-
Notifications
You must be signed in to change notification settings - Fork 81
/
Copy pathscripts_brief_summary
104 lines (56 loc) · 9.36 KB
/
scripts_brief_summary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
This ReadMe is just a summary of what each of the scripts do. As I write more (or as you do) please take a few minutes to keep this up to date.
1. Search and fuzz all valid directories on a website - Burp Extensions/common_dir_search.py
This is best enabled AFTER you have browsed the entire application and have a huge number of requests in your proxy history.
Lots of times, directories containing sensitive content are left on the server. As testers, we could scan the server using a web server scanner, and that might search in Webroot for a lot of common directories. What it might not do, is search for those common directories in every single sub directory. Some good scanners might do this, but since I'm trying to integrate everything inside Burp, this was a nice script to write. The script will extract all the requests that contain different directories in their URL path and send them to Intruder, where you can then fuzz them.
Secondly, before starting this extension, send 1 request to Intruder..any 1 request and set your fuzz lists. Then go to Intruder - New Tab behavior - Copy configuration from the first tab. This'll save you a lot of time and you wont have to set payloads for every request (as there'll be a few) :)
2. Detect CSRF tokens in requests - Burp Extensions/csrf_token_detect.py
Give this script the exact name of the token in the requests sent to your application. It'll then search for the absence of that token in every subsequent request and report all such URLs. Does it for GET and POST. It's nothing fancy and you can do this through Burp's filter bar, but Burp's died on me too many times while searching, so I got bored and wrote this.
3. Detecting invalid Referers in case a Referer is used for protecting against CSRF - BurpExtensions/csrf_valid_referer_detect.py
Many times there isn't an AntiCSRF token in place but the site protects against CSRF using Referer headers. This piece of code will detect a page which doesn't have a Referer header. It isn't going to do any kind of manipulation, but it'll flag pages with say no Referer headers, so you can then test them manually.
4. Download all JS files on a site - Burp Extensions/download_all_js_files.py
Many times I've wanted to look at a ton of JS files all at 1 shot. Usually it's filter by extension in Burp and then download one by one, or look ib %TEMP% or Firebug per page. This bit of code looks at the request, sees if it's JS and downloads it using Wget into a directory of your choice. Locations are tweakable. Not fancy again, but it can be useful at times..maybe for grepping through JS throughout the application for sensitive strings.
5. Recording all Set-Cookie headers in a file - Burp Extensions/record_set_cookie_headers.py
Some times an application sets cookie headers in an insecure manner. No secure attribute, no httponly. So Burp Scanner reports this. What happens though is that the application sets that cookie on the very very next page at times even before a successful login. So although the cookie did not have a secure attribute set at 1 point, it's not a valid finding at all. This'll just dump all the Set-Cookie headers into a file so you can manually look at it instead and decide for yourself.
6. Record third party referers - BurpExtensions/third_party_referer_record.py
Sites talk to sites. While talking there's sensitive information which leaks in referers many times. This extension will get all the requests made to third party sites and dump their referers into a file. The engineer can look at this file and decide if there's any leakage. There's ways to make this better but this is a start for sure for a very ignored and boring test case :)
7. Identify candidates for URL redirection, LFI and RFI - BurpExtensions/url_in_parameter_detect.py
Test cases such as URL redirection or LFI/RFI/Code Injection tend to be kinda ignored by me till the end, at which point I realize there's 1 day left and a bunch of test cases pending. Then er..er..you get it. So to make that a little smoother I wrote this extension, it'll look at patterns in parameter values and dump that URL and the parameter in question into a file. The engineer can then look at those URLs and test just those exhaustively instead of worrying about all the URLs that he/she might have missed all through the project.
8. Detect version information leakage in headers or response bodies - BurpExtensions/version_detect.py
Simple extension which just records banners from the Server: response header and also searches through response bodies for a set of common web/app servers. Many times the metadata of reports or other files leaks information and it isn't always caught. This'll help address that to some extent.
9. Remove session cookie and reissue request to check Direct requests - BurpExtensions/direct_request.py
Many times URLs that are accessible after logging in are also accessible directly. This extension strips the session cookie (add your cookie to an array inside code) and reissues the request without the cookie. It then prints the response code and the length of the response so the engineer can see if certain requests behaved differently to others and successfully completed even without a session cookie.
10. Test PUT and DELETE on every single directory that you browse - BurpExtensions/http_method_test.py
This is best used at the end of a test when you have a huge huge list of directories that you have browsed in your proxy history, as that's where the script reads a list from.
Sometimes the PUT and DELETE methods are enabled on the webserver but can be used only on a specific directory due to the permissions in place. This script will upload and delete a dummy file in every single directory that you browse through and record the results.
11. Scan all SSL hosts in Proxy history - BurpExtensions/sslyze_scan.py
This is best enabled AFTER you have browsed the entire application and have a huge number of requests in your proxy history.
Checking SSL configurations of hosts is a very common test. Sometimes though the app you are testing makes connections to other hosts too. These hosts too might be in scope for you. This extension reads your entire proxy history, extracts all hosts that have had SSL connections made to them, and runs the cool tool sslyze against them. It's nothing you can't do by simply running sslyze but since I'm trying to use Burp as a one stop shop for as many tests as possible, this acts as a nice wrapper around them.
12. A couple of per_request_decoders of key parts of the request.
A lot of times we want to URL decode or Base64 decode things. We end up sending bits to Decoder and decoding. While this works, I thought it'd be nice if there was
a per-request TAB which did the decoding instead.
13. Extension which makes Direct requests as a request appears in Proxy History
This one is kinda nice, strips the cookies off and makes a request and does some basic analysis to check if the URL can be directly accessed as well. All in a new
adjoining tab as well, so you don't have to test anything separately.
14. Make requests without some cookies to identify which cookie is useful
Sends requests by removing one cookie at a time. This helps identify which cookies are needed for a specific request so you can focus on trying to steal those as
an attacker.
15. Fuzz the antiCSRF token to check if random tokens are valid
Sends 4 different requests per token to see if the application is checking the validity of the token.
16. One click to set positions for requests in Intruder
Simple one this time, just so you can send a request to Intruder with positions already filled up. You can choose between URL, POST parameters and cookies.
17. Toggle request method for every request and see if anything changes
Sometimes applications behave in a funny manner, if you send a GET instead of a POST and vice-versa. This one does so for every single request in a new tab. The
response is printed out, so you can see what the app did.
18. Clickjacking POC generator
Speaks for itself really. Right click, generate a Clickjacking POC that you can then open up in a browser and test.
19. Wrapper to try and fuzz file upload features
This one isn't complete to be frank, but I've always had trouble fuzzing file uploads using Intruder. So this nearly complete extension is a wrapper. By writing a
couple of lines of Python you can try and fuzz stuff with a large number of files. I'll love it if someone submitted a pull request to handle boundaries in
multipart requests before I get to this some day :)
-------------
1) Request URLs over HTTP - ForceSSL/force_http_req_threaded.py
There's a test case which is in place to request every single HTTPS url over HTTP. Mixed content is dangerous and cookies can be stolen using Firesheep or similar tools. With that in mind I wrote a script which basically takes every single URL from Burp's site map/history/whatever (just need a big bunch of URLs somehow) and requests all of them over HTTP and generates a report. There's a more detailed ReadMe inside the directory.
2) Special Fuzz list - Fuzzlists/*
So there is FuzzDb and its great collection, and there are Burp Pro's own cool lists and features to mangle them. That apart I continuously keep adding my own lists for specific situations. As time goes by I'll keep adding to it.
3) Commonly used functions - modules/modules_functions_readme
Code for all extensions has been modularized. List of functions in modules is present in modules/modules_functions_readme