From a10db31379f5e51072fe3898425aad5101cf53e4 Mon Sep 17 00:00:00 2001
From: Matteo Bitussi
Date: Mon, 25 Sep 2023 17:21:55 +0200
Subject: [PATCH] Fixed bugs + changed url-decode (again)
---
 doc/language.md | 2 +-
 tool/src/main/java/migt/BurpExtender.java | 4 ++--
 tool/src/main/java/migt/Check.java | 8 ++++++++
 tool/src/main/java/migt/EditOperation.java | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/doc/language.md b/doc/language.md
index 161bdcc..559d7c2 100644
--- a/doc/language.md
+++ b/doc/language.md
@@ -526,7 +526,7 @@ The Checks tag inside an operation has a list of Check elements, which can be de
 > Note that `check` accepts only the `is present` tag.
-> Note that by default, all the values read from a message that contains url-encoded values (only message, not json) are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false
+> Note that by default, all the values read from a message are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false. You should disable url-decoding when you are checking values that contains "+" characters, that would be converted to spaces.
 In passive tests the checks's result are intended as the entire test result, so all the checks has to pass to have a successfull test.
diff --git a/tool/src/main/java/migt/BurpExtender.java b/tool/src/main/java/migt/BurpExtender.java
index da82d9d..945c997 100644
--- a/tool/src/main/java/migt/BurpExtender.java
+++ b/tool/src/main/java/migt/BurpExtender.java
@@ -176,11 +176,11 @@ private void processMatchedMsg(MessageType msg_type,
 // TODO: fix randomly replaced messages
 // sometimes the bytes of the processed message is different from the original one, but the string
 // of both messages is equal
- if (!Arrays.equals(message.getRequest(), mainPane.act_active_op.processed_message)) {
+ if (!Arrays.equals(messageInfo.getRequest(), mainPane.act_active_op.processed_message)) {
 messageInfo.setRequest(mainPane.act_active_op.processed_message);
 }
 } else {
- if (!Arrays.equals(message.getResponse(), mainPane.act_active_op.processed_message)) {
+ if (!Arrays.equals(messageInfo.getResponse(), mainPane.act_active_op.processed_message)) {
 messageInfo.setResponse(mainPane.act_active_op.processed_message);
 }
 }
diff --git a/tool/src/main/java/migt/Check.java b/tool/src/main/java/migt/Check.java
index d6305b5..3bab679 100644
--- a/tool/src/main/java/migt/Check.java
+++ b/tool/src/main/java/migt/Check.java
@@ -557,12 +557,20 @@ public void execute(List vars) throws ParsingException {
 // URL-decode matched content
 // when a string contains a "+" character then, it is replaced with a space.
 if (url_decode) {
+ /*
 Pattern p = Pattern.compile("%[0-9a-fA-F]{2}");
 Matcher m = p.matcher(op_val);
 if (m.find()) {
 // if the content contains url-encoded characters then, url-decode the content
 op_val = URLDecoder.decode(op_val, StandardCharsets.UTF_8);
 }
+ */
+ if (op_val.contains("+")) {
+ System.err.println("Warning! During a check on the value\"" + op_val + "\" a '+' symbol has been" + "converted to a space, as it has been interpreted as url-encoded character. If you want to avoid" + "this behaviour use 'url decode' tag set to false inside the check to disable url-decoding " );
+ }
+ op_val = URLDecoder.decode(op_val, StandardCharsets.UTF_8);
 }
 if (imported_api instanceof Operation_API) {
diff --git a/tool/src/main/java/migt/EditOperation.java b/tool/src/main/java/migt/EditOperation.java
index 2e412a6..12767c9 100644
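Review bot: The guard on the two changed `if` lines tests only byte inequality, so if `mainPane.act_active_op.processed_message` is null at this point (whether it can be is not visible in the hunk) `Arrays.equals` returns false and `setRequest(null)` / `setResponse(null)` is called; prefixing the comparison with `mainPane.act_active_op.processed_message != null &&` would make the intended "replace only when a processed message exists and differs" explicit. The three-line TODO comment above the first changed line describes a bytes-versus-string mismatch that may no longer apply now that the comparison is made against `messageInfo` itself; it is worth re-checking and either shortening it to `// only replace the message when the processed bytes actually differ` or removing it. processMatchedMsg starts before this hunk.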
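Review bot: The unconditional `URLDecoder.decode(op_val, StandardCharsets.UTF_8)` added at the end of the `if (url_decode)` block throws `IllegalArgumentException` when `op_val` contains a `%` not followed by two hex digits (a literal `100%`, a truncated escape), a case the old `%[0-9a-fA-F]{2}` precheck now fenced in `/* */` silently skipped, and since `execute` declares only `ParsingException` this now escapes the check as an unchecked exception. Wrap the call, `try { op_val = URLDecoder.decode(op_val, StandardCharsets.UTF_8); } catch (IllegalArgumentException e) { /* malformed %-escape: report via the check's failure path */ }`, reporting it the same way the rest of execute reports a failed check (not visible here). The concatenated warning text is missing separators: `has been" + "converted` prints `beenconverted`, `avoid" + "this` prints `avoidthis`, and `value\""` prints `value"…"` with no space. The warning also echoes the full `op_val` to stderr, which for a check run against captured traffic may be a token or credential, so consider logging only that decoding happened, or a truncated value. Finally, delete the commented-out precheck instead of leaving it behind `/* */`.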
--- a/tool/src/main/java/migt/EditOperation.java
+++ b/tool/src/main/java/migt/EditOperation.java
@@ -307,6 +307,7 @@ public void execute(List vars) throws ParsingException {
 this.result = false;
 return;
 }
+ applicable = true;
 } else if (sign) {
 applicable = true;
 tmp_imported_api.jwt.sign = true;
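Review bot: The added `applicable = true;` is the same assignment the following `else if (sign)` branch makes on its first line, so each branch of this chain sets the flag independently and the omission fixed here can recur in any other branch. If every branch of the chain (which starts before this hunk) sets it after its own early-return guard, hoisting a single `applicable = true;` above the chain, or setting it once after the chain for the non-returning paths, would make that invariant explicit. execute continues outside the hunk.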