options, the default settings that appear in the reporting UI wizard are
     861 + * used.
     862 + *
     863 + * @param format The format to be used in the report. Accepted values are
     864 + * HTML and XML.
     865 + * @param issues The Scanner issues to be reported.
     866 + * @param file The file to which the report will be saved.
     867 + */
     868 + void generateScanReport(String format, IScanIssue[] issues,
     869 + java.io.File file);
     870 + 
     871 + /**
     872 + * This method is used to retrieve the contents of Burp's session handling
     873 + * cookie jar. Extensions that provide an
     874 + * <code>ISessionHandlingAction</code> can query and update the cookie jar
     875 + * in order to handle unusual session handling mechanisms.
     876 + *
     877 + * @return A list of <code>ICookie</code> objects representing the contents
     878 + * of Burp's session handling cookie jar.
     879 + */
     880 + List<ICookie> getCookieJarContents();
     881 + 
     882 + /**
     883 + * This method is used to update the contents of Burp's session handling
     884 + * cookie jar. Extensions that provide an
     885 + * <code>ISessionHandlingAction</code> can query and update the cookie jar
     886 + * in order to handle unusual session handling mechanisms.
     887 + *
     888 + * @param cookie An <code>ICookie</code> object containing details of the
     889 + * cookie to be updated. If the cookie jar already contains a cookie that
     890 + * matches the specified domain and name, then that cookie will be updated
     891 + * with the new value and expiration, unless the new value is
     892 + * <code>null</code>, in which case the cookie will be removed. If the
     893 + * cookie jar does not already contain a cookie that matches the specified
     894 + * domain and name, then the cookie will be added.
     895 + */
     896 + void updateCookieJar(ICookie cookie);
     897 + 
     898 + /**
     899 + * This method can be used to add an item to Burp's site map with the
     900 + * specified request/response details. This will overwrite the details of
     901 + * any existing matching item in the site map.
     902 + *
     903 + * @param item Details of the item to be added to the site map
     904 + */
     905 + void addToSiteMap(IHttpRequestResponse item);
     906 + 
     907 + /**
     908 + * This method can be used to restore Burp's state from a specified saved
     909 + * state file. This method blocks until the restore operation is completed,
     910 + * and must not be called from the event dispatch thread.
     911 + *
     912 + * @param file The file containing Burp's saved state.
     913 + * @deprecated State files have been replaced with Burp project files.
     914 + */
     915 + @Deprecated
     916 + void restoreState(java.io.File file);
     917 + 
     918 + /**
     919 + * This method can be used to save Burp's state to a specified file. This
     920 + * method blocks until the save operation is completed, and must not be
     921 + * called from the event dispatch thread.
     922 + *
     923 + * @param file The file to save Burp's state in.
     924 + * @deprecated State files have been replaced with Burp project files.
     925 + */
     926 + @Deprecated
     927 + void saveState(java.io.File file);
     928 + 
     929 + /**
     930 + * This method is no longer supported. Please use saveConfigAsJson() instead.
     931 + *
     932 + * @return A Map of name/value Strings reflecting Burp's current
     933 + * configuration.
     934 + * @deprecated Use <code>saveConfigAsJson()</code> instead.
     935 + */
     936 + @Deprecated
     937 + Map<String, String> saveConfig();
     938 + 
     939 + /**
     940 + * This method is no longer supported. Please use loadConfigFromJson() instead.
     941 + *
     942 + * @param config A map of name/value Strings to use as Burp's new
     943 + * configuration.
     944 + * @deprecated Use <code>loadConfigFromJson()</code> instead.
     945 + */
     946 + @Deprecated
     947 + void loadConfig(Map<String, String> config);
     948 + 
     949 + /**
     950 + * This method causes Burp to save its current project-level configuration
     951 + * in JSON format. This is the same format that can be saved and loaded via
     952 + * the Burp user interface. To include only certain sections of the
     953 + * configuration, you can optionally supply the path to each section that
     954 + * should be included, for example: "project_options.connections". If no
     955 + * paths are provided, then the entire configuration will be saved.
     956 + *
     957 + * @param configPaths A list of Strings representing the path to each
     958 + * configuration section that should be included.
     959 + * @return A String representing the current configuration in JSON format.
     960 + */
     961 + String saveConfigAsJson(String... configPaths);
     962 + 
     963 + /**
     964 + * This method causes Burp to load a new project-level configuration from
     965 + * the JSON String provided. This is the same format that can be saved and
     966 + * loaded via the Burp user interface. Partial configurations are
     967 + * acceptable, and any settings not specified will be left unmodified.
     968 + * <p>
     969 + * Any user-level configuration options contained in the input will be
     970 + * ignored.
     971 + *
     972 + * @param config A JSON String containing the new configuration.
     973 + */
     974 + void loadConfigFromJson(String config);
     975 + 
     976 + /**
     977 + * This method sets the master interception mode for Burp Proxy.
     978 + *
     979 + * @param enabled Indicates whether interception of Proxy messages should be
     980 + * enabled.
     981 + */
     982 + void setProxyInterceptionEnabled(boolean enabled);
     983 + 
     984 + /**
     985 + * This method retrieves information about the version of Burp in which the
     986 + * extension is running. It can be used by extensions to dynamically adjust
     987 + * their behavior depending on the functionality and APIs supported by the
     988 + * current version.
     989 + *
     990 + * @return An array of Strings comprised of: the product name (e.g. Burp
     991 + * Suite Professional), the major version (e.g. 1.5), the minor version
     992 + * (e.g. 03)
     993 + */
     994 + String[] getBurpVersion();
     995 + 
     996 + /**
     997 + * This method retrieves the absolute path name of the file from which the
     998 + * current extension was loaded.
     999 + *
     1000 + * @return The absolute path name of the file from which the current
     1001 + * extension was loaded.
     1002 + */
     1003 + String getExtensionFilename();
     1004 + 
     1005 + /**
     1006 + * This method determines whether the current extension was loaded as a BApp
     1007 + * (a Burp App from the BApp Store).
     1008 + *
     1009 + * @return Returns true if the current extension was loaded as a BApp.
     1010 + */
     1011 + boolean isExtensionBapp();
     1012 + 
     1013 + /**
     1014 + * This method can be used to shut down Burp programmatically, with an
     1015 + * optional prompt to the user. If the method returns, the user canceled the
     1016 + * shutdown prompt.
     1017 + *
     1018 + * @param promptUser Indicates whether to prompt the user to confirm the
     1019 + * shutdown.
     1020 + */
     1021 + void exitSuite(boolean promptUser);
     1022 + 
     1023 + /**
     1024 + * This method is used to create a temporary file on disk containing the
     1025 + * provided data. Extensions can use temporary files for long-term storage
     1026 + * of runtime data, avoiding the need to retain that data in memory.
     1027 + *
     1028 + * @param buffer The data to be saved to a temporary file.
     1029 + * @return An object that implements the <code>ITempFile</code> interface.
     1030 + */
     1031 + ITempFile saveToTempFile(byte[] buffer);
     1032 + 
     1033 + /**
     1034 + * This method is used to save the request and response of an
     1035 + * <code>IHttpRequestResponse</code> object to temporary files, so that they
     1036 + * are no longer held in memory. Extensions can used this method to convert
     1037 + * <code>IHttpRequestResponse</code> objects into a form suitable for
     1038 + * long-term storage.
     1039 + *
     1040 + * @param httpRequestResponse The <code>IHttpRequestResponse</code> object
     1041 + * whose request and response messages are to be saved to temporary files.
     1042 + * @return An object that implements the
     1043 + * <code>IHttpRequestResponsePersisted</code> interface.
     1044 + */
     1045 + IHttpRequestResponsePersisted saveBuffersToTempFiles(
     1046 + IHttpRequestResponse httpRequestResponse);
     1047 + 
     1048 + /**
     1049 + * This method is used to apply markers to an HTTP request or response, at
     1050 + * offsets into the message that are relevant for some particular purpose.
     1051 + * Markers are used in various situations, such as specifying Intruder
     1052 + * payload positions, Scanner insertion points, and highlights in Scanner
     1053 + * issues.
     1054 + *
     1055 + * @param httpRequestResponse The <code>IHttpRequestResponse</code> object
     1056 + * to which the markers should be applied.
     1057 + * @param requestMarkers A list of index pairs representing the offsets of
     1058 + * markers to be applied to the request message. Each item in the list must
     1059 + * be an int[2] array containing the start and end offsets for the marker.
     1060 + * The markers in the list should be in sequence and not overlapping. This
     1061 + * parameter is optional and may be <code>null</code> if no request markers
     1062 + * are required.
     1063 + * @param responseMarkers A list of index pairs representing the offsets of
     1064 + * markers to be applied to the response message. Each item in the list must
     1065 + * be an int[2] array containing the start and end offsets for the marker.
     1066 + * The markers in the list should be in sequence and not overlapping. This
     1067 + * parameter is optional and may be <code>null</code> if no response markers
     1068 + * are required.
     1069 + * @return An object that implements the
     1070 + * <code>IHttpRequestResponseWithMarkers</code> interface.
     1071 + */
     1072 + IHttpRequestResponseWithMarkers applyMarkers(
     1073 + IHttpRequestResponse httpRequestResponse,
     1074 + List<int[]> requestMarkers,
     1075 + List<int[]> responseMarkers);
     1076 + 
     1077 + /**
     1078 + * This method is used to obtain the descriptive name for the Burp tool
     1079 + * identified by the tool flag provided.
     1080 + *
     1081 + * @param toolFlag A flag identifying a Burp tool ( <code>TOOL_PROXY</code>,
     1082 + * <code>TOOL_SCANNER</code>, etc.). Tool flags are defined within this
     1083 + * interface.
     1084 + * @return The descriptive name for the specified tool.
     1085 + */
     1086 + String getToolName(int toolFlag);
     1087 + 
     1088 + /**
     1089 + * This method is used to register a new Scanner issue. <b>Note:</b>
     1090 + * Wherever possible, extensions should implement custom Scanner checks
     1091 + * using <code>IScannerCheck</code> and report issues via those checks, so
     1092 + * as to integrate with Burp's user-driven workflow, and ensure proper
     1093 + * consolidation of duplicate reported issues. This method is only designed
     1094 + * for tasks outside of the normal testing workflow, such as importing
     1095 + * results from other scanning tools.
     1096 + *
     1097 + * @param issue An object created by the extension that implements the
     1098 + * <code>IScanIssue</code> interface.
     1099 + */
     1100 + void addScanIssue(IScanIssue issue);
     1101 + 
     1102 + /**
     1103 + * This method is used to create a new Burp Collaborator client context,
     1104 + * which can be used to generate Burp Collaborator payloads and poll the
     1105 + * Collaborator server for any network interactions that result from using
     1106 + * those payloads.
     1107 + *
     1108 + * @return A new instance of <code>IBurpCollaboratorClientContext</code>
     1109 + * that can be used to generate Collaborator payloads and retrieve
     1110 + * interactions.
     1111 + */
     1112 + IBurpCollaboratorClientContext createBurpCollaboratorClientContext();
     1113 + 
     1114 + /**
     1115 + * This method parses the specified request and returns details of each
     1116 + * request parameter.
     1117 + *
     1118 + * @param request The request to be parsed.
     1119 + * @return An array of: <code>String[] { name, value, type }</code>
     1120 + * containing details of the parameters contained within the request.
     1121 + * @deprecated Use <code>IExtensionHelpers.analyzeRequest()</code> instead.
     1122 + */
     1123 + @Deprecated
     1124 + String[][] getParameters(byte[] request);
     1125 + 
     1126 + /**
     1127 + * This method parses the specified request and returns details of each HTTP
     1128 + * header.
     1129 + *
     1130 + * @param message The request to be parsed.
     1131 + * @return An array of HTTP headers.
     1132 + * @deprecated Use <code>IExtensionHelpers.analyzeRequest()</code> or
     1133 + * <code>IExtensionHelpers.analyzeResponse()</code> instead.
     1134 + */
     1135 + @Deprecated
     1136 + String[] getHeaders(byte[] message);
     1137 + 
     1138 + /**
     1139 + * This method can be used to register a new menu item which will appear on
     1140 + * the various context menus that are used throughout Burp Suite to handle
     1141 + * user-driven actions.
     1142 + *
     1143 + * @param menuItemCaption The caption to be displayed on the menu item.
     1144 + * @param menuItemHandler The handler to be invoked when the user clicks on
     1145 + * the menu item.
     1146 + * @deprecated Use <code>registerContextMenuFactory()</code> instead.
     1147 + */
     1148 + @Deprecated
     1149 + void registerMenuItem(
     1150 + String menuItemCaption,
     1151 + IMenuItemHandler menuItemHandler);
     1152 +}
     1153 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IContextMenuFactory.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IContextMenuFactory.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import javax.swing.JMenuItem;
     14 +import java.util.List;
     15 +
     16 +/**
     17 + * Extensions can implement this interface and then call
     18 + * <code>IBurpExtenderCallbacks.registerContextMenuFactory()</code> to register
     19 + * a factory for custom context menu items.
     20 + */
     21 +public interface IContextMenuFactory {
     22 + /**
     23 + * This method will be called by Burp when the user invokes a context menu
     24 + * anywhere within Burp. The factory can then provide any custom context
     25 + * menu items that should be displayed in the context menu, based on the
     26 + * details of the menu invocation.
     27 + *
     28 + * @param invocation An object that implements the
     29 + * <code>IContextMenuInvocation</code> interface, which the extension can
     30 + * query to obtain details of the context menu invocation.
     31 + * @return A list of custom menu items (which may include sub-menus,
     32 + * checkbox menu items, etc.) that should be displayed. Extensions may
     33 + * return
     34 + * <code>null</code> from this method, to indicate that no menu items are
     35 + * required.
     36 + */
     37 + List<JMenuItem> createMenuItems(IContextMenuInvocation invocation);
     38 +}
     39 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IContextMenuInvocation.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IContextMenuInvocation.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.awt.event.InputEvent;
     14 +
     15 +/**
     16 + * This interface is used when Burp calls into an extension-provided
     17 + * <code>IContextMenuFactory</code> with details of a context menu invocation.
     18 + * The custom context menu factory can query this interface to obtain details of
     19 + * the invocation event, in order to determine what menu items should be
     20 + * displayed.
     21 + */
     22 +public interface IContextMenuInvocation {
     23 + /**
     24 + * Used to indicate that the context menu is being invoked in a request
     25 + * editor.
     26 + */
     27 + static final byte CONTEXT_MESSAGE_EDITOR_REQUEST = 0;
     28 + /**
     29 + * Used to indicate that the context menu is being invoked in a response
     30 + * editor.
     31 + */
     32 + static final byte CONTEXT_MESSAGE_EDITOR_RESPONSE = 1;
     33 + /**
     34 + * Used to indicate that the context menu is being invoked in a non-editable
     35 + * request viewer.
     36 + */
     37 + static final byte CONTEXT_MESSAGE_VIEWER_REQUEST = 2;
     38 + /**
     39 + * Used to indicate that the context menu is being invoked in a non-editable
     40 + * response viewer.
     41 + */
     42 + static final byte CONTEXT_MESSAGE_VIEWER_RESPONSE = 3;
     43 + /**
     44 + * Used to indicate that the context menu is being invoked in the Target
     45 + * site map tree.
     46 + */
     47 + static final byte CONTEXT_TARGET_SITE_MAP_TREE = 4;
     48 + /**
     49 + * Used to indicate that the context menu is being invoked in the Target
     50 + * site map table.
     51 + */
     52 + static final byte CONTEXT_TARGET_SITE_MAP_TABLE = 5;
     53 + /**
     54 + * Used to indicate that the context menu is being invoked in the Proxy
     55 + * history.
     56 + */
     57 + static final byte CONTEXT_PROXY_HISTORY = 6;
     58 + /**
     59 + * Used to indicate that the context menu is being invoked in the Scanner
     60 + * results.
     61 + */
     62 + static final byte CONTEXT_SCANNER_RESULTS = 7;
     63 + /**
     64 + * Used to indicate that the context menu is being invoked in the Intruder
     65 + * payload positions editor.
     66 + */
     67 + static final byte CONTEXT_INTRUDER_PAYLOAD_POSITIONS = 8;
     68 + /**
     69 + * Used to indicate that the context menu is being invoked in an Intruder
     70 + * attack results.
     71 + */
     72 + static final byte CONTEXT_INTRUDER_ATTACK_RESULTS = 9;
     73 + /**
     74 + * Used to indicate that the context menu is being invoked in a search
     75 + * results window.
     76 + */
     77 + static final byte CONTEXT_SEARCH_RESULTS = 10;
     78 +
     79 + /**
     80 + * This method can be used to retrieve the native Java input event that was
     81 + * the trigger for the context menu invocation.
     82 + *
     83 + * @return The <code>InputEvent</code> that was the trigger for the context
     84 + * menu invocation.
     85 + */
     86 + InputEvent getInputEvent();
     87 +
     88 + /**
     89 + * This method can be used to retrieve the Burp tool within which the
     90 + * context menu was invoked.
     91 + *
     92 + * @return A flag indicating the Burp tool within which the context menu was
     93 + * invoked. Burp tool flags are defined in the
     94 + * <code>IBurpExtenderCallbacks</code> interface.
     95 + */
     96 + int getToolFlag();
     97 +
     98 + /**
     99 + * This method can be used to retrieve the context within which the menu was
     100 + * invoked.
     101 + *
     102 + * @return An index indicating the context within which the menu was
     103 + * invoked. The indices used are defined within this interface.
     104 + */
     105 + byte getInvocationContext();
     106 +
     107 + /**
     108 + * This method can be used to retrieve the bounds of the user's selection
     109 + * into the current message, if applicable.
     110 + *
     111 + * @return An int[2] array containing the start and end offsets of the
     112 + * user's selection in the current message. If the user has not made any
     113 + * selection in the current message, both offsets indicate the position of
     114 + * the caret within the editor. If the menu is not being invoked from a
     115 + * message editor, the method returns <code>null</code>.
     116 + */
     117 + int[] getSelectionBounds();
     118 +
     119 + /**
     120 + * This method can be used to retrieve details of the HTTP requests /
     121 + * responses that were shown or selected by the user when the context menu
     122 + * was invoked.
     123 + *
     124 + * <b>Note:</b> For performance reasons, the objects returned from this
     125 + * method are tied to the originating context of the messages within the
     126 + * Burp UI. For example, if a context menu is invoked on the Proxy intercept
     127 + * panel, then the
     128 + * <code>IHttpRequestResponse</code> returned by this method will reflect
     129 + * the current contents of the interception panel, and this will change when
     130 + * the current message has been forwarded or dropped. If your extension
     131 + * needs to store details of the message for which the context menu has been
     132 + * invoked, then you should query those details from the
     133 + * <code>IHttpRequestResponse</code> at the time of invocation, or you
     134 + * should use
     135 + * <code>IBurpExtenderCallbacks.saveBuffersToTempFiles()</code> to create a
     136 + * persistent read-only copy of the
     137 + * <code>IHttpRequestResponse</code>.
     138 + *
     139 + * @return An array of <code>IHttpRequestResponse</code> objects
     140 + * representing the items that were shown or selected by the user when the
     141 + * context menu was invoked. This method returns <code>null</code> if no
     142 + * messages are applicable to the invocation.
     143 + */
     144 + IHttpRequestResponse[] getSelectedMessages();
     145 +
     146 + /**
     147 + * This method can be used to retrieve details of the Scanner issues that
     148 + * were selected by the user when the context menu was invoked.
     149 + *
     150 + * @return An array of <code>IScanIssue</code> objects representing the
     151 + * issues that were selected by the user when the context menu was invoked.
     152 + * This method returns <code>null</code> if no Scanner issues are applicable
     153 + * to the invocation.
     154 + */
     155 + IScanIssue[] getSelectedIssues();
     156 +}
     157 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/ICookie.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)ICookie.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.Date;
     14 +
     15 +/**
     16 + * This interface is used to hold details about an HTTP cookie.
     17 + */
     18 +public interface ICookie {
     19 + /**
     20 + * This method is used to retrieve the domain for which the cookie is in
     21 + * scope.
     22 + *
     23 + * @return The domain for which the cookie is in scope. <b>Note:</b> For
     24 + * cookies that have been analyzed from responses (by calling
     25 + * <code>IExtensionHelpers.analyzeResponse()</code> and then
     26 + * <code>IResponseInfo.getCookies()</code>, the domain will be
     27 + * <code>null</code> if the response did not explicitly set a domain
     28 + * attribute for the cookie.
     29 + */
     30 + String getDomain();
     31 +
     32 + /**
     33 + * This method is used to retrieve the path for which the cookie is in
     34 + * scope.
     35 + *
     36 + * @return The path for which the cookie is in scope or null if none is set.
     37 + */
     38 + String getPath();
     39 +
     40 + /**
     41 + * This method is used to retrieve the expiration time for the cookie.
     42 + *
     43 + * @return The expiration time for the cookie, or
     44 + * <code>null</code> if none is set (i.e., for non-persistent session
     45 + * cookies).
     46 + */
     47 + Date getExpiration();
     48 +
     49 + /**
     50 + * This method is used to retrieve the name of the cookie.
     51 + *
     52 + * @return The name of the cookie.
     53 + */
     54 + String getName();
     55 +
     56 + /**
     57 + * This method is used to retrieve the value of the cookie.
     58 + *
     59 + * @return The value of the cookie.
     60 + */
     61 + String getValue();
     62 +}
     63 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IExtensionHelpers.java
     1 +package burp;
     2 + 
     3 +/*
     4 + * @(#)IExtensionHelpers.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 + 
     13 +import java.net.URL;
     14 +import java.util.List;
     15 + 
     16 +/**
     17 + * This interface contains a number of helper methods, which extensions can use
     18 + * to assist with various common tasks that arise for Burp extensions.
     19 + * <p>
     20 + * Extensions can call <code>IBurpExtenderCallbacks.getHelpers</code> to obtain
     21 + * an instance of this interface.
     22 + */
     23 +public interface IExtensionHelpers {
     24 + 
     25 + /**
     26 + * This method can be used to analyze an HTTP request, and obtain various
     27 + * key details about it.
     28 + *
     29 + * @param request An <code>IHttpRequestResponse</code> object containing the
     30 + * request to be analyzed.
     31 + * @return An <code>IRequestInfo</code> object that can be queried to obtain
     32 + * details about the request.
     33 + */
     34 + IRequestInfo analyzeRequest(IHttpRequestResponse request);
     35 + 
     36 + /**
     37 + * This method can be used to analyze an HTTP request, and obtain various
     38 + * key details about it.
     39 + *
     40 + * @param httpService The HTTP service associated with the request. This is
     41 + * optional and may be <code>null</code>, in which case the resulting
     42 + * <code>IRequestInfo</code> object will not include the full request URL.
     43 + * @param request The request to be analyzed.
     44 + * @return An <code>IRequestInfo</code> object that can be queried to obtain
     45 + * details about the request.
     46 + */
     47 + IRequestInfo analyzeRequest(IHttpService httpService, byte[] request);
     48 + 
     49 + /**
     50 + * This method can be used to analyze an HTTP request, and obtain various
     51 + * key details about it. The resulting <code>IRequestInfo</code> object will
     52 + * not include the full request URL. To obtain the full URL, use one of the
     53 + * other overloaded <code>analyzeRequest()</code> methods.
     54 + *
     55 + * @param request The request to be analyzed.
     56 + * @return An <code>IRequestInfo</code> object that can be queried to obtain
     57 + * details about the request.
     58 + */
     59 + IRequestInfo analyzeRequest(byte[] request);
     60 + 
     61 + /**
     62 + * This method can be used to analyze an HTTP response, and obtain various
     63 + * key details about it.
     64 + *
     65 + * @param response The response to be analyzed.
     66 + * @return An <code>IResponseInfo</code> object that can be queried to
     67 + * obtain details about the response.
     68 + */
     69 + IResponseInfo analyzeResponse(byte[] response);
     70 + 
     71 + /**
     72 + * This method can be used to retrieve details of a specified parameter
     73 + * within an HTTP request. <b>Note:</b> Use <code>analyzeRequest()</code> to
     74 + * obtain details of all parameters within the request.
     75 + *
     76 + * @param request The request to be inspected for the specified parameter.
     77 + * @param parameterName The name of the parameter to retrieve.
     78 + * @return An <code>IParameter</code> object that can be queried to obtain
     79 + * details about the parameter, or <code>null</code> if the parameter was
     80 + * not found.
     81 + */
     82 + IParameter getRequestParameter(byte[] request, String parameterName);
     83 + 
     84 + /**
     85 + * This method can be used to URL-decode the specified data.
     86 + *
     87 + * @param data The data to be decoded.
     88 + * @return The decoded data.
     89 + */
     90 + String urlDecode(String data);
     91 + 
     92 + /**
     93 + * This method can be used to URL-encode the specified data. Any characters
     94 + * that do not need to be encoded within HTTP requests are not encoded.
     95 + *
     96 + * @param data The data to be encoded.
     97 + * @return The encoded data.
     98 + */
     99 + String urlEncode(String data);
     100 + 
     101 + /**
     102 + * This method can be used to URL-decode the specified data.
     103 + *
     104 + * @param data The data to be decoded.
     105 + * @return The decoded data.
     106 + */
     107 + byte[] urlDecode(byte[] data);
     108 + 
     109 + /**
     110 + * This method can be used to URL-encode the specified data. Any characters
     111 + * that do not need to be encoded within HTTP requests are not encoded.
     112 + *
     113 + * @param data The data to be encoded.
     114 + * @return The encoded data.
     115 + */
     116 + byte[] urlEncode(byte[] data);
     117 + 
     118 + /**
     119 + * This method can be used to Base64-decode the specified data.
     120 + *
     121 + * @param data The data to be decoded.
     122 + * @return The decoded data.
     123 + */
     124 + byte[] base64Decode(String data);
     125 + 
     126 + /**
     127 + * This method can be used to Base64-decode the specified data.
     128 + *
     129 + * @param data The data to be decoded.
     130 + * @return The decoded data.
     131 + */
     132 + byte[] base64Decode(byte[] data);
     133 + 
     134 + /**
     135 + * This method can be used to Base64-encode the specified data.
     136 + *
     137 + * @param data The data to be encoded.
     138 + * @return The encoded data.
     139 + */
     140 + String base64Encode(String data);
     141 + 
     142 + /**
     143 + * This method can be used to Base64-encode the specified data.
     144 + *
     145 + * @param data The data to be encoded.
     146 + * @return The encoded data.
     147 + */
     148 + String base64Encode(byte[] data);
     149 + 
     150 + /**
     151 + * This method can be used to convert data from String form into an array of
     152 + * bytes. The conversion does not reflect any particular character set, and
     153 + * a character with the hex representation 0xWXYZ will always be converted
     154 + * into a byte with the representation 0xYZ. It performs the opposite
     155 + * conversion to the method <code>bytesToString()</code>, and byte-based
     156 + * data that is converted to a String and back again using these two methods
     157 + * is guaranteed to retain its integrity (which may not be the case with
     158 + * conversions that reflect a given character set).
     159 + *
     160 + * @param data The data to be converted.
     161 + * @return The converted data.
     162 + */
     163 + byte[] stringToBytes(String data);
     164 + 
     165 + /**
     166 + * This method can be used to convert data from an array of bytes into
     167 + * String form. The conversion does not reflect any particular character
     168 + * set, and a byte with the representation 0xYZ will always be converted
     169 + * into a character with the hex representation 0x00YZ. It performs the
     170 + * opposite conversion to the method <code>stringToBytes()</code>, and
     171 + * byte-based data that is converted to a String and back again using these
     172 + * two methods is guaranteed to retain its integrity (which may not be the
     173 + * case with conversions that reflect a given character set).
     174 + *
     175 + * @param data The data to be converted.
     176 + * @return The converted data.
     177 + */
     178 + String bytesToString(byte[] data);
     179 + 
     180 + /**
     181 + * This method searches a piece of data for the first occurrence of a
     182 + * specified pattern. It works on byte-based data in a way that is similar
     183 + * to the way the native Java method <code>String.indexOf()</code> works on
     184 + * String-based data.
     185 + *
     186 + * @param data The data to be searched.
     187 + * @param pattern The pattern to be searched for.
     188 + * @param caseSensitive Flags whether or not the search is case-sensitive.
     189 + * @param from The offset within <code>data</code> where the search should
     190 + * begin.
     191 + * @param to The offset within <code>data</code> where the search should
     192 + * end.
     193 + * @return The offset of the first occurrence of the pattern within the
     194 + * specified bounds, or -1 if no match is found.
     195 + */
     196 + int indexOf(byte[] data,
     197 + byte[] pattern,
     198 + boolean caseSensitive,
     199 + int from,
     200 + int to);
     201 + 
     202 + /**
     203 + * This method builds an HTTP message containing the specified headers and
     204 + * message body. If applicable, the Content-Length header will be added or
     205 + * updated, based on the length of the body.
     206 + *
     207 + * @param headers A list of headers to include in the message.
     208 + * @param body The body of the message, of <code>null</code> if the message
     209 + * has an empty body.
     210 + * @return The resulting full HTTP message.
     211 + */
     212 + byte[] buildHttpMessage(List<String> headers, byte[] body);
     213 + 
     214 + /**
     215 + * This method creates a GET request to the specified URL. The headers used
     216 + * in the request are determined by the Request headers settings as
     217 + * configured in Burp Spider's options.
     218 + *
     219 + * @param url The URL to which the request should be made.
     220 + * @return A request to the specified URL.
     221 + */
     222 + byte[] buildHttpRequest(URL url);
     223 + 
     224 + /**
     225 + * This method adds a new parameter to an HTTP request, and if appropriate
     226 + * updates the Content-Length header.
     227 + *
     228 + * @param request The request to which the parameter should be added.
     229 + * @param parameter An <code>IParameter</code> object containing details of
     230 + * the parameter to be added. Supported parameter types are:
     231 + * <code>PARAM_URL</code>, <code>PARAM_BODY</code> and
     232 + * <code>PARAM_COOKIE</code>.
     233 + * @return A new HTTP request with the new parameter added.
     234 + */
     235 + byte[] addParameter(byte[] request, IParameter parameter);
     236 + 
     237 + /**
     238 + * This method removes a parameter from an HTTP request, and if appropriate
     239 + * updates the Content-Length header.
     240 + *
     241 + * @param request The request from which the parameter should be removed.
     242 + * @param parameter An <code>IParameter</code> object containing details of
     243 + * the parameter to be removed. Supported parameter types are:
     244 + * <code>PARAM_URL</code>, <code>PARAM_BODY</code> and
     245 + * <code>PARAM_COOKIE</code>.
     246 + * @return A new HTTP request with the parameter removed.
     247 + */
     248 + byte[] removeParameter(byte[] request, IParameter parameter);
     249 + 
     250 + /**
     251 + * This method updates the value of a parameter within an HTTP request, and
     252 + * if appropriate updates the Content-Length header. <b>Note:</b> This
     253 + * method can only be used to update the value of an existing parameter of a
     254 + * specified type. If you need to change the type of an existing parameter,
     255 + * you should first call <code>removeParameter()</code> to remove the
     256 + * parameter with the old type, and then call <code>addParameter()</code> to
     257 + * add a parameter with the new type.
     258 + *
     259 + * @param request The request containing the parameter to be updated.
     260 + * @param parameter An <code>IParameter</code> object containing details of
     261 + * the parameter to be updated. Supported parameter types are:
     262 + * <code>PARAM_URL</code>, <code>PARAM_BODY</code> and
     263 + * <code>PARAM_COOKIE</code>.
     264 + * @return A new HTTP request with the parameter updated.
     265 + */
     266 + byte[] updateParameter(byte[] request, IParameter parameter);
     267 + 
     268 + /**
     269 + * This method can be used to toggle a request's method between GET and
     270 + * POST. Parameters are relocated between the URL query string and message
     271 + * body as required, and the Content-Length header is created or removed as
     272 + * applicable.
     273 + *
     274 + * @param request The HTTP request whose method should be toggled.
     275 + * @return A new HTTP request using the toggled method.
     276 + */
     277 + byte[] toggleRequestMethod(byte[] request);
     278 + 
     279 + /**
     280 + * This method constructs an <code>IHttpService</code> object based on the
     281 + * details provided.
     282 + *
     283 + * @param host The HTTP service host.
     284 + * @param port The HTTP service port.
     285 + * @param protocol The HTTP service protocol.
     286 + * @return An <code>IHttpService</code> object based on the details
     287 + * provided.
     288 + */
     289 + IHttpService buildHttpService(String host, int port, String protocol);
     290 + 
     291 + /**
     292 + * This method constructs an <code>IHttpService</code> object based on the
     293 + * details provided.
     294 + *
     295 + * @param host The HTTP service host.
     296 + * @param port The HTTP service port.
     297 + * @param useHttps Flags whether the HTTP service protocol is HTTPS or HTTP.
     298 + * @return An <code>IHttpService</code> object based on the details
     299 + * provided.
     300 + */
     301 + IHttpService buildHttpService(String host, int port, boolean useHttps);
     302 + 
     303 + /**
     304 + * This method constructs an <code>IParameter</code> object based on the
     305 + * details provided.
     306 + *
     307 + * @param name The parameter name.
     308 + * @param value The parameter value.
     309 + * @param type The parameter type, as defined in the <code>IParameter</code>
     310 + * interface.
     311 + * @return An <code>IParameter</code> object based on the details provided.
     312 + */
     313 + IParameter buildParameter(String name, String value, byte type);
     314 + 
     315 + /**
     316 + * This method constructs an <code>IHttpHeader</code> object based on the
     317 + * details provided.
     318 + *
     319 + * @param name The header name.
     320 + * @param value The header value.
     321 + * @return An <code>IHttpHeader</code> object based on the details provided.
     322 + */
     323 + IHttpHeader buildHeader(String name, String value);
     324 + 
     325 + /**
     326 + * This method constructs an <code>IScannerInsertionPoint</code> object
     327 + * based on the details provided. It can be used to quickly create a simple
     328 + * insertion point based on a fixed payload location within a base request.
     329 + *
     330 + * @param insertionPointName The name of the insertion point.
     331 + * @param baseRequest The request from which to build scan requests.
     332 + * @param from The offset of the start of the payload location.
     333 + * @param to The offset of the end of the payload location.
     334 + * @return An <code>IScannerInsertionPoint</code> object based on the
     335 + * details provided.
     336 + */
     337 + IScannerInsertionPoint makeScannerInsertionPoint(
     338 + String insertionPointName,
     339 + byte[] baseRequest,
     340 + int from,
     341 + int to);
     342 + 
     343 + /**
     344 + * This method analyzes one or more responses to identify variations in a
     345 + * number of attributes and returns an <code>IResponseVariations</code>
     346 + * object that can be queried to obtain details of the variations.
     347 + *
     348 + * @param responses The responses to analyze.
     349 + * @return An <code>IResponseVariations</code> object representing the
     350 + * variations in the responses.
     351 + */
     352 + IResponseVariations analyzeResponseVariations(byte[]... responses);
     353 + 
     354 + /**
     355 + * This method analyzes one or more responses to identify the number of
     356 + * occurrences of the specified keywords and returns an
     357 + * <code>IResponseKeywords</code> object that can be queried to obtain
     358 + * details of the number of occurrences of each keyword.
     359 + *
     360 + * @param keywords The keywords to look for.
     361 + * @param responses The responses to analyze.
     362 + * @return An <code>IResponseKeywords</code> object representing the counts
     363 + * of the keywords appearing in the responses.
     364 + */
     365 + IResponseKeywords analyzeResponseKeywords(List<String> keywords, byte[]... responses);
     366 +}
     367 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IExtensionStateListener.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IExtensionStateListener.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerExtensionStateListener()</code> to
     16 + * register an extension state listener. The listener will be notified of
     17 + * changes to the extension's state. <b>Note:</b> Any extensions that start
     18 + * background threads or open system resources (such as files or database
     19 + * connections) should register a listener and terminate threads / close
     20 + * resources when the extension is unloaded.
     21 + */
     22 +public interface IExtensionStateListener {
     23 + /**
     24 + * This method is called when the extension is unloaded.
     25 + */
     26 + void extensionUnloaded();
     27 +}
     28 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpHeader.java
     1 +package burp;
     2 + 
     3 +public interface IHttpHeader {
     4 + /**
     5 + * This method is used to retrieve the name of the header.
     6 + *
     7 + * @return The name of the header.
     8 + */
     9 + String getName();
     10 + 
     11 + /**
     12 + * This method is used to retrieve the value of the header.
     13 + *
     14 + * @return The value of the header.
     15 + */
     16 + String getValue();
     17 +}
     18 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpListener.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IHttpListener.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerHttpListener()</code> to register an
     16 + * HTTP listener. The listener will be notified of requests and responses made
     17 + * by any Burp tool. Extensions can perform custom analysis or modification of
     18 + * these messages by registering an HTTP listener.
     19 + */
     20 +public interface IHttpListener {
     21 + /**
     22 + * This method is invoked when an HTTP request is about to be issued, and
     23 + * when an HTTP response has been received.
     24 + *
     25 + * @param toolFlag A flag indicating the Burp tool that issued the request.
     26 + * Burp tool flags are defined in the
     27 + * <code>IBurpExtenderCallbacks</code> interface.
     28 + * @param messageIsRequest Flags whether the method is being invoked for a
     29 + * request or response.
     30 + * @param messageInfo Details of the request / response to be processed.
     31 + * Extensions can call the setter methods on this object to update the
     32 + * current message and so modify Burp's behavior.
     33 + */
     34 + void processHttpMessage(int toolFlag,
     35 + boolean messageIsRequest,
     36 + IHttpRequestResponse messageInfo);
     37 +}
     38 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpRequestResponse.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IHttpRequestResponse.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to retrieve and update details about HTTP messages.
     15 + *
     16 + * <b>Note:</b> The setter methods generally can only be used before the message
     17 + * has been processed, and not in read-only contexts. The getter methods
     18 + * relating to response details can only be used after the request has been
     19 + * issued.
     20 + */
     21 +public interface IHttpRequestResponse {
     22 + /**
     23 + * This method is used to retrieve the request message.
     24 + *
     25 + * @return The request message.
     26 + */
     27 + byte[] getRequest();
     28 +
     29 + /**
     30 + * This method is used to update the request message.
     31 + *
     32 + * @param message The new request message.
     33 + */
     34 + void setRequest(byte[] message);
     35 +
     36 + /**
     37 + * This method is used to retrieve the response message.
     38 + *
     39 + * @return The response message.
     40 + */
     41 + byte[] getResponse();
     42 +
     43 + /**
     44 + * This method is used to update the response message.
     45 + *
     46 + * @param message The new response message.
     47 + */
     48 + void setResponse(byte[] message);
     49 +
     50 + /**
     51 + * This method is used to retrieve the user-annotated comment for this item,
     52 + * if applicable.
     53 + *
     54 + * @return The user-annotated comment for this item, or null if none is set.
     55 + */
     56 + String getComment();
     57 +
     58 + /**
     59 + * This method is used to update the user-annotated comment for this item.
     60 + *
     61 + * @param comment The comment to be assigned to this item.
     62 + */
     63 + void setComment(String comment);
     64 +
     65 + /**
     66 + * This method is used to retrieve the user-annotated highlight for this
     67 + * item, if applicable.
     68 + *
     69 + * @return The user-annotated highlight for this item, or null if none is
     70 + * set.
     71 + */
     72 + String getHighlight();
     73 +
     74 + /**
     75 + * This method is used to update the user-annotated highlight for this item.
     76 + *
     77 + * @param color The highlight color to be assigned to this item. Accepted
     78 + * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray,
     79 + * or a null String to clear any existing highlight.
     80 + */
     81 + void setHighlight(String color);
     82 +
     83 + /**
     84 + * This method is used to retrieve the HTTP service for this request /
     85 + * response.
     86 + *
     87 + * @return An
     88 + * <code>IHttpService</code> object containing details of the HTTP service.
     89 + */
     90 + IHttpService getHttpService();
     91 +
     92 + /**
     93 + * This method is used to update the HTTP service for this request /
     94 + * response.
     95 + *
     96 + * @param httpService An
     97 + * <code>IHttpService</code> object containing details of the new HTTP
     98 + * service.
     99 + */
     100 + void setHttpService(IHttpService httpService);
     101 +
     102 +}
     103 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpRequestResponsePersisted.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IHttpRequestResponsePersisted.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used for an
     15 + * <code>IHttpRequestResponse</code> object whose request and response messages
     16 + * have been saved to temporary files using
     17 + * <code>IBurpExtenderCallbacks.saveBuffersToTempFiles()</code>.
     18 + */
     19 +public interface IHttpRequestResponsePersisted extends IHttpRequestResponse {
     20 + /**
     21 + * This method is deprecated and no longer performs any action.
     22 + */
     23 + @Deprecated
     24 + void deleteTempFiles();
     25 +}
     26 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpRequestResponseWithMarkers.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IHttpRequestResponseWithMarkers.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * This interface is used for an
     17 + * <code>IHttpRequestResponse</code> object that has had markers applied.
     18 + * Extensions can create instances of this interface using
     19 + * <code>IBurpExtenderCallbacks.applyMarkers()</code>, or provide their own
     20 + * implementation. Markers are used in various situations, such as specifying
     21 + * Intruder payload positions, Scanner insertion points, and highlights in
     22 + * Scanner issues.
     23 + */
     24 +public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse {
     25 + /**
     26 + * This method returns the details of the request markers.
     27 + *
     28 + * @return A list of index pairs representing the offsets of markers for the
     29 + * request message. Each item in the list is an int[2] array containing the
     30 + * start and end offsets for the marker. The method may return
     31 + * <code>null</code> if no request markers are defined.
     32 + */
     33 + List<int[]> getRequestMarkers();
     34 +
     35 + /**
     36 + * This method returns the details of the response markers.
     37 + *
     38 + * @return A list of index pairs representing the offsets of markers for the
     39 + * response message. Each item in the list is an int[2] array containing the
     40 + * start and end offsets for the marker. The method may return
     41 + * <code>null</code> if no response markers are defined.
     42 + */
     43 + List<int[]> getResponseMarkers();
     44 +}
     45 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IHttpService.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IHttpService.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to provide details about an HTTP service, to which
     15 + * HTTP requests can be sent.
     16 + */
     17 +public interface IHttpService {
     18 + /**
     19 + * This method returns the hostname or IP address for the service.
     20 + *
     21 + * @return The hostname or IP address for the service.
     22 + */
     23 + String getHost();
     24 +
     25 + /**
     26 + * This method returns the port number for the service.
     27 + *
     28 + * @return The port number for the service.
     29 + */
     30 + int getPort();
     31 +
     32 + /**
     33 + * This method returns the protocol for the service.
     34 + *
     35 + * @return The protocol for the service. Expected values are "http" or
     36 + * "https".
     37 + */
     38 + String getProtocol();
     39 +}
     40 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IInterceptedProxyMessage.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IInterceptedProxyMessage.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.net.InetAddress;
     14 +
     15 +/**
     16 + * This interface is used to represent an HTTP message that has been intercepted
     17 + * by Burp Proxy. Extensions can register an
     18 + * <code>IProxyListener</code> to receive details of proxy messages using this
     19 + * interface. *
     20 + */
     21 +public interface IInterceptedProxyMessage {
     22 + /**
     23 + * This action causes Burp Proxy to follow the current interception rules to
     24 + * determine the appropriate action to take for the message.
     25 + */
     26 + static final int ACTION_FOLLOW_RULES = 0;
     27 + /**
     28 + * This action causes Burp Proxy to present the message to the user for
     29 + * manual review or modification.
     30 + */
     31 + static final int ACTION_DO_INTERCEPT = 1;
     32 + /**
     33 + * This action causes Burp Proxy to forward the message to the remote server
     34 + * or client, without presenting it to the user.
     35 + */
     36 + static final int ACTION_DONT_INTERCEPT = 2;
     37 + /**
     38 + * This action causes Burp Proxy to drop the message.
     39 + */
     40 + static final int ACTION_DROP = 3;
     41 + /**
     42 + * This action causes Burp Proxy to follow the current interception rules to
     43 + * determine the appropriate action to take for the message, and then make a
     44 + * second call to processProxyMessage.
     45 + */
     46 + static final int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10;
     47 + /**
     48 + * This action causes Burp Proxy to present the message to the user for
     49 + * manual review or modification, and then make a second call to
     50 + * processProxyMessage.
     51 + */
     52 + static final int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11;
     53 + /**
     54 + * This action causes Burp Proxy to skip user interception, and then make a
     55 + * second call to processProxyMessage.
     56 + */
     57 + static final int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12;
     58 +
     59 + /**
     60 + * This method retrieves a unique reference number for this
     61 + * request/response.
     62 + *
     63 + * @return An identifier that is unique to a single request/response pair.
     64 + * Extensions can use this to correlate details of requests and responses
     65 + * and perform processing on the response message accordingly.
     66 + */
     67 + int getMessageReference();
     68 +
     69 + /**
     70 + * This method retrieves details of the intercepted message.
     71 + *
     72 + * @return An <code>IHttpRequestResponse</code> object containing details of
     73 + * the intercepted message.
     74 + */
     75 + IHttpRequestResponse getMessageInfo();
     76 +
     77 + /**
     78 + * This method retrieves the currently defined interception action. The
     79 + * default action is
     80 + * <code>ACTION_FOLLOW_RULES</code>. If multiple proxy listeners are
     81 + * registered, then other listeners may already have modified the
     82 + * interception action before it reaches the current listener. This method
     83 + * can be used to determine whether this has occurred.
     84 + *
     85 + * @return The currently defined interception action. Possible values are
     86 + * defined within this interface.
     87 + */
     88 + int getInterceptAction();
     89 +
     90 + /**
     91 + * This method is used to update the interception action.
     92 + *
     93 + * @param interceptAction The new interception action. Possible values are
     94 + * defined within this interface.
     95 + */
     96 + void setInterceptAction(int interceptAction);
     97 +
     98 + /**
     99 + * This method retrieves the name of the Burp Proxy listener that is
     100 + * processing the intercepted message.
     101 + *
     102 + * @return The name of the Burp Proxy listener that is processing the
     103 + * intercepted message. The format is the same as that shown in the Proxy
     104 + * Listeners UI - for example, "127.0.0.1:8080".
     105 + */
     106 + String getListenerInterface();
     107 +
     108 + /**
     109 + * This method retrieves the client IP address from which the request for
     110 + * the intercepted message was received.
     111 + *
     112 + * @return The client IP address from which the request for the intercepted
     113 + * message was received.
     114 + */
     115 + InetAddress getClientIpAddress();
     116 +}
     117 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IIntruderAttack.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IIntruderAttack.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to hold details about an Intruder attack.
     15 + */
     16 +public interface IIntruderAttack {
     17 + /**
     18 + * This method is used to retrieve the HTTP service for the attack.
     19 + *
     20 + * @return The HTTP service for the attack.
     21 + */
     22 + IHttpService getHttpService();
     23 +
     24 + /**
     25 + * This method is used to retrieve the request template for the attack.
     26 + *
     27 + * @return The request template for the attack.
     28 + */
     29 + byte[] getRequestTemplate();
     30 +
     31 +}
     32 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IIntruderPayloadGenerator.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IIntruderPayloadGenerator.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used for custom Intruder payload generators. Extensions
     15 + * that have registered an
     16 + * <code>IIntruderPayloadGeneratorFactory</code> must return a new instance of
     17 + * this interface when required as part of a new Intruder attack.
     18 + */
     19 +public interface IIntruderPayloadGenerator {
     20 + /**
     21 + * This method is used by Burp to determine whether the payload generator is
     22 + * able to provide any further payloads.
     23 + *
     24 + * @return Extensions should return
     25 + * <code>false</code> when all the available payloads have been used up,
     26 + * otherwise
     27 + * <code>true</code>.
     28 + */
     29 + boolean hasMorePayloads();
     30 +
     31 + /**
     32 + * This method is used by Burp to obtain the value of the next payload.
     33 + *
     34 + * @param baseValue The base value of the current payload position. This
     35 + * value may be
     36 + * <code>null</code> if the concept of a base value is not applicable (e.g.
     37 + * in a battering ram attack).
     38 + * @return The next payload to use in the attack.
     39 + */
     40 + byte[] getNextPayload(byte[] baseValue);
     41 +
     42 + /**
     43 + * This method is used by Burp to reset the state of the payload generator
     44 + * so that the next call to
     45 + * <code>getNextPayload()</code> returns the first payload again. This
     46 + * method will be invoked when an attack uses the same payload generator for
     47 + * more than one payload position, for example in a sniper attack.
     48 + */
     49 + void reset();
     50 +}
     51 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IIntruderPayloadGeneratorFactory.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IIntruderPayloadGeneratorFactory.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory()</code>
     16 + * to register a factory for custom Intruder payloads.
     17 + */
     18 +public interface IIntruderPayloadGeneratorFactory {
     19 + /**
     20 + * This method is used by Burp to obtain the name of the payload generator.
     21 + * This will be displayed as an option within the Intruder UI when the user
     22 + * selects to use extension-generated payloads.
     23 + *
     24 + * @return The name of the payload generator.
     25 + */
     26 + String getGeneratorName();
     27 +
     28 + /**
     29 + * This method is used by Burp when the user starts an Intruder attack that
     30 + * uses this payload generator.
     31 + *
     32 + * @param attack An
     33 + * <code>IIntruderAttack</code> object that can be queried to obtain details
     34 + * about the attack in which the payload generator will be used.
     35 + * @return A new instance of
     36 + * <code>IIntruderPayloadGenerator</code> that will be used to generate
     37 + * payloads for the attack.
     38 + */
     39 + IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack);
     40 +}
     41 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IIntruderPayloadProcessor.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IIntruderPayloadProcessor.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerIntruderPayloadProcessor()</code> to
     16 + * register a custom Intruder payload processor.
     17 + */
     18 +public interface IIntruderPayloadProcessor {
     19 + /**
     20 + * This method is used by Burp to obtain the name of the payload processor.
     21 + * This will be displayed as an option within the Intruder UI when the user
     22 + * selects to use an extension-provided payload processor.
     23 + *
     24 + * @return The name of the payload processor.
     25 + */
     26 + String getProcessorName();
     27 +
     28 + /**
     29 + * This method is invoked by Burp each time the processor should be applied
     30 + * to an Intruder payload.
     31 + *
     32 + * @param currentPayload The value of the payload to be processed.
     33 + * @param originalPayload The value of the original payload prior to
     34 + * processing by any already-applied processing rules.
     35 + * @param baseValue The base value of the payload position, which will be
     36 + * replaced with the current payload.
     37 + * @return The value of the processed payload. This may be
     38 + * <code>null</code> to indicate that the current payload should be skipped,
     39 + * and the attack will move directly to the next payload.
     40 + */
     41 + byte[] processPayload(
     42 + byte[] currentPayload,
     43 + byte[] originalPayload,
     44 + byte[] baseValue);
     45 +}
     46 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IMenuItemHandler.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IMenuItemHandler.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerMenuItem()</code> to register a custom
     16 + * context menu item.
     17 + *
     18 + * @deprecated Use
     19 + * <code>IContextMenuFactory</code> instead.
     20 + */
     21 +@Deprecated
     22 +public interface IMenuItemHandler {
     23 + /**
     24 + * This method is invoked by Burp Suite when the user clicks on a custom
     25 + * menu item which the extension has registered with Burp.
     26 + *
     27 + * @param menuItemCaption The caption of the menu item which was clicked.
     28 + * This parameter enables extensions to provide a single implementation
     29 + * which handles multiple different menu items.
     30 + * @param messageInfo Details of the HTTP message(s) for which the context
     31 + * menu was displayed.
     32 + */
     33 + void menuItemClicked(
     34 + String menuItemCaption,
     35 + IHttpRequestResponse[] messageInfo);
     36 +}
     37 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IMessageEditor.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IMessageEditor.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.awt.Component;
     14 +
     15 +/**
     16 + * This interface is used to provide extensions with an instance of Burp's HTTP
     17 + * message editor, for the extension to use in its own UI. Extensions should
     18 + * call <code>IBurpExtenderCallbacks.createMessageEditor()</code> to obtain an
     19 + * instance of this interface.
     20 + */
     21 +public interface IMessageEditor {
     22 +
     23 + /**
     24 + * This method returns the UI component of the editor, for extensions to add
     25 + * to their own UI.
     26 + *
     27 + * @return The UI component of the editor.
     28 + */
     29 + Component getComponent();
     30 +
     31 + /**
     32 + * This method is used to display an HTTP message in the editor.
     33 + *
     34 + * @param message The HTTP message to be displayed.
     35 + * @param isRequest Flags whether the message is an HTTP request or
     36 + * response.
     37 + */
     38 + void setMessage(byte[] message, boolean isRequest);
     39 +
     40 + /**
     41 + * This method is used to retrieve the currently displayed message, which
     42 + * may have been modified by the user.
     43 + *
     44 + * @return The currently displayed HTTP message.
     45 + */
     46 + byte[] getMessage();
     47 +
     48 + /**
     49 + * This method is used to determine whether the current message has been
     50 + * modified by the user.
     51 + *
     52 + * @return An indication of whether the current message has been modified by
     53 + * the user since it was first displayed.
     54 + */
     55 + boolean isMessageModified();
     56 +
     57 + /**
     58 + * This method returns the data that is currently selected by the user.
     59 + *
     60 + * @return The data that is currently selected by the user, or
     61 + * <code>null</code> if no selection is made.
     62 + */
     63 + byte[] getSelectedData();
     64 +
     65 + /**
     66 + * This method can be used to retrieve the bounds of the user's selection
     67 + * into the displayed message, if applicable.
     68 + *
     69 + * @return An int[2] array containing the start and end offsets of the
     70 + * user's selection within the displayed message. If the user has not made
     71 + * any selection in the current message, both offsets indicate the position
     72 + * of the caret within the editor. For some editor views, the concept of
     73 + * selection within the message does not apply, in which case this method
     74 + * returns null.
     75 + */
     76 + int[] getSelectionBounds();
     77 +}
     78 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IMessageEditorController.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IMessageEditorController.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used by an
     15 + * <code>IMessageEditor</code> to obtain details about the currently displayed
     16 + * message. Extensions that create instances of Burp's HTTP message editor can
     17 + * optionally provide an implementation of
     18 + * <code>IMessageEditorController</code>, which the editor will invoke when it
     19 + * requires further information about the current message (for example, to send
     20 + * it to another Burp tool). Extensions that provide custom editor tabs via an
     21 + * <code>IMessageEditorTabFactory</code> will receive a reference to an
     22 + * <code>IMessageEditorController</code> object for each tab instance they
     23 + * generate, which the tab can invoke if it requires further information about
     24 + * the current message.
     25 + */
     26 +public interface IMessageEditorController {
     27 + /**
     28 + * This method is used to retrieve the HTTP service for the current message.
     29 + *
     30 + * @return The HTTP service for the current message.
     31 + */
     32 + IHttpService getHttpService();
     33 +
     34 + /**
     35 + * This method is used to retrieve the HTTP request associated with the
     36 + * current message (which may itself be a response).
     37 + *
     38 + * @return The HTTP request associated with the current message.
     39 + */
     40 + byte[] getRequest();
     41 +
     42 + /**
     43 + * This method is used to retrieve the HTTP response associated with the
     44 + * current message (which may itself be a request).
     45 + *
     46 + * @return The HTTP response associated with the current message.
     47 + */
     48 + byte[] getResponse();
     49 +}
     50 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IMessageEditorTab.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IMessageEditorTab.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.awt.Component;
     14 +
     15 +/**
     16 + * Extensions that register an
     17 + * <code>IMessageEditorTabFactory</code> must return instances of this
     18 + * interface, which Burp will use to create custom tabs within its HTTP message
     19 + * editors.
     20 + */
     21 +public interface IMessageEditorTab {
     22 + /**
     23 + * This method returns the caption that should appear on the custom tab when
     24 + * it is displayed. <b>Note:</b> Burp invokes this method once when the tab
     25 + * is first generated, and the same caption will be used every time the tab
     26 + * is displayed.
     27 + *
     28 + * @return The caption that should appear on the custom tab when it is
     29 + * displayed.
     30 + */
     31 + String getTabCaption();
     32 +
     33 + /**
     34 + * This method returns the component that should be used as the contents of
     35 + * the custom tab when it is displayed. <b>Note:</b> Burp invokes this
     36 + * method once when the tab is first generated, and the same component will
     37 + * be used every time the tab is displayed.
     38 + *
     39 + * @return The component that should be used as the contents of the custom
     40 + * tab when it is displayed.
     41 + */
     42 + Component getUiComponent();
     43 +
     44 + /**
     45 + * The hosting editor will invoke this method before it displays a new HTTP
     46 + * message, so that the custom tab can indicate whether it should be enabled
     47 + * for that message.
     48 + *
     49 + * @param content The message that is about to be displayed, or a zero-length
     50 + * array if the existing message is to be cleared.
     51 + * @param isRequest Indicates whether the message is a request or a
     52 + * response.
     53 + * @return The method should return
     54 + * <code>true</code> if the custom tab is able to handle the specified
     55 + * message, and so will be displayed within the editor. Otherwise, the tab
     56 + * will be hidden while this message is displayed.
     57 + */
     58 + boolean isEnabled(byte[] content, boolean isRequest);
     59 +
     60 + /**
     61 + * The hosting editor will invoke this method to display a new message or to
     62 + * clear the existing message. This method will only be called with a new
     63 + * message if the tab has already returned
     64 + * <code>true</code> to a call to
     65 + * <code>isEnabled()</code> with the same message details.
     66 + *
     67 + * @param content The message that is to be displayed, or
     68 + * <code>null</code> if the tab should clear its contents and disable any
     69 + * editable controls.
     70 + * @param isRequest Indicates whether the message is a request or a
     71 + * response.
     72 + */
     73 + void setMessage(byte[] content, boolean isRequest);
     74 +
     75 + /**
     76 + * This method returns the currently displayed message.
     77 + *
     78 + * @return The currently displayed message.
     79 + */
     80 + byte[] getMessage();
     81 +
     82 + /**
     83 + * This method is used to determine whether the currently displayed message
     84 + * has been modified by the user. The hosting editor will always call
     85 + * <code>getMessage()</code> before calling this method, so any pending
     86 + * edits should be completed within
     87 + * <code>getMessage()</code>.
     88 + *
     89 + * @return The method should return
     90 + * <code>true</code> if the user has modified the current message since it
     91 + * was first displayed.
     92 + */
     93 + boolean isModified();
     94 +
     95 + /**
     96 + * This method is used to retrieve the data that is currently selected by
     97 + * the user.
     98 + *
     99 + * @return The data that is currently selected by the user. This may be
     100 + * <code>null</code> if no selection is currently made.
     101 + */
     102 + byte[] getSelectedData();
     103 +}
     104 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IMessageEditorTabFactory.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IMessageEditorTabFactory.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerMessageEditorTabFactory()</code> to
     16 + * register a factory for custom message editor tabs. This allows extensions to
     17 + * provide custom rendering or editing of HTTP messages, within Burp's own HTTP
     18 + * editor.
     19 + */
     20 +public interface IMessageEditorTabFactory {
     21 + /**
     22 + * Burp will call this method once for each HTTP message editor, and the
     23 + * factory should provide a new instance of an
     24 + * <code>IMessageEditorTab</code> object.
     25 + *
     26 + * @param controller An
     27 + * <code>IMessageEditorController</code> object, which the new tab can query
     28 + * to retrieve details about the currently displayed message. This may be
     29 + * <code>null</code> for extension-invoked message editors where the
     30 + * extension has not provided an editor controller.
     31 + * @param editable Indicates whether the hosting editor is editable or
     32 + * read-only.
     33 + * @return A new
     34 + * <code>IMessageEditorTab</code> object for use within the message editor.
     35 + */
     36 + IMessageEditorTab createNewInstance(IMessageEditorController controller,
     37 + boolean editable);
     38 +}
     39 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IParameter.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IParameter.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to hold details about an HTTP request parameter.
     15 + */
     16 +public interface IParameter {
     17 + /**
     18 + * Used to indicate a parameter within the URL query string.
     19 + */
     20 + static final byte PARAM_URL = 0;
     21 + /**
     22 + * Used to indicate a parameter within the message body.
     23 + */
     24 + static final byte PARAM_BODY = 1;
     25 + /**
     26 + * Used to indicate an HTTP cookie.
     27 + */
     28 + static final byte PARAM_COOKIE = 2;
     29 + /**
     30 + * Used to indicate an item of data within an XML structure.
     31 + */
     32 + static final byte PARAM_XML = 3;
     33 + /**
     34 + * Used to indicate the value of a tag attribute within an XML structure.
     35 + */
     36 + static final byte PARAM_XML_ATTR = 4;
     37 + /**
     38 + * Used to indicate the value of a parameter attribute within a multi-part
     39 + * message body (such as the name of an uploaded file).
     40 + */
     41 + static final byte PARAM_MULTIPART_ATTR = 5;
     42 + /**
     43 + * Used to indicate an item of data within a JSON structure.
     44 + */
     45 + static final byte PARAM_JSON = 6;
     46 +
     47 + /**
     48 + * This method is used to retrieve the parameter type.
     49 + *
     50 + * @return The parameter type. The available types are defined within this
     51 + * interface.
     52 + */
     53 + byte getType();
     54 +
     55 + /**
     56 + * This method is used to retrieve the parameter name.
     57 + *
     58 + * @return The parameter name.
     59 + */
     60 + String getName();
     61 +
     62 + /**
     63 + * This method is used to retrieve the parameter value.
     64 + *
     65 + * @return The parameter value.
     66 + */
     67 + String getValue();
     68 +
     69 + /**
     70 + * This method is used to retrieve the start offset of the parameter name
     71 + * within the HTTP request.
     72 + *
     73 + * @return The start offset of the parameter name within the HTTP request,
     74 + * or -1 if the parameter is not associated with a specific request.
     75 + */
     76 + int getNameStart();
     77 +
     78 + /**
     79 + * This method is used to retrieve the end offset of the parameter name
     80 + * within the HTTP request.
     81 + *
     82 + * @return The end offset of the parameter name within the HTTP request, or
     83 + * -1 if the parameter is not associated with a specific request.
     84 + */
     85 + int getNameEnd();
     86 +
     87 + /**
     88 + * This method is used to retrieve the start offset of the parameter value
     89 + * within the HTTP request.
     90 + *
     91 + * @return The start offset of the parameter value within the HTTP request,
     92 + * or -1 if the parameter is not associated with a specific request.
     93 + */
     94 + int getValueStart();
     95 +
     96 + /**
     97 + * This method is used to retrieve the end offset of the parameter value
     98 + * within the HTTP request.
     99 + *
     100 + * @return The end offset of the parameter value within the HTTP request, or
     101 + * -1 if the parameter is not associated with a specific request.
     102 + */
     103 + int getValueEnd();
     104 +}
     105 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IProxyListener.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IProxyListener.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerProxyListener()</code> to register a
     16 + * Proxy listener. The listener will be notified of requests and responses being
     17 + * processed by the Proxy tool. Extensions can perform custom analysis or
     18 + * modification of these messages, and control in-UI message interception, by
     19 + * registering a proxy listener.
     20 + */
     21 +public interface IProxyListener {
     22 + /**
     23 + * This method is invoked when an HTTP message is being processed by the
     24 + * Proxy.
     25 + *
     26 + * @param messageIsRequest Indicates whether the HTTP message is a request
     27 + * or a response.
     28 + * @param message An
     29 + * <code>IInterceptedProxyMessage</code> object that extensions can use to
     30 + * query and update details of the message, and control whether the message
     31 + * should be intercepted and displayed to the user for manual review or
     32 + * modification.
     33 + */
     34 + void processProxyMessage(
     35 + boolean messageIsRequest,
     36 + IInterceptedProxyMessage message);
     37 +}
     38 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IRequestInfo.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IRequestInfo.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.net.URL;
     14 +import java.util.List;
     15 +
     16 +/**
     17 + * This interface is used to retrieve key details about an HTTP request.
     18 + * Extensions can obtain an
     19 + * <code>IRequestInfo</code> object for a given request by calling
     20 + * <code>IExtensionHelpers.analyzeRequest()</code>.
     21 + */
     22 +public interface IRequestInfo {
     23 + /**
     24 + * Used to indicate that there is no content.
     25 + */
     26 + static final byte CONTENT_TYPE_NONE = 0;
     27 + /**
     28 + * Used to indicate URL-encoded content.
     29 + */
     30 + static final byte CONTENT_TYPE_URL_ENCODED = 1;
     31 + /**
     32 + * Used to indicate multi-part content.
     33 + */
     34 + static final byte CONTENT_TYPE_MULTIPART = 2;
     35 + /**
     36 + * Used to indicate XML content.
     37 + */
     38 + static final byte CONTENT_TYPE_XML = 3;
     39 + /**
     40 + * Used to indicate JSON content.
     41 + */
     42 + static final byte CONTENT_TYPE_JSON = 4;
     43 + /**
     44 + * Used to indicate AMF content.
     45 + */
     46 + static final byte CONTENT_TYPE_AMF = 5;
     47 + /**
     48 + * Used to indicate unknown content.
     49 + */
     50 + static final byte CONTENT_TYPE_UNKNOWN = -1;
     51 +
     52 + /**
     53 + * This method is used to obtain the HTTP method used in the request.
     54 + *
     55 + * @return The HTTP method used in the request.
     56 + */
     57 + String getMethod();
     58 +
     59 + /**
     60 + * This method is used to obtain the URL in the request.
     61 + *
     62 + * @return The URL in the request.
     63 + */
     64 + URL getUrl();
     65 +
     66 + /**
     67 + * This method is used to obtain the HTTP headers contained in the request.
     68 + *
     69 + * @return The HTTP headers contained in the request.
     70 + */
     71 + List<String> getHeaders();
     72 +
     73 + /**
     74 + * This method is used to obtain the parameters contained in the request.
     75 + *
     76 + * @return The parameters contained in the request.
     77 + */
     78 + List<IParameter> getParameters();
     79 +
     80 + /**
     81 + * This method is used to obtain the offset within the request where the
     82 + * message body begins.
     83 + *
     84 + * @return The offset within the request where the message body begins.
     85 + */
     86 + int getBodyOffset();
     87 +
     88 + /**
     89 + * This method is used to obtain the content type of the message body.
     90 + *
     91 + * @return An indication of the content type of the message body. Available
     92 + * types are defined within this interface.
     93 + */
     94 + byte getContentType();
     95 +}
     96 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IResponseInfo.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IResponseInfo.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * This interface is used to retrieve key details about an HTTP response.
     17 + * Extensions can obtain an
     18 + * <code>IResponseInfo</code> object for a given response by calling
     19 + * <code>IExtensionHelpers.analyzeResponse()</code>.
     20 + */
     21 +public interface IResponseInfo {
     22 + /**
     23 + * This method is used to obtain the HTTP headers contained in the response.
     24 + *
     25 + * @return The HTTP headers contained in the response.
     26 + */
     27 + List<String> getHeaders();
     28 +
     29 + /**
     30 + * This method is used to obtain the offset within the response where the
     31 + * message body begins.
     32 + *
     33 + * @return The offset within the response where the message body begins.
     34 + */
     35 + int getBodyOffset();
     36 +
     37 + /**
     38 + * This method is used to obtain the HTTP status code contained in the
     39 + * response.
     40 + *
     41 + * @return The HTTP status code contained in the response.
     42 + */
     43 + short getStatusCode();
     44 +
     45 + /**
     46 + * This method is used to obtain details of the HTTP cookies set in the
     47 + * response.
     48 + *
     49 + * @return A list of <code>ICookie</code> objects representing the cookies
     50 + * set in the response, if any.
     51 + */
     52 + List<ICookie> getCookies();
     53 +
     54 + /**
     55 + * This method is used to obtain the MIME type of the response, as stated in
     56 + * the HTTP headers.
     57 + *
     58 + * @return A textual label for the stated MIME type, or an empty String if
     59 + * this is not known or recognized. The possible labels are the same as
     60 + * those used in the main Burp UI.
     61 + */
     62 + String getStatedMimeType();
     63 +
     64 + /**
     65 + * This method is used to obtain the MIME type of the response, as inferred
     66 + * from the contents of the HTTP message body.
     67 + *
     68 + * @return A textual label for the inferred MIME type, or an empty String if
     69 + * this is not known or recognized. The possible labels are the same as
     70 + * those used in the main Burp UI.
     71 + */
     72 + String getInferredMimeType();
     73 +}
     74 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IResponseKeywords.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IResponseKeywords.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * This interface is used to represent the counts of keywords appearing in a
     17 + * number of HTTP responses.
     18 + */
     19 +public interface IResponseKeywords {
     20 +
     21 + /**
     22 + * This method is used to obtain the list of keywords whose counts vary
     23 + * between the analyzed responses.
     24 + *
     25 + * @return The keywords whose counts vary between the analyzed responses.
     26 + */
     27 + List<String> getVariantKeywords();
     28 +
     29 + /**
     30 + * This method is used to obtain the list of keywords whose counts do not
     31 + * vary between the analyzed responses.
     32 + *
     33 + * @return The keywords whose counts do not vary between the analyzed
     34 + * responses.
     35 + */
     36 + List<String> getInvariantKeywords();
     37 +
     38 + /**
     39 + * This method is used to obtain the number of occurrences of an individual
     40 + * keyword in a response.
     41 + *
     42 + * @param keyword The keyword whose count will be retrieved.
     43 + * @param responseIndex The index of the response. Note responses are
     44 + * indexed from zero in the order they were originally supplied to the
     45 + * <code>IExtensionHelpers.analyzeResponseKeywords()</code> and
     46 + * <code>IResponseKeywords.updateWith()</code> methods.
     47 + * @return The number of occurrences of the specified keyword for the
     48 + * specified response.
     49 + */
     50 + int getKeywordCount(String keyword, int responseIndex);
     51 +
     52 + /**
     53 + * This method is used to update the analysis based on additional responses.
     54 + *
     55 + * @param responses The new responses to include in the analysis.
     56 + */
     57 + void updateWith(byte[]... responses);
     58 +}
     59 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IResponseVariations.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IResponseVariations.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * This interface is used to represent variations between a number HTTP
     17 + * responses, according to various attributes.
     18 + */
     19 +public interface IResponseVariations {
     20 +
     21 + /**
     22 + * This method is used to obtain the list of attributes that vary between
     23 + * the analyzed responses.
     24 + *
     25 + * @return The attributes that vary between the analyzed responses.
     26 + */
     27 + List<String> getVariantAttributes();
     28 +
     29 + /**
     30 + * This method is used to obtain the list of attributes that do not vary
     31 + * between the analyzed responses.
     32 + *
     33 + * @return The attributes that do not vary between the analyzed responses.
     34 + */
     35 + List<String> getInvariantAttributes();
     36 +
     37 + /**
     38 + * This method is used to obtain the value of an individual attribute in a
     39 + * response. Note that the values of some attributes are intrinsically
     40 + * meaningful (e.g. a word count) while the values of others are less so
     41 + * (e.g. a checksum of the HTML tag names).
     42 + *
     43 + * @param attributeName The name of the attribute whose value will be
     44 + * retrieved. Extension authors can obtain the list of supported attributes
     45 + * by generating an <code>IResponseVariations</code> object for a single
     46 + * response and calling
     47 + * <code>IResponseVariations.getInvariantAttributes()</code>.
     48 + * @param responseIndex The index of the response. Note that responses are
     49 + * indexed from zero in the order they were originally supplied to the
     50 + * <code>IExtensionHelpers.analyzeResponseVariations()</code> and
     51 + * <code>IResponseVariations.updateWith()</code> methods.
     52 + * @return The value of the specified attribute for the specified response.
     53 + */
     54 + int getAttributeValue(String attributeName, int responseIndex);
     55 +
     56 + /**
     57 + * This method is used to update the analysis based on additional responses.
     58 + *
     59 + * @param responses The new responses to include in the analysis.
     60 + */
     61 + void updateWith(byte[]... responses);
     62 +}
     63 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScanIssue.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScanIssue.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to retrieve details of Scanner issues. Extensions can
     15 + * obtain details of issues by registering an <code>IScannerListener</code> or
     16 + * by calling <code>IBurpExtenderCallbacks.getScanIssues()</code>. Extensions
     17 + * can also add custom Scanner issues by registering an
     18 + * <code>IScannerCheck</code> or calling
     19 + * <code>IBurpExtenderCallbacks.addScanIssue()</code>, and providing their own
     20 + * implementations of this interface. Note that issue descriptions and other
     21 + * text generated by extensions are subject to an HTML whitelist that allows
     22 + * only formatting tags and simple hyperlinks.
     23 + */
     24 +public interface IScanIssue {
     25 +
     26 + /**
     27 + * This method returns the URL for which the issue was generated.
     28 + *
     29 + * @return The URL for which the issue was generated.
     30 + */
     31 + java.net.URL getUrl();
     32 +
     33 + /**
     34 + * This method returns the name of the issue type.
     35 + *
     36 + * @return The name of the issue type (e.g. "SQL injection").
     37 + */
     38 + String getIssueName();
     39 +
     40 + /**
     41 + * This method returns a numeric identifier of the issue type. See the Burp
     42 + * Scanner documentation for a listing of all the issue types.
     43 + *
     44 + * @return A numeric identifier of the issue type.
     45 + */
     46 + int getIssueType();
     47 +
     48 + /**
     49 + * This method returns the issue severity level.
     50 + *
     51 + * @return The issue severity level. Expected values are "High", "Medium",
     52 + * "Low", "Information" or "False positive".
     53 + */
     54 + String getSeverity();
     55 +
     56 + /**
     57 + * This method returns the issue confidence level.
     58 + *
     59 + * @return The issue confidence level. Expected values are "Certain", "Firm"
     60 + * or "Tentative".
     61 + */
     62 + String getConfidence();
     63 +
     64 + /**
     65 + * This method returns a background description for this type of issue.
     66 + *
     67 + * @return A background description for this type of issue, or
     68 + * <code>null</code> if none applies. A limited set of HTML tags may be
     69 + * used.
     70 + */
     71 + String getIssueBackground();
     72 +
     73 + /**
     74 + * This method returns a background description of the remediation for this
     75 + * type of issue.
     76 + *
     77 + * @return A background description of the remediation for this type of
     78 + * issue, or <code>null</code> if none applies. A limited set of HTML tags
     79 + * may be used.
     80 + */
     81 + String getRemediationBackground();
     82 +
     83 + /**
     84 + * This method returns detailed information about this specific instance of
     85 + * the issue.
     86 + *
     87 + * @return Detailed information about this specific instance of the issue,
     88 + * or <code>null</code> if none applies. A limited set of HTML tags may be
     89 + * used.
     90 + */
     91 + String getIssueDetail();
     92 +
     93 + /**
     94 + * This method returns detailed information about the remediation for this
     95 + * specific instance of the issue.
     96 + *
     97 + * @return Detailed information about the remediation for this specific
     98 + * instance of the issue, or <code>null</code> if none applies. A limited
     99 + * set of HTML tags may be used.
     100 + */
     101 + String getRemediationDetail();
     102 +
     103 + /**
     104 + * This method returns the HTTP messages on the basis of which the issue was
     105 + * generated.
     106 + *
     107 + * @return The HTTP messages on the basis of which the issue was generated.
     108 + * <b>Note:</b> The items in this array should be instances of
     109 + * <code>IHttpRequestResponseWithMarkers</code> if applicable, so that
     110 + * details of the relevant portions of the request and response messages are
     111 + * available.
     112 + */
     113 + IHttpRequestResponse[] getHttpMessages();
     114 +
     115 + /**
     116 + * This method returns the HTTP service for which the issue was generated.
     117 + *
     118 + * @return The HTTP service for which the issue was generated.
     119 + */
     120 + IHttpService getHttpService();
     121 +
     122 +}
     123 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScanQueueItem.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScanQueueItem.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to retrieve details of items in the Burp Scanner
     15 + * active scan queue. Extensions can obtain references to scan queue items by
     16 + * calling
     17 + * <code>IBurpExtenderCallbacks.doActiveScan()</code>.
     18 + */
     19 +public interface IScanQueueItem {
     20 + /**
     21 + * This method returns a description of the status of the scan queue item.
     22 + *
     23 + * @return A description of the status of the scan queue item.
     24 + */
     25 + String getStatus();
     26 +
     27 + /**
     28 + * This method returns an indication of the percentage completed for the
     29 + * scan queue item.
     30 + *
     31 + * @return An indication of the percentage completed for the scan queue
     32 + * item.
     33 + */
     34 + @Deprecated
     35 + byte getPercentageComplete();
     36 +
     37 + /**
     38 + * This method returns the number of requests that have been made for the
     39 + * scan queue item.
     40 + *
     41 + * @return The number of requests that have been made for the scan queue
     42 + * item.
     43 + */
     44 + int getNumRequests();
     45 +
     46 + /**
     47 + * This method returns the number of network errors that have occurred for
     48 + * the scan queue item.
     49 + *
     50 + * @return The number of network errors that have occurred for the scan
     51 + * queue item.
     52 + */
     53 + int getNumErrors();
     54 +
     55 + /**
     56 + * This method returns the number of attack insertion points being used for
     57 + * the scan queue item.
     58 + *
     59 + * @return The number of attack insertion points being used for the scan
     60 + * queue item.
     61 + */
     62 + int getNumInsertionPoints();
     63 +
     64 + /**
     65 + * This method allows the scan queue item to be canceled.
     66 + */
     67 + void cancel();
     68 +
     69 + /**
     70 + * This method returns details of the issues generated for the scan queue
     71 + * item. <b>Note:</b> different items within the scan queue may contain
     72 + * duplicated versions of the same issues - for example, if the same request
     73 + * has been scanned multiple times. Duplicated issues are consolidated in
     74 + * the main view of scan results. Extensions can register an
     75 + * <code>IScannerListener</code> to get details only of unique, newly
     76 + * discovered Scanner issues post-consolidation.
     77 + *
     78 + * @return Details of the issues generated for the scan queue item.
     79 + */
     80 + IScanIssue[] getIssues();
     81 +}
     82 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScannerCheck.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScannerCheck.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * Extensions can implement this interface and then call
     17 + * <code>IBurpExtenderCallbacks.registerScannerCheck()</code> to register a
     18 + * custom Scanner check. When performing scanning, Burp will ask the check to
     19 + * perform active or passive scanning on the base request, and report any
     20 + * Scanner issues that are identified.
     21 + */
     22 +public interface IScannerCheck {
     23 +
     24 + /**
     25 + * The Scanner invokes this method for each base request / response that is
     26 + * passively scanned. <b>Note:</b> Extensions should only analyze the
     27 + * HTTP messages provided during passive scanning, and should not make any
     28 + * new HTTP requests of their own.
     29 + *
     30 + * @param baseRequestResponse The base HTTP request / response that should
     31 + * be passively scanned.
     32 + * @return A list of <code>IScanIssue</code> objects, or <code>null</code>
     33 + * if no issues are identified.
     34 + */
     35 + List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse);
     36 +
     37 + /**
     38 + * The Scanner invokes this method for each insertion point that is actively
     39 + * scanned. Extensions may issue HTTP requests as required to carry out
     40 + * active scanning, and should use the
     41 + * <code>IScannerInsertionPoint</code> object provided to build scan
     42 + * requests for particular payloads.
     43 + * <b>Note:</b>
     44 + * Scan checks should submit raw non-encoded payloads to insertion points,
     45 + * and the insertion point has responsibility for performing any data
     46 + * encoding that is necessary given the nature and location of the insertion
     47 + * point.
     48 + *
     49 + * @param baseRequestResponse The base HTTP request / response that should
     50 + * be actively scanned.
     51 + * @param insertionPoint An <code>IScannerInsertionPoint</code> object that
     52 + * can be queried to obtain details of the insertion point being tested, and
     53 + * can be used to build scan requests for particular payloads.
     54 + * @return A list of <code>IScanIssue</code> objects, or <code>null</code>
     55 + * if no issues are identified.
     56 + */
     57 + List<IScanIssue> doActiveScan(
     58 + IHttpRequestResponse baseRequestResponse,
     59 + IScannerInsertionPoint insertionPoint);
     60 +
     61 + /**
     62 + * The Scanner invokes this method when the custom Scanner check has
     63 + * reported multiple issues for the same URL path. This can arise either
     64 + * because there are multiple distinct vulnerabilities, or because the same
     65 + * (or a similar) request has been scanned more than once. The custom check
     66 + * should determine whether the issues are duplicates. In most cases, where
     67 + * a check uses distinct issue names or descriptions for distinct issues,
     68 + * the consolidation process will simply be a matter of comparing these
     69 + * features for the two issues.
     70 + *
     71 + * @param existingIssue An issue that was previously reported by this
     72 + * Scanner check.
     73 + * @param newIssue An issue at the same URL path that has been newly
     74 + * reported by this Scanner check.
     75 + * @return An indication of which issue(s) should be reported in the main
     76 + * Scanner results. The method should return <code>-1</code> to report the
     77 + * existing issue only, <code>0</code> to report both issues, and
     78 + * <code>1</code> to report the new issue only.
     79 + */
     80 + int consolidateDuplicateIssues(
     81 + IScanIssue existingIssue,
     82 + IScanIssue newIssue);
     83 +}
     84 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScannerInsertionPoint.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScannerInsertionPoint.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to define an insertion point for use by active Scanner
     15 + * checks. Extensions can obtain instances of this interface by registering an
     16 + * <code>IScannerCheck</code>, or can create instances for use by Burp's own
     17 + * scan checks by registering an
     18 + * <code>IScannerInsertionPointProvider</code>.
     19 + */
     20 +public interface IScannerInsertionPoint {
     21 +
     22 + /**
     23 + * Used to indicate where the payload is inserted into the value of a URL
     24 + * parameter.
     25 + */
     26 + static final byte INS_PARAM_URL = 0x00;
     27 + /**
     28 + * Used to indicate where the payload is inserted into the value of a body
     29 + * parameter.
     30 + */
     31 + static final byte INS_PARAM_BODY = 0x01;
     32 + /**
     33 + * Used to indicate where the payload is inserted into the value of an HTTP
     34 + * cookie.
     35 + */
     36 + static final byte INS_PARAM_COOKIE = 0x02;
     37 + /**
     38 + * Used to indicate where the payload is inserted into the value of an item
     39 + * of data within an XML data structure.
     40 + */
     41 + static final byte INS_PARAM_XML = 0x03;
     42 + /**
     43 + * Used to indicate where the payload is inserted into the value of a tag
     44 + * attribute within an XML structure.
     45 + */
     46 + static final byte INS_PARAM_XML_ATTR = 0x04;
     47 + /**
     48 + * Used to indicate where the payload is inserted into the value of a
     49 + * parameter attribute within a multi-part message body (such as the name of
     50 + * an uploaded file).
     51 + */
     52 + static final byte INS_PARAM_MULTIPART_ATTR = 0x05;
     53 + /**
     54 + * Used to indicate where the payload is inserted into the value of an item
     55 + * of data within a JSON structure.
     56 + */
     57 + static final byte INS_PARAM_JSON = 0x06;
     58 + /**
     59 + * Used to indicate where the payload is inserted into the value of an AMF
     60 + * parameter.
     61 + */
     62 + static final byte INS_PARAM_AMF = 0x07;
     63 + /**
     64 + * Used to indicate where the payload is inserted into the value of an HTTP
     65 + * request header.
     66 + */
     67 + static final byte INS_HEADER = 0x20;
     68 + /**
     69 + * Used to indicate where the payload is inserted into a URL path folder.
     70 + */
     71 + static final byte INS_URL_PATH_FOLDER = 0x21;
     72 + /**
     73 + * Used to indicate where the payload is inserted into a URL path folder.
     74 + * This is now deprecated; use <code>INS_URL_PATH_FOLDER</code> instead.
     75 + */
     76 + @Deprecated
     77 + static final byte INS_URL_PATH_REST = INS_URL_PATH_FOLDER;
     78 + /**
     79 + * Used to indicate where the payload is inserted into the name of an added
     80 + * URL parameter.
     81 + */
     82 + static final byte INS_PARAM_NAME_URL = 0x22;
     83 + /**
     84 + * Used to indicate where the payload is inserted into the name of an added
     85 + * body parameter.
     86 + */
     87 + static final byte INS_PARAM_NAME_BODY = 0x23;
     88 + /**
     89 + * Used to indicate where the payload is inserted into the body of the HTTP
     90 + * request.
     91 + */
     92 + static final byte INS_ENTIRE_BODY = 0x24;
     93 + /**
     94 + * Used to indicate where the payload is inserted into the URL path
     95 + * filename.
     96 + */
     97 + static final byte INS_URL_PATH_FILENAME = 0x25;
     98 + /**
     99 + * Used to indicate where the payload is inserted at a location manually
     100 + * configured by the user.
     101 + */
     102 + static final byte INS_USER_PROVIDED = 0x40;
     103 + /**
     104 + * Used to indicate where the insertion point is provided by an
     105 + * extension-registered
     106 + * <code>IScannerInsertionPointProvider</code>.
     107 + */
     108 + static final byte INS_EXTENSION_PROVIDED = 0x41;
     109 + /**
     110 + * Used to indicate where the payload is inserted at an unknown location
     111 + * within the request.
     112 + */
     113 + static final byte INS_UNKNOWN = 0x7f;
     114 +
     115 + /**
     116 + * This method returns the name of the insertion point.
     117 + *
     118 + * @return The name of the insertion point (for example, a description of a
     119 + * particular request parameter).
     120 + */
     121 + String getInsertionPointName();
     122 +
     123 + /**
     124 + * This method returns the base value for this insertion point.
     125 + *
     126 + * @return the base value that appears in this insertion point in the base
     127 + * request being scanned, or <code>null</code> if there is no value in the
     128 + * base request that corresponds to this insertion point.
     129 + */
     130 + String getBaseValue();
     131 +
     132 + /**
     133 + * This method is used to build a request with the specified payload placed
     134 + * into the insertion point. There is no requirement for extension-provided
     135 + * insertion points to adjust the Content-Length header in requests if the
     136 + * body length has changed, although Burp-provided insertion points will
     137 + * always do this and will return a request with a valid Content-Length
     138 + * header.
     139 + * <b>Note:</b>
     140 + * Scan checks should submit raw non-encoded payloads to insertion points,
     141 + * and the insertion point has responsibility for performing any data
     142 + * encoding that is necessary given the nature and location of the insertion
     143 + * point.
     144 + *
     145 + * @param payload The payload that should be placed into the insertion
     146 + * point.
     147 + * @return The resulting request.
     148 + */
     149 + byte[] buildRequest(byte[] payload);
     150 +
     151 + /**
     152 + * This method is used to determine the offsets of the payload value within
     153 + * the request, when it is placed into the insertion point. Scan checks may
     154 + * invoke this method when reporting issues, so as to highlight the relevant
     155 + * part of the request within the UI.
     156 + *
     157 + * @param payload The payload that should be placed into the insertion
     158 + * point.
     159 + * @return An int[2] array containing the start and end offsets of the
     160 + * payload within the request, or null if this is not applicable (for
     161 + * example, where the insertion point places a payload into a serialized
     162 + * data structure, the raw payload may not literally appear anywhere within
     163 + * the resulting request).
     164 + */
     165 + int[] getPayloadOffsets(byte[] payload);
     166 +
     167 + /**
     168 + * This method returns the type of the insertion point.
     169 + *
     170 + * @return The type of the insertion point. Available types are defined in
     171 + * this interface.
     172 + */
     173 + byte getInsertionPointType();
     174 +}
     175 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScannerInsertionPointProvider.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScannerInsertionPointProvider.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.util.List;
     14 +
     15 +/**
     16 + * Extensions can implement this interface and then call
     17 + * <code>IBurpExtenderCallbacks.registerScannerInsertionPointProvider()</code>
     18 + * to register a factory for custom Scanner insertion points.
     19 + */
     20 +public interface IScannerInsertionPointProvider {
     21 + /**
     22 + * When a request is actively scanned, the Scanner will invoke this method,
     23 + * and the provider should provide a list of custom insertion points that
     24 + * will be used in the scan. <b>Note:</b> these insertion points are used in
     25 + * addition to those that are derived from Burp Scanner's configuration, and
     26 + * those provided by any other Burp extensions.
     27 + *
     28 + * @param baseRequestResponse The base request that will be actively
     29 + * scanned.
     30 + * @return A list of
     31 + * <code>IScannerInsertionPoint</code> objects that should be used in the
     32 + * scanning, or
     33 + * <code>null</code> if no custom insertion points are applicable for this
     34 + * request.
     35 + */
     36 + List<IScannerInsertionPoint> getInsertionPoints(
     37 + IHttpRequestResponse baseRequestResponse);
     38 +}
     39 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScannerListener.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScannerListener.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerScannerListener()</code> to register a
     16 + * Scanner listener. The listener will be notified of new issues that are
     17 + * reported by the Scanner tool. Extensions can perform custom analysis or
     18 + * logging of Scanner issues by registering a Scanner listener.
     19 + */
     20 +public interface IScannerListener {
     21 + /**
     22 + * This method is invoked when a new issue is added to Burp Scanner's
     23 + * results.
     24 + *
     25 + * @param issue An
     26 + * <code>IScanIssue</code> object that the extension can query to obtain
     27 + * details about the new issue.
     28 + */
     29 + void newScanIssue(IScanIssue issue);
     30 +}
     31 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/IScopeChangeListener.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)IScopeChangeListener.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerScopeChangeListener()</code> to register
     16 + * a scope change listener. The listener will be notified whenever a change
     17 + * occurs to Burp's suite-wide target scope.
     18 + */
     19 +public interface IScopeChangeListener {
     20 + /**
     21 + * This method is invoked whenever a change occurs to Burp's suite-wide
     22 + * target scope.
     23 + */
     24 + void scopeChanged();
     25 +}
     26 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/ISessionHandlingAction.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)ISessionHandlingAction.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * Extensions can implement this interface and then call
     15 + * <code>IBurpExtenderCallbacks.registerSessionHandlingAction()</code> to
     16 + * register a custom session handling action. Each registered action will be
     17 + * available within the session handling rule UI for the user to select as a
     18 + * rule action. Users can choose to invoke an action directly in its own right,
     19 + * or following execution of a macro.
     20 + */
     21 +public interface ISessionHandlingAction {
     22 + /**
     23 + * This method is used by Burp to obtain the name of the session handling
     24 + * action. This will be displayed as an option within the session handling
     25 + * rule editor when the user selects to execute an extension-provided
     26 + * action.
     27 + *
     28 + * @return The name of the action.
     29 + */
     30 + String getActionName();
     31 +
     32 + /**
     33 + * This method is invoked when the session handling action should be
     34 + * executed. This may happen as an action in its own right, or as a
     35 + * sub-action following execution of a macro.
     36 + *
     37 + * @param currentRequest The base request that is currently being processed.
     38 + * The action can query this object to obtain details about the base
     39 + * request. It can issue additional requests of its own if necessary, and
     40 + * can use the setter methods on this object to update the base request.
     41 + * @param macroItems If the action is invoked following execution of a
     42 + * macro, this parameter contains the result of executing the macro.
     43 + * Otherwise, it is
     44 + * <code>null</code>. Actions can use the details of the macro items to
     45 + * perform custom analysis of the macro to derive values of non-standard
     46 + * session handling tokens, etc.
     47 + */
     48 + void performAction(
     49 + IHttpRequestResponse currentRequest,
     50 + IHttpRequestResponse[] macroItems);
     51 +}
     52 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/ITab.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)ITab.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.awt.Component;
     14 +
     15 +/**
     16 + * This interface is used to provide Burp with details of a custom tab that will
     17 + * be added to Burp's UI, using a method such as
     18 + * <code>IBurpExtenderCallbacks.addSuiteTab()</code>.
     19 + */
     20 +public interface ITab {
     21 + /**
     22 + * Burp uses this method to obtain the caption that should appear on the
     23 + * custom tab when it is displayed.
     24 + *
     25 + * @return The caption that should appear on the custom tab when it is
     26 + * displayed.
     27 + */
     28 + String getTabCaption();
     29 +
     30 + /**
     31 + * Burp uses this method to obtain the component that should be used as the
     32 + * contents of the custom tab when it is displayed.
     33 + *
     34 + * @return The component that should be used as the contents of the custom
     35 + * tab when it is displayed.
     36 + */
     37 + Component getUiComponent();
     38 +}
     39 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/ITempFile.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)ITempFile.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +/**
     14 + * This interface is used to hold details of a temporary file that has been
     15 + * created via a call to
     16 + * <code>IBurpExtenderCallbacks.saveToTempFile()</code>.
     17 + */
     18 +public interface ITempFile {
     19 + /**
     20 + * This method is used to retrieve the contents of the buffer that was saved
     21 + * in the temporary file.
     22 + *
     23 + * @return The contents of the buffer that was saved in the temporary file.
     24 + */
     25 + byte[] getBuffer();
     26 +
     27 + /**
     28 + * This method is deprecated and no longer performs any action.
     29 + */
     30 + @Deprecated
     31 + void delete();
     32 +}
     33 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/ITextEditor.java
     1 +package burp;
     2 +
     3 +/*
     4 + * @(#)ITextEditor.java
     5 + *
     6 + * Copyright PortSwigger Ltd. All rights reserved.
     7 + *
     8 + * This code may be used to extend the functionality of Burp Suite Community Edition
     9 + * and Burp Suite Professional, provided that this usage does not violate the
     10 + * license terms for those products.
     11 + */
     12 +
     13 +import java.awt.Component;
     14 +
     15 +/**
     16 + * This interface is used to provide extensions with an instance of Burp's raw
     17 + * text editor, for the extension to use in its own UI. Extensions should call
     18 + * <code>IBurpExtenderCallbacks.createTextEditor()</code> to obtain an instance
     19 + * of this interface.
     20 + */
     21 +public interface ITextEditor {
     22 + /**
     23 + * This method returns the UI component of the editor, for extensions to add
     24 + * to their own UI.
     25 + *
     26 + * @return The UI component of the editor.
     27 + */
     28 + Component getComponent();
     29 +
     30 + /**
     31 + * This method is used to control whether the editor is currently editable.
     32 + * This status can be toggled on and off as required.
     33 + *
     34 + * @param editable Indicates whether the editor should be currently
     35 + * editable.
     36 + */
     37 + void setEditable(boolean editable);
     38 +
     39 + /**
     40 + * This method is used to update the currently displayed text in the editor.
     41 + *
     42 + * @param text The text to be displayed.
     43 + */
     44 + void setText(byte[] text);
     45 +
     46 + /**
     47 + * This method is used to retrieve the currently displayed text.
     48 + *
     49 + * @return The currently displayed text.
     50 + */
     51 + byte[] getText();
     52 +
     53 + /**
     54 + * This method is used to determine whether the user has modified the
     55 + * contents of the editor.
     56 + *
     57 + * @return An indication of whether the user has modified the contents of
     58 + * the editor since the last call to
     59 + * <code>setText()</code>.
     60 + */
     61 + boolean isTextModified();
     62 +
     63 + /**
     64 + * This method is used to obtain the currently selected text.
     65 + *
     66 + * @return The currently selected text, or
     67 + * <code>null</code> if the user has not made any selection.
     68 + */
     69 + byte[] getSelectedText();
     70 +
     71 + /**
     72 + * This method can be used to retrieve the bounds of the user's selection
     73 + * into the displayed text, if applicable.
     74 + *
     75 + * @return An int[2] array containing the start and end offsets of the
     76 + * user's selection within the displayed text. If the user has not made any
     77 + * selection in the current message, both offsets indicate the position of
     78 + * the caret within the editor.
     79 + */
     80 + int[] getSelectionBounds();
     81 +
     82 + /**
     83 + * This method is used to update the search expression that is shown in the
     84 + * search bar below the editor. The editor will automatically highlight any
     85 + * regions of the displayed text that match the search expression.
     86 + *
     87 + * @param expression The search expression.
     88 + */
     89 + void setSearchExpression(String expression);
     90 +}
     91 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/burp/SpringUtilities.java
     1 +/*
     2 + * Copyright (c) 1995, 2008, Oracle and/or its affiliates. All rights reserved.
     3 + *
     4 + * Redistribution and use in source and binary forms, with or without
     5 + * modification, are permitted provided that the following conditions
     6 + * are met:
     7 + *
     8 + * - Redistributions of source code must retain the above copyright
     9 + * notice, this list of conditions and the following disclaimer.
     10 + *
     11 + * - Redistributions in binary form must reproduce the above copyright
     12 + * notice, this list of conditions and the following disclaimer in the
     13 + * documentation and/or other materials provided with the distribution.
     14 + *
     15 + * - Neither the name of Oracle or the names of its
     16 + * contributors may be used to endorse or promote products derived
     17 + * from this software without specific prior written permission.
     18 + *
     19 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
     20 + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
     21 + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     22 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
     23 + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     24 + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     25 + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     26 + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
     27 + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
     28 + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
     29 + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     30 + */
     31 +package burp;
     32 + 
     33 +import javax.swing.*;
     34 +import java.awt.*;
     35 + 
     36 +/**
     37 + * A 1.4 file that provides utility methods for
     38 + * creating form- or grid-style layouts with SpringLayout.
     39 + * These utilities are used by several programs, such as
     40 + * SpringBox and SpringCompactGrid.
     41 + */
     42 +public class SpringUtilities {
     43 + /**
     44 + * A debugging utility that prints to stdout the component's
     45 + * minimum, preferred, and maximum sizes.
     46 + */
     47 + public static void printSizes(Component c) {
     48 + System.out.println("minimumSize = " + c.getMinimumSize());
     49 + System.out.println("preferredSize = " + c.getPreferredSize());
     50 + System.out.println("maximumSize = " + c.getMaximumSize());
     51 + }
     52 + 
     53 + /**
     54 + * Aligns the first <code>rows</code> * <code>cols</code>
     55 + * components of <code>parent</code> in
     56 + * a grid. Each component is as big as the maximum
     57 + * preferred width and height of the components.
     58 + * The parent is made just big enough to fit them all.
     59 + *
     60 + * @param rows number of rows
     61 + * @param cols number of columns
     62 + * @param initialX x location to start the grid at
     63 + * @param initialY y location to start the grid at
     64 + * @param xPad x padding between cells
     65 + * @param yPad y padding between cells
     66 + */
     67 + public static void makeGrid(Container parent,
     68 + int rows, int cols,
     69 + int initialX, int initialY,
     70 + int xPad, int yPad) {
     71 + SpringLayout layout;
     72 + try {
     73 + layout = (SpringLayout) parent.getLayout();
     74 + } catch (ClassCastException exc) {
     75 + System.err.println("The first argument to makeGrid must use SpringLayout.");
     76 + return;
     77 + }
     78 + Spring xPadSpring = Spring.constant(xPad);
     79 + Spring yPadSpring = Spring.constant(yPad);
     80 + Spring initialXSpring = Spring.constant(initialX);
     81 + Spring initialYSpring = Spring.constant(initialY);
     82 + int max = rows * cols;
     83 + //Calculate Springs that are the max of the width/height so that all
     84 + //cells have the same size.
     85 + Spring maxWidthSpring = layout.getConstraints(parent.getComponent(0)).
     86 + getWidth();
     87 + Spring maxHeightSpring = layout.getConstraints(parent.getComponent(0)).
     88 + getHeight();
     89 + for (int i = 1; i < max; i++) {
     90 + SpringLayout.Constraints cons = layout.getConstraints(
     91 + parent.getComponent(i));
     92 + maxWidthSpring = Spring.max(maxWidthSpring, cons.getWidth());
     93 + maxHeightSpring = Spring.max(maxHeightSpring, cons.getHeight());
     94 + }
     95 + //Apply the new width/height Spring. This forces all the
     96 + //components to have the same size.
     97 + for (int i = 0; i < max; i++) {
     98 + SpringLayout.Constraints cons = layout.getConstraints(
     99 + parent.getComponent(i));
     100 + cons.setWidth(maxWidthSpring);
     101 + cons.setHeight(maxHeightSpring);
     102 + }
     103 + //Then adjust the x/y constraints of all the cells so that they
     104 + //are aligned in a grid.
     105 + SpringLayout.Constraints lastCons = null;
     106 + SpringLayout.Constraints lastRowCons = null;
     107 + for (int i = 0; i < max; i++) {
     108 + SpringLayout.Constraints cons = layout.getConstraints(
     109 + parent.getComponent(i));
     110 + if (i % cols == 0) { //start of new row
     111 + lastRowCons = lastCons;
     112 + cons.setX(initialXSpring);
     113 + } else { //x position depends on previous component
     114 + cons.setX(Spring.sum(lastCons.getConstraint(SpringLayout.EAST),
     115 + xPadSpring));
     116 + }
     117 + if (i / cols == 0) { //first row
     118 + cons.setY(initialYSpring);
     119 + } else { //y position depends on previous row
     120 + cons.setY(Spring.sum(lastRowCons.getConstraint(SpringLayout.SOUTH),
     121 + yPadSpring));
     122 + }
     123 + lastCons = cons;
     124 + }
     125 + //Set the parent's size.
     126 + SpringLayout.Constraints pCons = layout.getConstraints(parent);
     127 + pCons.setConstraint(SpringLayout.SOUTH,
     128 + Spring.sum(
     129 + Spring.constant(yPad),
     130 + lastCons.getConstraint(SpringLayout.SOUTH)));
     131 + pCons.setConstraint(SpringLayout.EAST,
     132 + Spring.sum(
     133 + Spring.constant(xPad),
     134 + lastCons.getConstraint(SpringLayout.EAST)));
     135 + }
     136 + 
     137 + /* Used by makeCompactGrid. */
     138 + private static SpringLayout.Constraints getConstraintsForCell(
     139 + int row, int col,
     140 + Container parent,
     141 + int cols) {
     142 + SpringLayout layout = (SpringLayout) parent.getLayout();
     143 + Component c = parent.getComponent(row * cols + col);
     144 + return layout.getConstraints(c);
     145 + }
     146 + 
     147 + /**
     148 + * Aligns the first <code>rows</code> * <code>cols</code>
     149 + * components of <code>parent</code> in
     150 + * a grid. Each component in a column is as wide as the maximum
     151 + * preferred width of the components in that column;
     152 + * height is similarly determined for each row.
     153 + * The parent is made just big enough to fit them all.
     154 + *
     155 + * @param rows number of rows
     156 + * @param cols number of columns
     157 + * @param initialX x location to start the grid at
     158 + * @param initialY y location to start the grid at
     159 + * @param xPad x padding between cells
     160 + * @param yPad y padding between cells
     161 + */
     162 + public static void makeCompactGrid(Container parent,
     163 + int rows, int cols,
     164 + int initialX, int initialY,
     165 + int xPad, int yPad) {
     166 + SpringLayout layout;
     167 + try {
     168 + layout = (SpringLayout) parent.getLayout();
     169 + } catch (ClassCastException exc) {
     170 + System.err.println("The first argument to makeCompactGrid must use SpringLayout.");
     171 + return;
     172 + }
     173 + //Align all cells in each column and make them the same width.
     174 + Spring x = Spring.constant(initialX);
     175 + for (int c = 0; c < cols; c++) {
     176 + Spring width = Spring.constant(0);
     177 + for (int r = 0; r < rows; r++) {
     178 + width = Spring.max(width,
     179 + getConstraintsForCell(r, c, parent, cols).
     180 + getWidth());
     181 + }
     182 + for (int r = 0; r < rows; r++) {
     183 + SpringLayout.Constraints constraints =
     184 + getConstraintsForCell(r, c, parent, cols);
     185 + constraints.setX(x);
     186 + constraints.setWidth(width);
     187 + }
     188 + x = Spring.sum(x, Spring.sum(width, Spring.constant(xPad)));
     189 + }
     190 + //Align all cells in each row and make them the same height.
     191 + Spring y = Spring.constant(initialY);
     192 + for (int r = 0; r < rows; r++) {
     193 + Spring height = Spring.constant(0);
     194 + for (int c = 0; c < cols; c++) {
     195 + height = Spring.max(height,
     196 + getConstraintsForCell(r, c, parent, cols).
     197 + getHeight());
     198 + }
     199 + for (int c = 0; c < cols; c++) {
     200 + SpringLayout.Constraints constraints =
     201 + getConstraintsForCell(r, c, parent, cols);
     202 + constraints.setY(y);
     203 + constraints.setHeight(height);
     204 + }
     205 + y = Spring.sum(y, Spring.sum(height, Spring.constant(yPad)));
     206 + }
     207 + //Set the parent's size.
     208 + SpringLayout.Constraints pCons = layout.getConstraints(parent);
     209 + pCons.setConstraint(SpringLayout.SOUTH, y);
     210 + pCons.setConstraint(SpringLayout.EAST, x);
     211 + }
     212 +}
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/controller/Utils.java
     1 +/*
     2 +Copyright (C) 2021 CYS4 Srl
     3 +See the file 'LICENSE' for copying permission
     4 +*/
     5 +package cys4.controller;
     6 + 
     7 +import cys4.seed.BurpLeaksSeed;
     8 + 
     9 +import java.io.ByteArrayOutputStream;
     10 +import java.io.IOException;
     11 +import java.io.InputStream;
     12 + 
     13 + 
     14 +public class Utils {
     15 + 
     16 + public static String readResourceFile(String STRING_Filename)
     17 + {
     18 + String STRING_ReadBuffer = null;
     19 + // load the prop files
     20 + try (InputStream input = BurpLeaksSeed.class.getClassLoader().getResourceAsStream(STRING_Filename)) {
     21 + assert (input != null);
     22 + 
     23 + ByteArrayOutputStream result = new ByteArrayOutputStream();
     24 + byte[] buffer = new byte[1024];
     25 + for (int length; (length = input.read(buffer)) != -1; ) {
     26 + result.write(buffer, 0, length);
     27 + }
     28 + // StandardCharsets.UTF_8.name() > JDK 7
     29 + STRING_ReadBuffer = result.toString("UTF-8");
     30 + 
     31 + } catch (IOException ex) {
     32 + ex.printStackTrace();
     33 + }
     34 + return STRING_ReadBuffer;
     35 + }
     36 +}
     37 + 
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/model/ExtensionEntity.java
     1 +/*
     2 +Copyright (C) 2021 CYS4 Srl
     3 +See the file 'LICENSE' for copying permission
     4 +*/
     5 +package cys4.model;
     6 + 
     7 +import java.util.regex.Matcher;
     8 +import java.util.regex.Pattern;
     9 + 
     10 + 
     11 +public class ExtensionEntity {
     12 + private Boolean active;
     13 + private final String extension;
     14 + private final String description;
     15 + 
     16 + public ExtensionEntity(String description, String extension) {
     17 + this.active = true;
     18 + this.extension = extension;
     19 + this.description = description;
     20 + }
     21 + 
     22 + public boolean isActive() {
     23 + return active;
     24 + }
     25 + 
     26 + public void setActive(boolean value) {
     27 + this.active = value;
     28 + }
     29 + 
     30 + public String getDescription() {
     31 + return this.description;
     32 + }
     33 + 
     34 + public String getExtension() {
     35 + return this.extension;
     36 + }
     37 + 
     38 + //
     39 + // function to check if the extensions added are in the form of <Description,.Extension>
     40 + //
     41 + public static boolean extIsInCorrectFormat(String lineWithRegex) {
     42 + String regex = "^[\"|'].*[\"|'],(\\s)?[\"|'](^)?\\..+[\"|']$";
     43 + Pattern regex_pattern = Pattern.compile(regex);
     44 + Matcher regex_matcher = regex_pattern.matcher(lineWithRegex);
     45 + return regex_matcher.find();
     46 + }
     47 +}
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/model/LogEntity.java
     1 +/*
     2 +Copyright (C) 2021 CYS4 Srl
     3 +See the file 'LICENSE' for copying permission
     4 +*/
     5 + 
     6 +package cys4.model;
     7 + 
     8 +import burp.IHttpRequestResponsePersisted;
     9 + 
     10 +import java.net.URL;
     11 +import java.util.concurrent.atomic.AtomicInteger;
     12 + 
     13 +public class LogEntity {
     14 + private int idRequest;
     15 + private final static AtomicInteger counter = new AtomicInteger(0);
     16 + private final IHttpRequestResponsePersisted requestResponse;
     17 + private final URL url;
     18 + private final String regex;
     19 + private final String match; //string from the body that matches
     20 + private final String host;
     21 + private final int port;
     22 + private final String protocol;
     23 + private final boolean isSSL;
     24 + 
     25 + public LogEntity(IHttpRequestResponsePersisted requestResponse, URL url, String regex, String match) {
     26 + this.idRequest = getCounterIdRequest();
     27 + 
     28 + incrementCounter();
     29 + 
     30 + this.requestResponse = requestResponse;
     31 + this.url = url;
     32 + this.regex = regex;
     33 + this.match = match;
     34 + this.host = requestResponse.getHttpService().getHost();
     35 + this.protocol = requestResponse.getHttpService().getProtocol();
     36 + this.port = requestResponse.getHttpService().getPort();
     37 + this.isSSL = this.protocol.equals("https");
     38 + }
     39 + 
     40 + public int getIdRequest() {
     41 + return this.idRequest;
     42 + }
     43 + 
     44 + public URL getURL() {
     45 + return this.url;
     46 + }
     47 + 
     48 + public IHttpRequestResponsePersisted getRequestResponse() {
     49 + return requestResponse;
     50 + }
     51 + 
     52 + public String getRegex() {
     53 + return regex;
     54 + }
     55 + 
     56 + public String getMatch() {
     57 + return match;
     58 + }
     59 + 
     60 + public String getHost() {
     61 + return host;
     62 + }
     63 + 
     64 + public int getPort() {
     65 + return port;
     66 + }
     67 + 
     68 + public String getProtocol() {
     69 + return protocol;
     70 + }
     71 + 
     72 + public boolean isSSL() {
     73 + return isSSL;
     74 + }
     75 + 
     76 + // return the current value of our counter
     77 + public static int getCounterIdRequest() {
     78 + return counter.get();
     79 + }
     80 + 
     81 + // increment the counter in thread safe mode
     82 + private static void incrementCounter() {
     83 + while (true) {
     84 + int existingValue = getCounterIdRequest();
     85 + int newValue = existingValue + 1;
     86 + if (counter.compareAndSet(existingValue, newValue)) {
     87 + return;
     88 + }
     89 + }
     90 + }
     91 + 
     92 + // reset the counter
     93 + public static void setIdRequest(int counterParam) {
     94 + int existingValue = getCounterIdRequest();
     95 + if (existingValue != counterParam) {
     96 + while (true) {
     97 + if (counter.compareAndSet(existingValue, counterParam)) {
     98 + return;
     99 + }
     100 + }
     101 + }
     102 + }
     103 + 
     104 + @Override
     105 + public boolean equals(Object o) {
     106 + if (o == this) {
     107 + return true;
     108 + }
     109 + if (o instanceof LogEntity) {
     110 + String firstUrl;
     111 + String secondUrl;
     112 + 
     113 + // avoiding useless entry of the same matches on the same site by confronting the non-query part of urls
     114 + if (this.url.getQuery() != null) {
     115 + firstUrl = this.url.toString().replace(this.url.getQuery(), "");
     116 + } else {
     117 + firstUrl = this.url.toString();
     118 + }
     119 + if (((LogEntity) o).url.getQuery() != null) {
     120 + secondUrl = ((LogEntity) o).url.toString().replace(((LogEntity) o).url.getQuery(), "");
     121 + } else {
     122 + secondUrl = ((LogEntity) o).url.toString();
     123 + }
     124 + 
     125 + return (((LogEntity) o).regex.equals(this.regex)) &&
     126 + firstUrl.equals(secondUrl) &&
     127 + ((LogEntity) o).match.equals(this.match);
     128 + }
     129 + return false;
     130 + }
     131 +}
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/model/RegexEntity.java
     1 +/*
     2 +Copyright (C) 2021 CYS4 Srl
     3 +See the file 'LICENSE' for copying permission
     4 +*/
     5 + 
     6 +package cys4.model;
     7 + 
     8 +import java.util.regex.Matcher;
     9 +import java.util.regex.Pattern;
     10 + 
     11 +public class RegexEntity {
     12 + private Boolean active;
     13 + private final String regular_expression;
     14 + private final String description;
     15 + 
     16 + public RegexEntity(String description, String regex) {
     17 + this.active = true;
     18 + this.regular_expression = regex;
     19 + this.description = description;
     20 + }
     21 + 
     22 + public RegexEntity(String description, String regex, Boolean active) {
     23 + this.active = active;
     24 + this.regular_expression = regex;
     25 + this.description = description;
     26 + }
     27 + 
     28 + public Boolean isActive() {
     29 + return this.active;
     30 + }
     31 + 
     32 + public String getRegex() {
     33 + return regular_expression;
     34 + }
     35 + 
     36 + public String getDescription() {
     37 + return description;
     38 + }
     39 + 
     40 + public void setActive(Boolean value) {
     41 + this.active = value;
     42 + }
     43 + 
     44 + // Overriding equals() to compare two Complex objects
     45 + @Override
     46 + public boolean equals(Object o) {
     47 + 
     48 + // If the object is compared with itself then return true
     49 + if (o == this) {
     50 + return true;
     51 + }
     52 + 
     53 + /* Check if o is an instance of Complex or not
     54 + "null instanceof [type]" also returns false */
     55 + if (!(o instanceof RegexEntity)) {
     56 + return false;
     57 + }
     58 + 
     59 + // Compare the data members and return accordingly
     60 + return this.getRegex().equals(((RegexEntity) o).getRegex());
     61 + }
     62 + 
     63 + //
     64 + // function to check if the regexes added are in the form of <Description; Regex>
     65 + //
     66 + public static boolean regexIsInCorrectFormat(String lineWithRegex) {
     67 + String regex = "^[\"|'].*[\"|'],(\\s)?[\"|'].+[\"|']$";
     68 + Pattern regex_pattern = Pattern.compile(regex);
     69 + Matcher regex_matcher = regex_pattern.matcher(lineWithRegex);
     70 + return regex_matcher.find();
     71 + }
     72 + 
     73 +}
  • ■ ■ ■ ■ ■
    src/main/java/cys4/resources/config.properties
     1 +ui.name.extension_name=CYS4-SensitiveDiscoverer
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/resources/extension.json
     1 +[{"description":"Potential cryptographic private key", "extension":"\\.pem"},
     2 + {"description":"Log file", "extension":"\\.log"},
     3 + {"description":"Potential cryptographic key bundle", "extension":"\\.pkcs12"},
     4 + {"description":"Potential cryptographic key bundle", "extension":"\\.p12"},
     5 + {"description":"Potential cryptographic key bundle", "extension":"\\.pfx"},
     6 + {"description":"Potential cryptographic key bundle", "extension":"\\.asc"},
     7 + {"description":"Potential private key", "extension":"otr.private_key"},
     8 + {"description":"OpenVPN client configuration file", "extension":"\\.ovpn"},
     9 + {"description":"Azure service configuration schema file", "extension":"\\.cscfg"},
     10 + {"description":"Remote Desktop connection file", "extension":"\\.rdp"},
     11 + {"description":"Microsoft SQL database file", "extension":"\\.mdf"},
     12 + {"description":"Microsoft SQL server compact database file", "extension":"\\.sdf"},
     13 + {"description":"SQLite database file", "extension":"\\.sqlite"},
     14 + {"description":"SQLite3 database file", "extension":"\\.sqlite3"},
     15 + {"description":"Microsoft BitLocker recovery key file", "extension":"\\.bek"},
     16 + {"description":"Microsoft BitLocker Trusted Platform Module password file", "extension":"\\.tpm"},
     17 + {"description":"Windows BitLocker full volume encrypted data file", "extension":"\\.fve"},
     18 + {"description":"Java keystore file", "extension":"\\.jks"},
     19 + {"description":"Password Safe database file", "extension":"\\.psafe3"},
     20 + {"description":"Ruby On Rails file", "extension":"\\.rb"},
     21 + {"description":"Potential configuration file", "extension":"\\.yml"},
     22 + {"description":"Python file", "extension":"\\.py"},
     23 + {"description":"1Password password manager database file", "extension":"\\.agilekeychain"},
     24 + {"description":"Apple Keychain database file", "extension":"\\.keychain"},
     25 + {"description":"Network traffic capture file", "extension":"\\.pcap"},
     26 + {"description":"GnuCash database file", "extension":"\\.gnucash"},
     27 + {"description":"XML file", "extension":"\\.xml"},
     28 + {"description":"KDE Wallet Manager database file", "extension":"\\.kwallet"},
     29 + {"description":"PHP file", "extension":"\\.php"},
     30 + {"description":"Tunnelblick VPN configuration file", "extension":"\\.tblk"},
     31 + {"description":"Sequel Pro MySQL database manager bookmark file", "extension":"\\.plist"},
     32 + {"description":"Little Snitch firewall configuration file", "extension":"\\.xpl"},
     33 + {"description":"Day One journal file", "extension":"\\.dayone"},
     34 + {"description":"Text file", "extension":"\\.txt"},
     35 + {"description":"Terraform variable config file", "extension":"\\terraform.tfvars"},
     36 + {"description":"Shell configuration file", "extension":"\\.exports"},
     37 + {"description":"Shell configuration file", "extension":"\\.functions"},
     38 + {"description":"Shell configuration file", "extension":"\\.extra"},
     39 + {"description":"ASP configuration file", "extension":"\\.asa"},
     40 + {"description":"Include file", "extension":"\\.inc"},
     41 + {"description":"Configuration file", "extension":"\\.config"},
     42 + {"description":"Compressed archive file", "extension":"\\.zip"},
     43 + {"description":"Compressed archive file", "extension":"\\.tar"},
     44 + {"description":"Compressed archive file", "extension":"\\.gz"},
     45 + {"description":"Compressed archive file", "extension":"\\.tgz"},
     46 + {"description":"Compressed archive file", "extension":"\\.rar"},
     47 + {"description":"Java file", "extension":"\\.java"},
     48 + {"description":"PDF file", "extension":"\\.pdf"},
     49 + {"description":"Document file", "extension":"\\.docx"},
     50 + {"description":"Document file", "extension":"\\.doc"},
     51 + {"description":"Document file", "extension":"\\.rtf"},
     52 + {"description":"Excel file", "extension":"\\.xlsx"},
     53 + {"description":"Excel file", "extension":"\\.xls"},
     54 + {"description":"Excel file", "extension":"\\.csv"},
     55 + {"description":"Presentation file", "extension":"\\.pptx"},
     56 + {"description":"Presentation file", "extension":"\\.ppt"},
     57 + {"description":"Backupt file", "extension":"\\.bak"},
     58 + {"description":"Old file", "extension":"\\.old"},
     59 + {"description":"Temporary file", "extension":"\\.tmp"},
     60 + {"description":"Certificate file", "extension":"\\.cer"},
     61 + {"description":"Certificate file", "extension":"\\.crt"},
     62 + {"description":"Certificate file", "extension":"\\.p7b"}]
  • ■ ■ ■ ■ ■ ■
    src/main/java/cys4/resources/mime_types.json
     1 +[
     2 + "APNG",
     3 + "PNG",
     4 + "APNG",
     5 + "AVIF",
     6 + "AAC",
     7 + "ABW",
     8 + "ARC",
     9 + "AVI",
     10 + "AZW",
     11 + "BIN",
     12 + "BMP",
     13 + "BZ",
     14 + "BZ2",
     15 + "CDA",
     16 + "CSH",
     17 + "DOC",
     18 + "DOCX",
     19 + "EOT",
     20 + "EPUB",
     21 + "GZ",
     22 + "ICO",
     23 + "JAR",
     24 + "JPG",
     25 + "MID",
     26 + "MIDI",
     27 + "MP3",
     28 + "MP4",
     29 + "MPEG",
     30 + "MPKG",
     31 + "ODP",
     32 + "ODS",
     33 + "OGV",
     34 + "OGX",
     35 + "OPUS",
     36 + "OTF",
     37 + "PDF",
     38 + "PPT",
     39 + "PPTX",
     40 + "RAR",
     41 + "RTF",
     42 + "SWF",
     43 + "TAR",
     44 + "TIF",
     45 + "TIFF",
     46 + "TS",
     47 + "TTF",
     48 + "VSD",
     49 + "WAV",
     50 + "WEBA",
     51 + "WEBM",
     52 + "XLS",
     53 + "XLSX",
     54 + "XUL",
     55 + "ZIP",
     56 + "3GP",
     57 + "3G2",
     58 + "7Z",
     59 + "JPEG",
     60 + "SVG",
     61 + "GIF",
     62 + "WEBP",
     63 + "TTF",
     64 + "WOFF",
     65 + "WOFF2",
     66 + "AUDIO",
     67 + "VIDEO",
     68 + "APPLICATION",
     69 + "IMAGE",
     70 + "FONT"
     71 +]
Please wait...
Page is in error, reload to recover