Rename scan again, validate TLS on connections to third parties

PortSwigger · Aug 7, 2024 · 2e41c13 · 2e41c13
1 parent bf6b3ea
commit 2e41c13
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 9 deletions.
diff --git a/src/burp/BurpExtender.java b/src/burp/BurpExtender.java
@@ -141,6 +141,9 @@ public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
         new CookieGuessScan("Guess cookies");
         new BodyGuessScan("Guess body params");
         new EverythingGuessScan("Guess everything!");
+        new Lenscrack("Detect scoped-SSRF");
+        new Lensmine("Exploit scoped-SSRF");
+        new TimeInjector("Detect server-side injection");
         new PortDOS("port-DoS");
         //new ValueScan("param-value probe");
         new UnkeyedParamScan("Unkeyed param");
@@ -149,9 +152,7 @@ public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
         new NormalisedPathScan("normalised path");
         new RailsUtmScan("rails param cloaking scan");
         new HeaderMutationScan("identify header smuggling mutations");
-        new Lenscrack("Detect scoped-SSRF");
-        new Lensmine("Find internal targets");
-        new TimeInjector("Detect server-side injection");
+
 
         new BulkScanLauncher(BulkScan.scans);
 

diff --git a/src/burp/DomainProvider.java b/src/burp/DomainProvider.java
@@ -1,6 +1,7 @@
 package burp;
 
 import burp.Utilities;
+import burp.api.montoya.http.RequestOptions;
 import burp.api.montoya.http.message.HttpRequestResponse;
 import burp.api.montoya.http.message.requests.HttpRequest;
 
@@ -66,7 +67,7 @@ void saveDomainsToFile(String domain, String filePath, byte type) {
         switch (type) {
             case SUBDOMAIN -> {
                 String url =  "https://columbus.elmasy.com/api/lookup/"+domain;
-                HttpRequestResponse apiResp = Utilities.montoyaApi.http().sendRequest(HttpRequest.httpRequestFromUrl(url).withHeader("Accept", "text/plain"));
+                HttpRequestResponse apiResp = Utilities.montoyaApi.http().sendRequest(HttpRequest.httpRequestFromUrl(url).withHeader("Accept", "text/plain"), RequestOptions.requestOptions().withUpstreamTLSVerification());
                 PrintWriter out = null;
                 try {
                     out = new PrintWriter("/tmp/web-"+domain);

diff --git a/src/burp/Lensmine.java b/src/burp/Lensmine.java
@@ -3,6 +3,7 @@
 import burp.api.montoya.MontoyaApi;
 import burp.api.montoya.core.ByteArray;
 import burp.api.montoya.http.HttpService;
+import burp.api.montoya.http.RequestOptions;
 import burp.api.montoya.http.message.HttpHeader;
 import burp.api.montoya.http.message.HttpRequestResponse;
 import burp.api.montoya.http.message.StatusCodeClass;
@@ -41,7 +42,7 @@ static MineFindings mineSubdomains(byte[] req, IHttpService service, String doma
         if (Utilities.globalSettings.getBoolean("external subdomain lookup")) {
             try {
                 String url = "https://columbus.elmasy.com/api/lookup/" + domain;
-                HttpRequestResponse apiResp = Utilities.montoyaApi.http().sendRequest(HttpRequest.httpRequestFromUrl(url).withHeader("Accept", "text/plain"));
+                HttpRequestResponse apiResp = Utilities.montoyaApi.http().sendRequest(HttpRequest.httpRequestFromUrl(url).withHeader("Accept", "text/plain"), RequestOptions.requestOptions().withUpstreamTLSVerification());
                 subdomainProvider.addSourceWords(apiResp.response().toString());
             } catch (Exception e) {
                 Utilities.out("External subdomain lookup failed: "+e.toString());
@@ -70,7 +71,7 @@ static MineFindings mineSubdomains(byte[] req, IHttpService service, String doma
         while ((subdomain = subdomainProvider.getNext()) != null && !Utilities.unloaded.get()) {
             checked += 1;
             if (checked > maxDomainsToCheck) {
-                Utilities.out("Bailing early on "+domain);
+                //Utilities.out("Bailing early on "+domain);
                 break;
             }
 

diff --git a/src/burp/Lensprobe.java b/src/burp/Lensprobe.java
@@ -9,6 +9,7 @@
 import java.util.HashMap;
 
 import static burp.Lenscrack.INJECT;
+import static burp.Scan.request;
 
 public class Lensprobe {
 
@@ -130,11 +131,19 @@ void probe() {
         }
 
         // alternative check for suffix validation, using an overlong label
+        report();
 
         if (Utilities.globalSettings.getBoolean("auto-scan for proxyable destinations")) {
             switch (name) {
                 case "subdomain":
-                    mineFindings = Lensmine.doScan(baseReq, service, domainsToCheck);
+                    try {
+                        mineFindings = Lensmine.doScan(baseReq, service, domainsToCheck);
+                        String report = mineFindings.findingsToString();
+                        Resp req = request(service, baseReq);
+                        Lenscrack.report("Proxyable destinations: "+mineFindings.getTitle(), report, baseReq, req);
+                    } catch (Exception e) {
+                        Utilities.out("Error during scan for proxyable destinations: "+e.getMessage());
+                    }
                     break;
                 case "endswith":
                     // mineForEndsWith();
@@ -144,8 +153,6 @@ void probe() {
                     ;
             }
         }
-
-        report();
     }
 
     void mineForEndsWith() {