diff --git a/README.md b/README.md
index 6ecd5fe..6205b28 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,9 @@
# MIG-T Pentesting Tool
+
MIG-T Pentesting Tool is a plugin for BurpSuite that helps security testers automate their testing activities. It allows the tester to define automations to edit or check correctnees of HTTP messages. It integrates an automated browser used to simulate user actions on a webpage, to trigger specific messages. It uses MIG-L language to define tests to be executed by MIG-T
## Quickstart
+
Details
We suggest you to download the lastest release of the tool from the release page, otherwise you can compile the last version from the source code by following the steps described in the "how to compile the plugin" section.
@@ -10,15 +12,17 @@ We suggest you to download the lastest release of the tool from the release page
1. download from the release page the last version of the tool select the one which ends with `with-dependencies`, or compile the source code.
2. Download the last version of [Burp Suite Community Edition](https://portswigger.net/burp/releases/community/latest)
-3. Start Burp and go in the *Exstensions* tab
-4. Press *Add* button
-5. In the *Extension file (.jar)* select the tool jar you downloaded before
+3. Start Burp and go in the _Exstensions_ tab
+4. Press _Add_ button
+5. In the _Extension file (.jar)_ select the tool jar you downloaded before
6. Now the plugin should be loaded, go to the "MIG-T" tab
## Download and add browser driver
+
Depending on the browser you want to use (firefox or chrome), you will need to specify the corresponding driver. Note that you have to download the driver for the corresponding browser version
To download the driver go to:
+
- [Driver for chrome](https://chromedriver.chromium.org/home)
- [Driver for firefox](https://github.com/mozilla/geckodriver/releases)
@@ -43,6 +47,7 @@ If you want to see the entire history of the messages go to "proxy" tab in Burp,
## How to compile the plugin
+
The project is based on maven, you have two ways of compiling it
### With IntelliJ IDEA
@@ -53,6 +58,7 @@ The folder tool is an intelliJ project, if you open it with intelliJ IDEA it sho
### Without IntelliJ IDEA
+
Details
You don't need to use IDEA to compile the project, you can install maven, go to the project direcotry `tool` mentioned before and type
@@ -72,20 +78,23 @@ Two jar will be generated:
```
You have to use the jar that has "-with-dependencies" in its name, the other will not work in burp.
+
## Documentation
+
You can find the documentation about the language used by the tool in the `doc/` folder. The documentation about the code is not yet finished, but all the functions are documented in the code.
## Known Bugs
-- Sometimes when re-executing a suite of active tests, the messages are not edited. Restart the plugin
-- On windows, the re-signing of the SAML messages sometimes will fail
+- On windows, the re-signing of the SAML messages sometimes will fail
# External / Related projects
+
Extended in the context of the industrial collaboration with IPZS and Futuro&Conoscenza
# License
+
```
Copyright 2023, Fondazione Bruno Kessler
@@ -104,7 +113,12 @@ limitations under the License.
Developed within [Security & Trust](https://st.fbk.eu/) Research Unit at [Fondazione Bruno Kessler](https://www.fbk.eu/en/) (Italy)
-## Other software licenses
-### SAMLRaider License
+## Other software
+
+### SAMLRaider
+
Some parts of the tool that manages SAML certificates has been built by using portions of SAMLRaider code (https://github.com/CompassSecurity/SAMLRaider).
+### nimbus-jose-jwt
+
+https://connect2id.com/products/nimbus-jose-jwt
diff --git a/doc/language.md b/doc/language.md
index 1545e01..0095c98 100644
--- a/doc/language.md
+++ b/doc/language.md
@@ -29,46 +29,28 @@ A test is defined by:
## Operation
-An operation could be a message interception or a session operation, it could also be a validate operation (more info down here).
-The most basic and useful type of operation is the one that makes you able to intercept message that you can then edit, just specify message type and the required tags and you are ready to go.
-The use of the operation tag differ based on the type of test is defined into:
+An operation can be either a message interception or a session operation. The most basic and useful type of operation is message interception, which allows you to intercept messages and then edit them. To do this, you simply need to specify the message type and the required tags
### Message type
-With the tag `message type` it has to be specified to which message execute the given operation. There are various possible standard types:
+The message type tag specifies the message to which the given operation should be applied. Message types can be defined in the msg_def.json file, which is created in the Burp folder at the first execution of the plugin. By default, some OAuth message types are present, but you can add or modify them as needed.
-- `request`, all requests
-- `response`, all responses
-- `oauth request`, all the oauth-related requests
-- `oauth response`, all the oauth-related responses
-
-Other message types can be defined in the file _"msg_def.json"_ which will be created at the first execution of the plugin in the Burp folder. By default, some oauth message types are present, feel free to add or modify them.
-The way a message type is defined is by the use of regex or checks (like in passive tests), the regex or checks are then evaluated over a message, and if the evaluation is successful, the message is then processed.
+A message type is defined by a set of checks. These checks are evaluated against a message, and if all of the checks pass, then the message is processed by the operation.
To define a message type you have to tell:
- The `name`
- `is request` if the message is a request or not (true, false)
-- `response name` (optional) if you want to also associate a name to the response of that message (often useful when you know the request but not the response)
-- `request name` (optional) if you need to intercept a message by its response, but you want do access the request, just put the name of the request to use it in the language. Note that if you intercept the response, you can not edit the request anymore, because it has already been sent.
-- `regex` or `checks` list (see check section for details)
-
-### Operation in passive tests
-
-When an operation in a passive test is defined with the `message type` tag, the other possible tags are (in an exclusive way):
-
-- `regex`: which will specify a regex to be tested to the given `message section` in the message
-- `checks`: which is a list of `check`
+- `response name` (optional) if you want to also associate a name to the response of that message (often useful when you know how a request is, but not the response)
+- `request name` (optional) if you need to intercept a message by its response, but you want to access the request, just put the name of the request to use it in the language. Note that if you intercept the response, you can not edit the request anymore, because it has already been sent.
+- `checks` list (see check section for details)
-To consider a test successful the regex has to match at least one occurrence in the specified `message section`, or all the checks has to be evaluated to true.
-Note that where you are asked to insert a regex you have to backslash (\) all the regex operators such as (?{}.\*) if you need them to be searched instead of executed.
+### Operation tags
-### Operation in active tests
-
-An operation in an active test can be used with these tags:
+An operation can be used with these tags:
- `message type` which specifies a message type
-- `action` The action to be done on this operation, can be `intercept` or `validate` or `clear cookies`
+- `action` The action to be done on this operation, can be `intercept` or `clear cookies`
- `from session` specify which session has to be sniffed to search for the message, default is the standard session
- `then` the action to be done on the intercepted message after the execution of the operation, `forward` or `drop` (default forward)
- `save` saves the intercepted message to the given variable name
@@ -77,29 +59,26 @@ An operation in an active test can be used with these tags:
- `message operations` List of `message operation` to do on the message. See the proper section for details
- `replace request` used with the name of a variable containing a message. It replaces the request of the intercepted message with a saved message.
- `replace response` used with the name of a variable containing a message. It replaces the response of the intercepted message with a saved message.
+- `checks`: which is a list of `check`. To consider an operation successful all the checks has to be evaluated to true.
-Note that in active tests the operations are evaluated sequencially, this means that until an operation has not been finished (i.e. the message is not arrived yet) the next operation will not be available. This eventually means that if you have more message filtering operations, only one at the time is executed.
-
-#### Note for the Validate action
+### Differences between operations inside active and passives tests
-If you use the `validate` action, the only tags you can use are the same as the passives checks, you can use:
+The execution of the operations differs depending on the type of test:
-- `regex`
-- `checks`
- The way they are used is the same as passive checks.
- The purpose of the validate action is to built an oracle, in a way that if all validate operations are evaluated to true, and the result is passed, then the test is passed. Note that all the validate operations are combined with the result, see the result section for more info
+- active tests: The operations are executed sequentially one after the other. This means that until an operation has not been finished (i.e. the message is not arrived yet) the next operation will not be available
+- passive tests: All the operation are executed over all the messages passed trough the proxy
### Operation and session in active tests
There is the possibility to handle different sessions in an active test, for example to replay messages.
-A session has to be defined in the `sessions` tag in a `Test`, then it can be started with an operation with:
+The sessions have to be defined in the `sessions` tag inside a `Test`, then, each session can be started or stopped with an operation having:
- tag `session` associated with the name of which session is reffering to,
- tag `action` the action to do on that session, like _start_, _stop_, _clear cookies_, _pause_, _resume_
-#### Note with sessions in Burp
+#### Note on using sessions in Burp
-Burp has to be manually configured to open more proxy ports, based on the number of contemporary sessions to be executed. To do so, go to the proxy tab in burp, options, and then add enough port for your sessions.
+Each session uses a different port on the proxy, this is done to differentiate the messages inside the proxy. Burp has to be manually configured to open more proxy ports based on the number of contemporary sessions to be executed. To do so, go to the proxy tab in burp, options, and then add enough port for your sessions.
You have also to link each of your sessions to a port, to do so, go to the plugin, after you read your JSON input test suite, in the session config tab write the ports you have previously defined. Note that the port has to be _different for each contemporary session_, otherwise the tests will not work.
## Message section
@@ -107,15 +86,14 @@ You have also to link each of your sessions to a port, to do so, go to the plugi
A message is divided in three parts
- `url` only for requests, is the message whithout head and without body
-- `head` is the message without body and without url
-- `body` is the message without head and without url
+- `head` contains all the message except the body
+- `body` is the message without head
## Message Operations
The message operations are operations to be done on the intercepted message in an operation.
The syntax contains always the `from` tag, which specifies the message section where to search to do the given action (url, body, head). Then we have the possible actions:
-- `decode parameter` where you can decode and do things on a parameter, see dedicated section
- `remove match word` it removes the matched string, can be fed with a regex
- `remove parameter` with value the name of the parameter to be removed. A variant of the previous, it removes the parameter searched with its value
- `edit` edits the given parameter's value, the tag `in` specifies in what has to be edited
@@ -126,6 +104,8 @@ The syntax contains always the `from` tag, which specifies the message section w
An example could be:
+Edit the parameter state inside the url of a message with the new value "newstatecode"
+
```json
"message operations": [
{
@@ -157,43 +137,215 @@ If you choose the body section, the meaning of the tags is different, infact:
- `save` is associated with a regex, it saves what is matched by that regex, saving it in a variable with name specified in `as` tag
- `add`is associated with an empty string, teh value will be appended to the body, the value do add is specified with the tag `this` (or `use` in case of a value from a variable)
-Note that the content lenght of the body section is automatically updated or removed
+Note that the content lenght of the body section is automatically updated or removed if the content of the body is edited.
-### Encoding/Decoding in message operations
+## Decode operation
-In message operations there is the possibility of specifing a parameter to be decoded and to be processed. The HTTP parameter containing the encoded text has to be specified with the `decode param`, if the section of the message is the body the `decode param` takes a regex (for more info see below section). Then, a list of encodings has to be specified with the tag `encoding`, the order of these encodings will be followed while decoding. Note that when the message is encoded, the order will be reversed.
+A list of decode operations can be added to each Operation (passive or active). These operations are used to decode encoded content taken from inside an intercepted message. A decode operation can have its own list of decode operations; these are called recursive decode ops. and they take as input the previously decoded content.
-An example, where we take the parameter `SAMLRequest` from a message's url, and then specifing the encodings (url, base64 and deflate).
+The HTTP parameter containing the content to be decoded has to be specified with the `decode param` If the section of the message is 'body,' the `decode param` takes a regex (for more information, see the section below).
-```json
-"message operations": [
- {
- "from": "url",
- "decode param": "SAMLRequest",
- "encoding": [
- "url",
- "base64",
- "deflate"
- ],
- "type": "xml",
- "xml tag": "samlp:AuthnRequest",
- "edit attribute": "ID",
- "value": "newIDValue"
- }
-]
-```
+Next, a list of encodings (or the `type`) has to be specified. You can specify an encodings list with the tag `encodings` the order of these encodings will be followed while decoding, and when the message is re-encoded, the order will be reversed. With the tag `type` the content is decoded following a fixed set of rules (e.g., jwts or XML). If you specify the `type` tag, the `encodings` tag will be ignored. If you use the `type` tag when using Edit Operations, you may be allowed to use more tags (e.g., with jwts or XML) to edit easily; otherwise, the decoded content will be used as plain text.
+
+In decode operations is possible to use check operations to check the decoded content, depending on the specified type, the allowed check operations differ.
+
+- JWT type -> See 'Checks on JSON content' section
+- No type (encodings used) -> See check section
+
+Needed tags:
+
+- `type` and/or `encodings`
+- `decode param`
+- `from` select from where decode the content (HTTP message section or previous decode output)
+
+optional tags:
+
+- `decode operations`
+- `checks`
+- `edits`
#### Body section
An important note about the body (from) section is that the input of `decode param` has to be a regex, and whatever is matched with that regex is decoded.
An useful regex to match a parameter's value could be `(?<=SAMLResponse=)[^$\n& ]*` which searches the SAMLResponse= string in the body, and matches everything that is not $ or \n or & or whitespace
-### Specific actions for decoded parameters
+#### Decoding JWTs
+
+When decoding a jwt (by using tag type=jwt) it is possible to check the signature of that jwt by providing a public key. To do this, use the `jwt check sig` tag with value the PEM-encoded public key to be used to check.
+
+Note: The supported algorithms for signing are:
+
+- RS256
+- RS512
+
+#### Decoding JWE
+
+Note that when decrypting a JWE, a JWS is expected in the payload. Other payloads are not supproted.
+
+To decrypt a JWE to access the JWT in its payload use these tags
+
+- `jwe decrypt` with the private key in PEM string format
+- `jwe encrypt` with the public key in PEM string format
+
+Note: You can decrypt without specifying encrypt, this will prevent the JWE from being edited (as no encryption key is passed)
+Note: You can't encrypt, without decrypt
+
+Note: Supported algorithms are:
+
+- RSA_OAEP
+- RSA_OAEP_256
+- ECDH_ES_A128KW
+- ECDH_ES_A256KW
+
+## Tag table
+
+In this table you can find a description of all the tags available for this Operation based on the input Module.
+
+| input module (container) | Available tags | Required | value type | allowed values |
+| --------------------------- | ----------------- | -------- | ---------------------- | -------------------------------------- |
+| standard Operation | from | yes | str | head, body, url |
+| | decode param | yes | str | \* |
+| decode Operation (type=jwt) | from | yes | str | jwt header, jwt payload, jwt signature |
+| | decode param | yes | str(JSON path) | \* |
+| \* | type | | str | xml, jwt |
+| | encodings | | list[str] | base64, url, .. |
+| | decode operations | | list[decode Operation] | \* |
+| | checks | | list[check Operation] | \* |
+| | edits | | list[edit Operation] | \* |
+| | jwt check sig | | str(PEM) | PEM-encoded public key |
+| | jwe decrypt | | str(PEM) | PEM-encoded private key |
+| | jwe encrypt | | str(PEM) | PEM-encoded public key |
+
+### Recursive Decode operations
+
+When using the `from` tag in a recursive decode (one that is inside another), you can use - depending on the previous decode type - other sections, such as "jwt header" "jwt payload" ..
+
+Source: standard Operation (HTTP intercepted message)
+
+- `from`: (url, head, body)
+
+Source: decode Operation JWT
+
+- `from`: (jwt header, jwt payload, jwt signature)
+
+in recurdsive decode op, the decode param accepts different inputs, e.g. if previous decoded content is a jwt, decoded content will accept a JSON path
+
+Syntax example of a recursive decode operation:
+
+```json
+"decode operations": [
+ {
+ ...,
+ "decode operations": [
+ {
+ "from": "somwhere in the previous decode",
+ "encodings": "asdasd",
+ }
+ ]
+ }
+]
+```
+
+Example of decoding a jwt from the url of a message in the asd parameter, and then decode the jwt found inside of the jwt.
+
+```json
+"decode operations": [
+ {
+ "from": "url",
+ "type": "jwt",
+ "decode param": "asd",
+ "decode operations": [
+ {
+ "from": "jwt header",
+ "type": "jwt",
+ "decode param": "$.something"
+ }
+ ]
+ }
+]
+```
+
+### Using Edit Operation in Decode Operations
+
+It is possible to edit the decoded content of decode Ops by using edit Operations. A list of edit Operations has to be specified. When using Edit Op. inside Decode Operations, depending on the `type` specified in Decode Operations, you can use different keys.
+
+- `type`: JWT
+ - `jwt from` specifies the section of the jwt to edit (header, payload, signature)
+ - `jwt edit` JSON path of the key to edit
+ - `jwt remove` JSON path of the key to remove
+ - `jwt add` JSON path to the key to add + `value` with name
+ - `jwt save` JSON path to the key to save
+ - `value` used with edit or add, to specify the value of the key
+- `type`: XML
+ - see next XML section
+- no `type` specified, (treated as plain text):
+ - Using `txt remove` the matched text will be removed from the text
+ - Using `txt edit` the matched text will be edited with the text specified in `value` tag
+ - Using `txt add` the text specified in `value` will be inserted at the end of the matched text
+ - Using `txt save` the matched text will be saved in a variable having the name specified in tag `as`
+
+#### JWT type
+
+This type is used to edit decoded JWT tokens. This way is possible to edit, add, save or resign them. The possible actions are:
+
+- `jwt from` Used to specify the section of the token to execute the given action, choose btween:
+ - `header`
+ - `payload`
+ - `signature`
+- `jwt remove` If used on signature removes the entire signature
+- `jwt edit` `value` If used on signature edits the entire signature.
+- `jwt add` `value`
+- `jwt save` `as` if used on sinature saves the entire signature
+- `jwt sign` Specifying a PEM-encoded private key that will be used to sign the jwt
+
+##### Note on signing
+
+When signing a jwt, the supported algorithms are:
+
+- RS256
+- RS512
+
+##### Example
-There is the possibility of manipulating the decoded parameter, various types of languages-types are available, like xml.
-The type of the decoded param has to be specified with tag `type`.
+Edit the scope claim inside an OAuth request jwt
-> Note that for decoded parameters standard message operation actions will not work.
+```json
+"decode operations": [
+ {
+ "from": "url",
+ "type": "jwt",
+ "encodings": [],
+ "decode param": "(?<=authz_request_object=)[^$\n& ]*",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.scope",
+ "value": "wrong_scope"
+ }
+ ]
+ }
+]
+```
+
+Check the scope claim inside an OAuth request jwt
+
+```json
+"decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=authz_request_object=)[^$\n& ]*",
+ "encodings": [],
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.scope",
+ "is": "openid"
+ }
+ ]
+ }
+]
+```
#### XML type
@@ -230,18 +382,22 @@ An example:
```json
"message operations": [
- {
- "from": "url",
- "decode param": "SAMLRequest",
- "encoding": [
- "url",
- "base64",
- "deflate"
- ],
- "type": "xml",
+ {
+ "from": "url",
+ "decode param": "SAMLRequest",
+ "encoding": [
+ "url",
+ "base64",
+ "deflate"
+ ],
+ "type": "xml",
+ "edits": [
+ {
"edit tag": "samlp:AuthnRequest",
"value": "new tag value"
- }
+ }
+ ]
+ }
]
```
@@ -255,40 +411,23 @@ in the tag name you have to specify "Something:apple"
#### TXT type
-It is a type used to edit, remove, add, or save pieces of a decoded param that is treated as a text.
-You hae to specify a regex using the parameter "txt ..." with the associated action, the possible usages are:
+It is a type used to edit, remove, add, or save pieces of a decoded content that is treated as a text.
+You have to specify a regex using one of the following tags with the associated action, the possible usages are:
- Using `txt remove` the matched text will be removed from the text
- Using `txt edit` the matched text will be edited with the text specified in `value` tag
- Using `txt add` the text specified in `value` will be inserted at the end of the matched text
- Using `txt save` the matched text will be saved in a variable having the name specified in tag `as`
-#### JWT type
-
-Thi type is used to edit decoded JWT tokens. This way is possible to edit, add, save or resign them. The possible actions are:
-
-- `jwt from` Used to specify the section of the token to execute the given action, choose btween:
- - `header`
- - `payload`
- - `signature`
- - `raw header`
- - `raw payload`
- - `raw signature`
-- `jwt remove` If used on signature removes the entire signature
-- `jwt edit` `value` If used on signature edits the entire signature.
-- `jwt add` `value`
-- `jwt save` `as` if used on sinature saves the entire signature
-- `jwt sign` Used to sign the jwt with another invalid key.
-
#### Note for using saved variables
It is possible to use the tag `use` instead of the tag `value` to use the text saved in the variable specified using the `use` tag.
#### SAML signature
-There's the possibility of remove the signature from a saml request or response and resign it with a test private key, just specify `self-sign`: true in the message operation.
+There's the possibility to remove the signature from a saml request or response and resign it with a test private key, just specify `self-sign`: true in the message operation.
Another possibility is just to remove the signature, using `remove signature` set to true in the message operation.
-Note that this keys are avaiable and applied only on decoded parameters, also if `decode param` is defined.
+Note that these keys are avaiable and applied only on decoded parameters, also if `decode param` is defined.
## Session Operation
@@ -324,8 +463,6 @@ Note that during insertion, the element inserted is always positioned after the
}
```
-Not sure about this ^^^ , not yet implemented ^^^^
-
```json
"session operation": [
{
@@ -365,48 +502,106 @@ Not sure about this ^^^ , not yet implemented ^^^^
## Checks and Check
-The Checks tag is a list of Check elements, which can be defined with:
+The Checks tag inside an operation has a list of Check elements, which can be defined with:
- `in` says were to check the given parameter, can be _head_, _body_, _url_
-- `check` checks if the given string is present in the specified message section
+- `check` checks if the given string is present in the specified message section.
- `check param` specifies the name of the parameter to be checked, depending on the section choosed, the tool will search for the parameter using a pattern. (for the url, it will search for a query parameter, for the head, it will search for a head parameter)
-- The actual check on the value, which are self explanatory. (if none of these are specified, the check will only check if the given parameter is present)
+- `check regex` specify a regex that checks the selected content by matching it.
+ . `use variable` (true or false) set to true if you want to specify a variable name on the following tags, to check wrt to that variable value.
+- `url decode` if you want to disable url decoding in http messages, see the note below for details.
+- The actual check on the value. (if none of these are specified, the check will only check if the given parameter is present)
- `is`
- `not is`
- `contains`
- `not contains`
- `is present` specifying true or false, to check whether is present or not
+ - `is in` the value is between a list of values
+ - `is not in` the value is not between a list of values
+ - `is subset of` used to check that a matched JSON array is a subset of the given array. Is subset means that all the values in the matched array are present in the given array.
+ - `matches regex` when using `check param` or `check` in json, you can use this tag to execute a regex to the matched value of the parameter or the value of the json key specified with the jsonpath
+ - `not matches regex` as `match regex` but the result is true when the regex doesn't match
-you can use `check` OR `check param` tag. If you use the `check` tag, you can use all the other tags to verify the value, otherwise, if you use `check param` you can just use `is present`.
+> Note that you can use `check regex` OR `check` OR `check param`.
+
+> Note that `check` accepts only the `is present` tag.
+
+> Note that by default, all the values read from a message (only message, not json) are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false
In passive tests the checks's result are intended as the entire test result, so all the checks has to pass to have a successfull test.
+### Checks on JSON content
+
+In case a check operation is executed inside an operation that gives a JSON as an output (e.g. decode operations with type=jwt), the check operation is enabled to use JSON paths to identify keys and values specified with `check` tag. The `in` tag specifies the section of the JWT (header, payload, signature). Note that signature is treated as plain text.
+
+Note: when using `check regex` with json content, the specified content will be treated as plain text. e.g the header of a jwt will be treated as plain text, and the regex will be executed over the entire header.
+
+>Note: matched array contents will always be converted to string for simplicity. This means that if you want to check an integer or float, you should write it as a string (e.g. 12.3 -> "12.3")
+
+```json
+"decode operations": [
+ {
+ "tagsofadecode": "decodejwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "jsonpath",
+ "is": "something"
+ }
+ ]
+ }
+]
+```
+
+#### Note on JSON values types
+
+When checking the value of json keys, you have to consider the type of the value.
+
+- mig-t will convert each int or float type as string, this means that when using the check operators, you should always use a string, not an int or a double.
+- checking a value that is a JSON Array is only allowed when using the `contains` or `not contains` or `is subset of` operators
+- When matching a JSON Array, the values of the array are all converted to string
+
### Note for the active tests
-If you need to do a check on an active test, you have to do a `validate` operation, which is basically an operation when you can do checks and regex
+If you need to do a check on an active test, you have to do a `validate` operation, which is basically an operation where you can do checks
+
+### Examples
+
+Check using a variable value: check that the value of the header "Host" is equal to the value of the variable "var1"
+
+```json
+"checks" : [
+ {
+ "in": "head",
+ "check param": "Host",
+ "use variable": true,
+ "is": "var1"
+ }
+]
+```
## Preconditions
-Preconditions are used in an operation of an active test to check something in the intercepted message before the execution of the message operations. If the checks in the preconditions are evaluated to false, the test is considered unsupported, not failed. Basically preconditions are a list of checks.
+Preconditions are used in an operation of an active test to check something in the intercepted message before the execution of the rest of the operation. If the preconditions are evaluated to false, the test is considered unsupported, not failed. The preconditions are basically a list of checks.
To use a precondition just write
```json
"preconditions" : []
```
-filling the list wit the checks or regex you need.
-Over the list of check or regex a AND operation is made, so all of the checks (or regex) in the list has to be successful to continue the test.
+filling the list wit the checks you need.
+> Note: Over the list of check or regex a AND operation is made, so all of the checks (or regex) in the list has to be successful to continue the test.
## Save
-A message or a string can be saved with this tag. It can be used both in an operation, to save a message, and in a _Message Operation_ to save the value of a found parameter.
+A message or a string can be saved with this tag. It can be used both in an operation, to save a message, in a _Message Operation_ to save the value of a found parameter and also inside Edit operations.
- `Save` associated with the name of the variable
There are two ways of using the value of a variable, depending of its type:
- Using a message-type variable: it can be used in an operation with the tag `action` set to intercept there is the possibility of use `replace request` (or `replace response`) with the name of the variable. This way the intercepted message's request (or response) is replaced with the specified variable value. Note that when a message is replaced, all the message operations in that operation will be ignored.
-- Using a string-type variable: can be used in Message Operations, where you have to add or edit a parameter's value, writing `use` and the name of the variable
+- Using a string-type variable: can be used in Message Operations or Edit Operations, where you have to add or edit a parameter's value, writing `use` and the name of the variable
When saving and using variables, take care to assign a variable before its use
Note that when saving a variable, if the value is empty (no match or no parameter found), the MessageOperation (edit, add, ..) where the variable is used will not be executed, the execution will continue without errors.
@@ -421,8 +616,8 @@ it can be set to:
- `incorrect flow \[sessionname\]` opposite of `correct flow`, the test succedes only if there is an error
- `assert_only` the test result ignores the validation of the session flow but gives a result depending on the assertions defined in the track. This means, that if the execution of the session fails, the result will not take it into account.
-The result can be combined with the result of the checks or regex in an operation with action set to `validate`.
-The succes is evaluated with the Boolean operator AND between the result and all the validates
+The result can be combined with the result of the checks in an operation.
+The succes is evaluated with the Boolean operator AND between the result and all the results of the operations
Note that if correct (or incorrect) flow is used without specifying a session name, all the sessions are checked.
@@ -434,7 +629,7 @@ Note that if you are filling a field where a regex is expected, you have to back
## Test examples
-### Example of with active tests
+### Example of active tests
```json
{
@@ -449,7 +644,7 @@ Note that if you are filling a field where a regex is expected, you have to back
"name": "PKCE plain method",
"description": "Finds an authRequest and remove the parameter code_challenge_method",
"type": "active", // active test type
- "sessions": ["main"],
+ "sessions": ["s1"],
"operations": [
// List of operations to do
{
@@ -474,8 +669,8 @@ Note that if you are filling a field where a regex is expected, you have to back
"result": "correct flow" // it has to be a correct flow for a successful attack
},
"test": {
- "name": "PKCE plain method",
- "description": "Finds an authRequest and remove the parameter code_challenge_method",
+ "name": "replay message parameter to other message",
+ "description": "Find the parameter state in the auth. request in s1 and replace it in the authorization request in s2",
"type": "active",
"sessions": ["s1", "s2"],
"operations": [
@@ -541,7 +736,7 @@ Note that if you are filling a field where a regex is expected, you have to back
### Example of with passive tests
-#### Example 1: PKCE is used
+#### Example 1: PKCE is used (TO BE CHANGED TO NEW LANGUAGE)
This passive test checks whether PKCE is used in an OAuth flow, checking if the authorization grant message contains the parameters "code_challenge" or "code_challenge_method", which are necessary to use PKCE. More precisely, the test:
@@ -555,8 +750,7 @@ This passive test checks whether PKCE is used in an OAuth flow, checking if the
{
"test suite": {
"name": "Test Suite 01",
- "description": "Only Passive Test",
- "metadata": true
+ "description": "Only Passive Test"
},
"tests": [
{
@@ -579,7 +773,7 @@ This passive test checks whether PKCE is used in an OAuth flow, checking if the
}
```
-#### Other passive tests
+#### Other passive tests (TO BE CHANGED TO NEW LANGUAGE)
```json
{
@@ -711,10 +905,25 @@ Examples:
`assert element content is | xpath=/body/div/label | text to match`
`assert element class has | xpath=/body/... | class_to_match`
-### snapshot
-
-// TODO
-
-### Setvar
-
-// TODO
+# Changelog
+
+## v1.4.0
+
+- Added decode operations
+- Removed "decode parameter" from Message Operation
+- Added checks in decode operations
+- Added support for Checks to work with JSON content
+- Changed tag `encoding` in `encodings`
+- Added edit Operation
+- Moved tags used to modify decoded content in Message Operations to Edit Operation inside Decode Operation
+- Removed `raw header` `raw payload` `raw signature` from `jwt from` tag in Decode Operation
+- Added supprot of regex in checks (in future they will substitute existing regex)
+- Remove support for hardcoded standard message types such as oauth request and oauth response
+- Removed support for hardcoded identification of OAuth flow
+- removed `request`, `response`, `oauth request` `oauth response` from Message type
+- removed `regex` and `message section` tag from Message Type, now only checks are available (that contains also regex)
+- removed `regex` from Operation in passive tests
+- Removed validate Operation, now just use checks inside an intercept Operation
+- Removed OAuth metadata tag in test
+- Added signing of decoded jwt with private key inside Edit Operation
+- Added check of signature of jwt inside the decode operation
diff --git a/doc/progress_tracker.md b/doc/progress_tracker.md
index 3b8f516..8870218 100644
--- a/doc/progress_tracker.md
+++ b/doc/progress_tracker.md
@@ -2,128 +2,128 @@
## TO-DO
-- [x] Add messages file as input, instead of the execution of the track
-- [x] Learn the oracle from the previous implementation
-- [x] Define the **variable saving** in the language
-- [x] Define in the language some session-conrol tag, such as: pause, stop, run, resume, clear cookies
-- [x] Define in the language the possible actions associated to the intercept tag (drop, forward,..)
-- [x] Add a tab in the plugin with the metadata of the OAuth authentication server
-- [x] Define all the basic operations for the language
-- [x] Add the buttons to save and load a saved message track for passive tests
-- [x] Add the possibility of negating the search of a string in a check (if string not present)
-- [x] Test the functionality of the GUI and the logic of the buttons
-- [x] Comment code
-- [x] Add and implement the message type "oauth request" "oauth response"
-- [x] Adapt old code to the new parsing for static tests
-- [x] Implement passive tests with new language
-- [x] Add the visualization of messages that maked fail the test
-- [x] Define sessions and active test in the markdown
-- [x] Define all passive tests in JSON
-- [x] Define all the classes for storing the parsed objects
-- [x] Implement active tests with new language
-- [x] Add new message types for filtering messages (define them)
-- [x] Implement the different ports
-- [x] Implement the oracle using checks/regex in actives
-- [x] Define the oracle for active tests
-- [x] Implement the pause of the session
-- [x] Add message definition JSON
-- [x] Write documentation for language (actives, msgtype JSON, ..)
-- [x] Write documentation for code
-- [x] Move the association of the port to the session out of the json, in a tab of the GUI
-- [x] Make invalid the URL section in the response
-- [x] For the body section, make possible the use of a regex to find and do (add, substitute,...)
-- [x] Add encode/ decode functionality to operations
-- [x] Add JWT token as a message section, implement the decoding
-- [x] Multiple operation execution to be tested
-- [x] Implement XML operations
-- [x] Finish and test XML Operation execution
-- [x] resign assertion instead of message
-- [x] resign with the incoming certificate
-- [x] Add a command to specify a delay in the web drivertrough the track
-- [x] Passive tests with SAML are ok if failing, but if they should pass there is an error
-- [x] Add an option in the track to wait tot seconds, and add more selecting options to click (i.e. classname)
-- [x] add decoded param section to passives tests (checks and regex)
-- [x] fix getBodyParameter()
-- [x] In Decode parameter, when the section is body, use a regex instead of a parameter (as in other body sections)
-- [x] Add clear cookies functionality both by language or by track
-- [x] Add a note to the documentation saying that when typing something in a field that accepts regex, the regex operators should be backslashed (\?)
-- [x] Implement the saving of the position of the last used driver, in a way that it automatically use it
-- [x] Build a graphic visualization of the language components
-- [x] Remove the session tabs if changed in the json, and fix other session tabs issues
-- [x] Verify that is possible to save a decoded parameter: wiith txt save
-- [x] Verify that is possible (or find a way) to save pieces of a decoded parameter
-- [x] Verify that is possible to add a saved variable over a decoded parameter
-- [x] Implement "use" of saved txt in decoded parameters operations
-- [x] Implement the removing of the SAML signature without the re-sign
-- [x] Move all dependencies to maven
-- [x] Fix deprecated dependency having conflicts (org.apache.xml.serialize.OutputFormat and org.apache.xml.serialize.XMLSerializer)
-- [x] Session configuration tab won't add classnames
-- [x] Xml tag actions, how to deal with multiple tags having the same name? add a variable to identify which occurency to edit
-- [x] Fix the fact that message operations don't keep the changes made on the message
-- [x] Keep track if there are active executions, if not, clear variables
-- [x] Define and fix windows problem
-- [x] Remove debug options in the code (default track/driver/ecc)
-- [x] Release a stable version
-- [x] Edit the selection of the URL, this method should return the entire URL, not the first row of the message. The headers should contain the first row.
-- [x] Sometimes if the browser cannot continue the session track, the test result is not displayed
-- [x] Reload msg_def file before reading the test suite
-- [x] Set the sessions proxy ports to default sequential value
-- [x] Fix the starting dimension of the browser, if it starts with small dimensions it could not allow some types of buttons to be shown (and pressed).
-- [x] Add a listener method for ExecuteTrack that deals with Errors that are not related to the execution of the track (for example an error on the driver selection)
-- [x] Implement a better message drop
-- [x] Fix the host editing not working
-- [x] Regex: add message section "raw" (all message)
-- [x] Add or edit content type when adding body in message Operations (BurpExtender@921)
-- [x] the last actions are currently not filtered based on the session they are made
-- [x] Fix save actions from-to, atm the save action cannot be empty, a new target has to be implemented
-- [x] Last_url does not take the right last url, it is one url after.
-- [x] implement the adding of things to the track when starting a session
-- [x] Add the decode of a parameter in passives
-- [x] Add columns to test results (Test Name | Test Description | References | Violated Properties | Mitigation |)
-- [ ] Add oracle description on the test suite
-- [ ] Add check's from option, from decoded param, in a way that checks could be executed on a decoded param
-- [ ] Improve the error feedback on the plugin, for example by highlighting the part of the plugin that failed or by writing a string
- - [x] JSON Test track
- - [x] Tabs of JSON and sessions configs to higlhight red in case of errors
- - [ ] Browser track
-- [ ] Check the add action in message operations
-- [ ] sessions list in test are updated incorrectly
-- [ ] Add the anti-proxybypass localhost rule to firefox
-- [ ] JWT edit and add is applicable only to root keys in the jwt JSON, it is not possible to edit the child elements with these commands.
-- [ ] JWT raw string methods are not jet implemented
-- [ ] Implement new session objects in the test
-- [ ] If session is stopped before the update of the track, the session operations does not have any effect
-- [ ] sessions list in test are updated incorrectly
-- [ ] Improve error feedbacks with detailed informations
-- [ ] Intermittent problem: burp.ParsingException: variable "var_host" not defined. It could be caused by a race condition between threads, has to be checked
-- [ ] Add an assert on the session to check the text content of an element in the page
-- [ ] Parse the jwt sections as JSON to avoid inaccessibility of child elements (?)
-- [ ] Add an optional session action (if the element is not found skip the action without counting as an error)
-- [ ] Add assert text inside element
-- [ ] Add assert color
-- [ ] Think of a way to inject cookies in sessions
-- [ ] Add a button in the tool to resume the execution after a certain pause action, for example to solve captcha
-- [ ] Allow passives tests to be executed on a session different from mainSession
+- [x] Add messages file as input, instead of the execution of the track
+- [x] Learn the oracle from the previous implementation
+- [x] Define the **variable saving** in the language
+- [x] Define in the language some session-conrol tag, such as: pause, stop, run, resume, clear cookies
+- [x] Define in the language the possible actions associated to the intercept tag (drop, forward,..)
+- [x] Add a tab in the plugin with the metadata of the OAuth authentication server
+- [x] Define all the basic operations for the language
+- [x] Add the buttons to save and load a saved message track for passive tests
+- [x] Add the possibility of negating the search of a string in a check (if string not present)
+- [x] Test the functionality of the GUI and the logic of the buttons
+- [x] Comment code
+- [x] Add and implement the message type "oauth request" "oauth response"
+- [x] Adapt old code to the new parsing for static tests
+- [x] Implement passive tests with new language
+- [x] Add the visualization of messages that maked fail the test
+- [x] Define sessions and active test in the markdown
+- [x] Define all passive tests in JSON
+- [x] Define all the classes for storing the parsed objects
+- [x] Implement active tests with new language
+- [x] Add new message types for filtering messages (define them)
+- [x] Implement the different ports
+- [x] Implement the oracle using checks/regex in actives
+- [x] Define the oracle for active tests
+- [x] Implement the pause of the session
+- [x] Add message definition JSON
+- [x] Write documentation for language (actives, msgtype JSON, ..)
+- [x] Write documentation for code
+- [x] Move the association of the port to the session out of the json, in a tab of the GUI
+- [x] Make invalid the URL section in the response
+- [x] For the body section, make possible the use of a regex to find and do (add, substitute,...)
+- [x] Add encode/ decode functionality to operations
+- [x] Add JWT token as a message section, implement the decoding
+- [x] Multiple operation execution to be tested
+- [x] Implement XML operations
+- [x] Finish and test XML Operation execution
+- [x] resign assertion instead of message
+- [x] resign with the incoming certificate
+- [x] Add a command to specify a delay in the web drivertrough the track
+- [x] Passive tests with SAML are ok if failing, but if they should pass there is an error
+- [x] Add an option in the track to wait tot seconds, and add more selecting options to click (i.e. classname)
+- [x] add decoded param section to passives tests (checks and regex)
+- [x] fix getBodyParameter()
+- [x] In Decode parameter, when the section is body, use a regex instead of a parameter (as in other body sections)
+- [x] Add clear cookies functionality both by language or by track
+- [x] Add a note to the documentation saying that when typing something in a field that accepts regex, the regex operators should be backslashed (\?)
+- [x] Implement the saving of the position of the last used driver, in a way that it automatically use it
+- [x] Build a graphic visualization of the language components
+- [x] Remove the session tabs if changed in the json, and fix other session tabs issues
+- [x] Verify that is possible to save a decoded parameter: wiith txt save
+- [x] Verify that is possible (or find a way) to save pieces of a decoded parameter
+- [x] Verify that is possible to add a saved variable over a decoded parameter
+- [x] Implement "use" of saved txt in decoded parameters operations
+- [x] Implement the removing of the SAML signature without the re-sign
+- [x] Move all dependencies to maven
+- [x] Fix deprecated dependency having conflicts (org.apache.xml.serialize.OutputFormat and org.apache.xml.serialize.XMLSerializer)
+- [x] Session configuration tab won't add classnames
+- [x] Xml tag actions, how to deal with multiple tags having the same name? add a variable to identify which occurency to edit
+- [x] Fix the fact that message operations don't keep the changes made on the message
+- [x] Keep track if there are active executions, if not, clear variables
+- [x] Define and fix windows problem
+- [x] Remove debug options in the code (default track/driver/ecc)
+- [x] Release a stable version
+- [x] Edit the selection of the URL, this method should return the entire URL, not the first row of the message. The headers should contain the first row.
+- [x] Sometimes if the browser cannot continue the session track, the test result is not displayed
+- [x] Reload msg_def file before reading the test suite
+- [x] Set the sessions proxy ports to default sequential value
+- [x] Fix the starting dimension of the browser, if it starts with small dimensions it could not allow some types of buttons to be shown (and pressed).
+- [x] Add a listener method for ExecuteTrack that deals with Errors that are not related to the execution of the track (for example an error on the driver selection)
+- [x] Implement a better message drop
+- [x] Fix the host editing not working
+- [x] Regex: add message section "raw" (all message)
+- [x] Add or edit content type when adding body in message Operations (BurpExtender@921)
+- [x] the last actions are currently not filtered based on the session they are made
+- [x] Fix save actions from-to, atm the save action cannot be empty, a new target has to be implemented
+- [x] Last_url does not take the right last url, it is one url after.
+- [x] implement the adding of things to the track when starting a session
+- [x] Add the decode of a parameter in passives
+- [x] Add columns to test results (Test Name | Test Description | References | Violated Properties | Mitigation |)
+- [ ] Add oracle description on the test suite
+- [ ] Add check's from option, from decoded param, in a way that checks could be executed on a decoded param
+- [ ] Improve the error feedback on the plugin, for example by highlighting the part of the plugin that failed or by writing a string
+ - [x] JSON Test track
+ - [x] Tabs of JSON and sessions configs to higlhight red in case of errors
+ - [ ] Browser track
+- [ ] Check the add action in message operations
+- [ ] sessions list in test are updated incorrectly
+- [ ] Add the anti-proxybypass localhost rule to firefox
+- [ ] JWT edit and add is applicable only to root keys in the jwt JSON, it is not possible to edit the child elements with these commands.
+- [ ] JWT raw string methods are not jet implemented
+- [ ] Implement new session objects in the test
+- [ ] If session is stopped before the update of the track, the session operations does not have any effect
+- [ ] sessions list in test are updated incorrectly
+- [ ] Improve error feedbacks with detailed informations
+- [ ] Intermittent problem: burp.ParsingException: variable "var_host" not defined. It could be caused by a race condition between threads, has to be checked
+- [ ] Add an assert on the session to check the text content of an element in the page
+- [ ] Parse the jwt sections as JSON to avoid inaccessibility of child elements (?)
+- [ ] Add an optional session action (if the element is not found skip the action without counting as an error)
+- [ ] Add assert text inside element
+- [ ] Add assert color
+- [ ] Think of a way to inject cookies in sessions
+- [ ] Add a button in the tool to resume the execution after a certain pause action, for example to solve captcha
+- [ ] Allow passives tests to be executed on a session different from mainSession
## Discarded
-- [ ] Implement the delay test for token expiration
-- [ ] Add server's metadata specific passive checks
-- [ ] divide the self self-sign Assertion or Message command in language
-- [ ] ??? Fix operation.applicable on all message operations (now is just at the first)
-- [ ] Save last JSON test in config.json and reload it at the next startup
-- [ ] Add to the documentation how to disable chrome's warnings over non secure connections (chrome://flags/#allow-insecure-localhost) enable
+- [ ] Implement the delay test for token expiration
+- [ ] Add server's metadata specific passive checks
+- [ ] divide the self self-sign Assertion or Message command in language
+- [ ] ??? Fix operation.applicable on all message operations (now is just at the first)
+- [ ] Save last JSON test in config.json and reload it at the next startup
+- [ ] Add to the documentation how to disable chrome's warnings over non secure connections (chrome://flags/#allow-insecure-localhost) enable
## IDEAS
-- Think about a way to specify the OR in the check
-- Define the replay tag as a macro of elementar operations
-- Define some type of test where given a timeout, a token (or other?) is tested to see if is still valid waiting for the timeout.
-- make json to specify the checks to be done associated with a message type, i.e. Authentication Request
-- A JSON config file, like for the filterings
-- Should remove parameter be available to the body section??
-- In message section "all" when deleting a param, if the name of a parameter is present more of one time, what should i do? delete them all?
-- New Actives oracle make sense?
-- In actives, in message operations, is it really useful to apply an action to the entire message?
-- in actives, in message operations, what are the possible params? url parameters and HTTP parameters? or url parameters inside the value of an HTTP parameter too?
-- In actives, in message operations, in ADD, what should i add to BODY?
+- Think about a way to specify the OR in the check
+- Define the replay tag as a macro of elementar operations
+- Define some type of test where given a timeout, a token (or other?) is tested to see if is still valid waiting for the timeout.
+- make json to specify the checks to be done associated with a message type, i.e. Authentication Request
+- A JSON config file, like for the filterings
+- Should remove parameter be available to the body section??
+- In message section "all" when deleting a param, if the name of a parameter is present more of one time, what should i do? delete them all?
+- New Actives oracle make sense?
+- In actives, in message operations, is it really useful to apply an action to the entire message?
+- in actives, in message operations, what are the possible params? url parameters and HTTP parameters? or url parameters inside the value of an HTTP parameter too?
+- In actives, in message operations, in ADD, what should i add to BODY?
diff --git a/templates/msg_def_template.json b/templates/msg_def_template.json
index 1c4b997..d9a2149 100644
--- a/templates/msg_def_template.json
+++ b/templates/msg_def_template.json
@@ -1,211 +1,67 @@
{
- "message_types": [
+ "message_types": [
+ {
+ "name": "authorization request",
+ "is request": true,
+ "response name": "authorization response",
+ "checks": [
{
- "name": "authorization request",
- "is request": true,
- "response name": "authorization response",
- "checks": [
- {
- "in": "url",
- "check param": "response_type",
- "is present": "true"
- }
- ]
- },
- {
- "name": "token request",
- "is request": true,
- "response name": "token response",
- "checks": [
- {
- "in": "url",
- "check param": "code",
- "is present": "true"
- }
- ]
- },
- {
- "name": "coda landing request",
- "is request": true,
- "response name": "coda landing response",
- "checks": [
- {
- "in": "url",
- "check": "/welcome",
- "is present": "true"
- },
- {
- "in": "head",
- "check param": "Host",
- "is": "coda.io"
- }
- ]
- },
- {
- "name": "saml request",
- "is request": true,
- "checks": [
- {
- "in": "url",
- "check param": "SAMLRequest",
- "is present": true
- }
- ]
- },
- {
- "name": "saml response",
- "is request": true,
- "checks": [
- {
- "in": "body",
- "check param": "SAMLResponse",
- "is present": true
- }
- ]
- },
- {
- "name": "fb_login",
- "is request": true,
- "response name": "fb_login_resp",
- "checks": [
- {
- "in": "url",
- "check": "/auth/facebook-login-callback",
- "is present": true
- },
- {
- "in": "url",
- "check param": "code",
- "is present": true
- }
- ]
- },
- {
- "name": "fb_sso",
- "is request": true,
- "checks": [
- {
- "in": "url",
- "check": "login.php",
- "is present": true
- },
- {
- "in": "head",
- "check param": "Host",
- "contains": "facebook"
- }
- ]
- },
- {
- "name": "nytimes_settings_page",
- "is request": true,
- "checks": [
- {
- "in": "url",
- "check": "/seg/settings",
- "is present": true
- },
- {
- "in": "head",
- "check param": "Host",
- "contains": "nytimes"
- }
- ]
- },
- {
- "name": "nytimes_accoun_info_req",
- "is request": true,
- "response name": "nytimes_account_info_resp",
- "checks": [
- {
- "in": "url",
- "check": "/svc/account/query",
- "is present": true
- },
- {
- "in": "head",
- "check param": "Host",
- "contains": "nytimes"
- },
- {
- "in": "body",
- "check": "getSettingsPageInfo",
- "is present": true
- }
- ]
- },
+ "in": "url",
+ "check param": "response_type",
+ "is present": "true"
+ }
+ ]
+ },
+ {
+ "name": "token request",
+ "is request": true,
+ "response name": "token response",
+ "checks": [
{
- "name": "fb_acc_link_confirm_req",
- "is request": true,
- "response name": "fb_acc_link_confirm_resp",
- "checks": [
- {
- "in": "url",
- "check": "/dialog/oauth",
- "is present": true
- },
- {
- "in": "head",
- "check param": "Host",
- "contains": "facebook.com"
- }
- ]
- },
+ "in": "url",
+ "check param": "code",
+ "is present": "true"
+ }
+ ]
+ },
+ {
+ "name": "saml request",
+ "is request": true,
+ "checks": [
{
- "name": "linking_url",
- "is request": true,
- "checks": [
- {
- "in": "url",
- "check param": "code",
- "is present": true
- },
- {
- "in": "head",
- "check param": "Referer",
- "contains": "facebook.com"
- }
- ]
- },
+ "in": "url",
+ "check param": "SAMLRequest",
+ "is present": true
+ }
+ ]
+ },
+ {
+ "name": "saml response",
+ "is request": true,
+ "checks": [
{
- "name": "message_insert_point",
- "is request": true,
- "checks": [
- {
- "in": "url",
- "check": "insertmessagehere",
- "is present": "true"
- }
- ]
- },
+ "in": "body",
+ "check param": "SAMLResponse",
+ "is present": true
+ }
+ ]
+ },
+ {
+ "name": "fb_login",
+ "is request": true,
+ "response name": "fb_login_resp",
+ "checks": [
{
- "name": "association_link_req",
- "is request": true,
- "response name": "association_link_resp",
- "checks": [
- {
- "in": "url",
- "check": "dialog/oauth?",
- "is present": "true"
- },
- {
- "in": "head",
- "check param": "Host",
- "contains": "facebook.com"
- }
- ]
+ "in": "url",
+ "check": "/auth/facebook-login-callback",
+ "is present": true
},
{
- "name": "association_inter_link_res",
- "is request": false,
- "request name": "association_inter_link_req",
- "checks": [
- {
- "in": "head",
- "check": "dialog/oauth?",
- "is present": true
- }
- ]
+ "in": "url",
+ "check param": "code",
+ "is present": true
}
- ]
+ ]
+ }
+ ]
}
\ No newline at end of file
diff --git a/.gitignore b/tool/.gitignore
similarity index 96%
rename from .gitignore
rename to tool/.gitignore
index 8a8471c..4ac0fc7 100644
--- a/.gitignore
+++ b/tool/.gitignore
@@ -52,6 +52,9 @@ cmake-build-*/
# IntelliJ
out/
+# Build files
+target/
+
# mpeltonen/sbt-idea plugin
.idea_modules/
@@ -74,6 +77,4 @@ fabric.properties
.idea/httpRequests
# Android studio 3.1+ serialized cache file
-.idea/caches/build_file_checksums.ser
-
-/tool/target/*
\ No newline at end of file
+.idea/caches/build_file_checksums.ser
\ No newline at end of file
diff --git a/tool/.idea/compiler.xml b/tool/.idea/compiler.xml
deleted file mode 100644
index 6465c9d..0000000
--- a/tool/.idea/compiler.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/tool/.idea/jarRepositories.xml b/tool/.idea/jarRepositories.xml
deleted file mode 100644
index 712ab9d..0000000
--- a/tool/.idea/jarRepositories.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/tool/.idea/misc.xml b/tool/.idea/misc.xml
index 56c7380..b6a965c 100644
--- a/tool/.idea/misc.xml
+++ b/tool/.idea/misc.xml
@@ -1,4 +1,3 @@
-
@@ -8,5 +7,5 @@
-
+
\ No newline at end of file
diff --git a/tool/.idea/uiDesigner.xml b/tool/.idea/uiDesigner.xml
deleted file mode 100644
index e96534f..0000000
--- a/tool/.idea/uiDesigner.xml
+++ /dev/null
@@ -1,124 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/tool/.idea/workspace.xml b/tool/.idea/workspace.xml
deleted file mode 100644
index 80ce4b5..0000000
--- a/tool/.idea/workspace.xml
+++ /dev/null
@@ -1,257 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1654595126983
-
-
- 1654595126983
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- file://$PROJECT_DIR$/src/main/java/burp/GUI.java
- 1812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/tool/pom.xml b/tool/pom.xml
index 5010714..6c17f4d 100644
--- a/tool/pom.xml
+++ b/tool/pom.xml
@@ -12,22 +12,12 @@
org.jsonjson
- 20230227
+ 20230618
- io.jsonwebtoken
- jjwt-api
- 0.11.5
-
-
- io.jsonwebtoken
- jjwt-impl
- 0.11.5
-
-
- io.jsonwebtoken
- jjwt-jackson
- 0.11.5
+ com.nimbusds
+ nimbus-jose-jwt
+ 9.31org.bouncycastle
@@ -37,17 +27,17 @@
com.google.code.gsongson
- 2.10
+ 2.10.1org.seleniumhq.seleniumselenium-java
- 4.6.0
+ 4.11.0org.apache.santuarioxmlsec
- 3.0.1
+ 3.0.2com.sun.xml.security
@@ -57,44 +47,18 @@
org.junit.jupiterjunit-jupiter-engine
- 5.9.0
+ 5.10.0test
-
-
- org.apache.pdfbox
- pdfbox
- 2.0.27
-
-
- org.apache.pdfbox
- fontbox
- 2.0.26
-
-
- org.apache.pdfbox
- jempbox
- 1.8.17
-
-
- org.apache.pdfbox
- xmpbox
- 2.0.27
-
-
- org.apache.pdfbox
- preflight
- 2.0.27
-
- org.apache.pdfbox
- pdfbox-tools
- 2.0.27
+ com.jayway.jsonpath
+ json-path
+ 2.8.0
- com.github.dhorions
- boxable
- 1.7.0
+ net.minidev
+ json-smart
+ 2.5.0
@@ -108,7 +72,7 @@
org.apache.maven.pluginsmaven-surefire-plugin
- 2.22.0
+ 3.1.2maven-assembly-plugin
@@ -131,6 +95,26 @@
+
+ org.apache.maven.plugins
+ maven-enforcer-plugin
+ 3.3.0
+
+
+ enforce-maven
+
+ enforce
+
+
+
+
+ 3.0
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tool/readme.md b/tool/readme.md
new file mode 100644
index 0000000..5568f31
--- /dev/null
+++ b/tool/readme.md
@@ -0,0 +1,5 @@
+Useful Maven commands:
+
+- mvn versions:use-latest-versions updates all dependencies o lastest version
+
+- mvn versions:update-properties -> updates maven to match the pom
\ No newline at end of file
diff --git a/tool/src/main/java/burp/BurpExtender.java b/tool/src/main/java/burp/BurpExtender.java
deleted file mode 100644
index 44f31f7..0000000
--- a/tool/src/main/java/burp/BurpExtender.java
+++ /dev/null
@@ -1,996 +0,0 @@
-package burp;
-
-import samlraider.application.SamlTabController;
-import samlraider.helpers.XMLHelpers;
-import org.w3c.dom.Document;
-import org.xml.sax.SAXException;
-
-import javax.swing.*;
-import java.awt.*;
-import java.io.*;
-import java.util.Collections;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
-
-/**
- * Main class executed by Burp
- *
- * @author Matteo Bitussi
- */
-public class BurpExtender implements IBurpExtender, ITab, IProxyListener {
-
- public static IExtensionHelpers helpers;
- public static PrintStream printStream;
- public static PrintStream errorStream;
- public IBurpExtenderCallbacks callbacks;
- private GUI mainPane; // The GUI
- private boolean isOauthflow = false;
-
- /**
- * Main function creating the extension
- *
- * @param callbacks The callbacks received by Burp
- */
- public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
- try {
- System.setOut(new PrintStream("output_log.txt")); // Changes the default outstream with this file
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- }
-
- try {
- System.setErr(new PrintStream("error_log.txt"));
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- }
-
- System.out.println("Initializing extension");
-
- this.callbacks = callbacks;
- helpers = callbacks.getHelpers();
-
- callbacks.setExtensionName("MIG Testing tool");
-
- //The UI is created
- SwingUtilities.invokeLater(() -> {
- // setup output stream
- OutputStream stdOut = callbacks.getStdout();
- OutputStream stdErr = callbacks.getStderr();
- printStream = new PrintStream(stdOut);
- errorStream = new PrintStream(stdErr);
-
- mainPane = new GUI();
- mainPane.helpers = callbacks.getHelpers();
- mainPane.callbacks = callbacks;
- mainPane.messageViewer = callbacks.createMessageEditor(mainPane.controller, false);
- mainPane.splitPane.setRightComponent(mainPane.messageViewer.getComponent());
-
- // add the custom tab to Burp's UI
- callbacks.addSuiteTab(BurpExtender.this);
-
- // register ourselves as an HTTP listener
- callbacks.registerProxyListener(BurpExtender.this);
- //callbacks.registerHttpListener(BurpExtender.this);
- });
- }
-
- @Override
- public String getTabCaption() {
- return "MIG-T";
- }
-
- @Override
- public Component getUiComponent() {
- return mainPane;
- }
-
-
- /**
- * Proxy's listener function which is called wheter a new message arrives. Note that if the received message is a
- * request, you cannot access the response
- *
- * @param messageIsRequest Indicates whether the HTTP message is a request
- * or a response.
- * @param message An
- * IInterceptedProxyMessage object that extensions can use to
- * query and update details of the message, and control whether the message
- * should be intercepted and displayed to the user for manual review or
- */
- @Override
- public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
- String port = message.getListenerInterface().split(":")[1];
- IHttpRequestResponse messageInfo = message.getMessageInfo();
-
- if (mainPane.ACTIVE_ENABLED) {
- if (!port.equals(mainPane.act_active_op.session_port)) {
- return;
- }
-
- log_message(messageIsRequest, message);
-
- boolean matchMessage = false;
- try {
- switch (mainPane.act_active_op.getMessageType()) {
- case "request":
- if (messageIsRequest) {
- matchMessage = true;
- }
- break;
- case "response":
- if (!messageIsRequest) {
- matchMessage = true;
- }
- break;
- case "oauth request":
- if (messageIsRequest && isOauthflow) {
- matchMessage = true;
- }
- break;
- case "oauth response":
- if (!messageIsRequest && isOauthflow) {
- matchMessage = true;
- }
- break;
-
- default:
- MessageType msg_type = MessageType.getFromList(mainPane.messageTypes,
- mainPane.act_active_op.getMessageType());
- /* If the response message name is searched, the getByResponse will be true.
- * so i have to search for the request, and then evaluate the response*/
- if (msg_type.getByResponse) {
- if (!messageIsRequest) {
- if (msg_type.isRegex) {
- matchMessage = Tools.findInMessage(msg_type.messageSection,
- msg_type.regex,
- new HTTPReqRes(messageInfo, helpers, true),
- helpers, true);
- } else {
- matchMessage = Tools.executeChecks(msg_type.checks,
- new HTTPReqRes(messageInfo, helpers, true),
- helpers, true);
- }
- }
- } else if (msg_type.getByRequest) {
- if (!messageIsRequest) {
- if (msg_type.isRegex) {
- matchMessage = Tools.findInMessage(msg_type.messageSection,
- msg_type.regex,
- new HTTPReqRes(messageInfo, helpers, false),
- helpers, false);
- } else {
- matchMessage = Tools.executeChecks(msg_type.checks,
- new HTTPReqRes(messageInfo, helpers, false),
- helpers, false);
- }
- }
- } else {
- if (messageIsRequest == msg_type.isRequest) {
- if (msg_type.isRegex) {
- matchMessage = Tools.findInMessage(msg_type.messageSection,
- msg_type.regex,
- new HTTPReqRes(messageInfo, helpers, msg_type.isRequest),
- helpers, msg_type.isRequest);
- } else {
- matchMessage = Tools.executeChecks(msg_type.checks,
- new HTTPReqRes(messageInfo, helpers, msg_type.isRequest),
- helpers,
- msg_type.isRequest);
- }
- }
- }
- if (matchMessage) {
- boolean isRequest = false;
- if (msg_type.getByRequest) {
- isRequest = false;
- } else if (msg_type.getByResponse) {
- isRequest = true;
- } else {
- isRequest = msg_type.isRequest;
- }
-
- Operation.MatchedMessage m = new Operation.MatchedMessage(
- new HTTPReqRes(messageInfo, helpers, isRequest),
- HTTPReqRes.instances,
- isRequest,
- !isRequest,
- false);
- mainPane.act_active_op.matchedMessages.add(m);
- }
- }
- } catch (Exception e) {
- e.printStackTrace();
- mainPane.act_active_op.applicable = false;
- }
-
- switch (mainPane.act_active_op.getAction()) {
- // If the operation's action is an intercept
- case INTERCEPT:
- if (!isOauthflow & Utils.isAuthRequest(
- helpers.analyzeRequest(messageInfo.getRequest()).getHeaders().get(0))) isOauthflow = true;
-
- try {
- switch (mainPane.act_active_op.getMessageType()) {
- case "request":
- if (matchMessage) {
- processMatchedMsg(messageInfo, true, false);
- }
- break;
- case "response":
- if (matchMessage) {
- processMatchedMsg(messageInfo, false, true);
- }
- break;
- case "oauth request":
- if (matchMessage) {
- processMatchedMsg(messageInfo, true, false);
- }
- break;
- case "oauth response":
- if (matchMessage) {
- processMatchedMsg(messageInfo, false, true);
- }
- break;
-
- default:
- MessageType msg_type = MessageType.getFromList(mainPane.messageTypes,
- mainPane.act_active_op.getMessageType());
- /* If the response message name is searched, the getByResponse will be true.
- * so i have to search for the request, and then evaluate the response*/
- if (msg_type.getByResponse) {
- if (!messageIsRequest) {
- if (matchMessage) {
- processMatchedMsg(messageInfo, false, true);
- }
- }
- } else if (msg_type.getByRequest) {
- if (!messageIsRequest) {
- if (matchMessage) {
- processMatchedMsg(messageInfo, true, false);
- }
- }
- } else {
- if (messageIsRequest == msg_type.isRequest) {
- if (matchMessage) {
- processMatchedMsg(msg_type, messageInfo);
- if (mainPane.act_active_op.then != null &
- mainPane.act_active_op.then == Utils.Then.DROP) {
- message.setInterceptAction(IInterceptedProxyMessage.ACTION_DROP);
- }
- }
- }
- }
- }
- } catch (Exception e) {
- e.printStackTrace();
- mainPane.act_active_op.applicable = false;
- }
- break;
-
- // if the operation action is a validate
- case VALIDATE:
- if (matchMessage & (
- mainPane.act_active_op.to_match == -1 ||
- mainPane.act_active_op.to_match > mainPane.act_active_op.act_matched)) {
- if (!messageIsRequest) {
- messageInfo.setHighlight("green");
- List results = null;
- try {
- results = Tools.executePassiveOperation(mainPane.act_active_op,
- new HTTPReqRes(messageInfo, helpers, messageIsRequest),
- 0,
- isOauthflow ? -1 : 1, // this is not good
- helpers,
- mainPane.messageTypes);
- } catch (ParsingException e) {
- e.printStackTrace();
- mainPane.act_active_op.applicable = false;
- resume();
- }
-
- mainPane.act_active_op.applicable = results.get(3);
- if (mainPane.act_active_op.applicable) {
- mainPane.act_active_op.passed = results.get(0);
- if (!mainPane.act_active_op.passed) resume();
- mainPane.act_active_op.act_matched++;
- }
- resume();
- }
- }
- break;
- }
-
- }
- if (mainPane.recording) {
- if (!messageIsRequest) { // non toglierlo, non so perchè ma serve
- synchronized (mainPane.interceptedMessages) {
- IHttpRequestResponsePersisted actual = callbacks.saveBuffersToTempFiles(messageInfo);
- mainPane.interceptedMessages.add(
- new HTTPReqRes(actual, helpers)
- );
- if (mainPane.defaultSession != null) {
- mainPane.defaultSession.addMessage(actual, helpers, mainPane.FILTERING);
- }
- }
- }
- }
- }
-
- private void processMatchedMsg(IHttpRequestResponse messageInfo, boolean isRequest, boolean isResponse) {
- messageInfo.setHighlight("red");
- mainPane.act_active_op = executeOperation(mainPane.act_active_op,
- messageInfo,
- isRequest);
- if (mainPane.act_active_op.processed_message != null) {
- if (isRequest) messageInfo.setRequest(mainPane.act_active_op.processed_message);
- else messageInfo.setResponse(mainPane.act_active_op.processed_message);
- }
- resume();
- }
-
- private void processMatchedMsg(MessageType msg_type,
- IHttpRequestResponse messageInfo) {
- messageInfo.setHighlight("red");
- mainPane.act_active_op = executeOperation(mainPane.act_active_op,
- messageInfo,
- msg_type.isRequest);
- if (mainPane.act_active_op.processed_message != null) {
- if (msg_type.isRequest) {
- messageInfo.setRequest(mainPane.act_active_op.processed_message);
- } else {
- messageInfo.setResponse(mainPane.act_active_op.processed_message);
- }
- }
- resume();
- }
-
- /**
- * Executes an operation to a message, in an active test and then returns the updated Operation object, which will
- * contains the infos about the execution
- *
- * @param op the operation to be executed
- * @param messageInfo the message info
- * @param isRequest true if the message is a request
- * @return the updated operation, with its result
- */
- private Operation executeOperation(Operation op, IHttpRequestResponse messageInfo, boolean isRequest) {
- if (!op.preconditions.isEmpty()) {
- HTTPReqRes message = new HTTPReqRes(messageInfo, helpers, isRequest);
- try {
- op.applicable = Tools.executeChecks(op.preconditions,
- message,
- helpers,
- isRequest);
- if (!op.applicable) return op;
- } catch (ParsingException e) {
- op.applicable = false;
- e.printStackTrace();
- return op;
- }
- }
-
- if (isRequest) {
- if (!op.replace_request_name.equals("")) {
- try {
- op.applicable = true;
- op.processed_message = getVariableByName(op.replace_request_name).message;
- op.processed_message_service = getVariableByName(op.replace_request_name).service_info;
- //return op;
- } catch (ParsingException e) {
- e.printStackTrace();
- op.applicable = false;
- return op;
- }
- }
- } else {
- if (!op.replace_response_name.equals("")) {
- try {
- op.applicable = true;
- op.processed_message = getVariableByName(op.replace_response_name).message;
- op.processed_message_service = getVariableByName(op.replace_response_name).service_info;
- //return op;
- } catch (ParsingException e) {
- e.printStackTrace();
- op.applicable = false;
- return op;
- }
- }
- }
-
- try {
- op.applicable = true;
- op = executeMessageOps(op, messageInfo, isRequest);
-
- } catch (ParsingException | PatternSyntaxException e) {
- op.applicable = false;
- e.printStackTrace();
- return op;
- }
-
- if (!op.save_name.equals("")) {
- Var v = new Var();
- v.name = op.save_name;
- v.isMessage = true;
- v.message = isRequest ? messageInfo.getRequest() : messageInfo.getResponse();
- v.service_info = messageInfo.getHttpService();
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- }
-
- return op;
- }
-
- /**
- * Given an operation, and a message, execute the Message operations contained in the operation
- *
- * @param op the operation containing the message operations
- * @param messageInfo the message
- * @param isRequest true if the message is a request
- * @return the updated Operation with the result
- * @throws ParsingException if parsing of names is not successfull
- */
- public Operation executeMessageOps(Operation op,
- IHttpRequestResponse messageInfo,
- boolean isRequest) throws ParsingException {
- for (MessageOperation mop : op.getMessageOerations()) {
- List splitted;
- Pattern pattern;
- Matcher matcher;
- byte[] new_message;
- boolean decode = false;
- String decoded_param = "";
- String original_cert = "";
- XMLHelpers xmlHelpers = new XMLHelpers();
-
- try {
- if (!mop.decode_param.equals("")) {
- decode = true;
-
- decoded_param = Encoding.decodeParam(
- helpers, mop.from, mop.encodings, messageInfo, isRequest, mop.decode_param);
- }
- if (mop.self_sign | mop.remove_signature) {
- //Remove signatures
- Document document = null;
- try {
- document = xmlHelpers.getXMLDocumentOfSAMLMessage(decoded_param);
- original_cert = xmlHelpers.getCertificate(document.getDocumentElement());
- if (original_cert == null) {
- System.out.println("SAML Certificate not found in decoded parameter \"" + mop.decode_param + "\"");
- op.applicable = false;
- }
- decoded_param = SamlTabController.removeSignature_edit(decoded_param);
-
- } catch (SAXException e) {
- e.printStackTrace();
- }
- }
-
- if (!mop.use.equals("")) {
- Var v = getVariableByName(mop.use);
- if (!v.isMessage) {
- mop.value = v.value;
- } else {
- throw new ParsingException("Error while using variable, expected text var, got message var");
- }
- }
-
- switch (mop.type) {
- case XML: {
- if (!decode) {
- throw new ParsingException("cannot found decoded parameter");
- }
- switch (mop.xml_action) {
- case ADD_TAG:
- decoded_param = XML.addTag(decoded_param,
- mop.xml_tag,
- mop.xml_action_name,
- mop.value,
- mop.xml_occurrency);
- break;
- case ADD_ATTR:
- decoded_param = XML.addTagAttribute(decoded_param,
- mop.xml_tag,
- mop.xml_action_name,
- mop.value,
- mop.xml_occurrency);
- break;
- case EDIT_TAG:
- decoded_param = XML.editTagValue(decoded_param,
- mop.xml_action_name,
- mop.value,
- mop.xml_occurrency);
- break;
- case EDIT_ATTR:
- decoded_param = XML.editTagAttributes(decoded_param,
- mop.xml_tag,
- mop.xml_action_name,
- mop.value,
- mop.xml_occurrency);
- break;
- case REMOVE_TAG:
- decoded_param = XML.removeTag(decoded_param,
- mop.xml_action_name,
- mop.xml_occurrency);
- break;
- case REMOVE_ATTR:
- decoded_param = XML.removeTagAttribute(decoded_param,
- mop.xml_tag,
- mop.xml_action_name,
- mop.xml_occurrency);
- break;
- case SAVE_TAG: {
- String to_save = XML.getTagValaue(decoded_param,
- mop.xml_action_name,
- mop.xml_occurrency);
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = to_save;
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
-
- break;
- }
- case SAVE_ATTR:
- String to_save = XML.getTagAttributeValue(decoded_param,
- mop.xml_tag, mop.xml_action_name,
- mop.xml_occurrency);
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = to_save;
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- break;
- }
- break;
- }
- case JWT: {
- op.jwt = new JWT();
- if (mop.isRawJWT) {
- op.jwt.parseJWT_string(decoded_param);
- } else {
- op.jwt.parseJWT(decoded_param);
- }
-
- switch (mop.jwt_action) {
- case REMOVE:
- op.jwt.removeClaim(mop.jwt_section, mop.what);
- break;
- case EDIT:
- case ADD:
- op.jwt.editAddClaim(mop.jwt_section, mop.what, mop.value);
- break;
- case SAVE:
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = op.jwt.getClaim(mop.jwt_section, mop.what);
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- break;
- }
-
- decoded_param = mop.isRawJWT ?
- op.jwt.buildJWT_string() :
- op.jwt.buildJWT();
- break;
- }
- case TXT: {
- Pattern p = Pattern.compile(mop.txt_action_name);
- Matcher m = p.matcher(decoded_param);
-
- if (mop.txt_action == null) {
- throw new ParsingException("txt action not specified");
- }
-
- switch (mop.txt_action) {
- case REMOVE:
- decoded_param = m.replaceAll("");
-
- break;
- case EDIT:
- decoded_param = m.replaceAll(mop.value);
-
- break;
- case ADD:
- while (m.find()) {
- int index = m.end();
- String before = decoded_param.substring(0, index);
- String after = decoded_param.substring(index);
- decoded_param = before + mop.value + after;
- break;
- }
- break;
- case SAVE:
- String val = "";
- while (m.find()) {
- val = m.group();
- break;
- }
-
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = val;
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- break;
- }
- break;
- }
- case GENERATE_POC: {
- //TODO: Finish
- if (!isRequest) {
- throw new ParsingException("Invalid POC generation, message should be a request");
- }
-
- if (!mop.template.equals("csrf")){
- continue; // other templates not supported yet
- }
-
- String poc = Utils.generate_CSRF_POC(messageInfo, helpers);
-
- try {
- File myObj = new File(mop.output_path);
- myObj.createNewFile();
- } catch (IOException e) {
- throw new ParsingException("Invalid POC generation output path: "
- + mop.output_path + " " + e.getMessage());
- }
- try {
- FileWriter myWriter = new FileWriter(mop.output_path);
- myWriter.write(poc);
- myWriter.close();
- } catch (IOException e) {
- throw new ParsingException("Something went wrong while writing output file for POC generator: "
- + mop.output_path + " " + e.getMessage());
- }
- }
- default: // HTTP standard
- if (mop.action != null) {
- switch (mop.action) {
- case REMOVE_PARAMETER:
- switch (mop.from) {
- case URL:
- // Works
- if (!isRequest) {
- throw new ParsingException("Searching URL in response");
- }
- List parts = Utils.splitMessage(messageInfo, helpers, isRequest);
- pattern = Pattern.compile("&?" + mop.what + "=[^& ]*((?=&)|(?= ))");
- matcher = pattern.matcher(parts.get(0));
- String new_url = matcher.replaceFirst("");
-
- new_message = Utils.setUrl(new_url, messageInfo, helpers, isRequest);
-
- op.processed_message = new_message;
- break;
- case HEAD:
- List headers = Utils.getHeaders(messageInfo, isRequest, helpers);
- headers = Utils.removeHeadParameter(headers, mop.what);
- byte[] message = helpers.buildHttpMessage(
- headers,
- Utils.getBody(messageInfo, isRequest, helpers));
-
- op.processed_message = message;
- break;
- case BODY:
- // Works
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
-
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(splitted.get(2));
- splitted.set(2, matcher.replaceAll(""));
-
- List head = Utils.getHeaders(messageInfo, isRequest, helpers);
- //Automatically update content-lenght
- op.processed_message = helpers.buildHttpMessage(
- head,
- helpers.stringToBytes(splitted.get(2)));
- break;
- }
- break;
-
- case ADD:
- if (getAdding(mop) == null | getAdding(mop).equals("")) {
- break;
- }
- switch (mop.from) {
- case HEAD: {
- List headers = Utils.getHeaders(messageInfo, isRequest, helpers);
- headers = Utils.addHeadParameter(headers, mop.what, getAdding(mop));
- byte[] message = helpers.buildHttpMessage(
- headers,
- Utils.getBody(messageInfo, isRequest, helpers));
-
- op.processed_message = message;
- break;
- }
- case BODY: {
- // Works
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
-
- String tmp = splitted.get(2);
- tmp = tmp + getAdding(mop);
- splitted.set(2, tmp);
-
- List head = Utils.getHeaders(messageInfo, isRequest, helpers);
- //Automatically update content-lenght
- op.processed_message = helpers.buildHttpMessage(
- head,
- helpers.stringToBytes(splitted.get(2)));
- break;
- }
- case URL:
- // Works
- if (!isRequest) {
- throw new ParsingException("Searching URL in response");
- }
-
- List parts = Utils.splitMessage(messageInfo, helpers, isRequest);
- String header_0 = parts.get(0);
-
- pattern = Pattern.compile("&?" + mop.what + "=[^& ]*((?=&)|(?= ))");
- matcher = pattern.matcher(header_0);
-
- String newHeader_0 = "";
- boolean found = false;
- while (matcher.find() & !found) {
- String before = header_0.substring(0, matcher.end());
- String after = header_0.substring(matcher.end());
- newHeader_0 = before + getAdding(mop) + after;
- found = true;
- }
-
- new_message = Utils.setUrl(newHeader_0, messageInfo, helpers, isRequest);
- op.processed_message = new_message;
- break;
- }
- break;
-
- case EDIT:
- op.processed_message = Utils.editMessageParam(
- helpers,
- mop.what,
- mop,
- messageInfo,
- isRequest,
- getAdding(mop),
- true);
- break;
-
- case EDIT_REGEX:
- op.processed_message = Utils.editMessage(
- helpers,
- mop.what,
- mop,
- messageInfo,
- isRequest,
- getAdding(mop),
- true);
- break;
-
- case REMOVE_MATCH_WORD:
- switch (mop.from) {
- case HEAD: {
- // Works
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
-
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(splitted.get(1));
- splitted.set(1, matcher.replaceAll(""));
-
- byte[] message = Utils.buildMessage(splitted, helpers);
-
- op.processed_message = message;
- break;
- }
- case BODY: {
- // Works
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
-
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(splitted.get(2));
- splitted.set(2, matcher.replaceAll(""));
-
- List head = Utils.getHeaders(messageInfo, isRequest, helpers);
- //Automatically update content-lenght
- op.processed_message = helpers.buildHttpMessage(
- head,
- helpers.stringToBytes(splitted.get(2)));
- break;
- }
- case URL:
- // Works
- if (!isRequest) {
- throw new ParsingException("Searching URL in response");
- }
- List parts = Utils.splitMessage(messageInfo, helpers, isRequest);
- String header_0 = parts.get(0);
-
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(header_0);
- String newHeader_0 = matcher.replaceFirst("");
-
- new_message = Utils.setUrl(newHeader_0, messageInfo, helpers, isRequest);
- op.processed_message = new_message;
- break;
- }
- break;
-
- case SAVE:
- case SAVE_MATCH:
- switch (mop.from) {
- case HEAD: {
- String value = "";
- if (mop.action == Utils.MessageOperationActions.SAVE) {
- List headers = Utils.getHeaders(messageInfo, isRequest, helpers);
- value = Utils.getHeadParameterValue(headers, mop.what).trim();
- } else {
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(splitted.get(1));
- value = "";
- while (matcher.find()) {
- value = matcher.group();
- break;
- }
- }
-
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = value;
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- break;
- }
- case BODY: {
- // Works
- splitted = Utils.splitMessage(messageInfo, helpers, isRequest);
- String tmp = splitted.get(2);
- pattern = Pattern.compile(mop.what);
- matcher = pattern.matcher(tmp);
- Var v = new Var();
-
- while (matcher.find()) {
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = matcher.group();
- break;
- }
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- break;
- }
- case URL: {
- // works
- if (!isRequest) {
- throw new ParsingException("Searching URL in response");
- }
- List parts = Utils.splitMessage(messageInfo, helpers, isRequest);
- String header_0 = parts.get(0);
-
- pattern = mop.action == Utils.MessageOperationActions.SAVE ?
- Pattern.compile(mop.what + "=[^& ]*(?=(&| ))") :
- Pattern.compile(mop.what);
-
- matcher = pattern.matcher(header_0);
- String value = "";
-
- if (matcher.find()) {
- String matched = matcher.group();
- value = mop.action == Utils.MessageOperationActions.SAVE ?
- matched.split("=")[1] :
- matched;
-
- Var v = new Var();
- v.name = mop.save_as;
- v.isMessage = false;
- v.value = value;
- synchronized (mainPane.lock) {
- mainPane.act_test_vars.add(v);
- }
- }
- break;
- }
- }
- break;
- }
- }
- }
-
-
- if (mop.self_sign && !decoded_param.equals("")) {
- //re-sign
-
- decoded_param = SamlTabController.resignAssertion_edit(decoded_param, original_cert);
- //decoded_param = SamlTabController.resignMessage_edit(decoded_param, original_cert);
-
- }
-
- if (decode && !decoded_param.equals("")) {
- // encode the edited param and substitute it in the right place
-
- Collections.reverse(mop.encodings); // Set the right order for encoding
- String encoded = Encoding.encode(mop.encodings, decoded_param, helpers);
-
- op.processed_message = Utils.editMessageParam(helpers,
- mop.decode_param, mop, messageInfo, isRequest, encoded, true);
- }
- if (op.processed_message != null) {
- if (isRequest) {
- messageInfo.setRequest(op.processed_message);
- } else {
- messageInfo.setResponse(op.processed_message);
- }
- if (op.processed_message_service != null) {
- messageInfo.setHttpService(op.processed_message_service);
- }
- }
- } catch (StackOverflowError e) {
- e.printStackTrace();
- }
- }
- return op;
- }
-
- /**
- * Returns the adding of a message operation, decides if the value to be inserted/edited should be a variable or
- * a typed value and return it
- *
- * @param m the message operation which has to be examined
- * @return the adding to be used in add/edit
- * @throws ParsingException if the variable name is not valid or the variable has not been initiated
- */
- private String getAdding(MessageOperation m) throws ParsingException {
- if (!m.use.isEmpty()) {
- return getVariableByName(m.use).value;
- } else {
-
- return m.to;
- }
- }
-
- /**
- * Given a name, returns the corresponding variable
- *
- * @param name the name of the variable
- * @return the Var object
- * @throws ParsingException if the variable cannot be found
- */
- private Var getVariableByName(String name) throws ParsingException {
- synchronized (mainPane.lock) {
- for (Var act : mainPane.act_test_vars) {
- if (act.name.equals(name)) {
- return act;
- }
- }
- }
- throw new ParsingException("variable not defined");
- }
-
- /**
- * Tells the lock on the Execute Actives process to resume the execution
- */
- private void resume() {
- // Resume the execution thread
- synchronized (mainPane.waiting) {
- mainPane.waiting.notify();
- }
- }
-
- private void log_message(boolean isRequest, IInterceptedProxyMessage message) {
- mainPane.act_active_op.log_messages.add(message);
- }
-}
diff --git a/tool/src/main/java/burp/Check.java b/tool/src/main/java/burp/Check.java
deleted file mode 100644
index 7086722..0000000
--- a/tool/src/main/java/burp/Check.java
+++ /dev/null
@@ -1,27 +0,0 @@
-package burp;
-
-/**
- * Check Object class. This object is used in Operations to check that a parameter or some text is in as specified.
- *
- * @author Matteo Bitussi
- */
-public class Check {
- String what; // what to search
- Utils.CheckOps op; // the check operations
- Utils.MessageSection in; // the section over which to search
- String op_val;
- boolean isParamCheck = false; // specifies if what is declared in what is a parameter name
-
- public void setWhat(String what) {
- this.what = what;
- }
-
- public void setOp(Utils.CheckOps op) {
- this.op = op;
- }
-
- @Override
- public String toString() {
- return "check: " + what + (op == null ? "" : " " + op + ": " + op_val);
- }
-}
diff --git a/tool/src/main/java/burp/Encoding.java b/tool/src/main/java/burp/Encoding.java
deleted file mode 100644
index 7d2654d..0000000
--- a/tool/src/main/java/burp/Encoding.java
+++ /dev/null
@@ -1,321 +0,0 @@
- package burp;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
-import java.util.List;
-import java.util.zip.DataFormatException;
-import java.util.zip.Deflater;
-import java.util.zip.Inflater;
-
-/**
- * Class containing methods used for the encoding of variables in messages
- *
- * @author Matteo Bitussi
- */
-public class Encoding {
-
- /**
- * Decodes a parameter from a message, given the message section and the list of encodings to be applied during
- * decoding
- * @param helpers IExtensionHelpers helpers object from Burp
- * @param ms The message section that contains the parameter to be decoded
- * @param encodings The list of encodings to be applied to decode the parameter
- * @param messageInfo The message to be decoded
- * @param isRequest True if the message containing the parameter is a request
- * @param decode_param The name of the parameter to be decoded
- * @return The decoded parameter as a string
- * @throws ParsingException If problems are encountered during decoding
- */
- public static String decodeParam(IExtensionHelpers helpers,
- Utils.MessageSection ms,
- List encodings,
- HTTPReqRes messageInfo,
- Boolean isRequest,
- String decode_param) throws ParsingException {
- String decoded_param = "";
- switch (ms) {
- case HEAD:
- decoded_param = Encoding.decode(
- encodings, Utils.getHeadParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- case BODY:
- decoded_param = Encoding.decode(
- encodings, Utils.getBodyParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- case URL:
- decoded_param = Encoding.decode(
- encodings, Utils.getUrlParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- }
-
- decoded_param = Utils.removeNewline(decoded_param);
-
- return decoded_param;
- }
-
- /**
- * Decodes a parameter from a message, given the message section and the list of encodings to be applied during
- * decoding
- * @param helpers IExtensionHelpers helpers object from Burp
- * @param ms The message section that contains the parameter to be decoded
- * @param encodings The list of encodings to be applied to decode the parameter
- * @param messageInfo The message to be decoded
- * @param isRequest True if the message containing the parameter is a request
- * @param decode_param The name of the parameter to be decoded
- * @return The decoded parameter as a string
- * @throws ParsingException If problems are encountered during decoding
- */
- public static String decodeParam(IExtensionHelpers helpers,
- Utils.MessageSection ms,
- List encodings,
- IHttpRequestResponse messageInfo,
- Boolean isRequest,
- String decode_param) throws ParsingException {
- String decoded_param = "";
- switch (ms) {
- case HEAD:
- decoded_param = Encoding.decode(
- encodings, Utils.getHeadParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- case BODY:
- decoded_param = Encoding.decode(
- encodings, Utils.getBodyParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- case URL:
- decoded_param = Encoding.decode(
- encodings, Utils.getUrlParam(helpers, messageInfo, isRequest, decode_param), helpers);
- break;
- }
-
- decoded_param = Utils.removeNewline(decoded_param);
-
- return decoded_param;
- }
-
- /**
- * Decode the given string, with the given ordered encodings
- * Example taken from
- * Saml Raider
- *
- * @param encodings the ordered list of encodings to be applied
- * @param encoded the string to be decoded
- * @return the decoded string
- * @throws ParsingException if the decoding fails
- */
- public static String decode(List encodings, String encoded, IExtensionHelpers helpers) throws ParsingException {
- String actual = encoded;
- byte[] actual_b = null;
- boolean isActualString = true;
-
- if (encoded.length() == 0) {
- return "";
- }
-
- for (Utils.Encoding e : encodings) {
- switch (e) {
- case BASE64:
- if (isActualString) {
- actual_b = helpers.base64Decode(actual);
- isActualString = false;
- } else {
- actual_b = helpers.base64Decode(actual_b);
- }
- break;
- case URL:
-
- if (isActualString) {
- actual = helpers.urlDecode(actual);
- } else {
- actual = helpers.urlDecode(new String(actual_b));
- isActualString = true;
- }
- break;
- case JWT:
- if (!isActualString) {
- actual = new String(actual_b);
- isActualString = true;
- }
- actual = burp.JWT.decode_raw_jwt(actual);
-
- break;
- case DEFLATE:
- boolean done = false;
- if (isActualString) {
- byte[] data = actual.getBytes();
-
- try {
- actual_b = decompress(data, true);
- done = true;
- isActualString = false;
- } catch (IOException | DataFormatException ioException) {
- ioException.printStackTrace();
- //ioException.printStackTrace();
- }
-
- try {
- if (!done) {
- actual_b = decompress(data, false);
- done = true;
- isActualString = false;
- }
- } catch (IOException | DataFormatException ioException) {
- //ioException.printStackTrace();
-
- }
- } else {
- try {
- actual_b = decompress(actual_b, true);
- done = true;
- } catch (IOException | DataFormatException ioException) {
-
- //ioException.printStackTrace();
- }
-
- try {
- if (!done) {
- actual_b = decompress(actual_b, false);
- done = true;
- }
- } catch (IOException | DataFormatException ioException) {
-
- }
- }
- break;
- }
- }
- if (isActualString) {
- return actual;
- } else {
- return new String(actual_b, StandardCharsets.UTF_8);
- }
- }
-
- /**
- * Encode the given string, with the given encodings (in the specified order)
- * Example taken from
- * Saml Raider
- *
- * @param encodings the ordered list of encodings to be applied
- * @param decoded the string to be encoded
- * @return the encoded string
- */
- public static String encode(List encodings, String decoded, IExtensionHelpers helpers) {
- String actual = decoded;
- byte[] actual_b = null;
- boolean isActualString = true;
- for (Utils.Encoding e : encodings) {
- switch (e) {
- case BASE64:
-
- if (isActualString) {
- actual = helpers.base64Encode(actual);
- } else {
- actual = helpers.base64Encode(actual_b);
- isActualString = true;
- }
- break;
-
- case URL:
-
- if (isActualString) {
- actual = URLEncoder.encode(actual);
- } else {
- actual = new String(actual_b);
- actual = URLEncoder.encode(actual);
- isActualString = true;
- }
- break;
-
- case JWT:
- //TBD
- break;
-
- case DEFLATE:
-
- if (isActualString) {
- try {
- actual_b = compress(actual.getBytes(StandardCharsets.UTF_8), true);
- } catch (IOException ioException) {
-
- //ioException.printStackTrace();
- }
- isActualString = false;
- } else {
- try {
- actual_b = compress(actual_b, true);
- } catch (IOException ioException) {
-
- //ioException.printStackTrace();
- }
- isActualString = false;
- }
- }
- }
-
- if (isActualString) {
- return actual;
- } else {
- return new String(actual_b, StandardCharsets.UTF_8);
- }
- }
-
-
- /**
- * Also named Inflate, taken from
- * here
- *
- * @param data the data to be decompressed (inflated)
- * @param gzip true to use gzip
- * @return returns the decompressed data
- * @throws IOException if something goes wrong
- * @throws DataFormatException if something goes wrong
- */
- public static byte[] decompress(byte[] data, boolean gzip) throws IOException, DataFormatException {
- Inflater inflater = new Inflater(true);
- inflater.setInput(data);
-
- ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
- byte[] buffer = new byte[1024];
- while (!inflater.finished()) {
- int count = inflater.inflate(buffer);
- outputStream.write(buffer, 0, count);
- }
- outputStream.close();
- byte[] output = outputStream.toByteArray();
-
- inflater.end();
-
- return output;
- }
-
- /**
- * Also named Deflate, taken from
- * here
- *
- * @param data data to be compressed (deflated)
- * @param gzip true to use gzip
- * @return the compressed data
- * @throws IOException if the compression goes wrong
- */
- public static byte[] compress(byte[] data, boolean gzip) throws IOException {
- Deflater deflater = new Deflater(5, gzip);
- deflater.setInput(data);
-
- ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
-
- deflater.finish();
- byte[] buffer = new byte[1024];
- while (!deflater.finished()) {
- int count = deflater.deflate(buffer);
- outputStream.write(buffer, 0, count);
- }
- outputStream.close();
- byte[] output = outputStream.toByteArray();
-
- deflater.end();
-
- return output;
- }
-}
diff --git a/tool/src/main/java/burp/HTTPReqRes.java b/tool/src/main/java/burp/HTTPReqRes.java
deleted file mode 100644
index e45832b..0000000
--- a/tool/src/main/java/burp/HTTPReqRes.java
+++ /dev/null
@@ -1,116 +0,0 @@
-package burp;
-
-/**
- * Class which is intended to substitute the IHTTPRequestResponse one, because of serialization support
- *
- * @author Matteo Bitussi
- */
-public class HTTPReqRes implements Cloneable {
- static public int instances;
- private String request_url;
- private byte[] request;
- private byte[] response;
- private String host;
- private int port;
- private String protocol;
-
- /**
- * Instantiate an HTTPReqRes element
- *
- * @param request the request in byte[] form
- * @param response the response in byte[] form
- */
- public HTTPReqRes(byte[] request, byte[] response) {
- this.setRequest(request);
- this.setResponse(response);
- instances++;
- }
-
- /**
- * Istantiate an HTTPReqRes element from a IHttpRequestResponsePersisted message
- *
- * @param message the message to be created from
- * @param helpers the helpers
- */
- public HTTPReqRes(IHttpRequestResponsePersisted message, IExtensionHelpers helpers) {
- this.setRequest(message.getRequest());
- this.setResponse(message.getResponse());
- this.setRequest_url(helpers.analyzeRequest(message).getUrl().toString());
- IHttpService service = message.getHttpService();
- this.setHost(service.getHost());
- this.setPort(service.getPort());
- this.setProtocol(service.getProtocol());
- instances++;
- }
-
- /**
- * Instantiate an HTTPReqRes element. If a message is a request it does not gather the response
- *
- * @param message an IHTTPRequestResponse message
- * @param helpers an istance of the IExtensionHelpers
- * @param isRequest true if the message is a request, false otherwise
- */
- public HTTPReqRes(IHttpRequestResponse message, IExtensionHelpers helpers, Boolean isRequest) {
- this.setRequest(message.getRequest());
- if (!isRequest) this.setResponse(message.getResponse());
- this.setRequest_url(helpers.analyzeRequest(message).getUrl().toString());
- IHttpService service = message.getHttpService();
- this.setHost(service.getHost());
- this.setPort(service.getPort());
- this.setProtocol(service.getProtocol());
- instances++;
- }
-
- public byte[] getRequest() {
- return request;
- }
-
- public void setRequest(byte[] request) {
- this.request = request;
- }
-
- public byte[] getResponse() {
- return response;
- }
-
- public void setResponse(byte[] response) {
- this.response = response;
- }
-
- public String getRequest_url() {
- return request_url;
- }
-
- public void setRequest_url(String request_url) {
- this.request_url = request_url;
- }
-
- public String getHost() {
- return host;
- }
-
- public void setHost(String host) {
- this.host = host;
- }
-
- public int getPort() {
- return port;
- }
-
- public void setPort(int port) {
- this.port = port;
- }
-
- public String getProtocol() {
- return protocol;
- }
-
- public void setProtocol(String protocol) {
- this.protocol = protocol;
- }
-
- @Override
- public Object clone() throws CloneNotSupportedException {
- return super.clone();
- }
-}
diff --git a/tool/src/main/java/burp/JWT.java b/tool/src/main/java/burp/JWT.java
deleted file mode 100644
index 15df3ba..0000000
--- a/tool/src/main/java/burp/JWT.java
+++ /dev/null
@@ -1,236 +0,0 @@
-package burp;
-
-import io.jsonwebtoken.*;
-import org.json.JSONException;
-
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
-import java.util.Map;
-
-/**
- * Class to manage JWT tokens
- *
- * @Author Matteo Bitussi
- */
-public class JWT {
- public String header;
- public String payload;
- public String signature;
- public String raw;
- public Jwt jwt;
- public String singing_alg;
- public boolean sign;
- private boolean isProcessedAsString;
-
- /**
- * Constructor that instantiate a JWT object
- */
- public JWT() {
- this.raw = "";
- this.signature = "";
- this.header = "";
- this.payload = "";
- this.sign = false;
- }
-
- /**
- * Function that decodes a raw jwt with Base64 and splitting it into the three parts
- *
- * @param jwt the raw jwt as string
- * @return an array of length 3 containing the three parts of the decoded JWT in order.
- */
- static public String decode_raw_jwt(String jwt) {
- String[] parts = jwt.split("\\.");
- String res = "";
-
- if (parts.length != 3) {
- return "";
- }
-
- res = new String(Base64.getDecoder().decode(parts[0]), StandardCharsets.UTF_8) + ".";
- res += new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8) + ".";
- res += parts[2];
-
- return res;
- }
-
- /**
- * Parse a jwt token from a string.
- *
- * @param raw_jwt the raw jwt to be parsed
- */
- public void parseJWT(String raw_jwt) throws ParsingException {
- int i = raw_jwt.lastIndexOf('.');
- String withoutSignature = raw_jwt.substring(0, i + 1);
- jwt = Jwts.parserBuilder().build().parse(withoutSignature);
-
- singing_alg = (String) jwt.getHeader().get("alg");
-
- signature = raw_jwt.substring(i + 1);
- isProcessedAsString = false;
- }
-
- /**
- * Builds a jwt token in form of a string, from the Claims and the Header declared in this class
- *
- * @return the jwt token in string format
- */
- public String buildJWT() {
- JwtBuilder builder = Jwts.builder();
- builder.setHeader((Map) jwt.getHeader());
- builder.setClaims(jwt.getBody());
-
- boolean isNone = jwt.getHeader().get("alg") != null && jwt.getHeader().get("alg").equals("none");
-
- String tmp = builder.compact();
- tmp += signature;
-
- String[] splitted = tmp.split("\\.");
-
- String header = new String(Base64.getDecoder().decode(splitted[0]));
- header = isNone ? header : header.replaceAll("none", singing_alg);
- header = Base64.getEncoder().encodeToString(header.getBytes());
- header = header.replaceAll("=", "");
- splitted[0] = header;
-
- tmp = splitted[0] + "." + splitted[1];
- if (splitted.length == 3) {
- tmp = tmp + "." + splitted[2];
- }
-
- return tmp;
- }
-
- /**
- * Parse a JWT token from a string and stores string values of it
- *
- * @param raw_jwt the raw JWT in string format
- * @throws ParsingException if there are problems in the parsing
- */
- public void parseJWT_string(String raw_jwt) throws ParsingException {
- String[] splitted = raw_jwt.split("\\.");
- if (splitted.length != 3) throw new ParsingException("Invalid jwt");
-
- try {
- header = new String(Base64.getDecoder().decode(splitted[0]));
- payload = new String(Base64.getDecoder().decode(splitted[1]));
- signature = splitted[2];
- } catch (JSONException e) {
- throw new ParsingException("Error parsing JWT tokens");
- }
- isProcessedAsString = true;
- }
-
- /**
- * Builds a JWT token from the string values in this class
- *
- * @return A JWT as a string
- * @throws ParsingException
- */
- public String buildJWT_string() throws ParsingException {
- String res = "";
-
- if (isProcessedAsString)
- throw new ParsingException("error in building jwt, tried to build from string");
-
- if (this.header.equals("") || this.payload.equals(""))
- throw new ParsingException("error in building jwt, empty values");
-
- res += Base64.getEncoder().encodeToString(header.getBytes());
- res += "." + Base64.getEncoder().encodeToString(payload.getBytes());
-
- if (signature != null && !signature.equals("")) {
- res += "." + signature;
- }
-
- res = res.replaceAll("=", "");
- return res;
- }
-
- /**
- * Removes a claim from the given jwt section
- *
- * @param section the section containing the claim to remove
- * @param what the name of the claim to remove
- */
- public void removeClaim(Utils.Jwt_section section, String what) {
- switch (section) {
- case HEADER:
- jwt.getHeader().remove(what);
- break;
- case PAYLOAD:
- jwt.getBody().remove(what);
- break;
- case SIGNATURE:
- signature = "";
- break;
- case RAW_HEADER:
- break;
- case RAW_PAYLOAD:
- break;
- case RAW_SIGNATURE:
- break;
- }
- }
-
- /**
- * This function add or edit a claim from the given section. If the claim is present, it edits it, otherwise it
- * adds it.
- *
- * @param section the section containing the claim or that should contain the claim
- * @param what the name of the claim
- * @param value the value of the claim to set
- */
- public void editAddClaim(Utils.Jwt_section section, String what, String value) {
- switch (section) {
- case HEADER:
- jwt.getHeader().put(what, value);
- break;
- case PAYLOAD:
- jwt.getBody().put(what, value);
- break;
- case SIGNATURE:
- signature = value;
- break;
- case RAW_HEADER:
- break;
- case RAW_PAYLOAD:
- break;
- case RAW_SIGNATURE:
- break;
- }
- }
-
- /**
- * Function used to get the value of a claim
- *
- * @param section the section containing the claim
- * @param what the name of the claim
- * @return the value of the claim
- */
- public String getClaim(Utils.Jwt_section section, String what) {
- String res = "";
- if (isProcessedAsString) {
- res = "";
- } else {
- switch (section) {
- case HEADER:
- res = (String) jwt.getHeader().get(what);
- break;
- case PAYLOAD:
- res = (String) jwt.getBody().get(what);
- break;
- case SIGNATURE:
- res = signature;
- break;
- case RAW_HEADER:
- break;
- case RAW_PAYLOAD:
- break;
- case RAW_SIGNATURE:
- break;
- }
- }
- return res;
- }
-}
diff --git a/tool/src/main/java/burp/MessageOperation.java b/tool/src/main/java/burp/MessageOperation.java
deleted file mode 100644
index b765507..0000000
--- a/tool/src/main/java/burp/MessageOperation.java
+++ /dev/null
@@ -1,70 +0,0 @@
-package burp;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * The class storing a MessageOperation object
- *
- * @author Matteo Bitussi
- */
-public class MessageOperation {
- Utils.MessageSection from;
- String what;
- String to;
- Utils.MessageOperationActions action;
- String save_as; // The name of the variable to save the parameter's value
- String use;
- String decode_param;
- List encodings;
- Utils.MessageOpType type;
-
- // XML
- Utils.XmlAction xml_action;
- String xml_action_name;
- String xml_tag;
- String xml_attr;
- String value;
- Integer xml_occurrency;
- Boolean self_sign;
- Boolean remove_signature;
-
- // TXT
- Utils.TxtAction txt_action;
- String txt_action_name;
-
- // JWT
- boolean isRawJWT = false;
- Utils.Jwt_section jwt_section;
- Utils.Jwt_action jwt_action;
- boolean sign = false;
-
- // GENERATE POC
- String template;
- String output_path;
-
- /**
- * Used to Instantiate the class
- */
- public MessageOperation() {
- this.what = "";
- this.to = "";
- this.save_as = "";
- this.use = "";
- this.decode_param = "";
- this.encodings = new ArrayList<>();
- this.type = Utils.MessageOpType.HTTP;
- this.value = "";
- this.xml_action_name = "";
- this.xml_tag = "";
- this.xml_attr = "";
- this.self_sign = false;
- this.txt_action_name = "";
- this.remove_signature = false;
- this.xml_occurrency = -1;
- this.jwt_action = null;
- this.jwt_section = null;
- this.template = "";
- this.output_path = "";
- }
-}
diff --git a/tool/src/main/java/burp/MessageType.java b/tool/src/main/java/burp/MessageType.java
deleted file mode 100644
index 869cf13..0000000
--- a/tool/src/main/java/burp/MessageType.java
+++ /dev/null
@@ -1,66 +0,0 @@
-package burp;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * Class storing a MessageType
- *
- * @author Matteo Bitussi
- */
-public class MessageType implements Cloneable {
- String name;
- Boolean isRequest;
- String regex;
- List checks;
- Utils.MessageSection messageSection;
- String responseName;
- String requestName;
-
- Boolean getByResponse;
- Boolean getByRequest;
- Boolean isRegex;
-
- /**
- * Instantiate a MessageType
- *
- * @param name the name of that message
- * @param isRequest if the message is a request
- */
- public MessageType(String name, Boolean isRequest) {
- this.name = name;
- this.isRequest = isRequest;
- this.regex = "";
- this.checks = new ArrayList<>();
- this.isRegex = false;
- this.responseName = "";
- this.requestName = "";
- this.getByResponse = false;
- this.getByRequest = false;
- }
-
- /**
- * From a list of message types, get the corresponding MessageType from the name
- *
- * @param list the list of message types
- * @param name the name of the message type
- * @return the corresponding MessageType (if found)
- * @throws Exception if the MessageType can not be found
- */
- public static MessageType getFromList(List list, String name) throws Exception {
- for (MessageType act : list) {
- if (act.name.equals(name)) {
- return act;
- } else if (act.responseName.equals(name)) {
- MessageType tmp = (MessageType) act.clone();
- tmp.getByResponse = true;
- return tmp;
- } else if (act.requestName.equals(name)) {
- MessageType tmp = (MessageType) act.clone();
- tmp.getByRequest = true;
- return tmp;
- }
- }
- throw new ParsingException("cannot find the specified message type");
- }
-}
diff --git a/tool/src/main/java/burp/Operation.java b/tool/src/main/java/burp/Operation.java
deleted file mode 100644
index d1aa654..0000000
--- a/tool/src/main/java/burp/Operation.java
+++ /dev/null
@@ -1,184 +0,0 @@
-package burp;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * Class storing an Operation in a Test
- *
- * @author Matteo Bitussi
- */
-public class Operation {
- public List messageOerations;
- public String from_session;
- public String to_session;
- public Utils.Then then;
- public String save_name;
- public int to_match;
- public int act_matched;
- public String session_port;
- public List preconditions;
- public String replace_request_name;
- public String replace_response_name;
- public boolean isSessionOp = false;
- public boolean isRegex = false;
- public List matchedMessages;
- public byte[] processed_message;
- public IHttpService processed_message_service; // null if it is not changed
- public String decode_param;
- public List encodings;
- public JWT jwt;
- public List log_messages;
-
- // Session operation
-
- public List session_operations;
-
- boolean applicable = false; // if the operation can't find a matching message, is not applicable
- boolean passed = true; // defalult true
- private List checks;
- private String messageType;
- private String regex;
- private Utils.MessageSection messageSection;
- private Utils.Action action;
- private String session;
- private Utils.SessionAction sessionAction;
-
- /**
- * Instantiate an operation
- */
- public Operation() {
- this.messageOerations = new ArrayList<>();
- this.preconditions = new ArrayList<>();
- this.checks = new ArrayList<>();
- this.setChecks(new ArrayList<>());
- this.matchedMessages = new ArrayList<>();
- this.encodings = new ArrayList<>();
- this.session_operations = new ArrayList<>();
- this.log_messages = new ArrayList<>();
- this.to_match = 0;
- this.act_matched = 0;
- this.from_session = "";
- this.to_session = "";
- this.save_name = "";
- this.session_port = "";
- this.replace_response_name = "";
- this.replace_request_name = "";
- this.messageType = "";
- this.regex = "";
- this.session = "";
- this.decode_param = "";
- this.processed_message_service = null;
- this.processed_message = null;
- this.jwt = null;
- }
-
- public String getMessageType() {
- return messageType;
- }
-
- /**
- * Set the message type of the message the operation needs to deal with
- * @param messageType the name of the message type
- * @param msg_types the list of message types
- * @throws Exception Thrown if the message type is not found
- */
- public void setMessageType(String messageType, List msg_types) throws Exception {
- if (MessageType.getFromList(msg_types, messageType) != null) {
- this.messageType = messageType;
- } else {
- throw new ParsingException("Message type not found");
- }
- this.messageType = messageType;
- }
-
- public List getMessageOerations() {
- return messageOerations;
- }
-
- public List getChecks() {
- return checks;
- }
-
- public void setChecks(List checks) {
- this.checks = checks;
- }
-
- public String getRegex() {
- return regex;
- }
-
- public void setRegex(String regex) {
- this.regex = regex;
- }
-
- public Utils.MessageSection getMessageSection() {
- return messageSection;
- }
-
- public void setMessageSection(Utils.MessageSection messageSection) {
- this.messageSection = messageSection;
- }
-
- public Utils.Action getAction() {
- return action;
- }
-
- public void setAction(String action) throws ParsingException {
- this.setAction(Utils.Action.fromString(action));
- }
-
- public void setAction(Utils.Action action) {
- this.action = action;
- }
-
- public String getSession() {
- return session;
- }
-
- public void setSession(String sessionName) {
- this.session = sessionName;
- }
-
- public Utils.SessionAction getSessionAction() {
- return sessionAction;
- }
-
- public void setSessionAction(String sessionAction) throws ParsingException {
- this.setSessionAction(Utils.SessionAction.fromString(sessionAction));
- }
-
- public void setSessionAction(Utils.SessionAction sessionAction) {
- this.sessionAction = sessionAction;
- }
-
-
- /**
- * Class to store the index and some information about matched messages (with regex or check) in an operation
- */
- public static class MatchedMessage {
- HTTPReqRes message;
- boolean isRequest = false;
- boolean isResponse = false;
- boolean isFail = false;
- Integer index;
-
- /**
- * Instantiates a MatchedMessage
- *
- * @param message the message
- * @param index the index in the message list
- * @param isRequest if it is a request
- * @param isResponse if it is a response
- * @param isFail if it maked the test fail
- */
- public MatchedMessage(HTTPReqRes message, Integer index, boolean isRequest, boolean isResponse, boolean isFail) {
- this.message = message;
- this.isResponse = isResponse;
- this.isRequest = isRequest;
- this.index = index;
- this.isFail = isFail;
- }
- }
-}
-
diff --git a/tool/src/main/java/burp/Report.java b/tool/src/main/java/burp/Report.java
deleted file mode 100644
index ba5b48a..0000000
--- a/tool/src/main/java/burp/Report.java
+++ /dev/null
@@ -1,71 +0,0 @@
-package burp;
-
-import be.quodlibet.boxable.BaseTable;
-import be.quodlibet.boxable.Cell;
-import be.quodlibet.boxable.Row;
-import be.quodlibet.boxable.datatable.DataTable;
-import org.apache.pdfbox.pdmodel.PDDocument;
-import org.apache.pdfbox.pdmodel.PDPage;
-import org.apache.pdfbox.pdmodel.PDPageContentStream;
-import org.apache.pdfbox.pdmodel.font.PDType1Font;
-
-import java.awt.*;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-/**
- * Class used to generate a report for a test
- *
- * @author Matteo Bitussi
- */
-public class Report {
-
- public void toPdf() throws IOException {
- String message = "Test Report";
- try (PDDocument doc = new PDDocument())
- {
- PDPage page = new PDPage();
-
-
- try (PDPageContentStream contents = new PDPageContentStream(doc, page))
- {
- contents.beginText();
- contents.setFont(PDType1Font.HELVETICA_BOLD, 12);
- contents.newLineAtOffset(100, 700);
- contents.showText(message);
- contents.endText();
- }
-
- //Source: github.com/dhorions/boxable
-
- //Dummy Table
- float margin = 50;
-// starting y position is whole page height subtracted by top and bottom margin
- float yStartNewPage = page.getMediaBox().getHeight() - (2 * margin);
-// we want table across whole page width (subtracted by left and right margin ofcourse)
- float tableWidth = page.getMediaBox().getWidth() - (2 * margin);
-
- BaseTable table = new BaseTable(550, yStartNewPage, 70, tableWidth, margin, doc, page, true,
- true);
- //Create Header row
- Row headerRow = table.createRow(15f);
- Cell cell = headerRow.createCell(100, "Awesome Facts About Belgium");
- cell.setFont(PDType1Font.HELVETICA_BOLD);
- cell.setFillColor(Color.BLACK);
- table.addHeaderRow(headerRow);
-
- Row row = table.createRow(12);
- cell = row.createCell(30, "Test 1");
- cell = row.createCell(70, "Some value");
-
- table.draw();
-
- doc.addPage(page);
-
- doc.save("testfile.pdf");
- doc.close();
- }
- }
-}
diff --git a/tool/src/main/java/burp/SessionOperation.java b/tool/src/main/java/burp/SessionOperation.java
deleted file mode 100644
index 3b95857..0000000
--- a/tool/src/main/java/burp/SessionOperation.java
+++ /dev/null
@@ -1,139 +0,0 @@
-package burp;
-
-import org.json.JSONArray;
-import org.json.JSONObject;
-
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- * Class containing a session Operation
- *
- * @author Matteo Bitussi
- */
-public class SessionOperation {
- public String from_session;
- public Utils.SessOperationAction action;
- public String what;
- public String as;
- public String at;
- public String to; // until to which ession action save
- public boolean is_from_included = false;
- public boolean is_to_included = false;
- public Utils.SessOperationTarget target;
- public String mark_name;
-
- /**
- * Parses a list of session operations from json
- * @param act_operation the session operations as JSON object
- * @return the list of tession operations
- * @throws ParsingException if the parsing goes wrong
- */
- public static List parseFromJson(JSONObject act_operation) throws ParsingException {
- List lsop = new ArrayList<>();
- if (act_operation.has("session operations")) {
- JSONArray session_ops = act_operation.getJSONArray("session operations");
- for (int l = 0; l < session_ops.length(); l++) {
- JSONObject act_session_op = session_ops.getJSONObject(l);
- SessionOperation sop = new SessionOperation();
- Iterator keys = act_session_op.keys();
- while (keys.hasNext()) {
- String key = keys.next();
-
- switch (key) {
- case "session":
- sop.from_session = act_session_op.getString("session");
- break;
- case "save":
- sop.action = Utils.SessOperationAction.SAVE;
- sop.target = Utils.SessOperationTarget
- .getFromString(act_session_op.getString("save"));
- break;
- case "as":
- sop.as = act_session_op.getString("as");
- break;
- case "insert":
- sop.action = Utils.SessOperationAction.INSERT;
- sop.what = act_session_op.getString("insert");
- break;
- case "at":
- sop.at = act_session_op.getString("at");
- break;
- case "mark":
- sop.action = Utils.SessOperationAction.MARKER;
- sop.target = Utils.SessOperationTarget
- .getFromString(act_session_op.getString("mark"));
- sop.mark_name = act_session_op.getString("name");
- break;
- case "name":
- //Already processed in mark
- break;
- case "remove":
- sop.action = Utils.SessOperationAction.REMOVE;
- if (sop.at == null || sop.at.length()==0) {
- sop.at = act_session_op.getString("remove");
- }
- break;
-
- case "range":
- List