-
Notifications
You must be signed in to change notification settings - Fork 0
/
BurpExtender.java
216 lines (182 loc) · 5.31 KB
/
BurpExtender.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
package burp;
import java.net.URL;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.List;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;
public class BurpExtender implements IBurpExtender, IScannerCheck
{
private IBurpExtenderCallbacks callbacks;
private IExtensionHelpers helpers;
//
// implement IBurpExtender
//
@Override
public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks)
{
// keep a reference to our callbacks object
this.callbacks = callbacks;
// obtain an extension helpers object
helpers = callbacks.getHelpers();
// set our extension name
callbacks.setExtensionName("pwnx");
// register ourselves as a custom scanner check
callbacks.registerScannerCheck(this);
}
//doesNXDomain is a helper function that extracts
//a domain name from a JavaScript include URL
//and returns true if that domain name is not currently
//registered to an IP address.
private boolean doesNXDomain(String scriptSource)
{
try {
URL url = new URL(scriptSource);
InetAddress.getByName(url.getHost());
return false;
} catch(UnknownHostException ex) {
return true;
} catch(MalformedURLException ex) {
return false;
}
}
//
// implement IScannerCheck
//
@Override
public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse)
{
byte[] responseBytes = baseRequestResponse.getResponse();
IResponseInfo responseInfo = helpers.analyzeResponse(responseBytes);
int offset = responseInfo.getBodyOffset();
String httpBody = new String(responseBytes).substring(offset);
Document doc = Jsoup.parse(httpBody);
Elements elems = doc.select("script");
if (elems.isEmpty()) {
return null;
}
List<IScanIssue> issues = new ArrayList<>();
for (Element elem : elems) {
if (elem.hasAttr("src")) {
String scriptSource = elem.attr("src");
if (scriptSource.charAt(0) == '/') {
continue;
}
if (doesNXDomain(scriptSource)) {
int start = httpBody.indexOf(scriptSource) + offset;
int end = start + scriptSource.length();
List<int[]> markers = new ArrayList<int[]>();
markers.add(new int[] { start, end });
issues.add(new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
new IHttpRequestResponse[] { callbacks.applyMarkers(baseRequestResponse, null, markers) },
"Included JavaScript from NX Domain",
"NX Domain for loaded JavaScript file: " + scriptSource,
"High"));
}
}
}
return issues;
}
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint)
{
return null;
}
@Override
public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue)
{
//NOTE(kkl): Uncertain if I want to filter duplicate issues. I feel it may lead to false negatives.
return 0;
}
}
//
// class implementing IScanIssue to hold our custom scan issue details
//
class CustomScanIssue implements IScanIssue
{
private IHttpService httpService;
private URL url;
private IHttpRequestResponse[] httpMessages;
private String name;
private String detail;
private String severity;
public CustomScanIssue(
IHttpService httpService,
URL url,
IHttpRequestResponse[] httpMessages,
String name,
String detail,
String severity)
{
this.httpService = httpService;
this.url = url;
this.httpMessages = httpMessages;
this.name = name;
this.detail = detail;
this.severity = severity;
}
@Override
public URL getUrl()
{
return url;
}
@Override
public String getIssueName()
{
return name;
}
@Override
public int getIssueType()
{
return 0;
}
@Override
public String getSeverity()
{
return severity;
}
@Override
public String getConfidence()
{
return "Certain";
}
@Override
public String getIssueBackground()
{
return "The application is loading JavaScript into its origin " +
"from a unresolvable domain. It is possible that this " +
"domain could be registered by an attacker and used to" +
" host malicous JavaScript.";
}
@Override
public String getRemediationBackground()
{
return null;
}
@Override
public String getIssueDetail()
{
return detail;
}
@Override
public String getRemediationDetail()
{
return null;
}
@Override
public IHttpRequestResponse[] getHttpMessages()
{
return httpMessages;
}
@Override
public IHttpService getHttpService()
{
return httpService;
}
}