From aaf11b0fe7d323b09e325e526ef8ac0ef4263495 Mon Sep 17 00:00:00 2001 From: minamo7sen Date: Sun, 22 Aug 2021 23:26:07 +0200 Subject: [PATCH] v1.0 --- LICENSE.md | 201 +++++++++++++++ README.md | 45 ++++ build.gradle | 16 ++ gradlew | 185 ++++++++++++++ gradlew.bat | 89 +++++++ settings.gradle | 2 + src/main/java/burp/BurpExtender.java | 162 ++++++++++++ src/main/java/burp/CustomScanIssue.java | 92 +++++++ .../java/burp/ExecutorServiceManager.java | 26 ++ .../java/burp/InterestingStuffFinder.java | 236 ++++++++++++++++++ src/main/java/burp/JSMapFile.java | 26 ++ src/main/java/burp/JSMapFileFetcher.java | 146 +++++++++++ src/main/java/burp/JSMinerScan.java | 95 +++++++ src/main/java/burp/Utilities.java | 211 ++++++++++++++++ 14 files changed, 1532 insertions(+) create mode 100644 LICENSE.md create mode 100644 README.md create mode 100644 build.gradle create mode 100755 gradlew create mode 100644 gradlew.bat create mode 100644 settings.gradle create mode 100644 src/main/java/burp/BurpExtender.java create mode 100644 src/main/java/burp/CustomScanIssue.java create mode 100644 src/main/java/burp/ExecutorServiceManager.java create mode 100644 src/main/java/burp/InterestingStuffFinder.java create mode 100644 src/main/java/burp/JSMapFile.java create mode 100644 src/main/java/burp/JSMapFileFetcher.java create mode 100644 src/main/java/burp/JSMinerScan.java create mode 100644 src/main/java/burp/Utilities.java diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..96c99d6 --- /dev/null +++ b/LICENSE.md 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Mina M. Edwar + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..48914c9 --- /dev/null +++ b/README.md 
@@ -0,0 +1,45 @@ +# Burp JS Miner +This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files. + +## Background +While assessing a web application, it is expected to enumerate information residing inside static ".js" and ".json" files. + +This tool tries to help with this "initial" phase, which should be followed by manual review/analysis of the reported issues. + +**Note:** Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can). + +## Features +- Scans for secrets / credentials +- Scans for subdomains +- Scans for cloud URLs +- Tries to construct source code from JavaScript Source Map Files (if found). + +### What are JavaScript source maps? +**TL;DR: If the ".map" files were found, this tool can construct the front-end source code and store it under your home directory.** +- JavaScript source map files are mainly meant for debugging purposes. To map the minified JavaScript files to the original source code. +- The constructed source code might include comments, configurations and other internal information. +- While most of this data might be included in the minified JavaScript files, the original source code and its comments can be easier to review/analyze. +- References: + - https://www.html5rocks.com/en/tutorials/developertools/sourcemaps/ + - https://www.rapid7.com/de/blog/post/2017/05/24/what-are-javascript-source-maps/ + +## How to use this tool +The tool contains two main scans: +- **Passive** scans, which are enabled by default (to search for secrets, subdomains and cloud URLs). +- **Actively** try to guess JavaScript source map files. 
(During the process, HTTP requests will be sent) + +For the best results, ensure to navigate your target first in order for all the static files to be loaded then right-click on the target domain +(example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options. + +Note: JS Source mapper scan is not included in Burp's "Active scan". + +## Motivation and contribution +As I'm using Burp Suite almost every day, my goal was to have a burp extension that searches for information inside static files. (Many good command-line tools are out there that are doing what this extension is doing) + +I'm open for ideas/suggestions to help improve or optimize this tool. + +## Disclaimer +It is the user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this tool. + +## License +This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms. diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..75b67ff --- /dev/null +++ b/build.gradle @@ -0,0 +1,16 @@ +plugins { + id 'java' + id 'com.github.johnrengelman.shadow' version '7.0.0' +} + +repositories { + mavenCentral() +} + +dependencies { + implementation 'net.portswigger.burp.extender:burp-extender-api:2.2' + implementation 'com.fasterxml.jackson.core:jackson-core:2.13.0-rc1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.0-rc1' +} + +defaultTasks 'shadowJar' \ No newline at end of file diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..744e882 --- /dev/null +++ b/gradlew 
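Review bot: Both Jackson coordinates in the `dependencies` block pin `2.13.0-rc1`, a release candidate, and this parser is presumably what the source-map fetcher uses on JSON pulled from the target, so pre-release parsing code sits directly on untrusted input; pin a GA release instead, e.g. `implementation 'com.fasterxml.jackson.core:jackson-databind:<GA 2.13.x version>'`. `jackson-core` is a transitive dependency of `jackson-databind`, so the separate `jackson-core` line is redundant once the versions agree. Separately, `gradlew` puts `gradle/wrapper/gradle-wrapper.jar` on its classpath, but neither that jar nor `gradle/wrapper/gradle-wrapper.properties` is in this commit, so the committed wrapper scripts cannot run as-is; adding the properties file (with `distributionSha256Sum`) would also pin the build tool itself.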
@@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). 
+cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MSYS* | MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? 
-ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" 
"$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..ac1b06f --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..0f52470 --- /dev/null +++ b/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'burp-JS-Miner' + diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java new file mode 100644 index 0000000..ec476c2 --- /dev/null +++ b/src/main/java/burp/BurpExtender.java 
@@ -0,0 +1,162 @@ +package burp; + +import javax.swing.*; +import java.awt.event.ActionEvent; +import java.awt.event.ActionListener; +import java.io.PrintWriter; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; + +public class BurpExtender implements IBurpExtender, IContextMenuFactory, IExtensionStateListener, IScannerCheck { + private static IBurpExtenderCallbacks callbacks; + private static IExtensionHelpers helpers; + private static final ExecutorServiceManager executorServiceManager = ExecutorServiceManager.getInstance(); + private static boolean loaded = true; + static PrintWriter mStdOut; + static PrintWriter mStdErr; + public static final String EXTENSION_NAME = "JS Miner"; + private static final String EXTENSION_VERSION = "1.0"; + + // Exposing callbacks for use in other classes + public static IBurpExtenderCallbacks getCallbacks() { + return callbacks; + } + + public static IExtensionHelpers getHelpers() { + return helpers; + } + + public static boolean isLoaded() { + return loaded; + } + + public static void setLoaded(boolean loaded) { + BurpExtender.loaded = loaded; + } + + public static ExecutorServiceManager getExecutorServiceManager() { + return executorServiceManager; + } + + @Override + public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { + BurpExtender.callbacks = callbacks; + // Extension initializations + helpers = callbacks.getHelpers(); + callbacks.setExtensionName(EXTENSION_NAME); + callbacks.registerContextMenuFactory(this); + callbacks.registerExtensionStateListener(this); + + // register ourselves as a custom scanner check + callbacks.registerScannerCheck(this); + + // obtain our output and error streams + mStdOut = new PrintWriter(callbacks.getStdout(), true); + mStdErr = new PrintWriter(callbacks.getStderr(), true); + + mStdOut.println("[*] Loaded:\t" + EXTENSION_NAME + " v" + EXTENSION_VERSION); + mStdOut.println("[*] Author:\tMina M. 
Edwar (minamo7sen@gmail.com)"); + mStdOut.println("================================================="); + + } + + @Override + public void extensionUnloaded() { + setLoaded(false); + mStdOut.println("[*] Sending shutdown signal to terminate any running threads.."); + executorServiceManager.getExecutorService().shutdownNow(); + mStdOut.println("[*] Extension was unloaded."); + mStdOut.println("================================================="); + } + + /* + * Context menu items + */ + @Override + public List createMenuItems(IContextMenuInvocation invocation) { + List items = new ArrayList<>(); + + if (IContextMenuInvocation.CONTEXT_TARGET_SITE_MAP_TABLE == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_TARGET_SITE_MAP_TREE == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_PROXY_HISTORY == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_MESSAGE_VIEWER_REQUEST == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_MESSAGE_VIEWER_RESPONSE == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_REQUEST == invocation.getInvocationContext() || + IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_RESPONSE == invocation.getInvocationContext() + ) { + IHttpRequestResponse[] selectedMessages = invocation.getSelectedMessages(); + + JMenuItem autoMineItem = new JMenuItem("JS Auto-Mine (check everything)"); + menuItemActions autoAction = new menuItemActions(selectedMessages, true, true); + autoMineItem.addActionListener(autoAction); + items.add(autoMineItem); + + JMenuItem jsSourceMapItem = new JMenuItem("Only guess JS source maps (active)"); + menuItemActions jsMapAction = new menuItemActions(selectedMessages, true, false); + jsSourceMapItem.addActionListener(jsMapAction); + items.add(jsSourceMapItem); + + JMenuItem findInterestingStuffItem = new JMenuItem("Only find interesting stuff (passive)"); + menuItemActions findStuffAction = new 
menuItemActions(selectedMessages, false, true); + findInterestingStuffItem.addActionListener(findStuffAction); + items.add(findInterestingStuffItem); + + } + return items; + } + + /** + * Class to handle menu items actions + */ + class menuItemActions implements ActionListener { + + private final IHttpRequestResponse[] httpReqResArray; + private final boolean scanSourceMapFiles; + private final boolean checkInterestingStuff; + + menuItemActions(IHttpRequestResponse[] httpReqResArr, boolean scanSourceMapFiles, boolean checkInterestingStuff) { + this.httpReqResArray = httpReqResArr; + this.scanSourceMapFiles = scanSourceMapFiles; + this.checkInterestingStuff = checkInterestingStuff; + } + + @Override + public void actionPerformed(ActionEvent e) { + new Thread(() -> handleTargets(httpReqResArray, scanSourceMapFiles, checkInterestingStuff)).start(); + } + } + + static void handleTargets(IHttpRequestResponse[] siteMapReqResArray, boolean sourceMapScan, boolean findInterestingStuffScan) { + HashSet uniqueTargets = new HashSet<>(); + for (IHttpRequestResponse httpReqRes : siteMapReqResArray) { + String host = helpers.analyzeRequest(httpReqRes).getUrl().getHost(); + // If host is in the list, add to our unique targets & scan it + if (!uniqueTargets.contains(host)) { + uniqueTargets.add(host); + new JSMinerScan(httpReqRes, sourceMapScan, findInterestingStuffScan); + } + } + + uniqueTargets.clear(); + } + + @Override + public List doPassiveScan(IHttpRequestResponse baseRequestResponse) { + return null; + } + + @Override + public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { + new Thread(() -> new JSMinerScan(baseRequestResponse, true, false)).start(); + return null; + } + + @Override + public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { + if (existingIssue.getIssueName().equals(newIssue.getIssueName())) + return -1; + else return 0; + } + +} \ No newline at end of file 
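Review bot: `doActiveScan` runs `new Thread(() -> new JSMinerScan(baseRequestResponse, true, false)).start()` unconditionally, and Burp invokes that callback once per insertion point of each base request, so a single scanned request can launch many concurrent source-map guessing scans against the same host with none of the de-duplication that `handleTargets` performs via its host set. Those threads also bypass `executorServiceManager`, so the `shutdownNow()` in `extensionUnloaded` never reaches them and they keep sending requests after unload. Consider tracking already-scanned request URLs in a concurrent set and submitting the work with `executorServiceManager.getExecutorService().submit(...)` instead of a bare `Thread`, and apply the same to `actionPerformed` in `menuItemActions`. As a style point, `createMenuItems`, `handleTargets`, `doPassiveScan` and `doActiveScan` use raw `List`/`HashSet`; `List<JMenuItem>`, `Set<String>` and `List<IScanIssue>` state the contract and compile without unchecked warnings, and the inner class would conventionally be named `MenuItemActions`.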
diff --git a/src/main/java/burp/CustomScanIssue.java b/src/main/java/burp/CustomScanIssue.java
new file mode 100644
index 0000000..a3f49b2
--- /dev/null
+++ b/src/main/java/burp/CustomScanIssue.java
@@ -0,0 +1,92 @@
+package burp;
+
+import java.net.URL;
+
+//
+// class implementing IScanIssue to hold our custom scan issue details
+//
+
+class CustomScanIssue implements IScanIssue {
+ private final IHttpService httpService;
+ private final URL url;
+ private final IHttpRequestResponse[] httpMessages;
+ private final String name;
+ private final String background;
+ private final String detail;
+ private final String severity;
+ private final String confidence;
+
+ public CustomScanIssue(
+ IHttpService httpService,
+ URL url,
+ IHttpRequestResponse[] httpMessages,
+ String name,
+ String detail,
+ String background,
+ String severity,
+ String confidence) {
+ this.httpService = httpService;
+ this.url = url;
+ this.httpMessages = httpMessages;
+ this.name = name;
+ this.detail = detail;
+ this.background = background;
+ this.severity = severity;
+ this.confidence = confidence;
+ }
+
+ @Override
+ public URL getUrl() {
+ return url;
+ }
+
+ @Override
+ public String getIssueName() {
+ return name;
+ }
+
+ @Override
+ public int getIssueType() {
+ return 0;
+ }
+
+ @Override
+ public String getSeverity() {
+ return severity;
+ }
+
+ @Override
+ public String getConfidence() {
+ return confidence;
+ } // Expected values are "Certain", "Firm" or "Tentative".
+
+ @Override
+ public String getIssueBackground() {
+ return background;
+ }
+
+ @Override
+ public String getRemediationBackground() {
+ return null;
+ }
+
+ @Override
+ public String getIssueDetail() {
+ return detail;
+ }
+
+ @Override
+ public String getRemediationDetail() {
+ return null;
+ }
+
+ @Override
+ public IHttpRequestResponse[] getHttpMessages() {
+ return httpMessages;
+ }
+
+ @Override
+ public IHttpService getHttpService() {
+ return httpService;
+ }
+}
\ No newline at end of file
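Review bot: The constructor takes `String detail` before `String background`, while the fields are declared `background` then `detail`; because both are plain `String`s, a caller that follows the field order compiles silently and the issue detail ends up in Burp's background panel and vice versa (the call sites in the other files are not visible here, so this is a latent hazard rather than a confirmed mix-up). Reordering the parameters to `String name, String background, String detail, String severity, String confidence` to match the fields, or at least adding a Javadoc on the constructor spelling out each positional `String`, removes the ambiguity. The trailing comment on `getConfidence()` sits after the closing brace where it is easy to miss; a Javadoc above the method, plus a matching one on `getSeverity()` naming the values Burp accepts (`"High"`, `"Medium"`, `"Low"`, `"Information"`, `"False positive"`), would document both contracts in the usual place.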
diff --git a/src/main/java/burp/ExecutorServiceManager.java b/src/main/java/burp/ExecutorServiceManager.java
new file mode 100644
index 0000000..e5e62a2
--- /dev/null
+++ b/src/main/java/burp/ExecutorServiceManager.java
@@ -0,0 +1,26 @@
+package burp;
+
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+public class ExecutorServiceManager {
+ private static ExecutorServiceManager executorServiceManager = null;
+ private final ExecutorService executorService = Executors.newFixedThreadPool(5);
+
+ public static ExecutorServiceManager getInstance() {
+ if (executorServiceManager == null)
+ executorServiceManager = new ExecutorServiceManager();
+ return executorServiceManager;
+ }
+
+ private ExecutorServiceManager() {
+ }
+
+ public ExecutorService getExecutorService() {
+ return executorService;
+ }
+
+
+}
+
+
diff --git a/src/main/java/burp/InterestingStuffFinder.java b/src/main/java/burp/InterestingStuffFinder.java
new file mode 100644
index 0000000..e61f38e
--- /dev/null
+++ b/src/main/java/burp/InterestingStuffFinder.java
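Review bot: `getInstance()` is an unsynchronized check-then-create, so two threads racing on first use can each construct a manager with its own `newFixedThreadPool(5)`, leaving one pool unreachable and never covered by the `shutdownNow()` that `BurpExtender.extensionUnloaded` issues on the instance it holds. The instance is trivially cheap, so eager initialization removes the race without a lock: `private static final ExecutorServiceManager INSTANCE = new ExecutorServiceManager();` and `public static ExecutorServiceManager getInstance() { return INSTANCE; }`. It is also worth a Javadoc on `getExecutorService()` noting that after the extension is unloaded the returned pool is terminated and any further `submit` will throw `RejectedExecutionException`, since nothing here recreates it.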
@@ -0,0 +1,236 @@ +package burp; + +import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import static burp.BurpExtender.mStdErr; + +/** + * Class to find interesting stuff in JavaScript & JSON files + */ + +public class InterestingStuffFinder implements Runnable { + private static final IBurpExtenderCallbacks callbacks = BurpExtender.getCallbacks(); + private static final IExtensionHelpers helpers = callbacks.getHelpers(); + private final IHttpRequestResponse[] baseRequestResponseArray; + private static final String WHITE_SPACES = "(\\s*)"; + + private static final Pattern CLOUD_URLS_REGEX = Pattern.compile("([\\w]+[.]){1,10}" + // get up to 10 subdomain levels + "(s3.amazonaws.com|rds.amazonaws.com|cache.amazonaws.com|" + // AWS + "blob.core.windows.net|onedrive.live.com|1drv.com|" + // Azure + "storage.googleapis.com|storage.cloud.google.com|storage-download.googleapis.com|content-storage-upload.googleapis.com|content-storage-download.googleapis.com|" + // Google + "cloudfront.net|" + + "digitaloceanspaces.com|" + + "oraclecloud.com|" + + "aliyuncs.com|" + // Ali baba + "firebaseio.com|" + // Firebase + "rackcdn.com|" + + "objects.cdn.dream.io|objects-us-west-1.dream.io)", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE); + + // Inspired by: https://github.com/nsonaniya2010/SubDomainizer/blob/master/SubDomainizer.py + private static final Pattern SECRETS_REGEX = Pattern.compile(("['\"`]?(\\w*)" + // Starts with a quote then a word / white spaces + WHITE_SPACES + + "(secret|token|password|passwd|authorization|bearer|aws_access_key_id|aws_secret_access_key|irc_pass|SLACK_BOT_TOKEN|id_dsa" + + "secret[_-]?(key|token|secret)|" + + "api[_-]?(key|token|secret)|" + + "access[_-]?(key|token|secret)|" + + "auth[_-]?(key|token|secret)|" + + "session[_-]?(key|token|secret)|" + + "consumer[_-]?(key|token|secret)|" + + "private[_-]?(key|token|secret)|" + + "client[_-]?(id|token|key)|" + + "ssh[_-]?key|" + + "encrypt[_-]?(secret|key)|" + 
+ "decrypt[_-]?(secret|key)|" + + "github[_-]?(key|token|secret)|" + + "slack[_-]?token)" + + "(\\w*)" + // in case there are any characters / white spaces + WHITE_SPACES + + "['\"`]?" + // closing quote for variable name + WHITE_SPACES +// white spaces + "[:=]+[:=>]?" +// assignments operation + WHITE_SPACES + + "['\"`]" + // opening quote for secret + WHITE_SPACES + + "([\\w\\-/~!@#$%^&*+]+)" + // Assuming secrets will be alphanumeric with some special characters + WHITE_SPACES + + "['\"`]" // closing quote for secrets + ), + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE); + + private static final String SCAN_ISSUE_HEADER = "This issue was generated by \"" + BurpExtender.EXTENSION_NAME + "\" Burp extension.

"; + private static final String CONFIDENCE_CERTAIN = "Certain"; + private static final String CONFIDENCE_TENTATIVE = "Tentative"; + private static final String CONFIDENCE_FIRM = "Firm"; + private static final String SEVERITY_INFORMATION = "Information"; + private static final String SEVERITY_MEDIUM = "Medium"; + private static final String HTML_LIST_OPEN = "
    "; + private static final String HTML_LIST_BULLET_OPEN = "
  • "; + private static final String HTML_LIST_BULLET_CLOSED = "
  • "; + private static final String HTML_LIST_CLOSED = "
"; + + + InterestingStuffFinder(IHttpRequestResponse[] baseRequestResponseArray) { + this.baseRequestResponseArray = baseRequestResponseArray; + } + + public void run() { + try { + for (IHttpRequestResponse baseRequestResponse : baseRequestResponseArray) { + // only process ".js" and ".json" files + if (baseRequestResponse.getResponse() != null + && + ( + (helpers.analyzeRequest(baseRequestResponse).getUrl().getPath().endsWith(".js")) + || (helpers.analyzeRequest(baseRequestResponse).getUrl().getPath().endsWith(".json")) + ) + && BurpExtender.isLoaded() + ) { + String responseString = new String(baseRequestResponse.getResponse()); + String responseBodyString = responseString.substring(helpers.analyzeResponse(baseRequestResponse.getResponse()).getBodyOffset()); + mainHandler(baseRequestResponse, responseBodyString); + + } + } + } catch (Exception e) { + try { + throw e; + } catch (Exception ex) { + mStdErr.println("InterestingStuffFinder run Exception"); + } + } + } + + private void mainHandler(IHttpRequestResponse baseRequestResponse, String responseBodyString) { + findSecrets(baseRequestResponse, responseBodyString); + findSubDomains(baseRequestResponse, responseBodyString); + findCloudURLs(baseRequestResponse, responseBodyString); + } + + /** + * Scan function 1 - Check all strings for potential secrets (uses Shannon Entropy to increase confidence) + */ + private void findSecrets(IHttpRequestResponse baseRequestResponse, String responseBodyString) { + + Matcher matcherSecrets = SECRETS_REGEX.matcher(responseBodyString); + while (matcherSecrets.find() && BurpExtender.isLoaded()) { + List secretsMatches = Utilities.getMatches(baseRequestResponse.getResponse(), helpers.stringToBytes(matcherSecrets.group())); + double entropy = Utilities.getShannonEntropy(matcherSecrets.group(20)); // group(2) matches our secret + if (entropy >= 3.5) { + // if high entropy, confidence is "Firm" + IScanIssue secretsCustomScanIssue = new CustomScanIssue( + 
baseRequestResponse.getHttpService(), + helpers.analyzeRequest(baseRequestResponse).getUrl(), + new IHttpRequestResponse[]{callbacks.applyMarkers(baseRequestResponse, null, secretsMatches)}, + "[JS Miner] Secrets / Credentials", + SCAN_ISSUE_HEADER + + "The following secrets / credentials has high entropy and it was found in a JavaScript file." + + HTML_LIST_OPEN + + HTML_LIST_BULLET_OPEN + matcherSecrets.group() + HTML_LIST_BULLET_CLOSED + + HTML_LIST_CLOSED + + "The identified secrets are also highlighted in the HTTP response.
" + + "
", + null, + SEVERITY_MEDIUM, + CONFIDENCE_FIRM); + Utilities.reportIssueIfNotDuplicate(secretsCustomScanIssue, baseRequestResponse); + } else { + // if low entropy, confidence is "Tentative" + IScanIssue secretsCustomScanIssue = new CustomScanIssue( + baseRequestResponse.getHttpService(), + helpers.analyzeRequest(baseRequestResponse).getUrl(), + new IHttpRequestResponse[]{callbacks.applyMarkers(baseRequestResponse, null, secretsMatches)}, + "[JS Miner] Secrets / Credentials", + SCAN_ISSUE_HEADER + + "The following secrets / credentials has high entropy and it was found in a JavaScript file." + + HTML_LIST_OPEN + + HTML_LIST_BULLET_OPEN + matcherSecrets.group() + HTML_LIST_BULLET_CLOSED + + HTML_LIST_CLOSED + + "The identified secrets are also highlighted in the HTTP response.
" + + "
", + null, + SEVERITY_MEDIUM, + CONFIDENCE_TENTATIVE); + Utilities.reportIssueIfNotDuplicate(secretsCustomScanIssue, baseRequestResponse); + } + } + } + + /** + * Scan function 2 - Get all subdomains + */ + private void findSubDomains(IHttpRequestResponse baseRequestResponse, String responseBodyString) { + + String requestDomain = helpers.analyzeRequest(baseRequestResponse).getUrl().getHost(); + // Get root Domain (e.g.: example.com instead of sub.example.com) + Pattern rootDomainRegex = Pattern.compile("[a-z0-9]+.[a-z0-9]+$", Pattern.CASE_INSENSITIVE); + Matcher matcherRootDomain = rootDomainRegex.matcher(requestDomain); + if (matcherRootDomain.find() && BurpExtender.isLoaded()) { + String rootDomain = matcherRootDomain.group(); + // Simple SubDomains Regex + Pattern subDomainsRegex = Pattern.compile("([a-z0-9]+[.])+" + rootDomain, Pattern.CASE_INSENSITIVE); + Matcher matcherSubDomains = subDomainsRegex.matcher(responseBodyString); + while (matcherSubDomains.find() && BurpExtender.isLoaded()) { + if (!matcherSubDomains.group().equals("www." + requestDomain) + && !matcherSubDomains.group().equals(requestDomain) + && !matcherSubDomains.group().equals("www." + rootDomain)) { + // Get markers of found subdomains + List subDomainsMatches = Utilities.getMatches(baseRequestResponse.getResponse(), matcherSubDomains.group().getBytes()); + // report the issue + if (!subDomainsMatches.isEmpty()) { + IScanIssue subDomainsCustomScanIssue = new CustomScanIssue( + baseRequestResponse.getHttpService(), + helpers.analyzeRequest(baseRequestResponse).getUrl(), + new IHttpRequestResponse[]{callbacks.applyMarkers(baseRequestResponse, null, subDomainsMatches)}, + "[JS Miner] Subdomains", + SCAN_ISSUE_HEADER + + "The following subdomain was found in a JavaScript file." + + HTML_LIST_OPEN + + HTML_LIST_BULLET_OPEN + helpers.urlDecode(matcherSubDomains.group()) + HTML_LIST_BULLET_CLOSED + + HTML_LIST_CLOSED + + "The identified subdomains are also highlighted in the HTTP response.
" + + "
", + null, + SEVERITY_INFORMATION, + CONFIDENCE_CERTAIN); + Utilities.reportIssueIfNotDuplicate(subDomainsCustomScanIssue, baseRequestResponse); + } + } + } + } + + } + + /** + * Scan function 3 - Get Cloud URLs + */ + private void findCloudURLs(IHttpRequestResponse baseRequestResponse, String responseBodyString) { + + Matcher cloudURLsMatcher = CLOUD_URLS_REGEX.matcher(responseBodyString); + while (cloudURLsMatcher.find() && BurpExtender.isLoaded()) { + // Get markers of found Cloud URL Matches + List cloudHostsMatches = Utilities.getMatches(baseRequestResponse.getResponse(), cloudURLsMatcher.group().getBytes()); + // report the issue + if (!cloudHostsMatches.isEmpty()) { + IScanIssue cloudURLsCustomIssue = new CustomScanIssue( + baseRequestResponse.getHttpService(), + helpers.analyzeRequest(baseRequestResponse).getUrl(), + new IHttpRequestResponse[]{callbacks.applyMarkers(baseRequestResponse, null, cloudHostsMatches)}, + "[JS Miner] Cloud Resources", + SCAN_ISSUE_HEADER + + "The following cloud URL was found in a JavaScript file." + + HTML_LIST_OPEN + + HTML_LIST_BULLET_OPEN + cloudURLsMatcher.group() + HTML_LIST_BULLET_CLOSED + + HTML_LIST_CLOSED + + "The identified URLs are highlighted in the HTTP response.

" + + "
", + null, + SEVERITY_INFORMATION, + CONFIDENCE_CERTAIN); + Utilities.reportIssueIfNotDuplicate(cloudURLsCustomIssue, baseRequestResponse); + } + } + } +} diff --git a/src/main/java/burp/JSMapFile.java b/src/main/java/burp/JSMapFile.java new file mode 100644 index 0000000..583ecfb --- /dev/null +++ b/src/main/java/burp/JSMapFile.java @@ -0,0 +1,26 @@ +package burp; + +/* + * JS Source Maps - mainly used for ObjectMapper + */ + +public class JSMapFile { + private String[] sources; + private String[] sourcesContent; + + public String[] getSources() { + return sources; + } + + public void setSources(String[] sources) { + this.sources = sources; + } + + public String[] getSourcesContent() { + return sourcesContent; + } + + public void setSourcesContent(String[] sourcesContent) { + this.sourcesContent = sourcesContent; + } +} \ No newline at end of file diff --git a/src/main/java/burp/JSMapFileFetcher.java b/src/main/java/burp/JSMapFileFetcher.java new file mode 100644 index 0000000..4491274 --- /dev/null +++ b/src/main/java/burp/JSMapFileFetcher.java 
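Review bot: The alternation in SECRETS_REGEX is broken at `"...irc_pass|SLACK_BOT_TOKEN|id_dsa" + "secret[_-]?(key|token|secret)|"`: no `|` separates `id_dsa` from the next alternative, so the pattern matches `id_dsasecret_key` and never a bare `id_dsa`; `"...|SLACK_BOT_TOKEN|id_dsa|" +` restores both. The entropy lookup uses `group(20)`, which does reach the final capture today, but the comment beside it says group 2 and the index moves with every edit to the nested alternation, so a named group `(?<secret>[\\w\\-/~!@#$%^&*+]+)` read back with `group("secret")` is safer. Both branches of findSecrets describe the match as having "high entropy", although the else branch is the low-entropy, Tentative case; `rootDomainRegex` in findSubDomains also needs an escaped dot (`"[a-z0-9]+\\.[a-z0-9]+$"`). Text taken from the target's response (`matcherSecrets.group()`, `cloudURLsMatcher.group()`, the decoded subdomain) is concatenated into the issue detail, which Burp renders as HTML, so it should be HTML-escaped before being placed between the list markup. The outer `catch (Exception e) { try { throw e; } catch (Exception ex) { ... } }` in run() is a no-op rethrow that discards the exception; printing `e` (or at least `e.getMessage()`) to mStdErr keeps the diagnostic, and `new String(baseRequestResponse.getResponse())` should name a charset or use `helpers.bytesToString(...)` rather than the platform default.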
@@ -0,0 +1,146 @@ +package burp; + +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; + +import java.io.File; +import java.io.IOException; +import java.net.URL; +import java.nio.file.*; + +import static burp.BurpExtender.mStdErr; + +public class JSMapFileFetcher implements Runnable { + private static final IBurpExtenderCallbacks callbacks = BurpExtender.getCallbacks(); + private static final IExtensionHelpers helpers = BurpExtender.getHelpers(); + private final URL myURL; + private final Path outputDirectory; + + public JSMapFileFetcher(URL myURL, long currentTimestamp) { + this.myURL = myURL; + this.outputDirectory = Paths.get(System.getProperty("user.home")) + .resolve(".BurpSuite") + .resolve("JS-Miner") + .resolve(myURL.getHost() + "-" + currentTimestamp); + } + + private URL getMyURL() { + return myURL; + } + + private Path getOutputDirectory() { + return outputDirectory; + } + + public Path getTempDirectory() { + return getOutputDirectory().resolve("tmp"); + } + + public void run() { + try { + IHttpRequestResponse newHTTPReqRes = callbacks.makeHttpRequest(Utilities.url2HttpService(getMyURL()), helpers.buildHttpRequest(getMyURL())); + // if 200 OK, add to sitemap & pass content to parse map files + if (helpers.analyzeResponse(newHTTPReqRes.getResponse()).getStatusCode() == 200 + && BurpExtender.isLoaded() + ) { + callbacks.addToSiteMap(newHTTPReqRes); + String response = new String(newHTTPReqRes.getResponse()); + String responseBody = response.substring(helpers.analyzeRequest(newHTTPReqRes.getResponse()).getBodyOffset()); + parseMapFile(newHTTPReqRes, responseBody); + } + } catch (Exception e) { + mStdErr.println("JSMapFileFetcher run Exception"); + } + } + + // Function 1 - parse Map Files + private void parseMapFile(IHttpRequestResponse httpReqRes, String json) { + ObjectMapper objectMapper = new ObjectMapper() + .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + try { + 
JSMapFile mapFile = objectMapper.readValue(json, JSMapFile.class); + for (int i = 0; i <= mapFile.getSources().length - 1; i++) { + saveFile( + httpReqRes, + mapFile.getSources()[i].replaceAll("[?%*|:\"<>~]", ""), + helpers.stringToBytes(mapFile.getSourcesContent()[i]) + ); + } + } catch (Exception e) { + mStdErr.println("[-] Error processing the file - parseMapFile Exception."); + } + } + + // Function 2 - After parsing map files, save resulting data to mapped destinations + private void saveFile(IHttpRequestResponse httpReqRes, String sourceFilePath, byte[] data) { + Path filePath = Paths.get(sourceFilePath); + String fileName = filePath.getFileName().toString(); + Utilities.createDirectoriesIfNotExist(getTempDirectory()); + try { + Path tempFile = Files.createTempFile(getTempDirectory(), fileName, ".js"); + Files.write(tempFile, data); + String trustedFileName = secureFile(sourceFilePath); + Path trustedPath = Paths.get(trustedFileName); + // check & rename to "e.g.: existingFile_n.js" if duplicate + trustedPath = Utilities.handleDuplicateFile(trustedPath); + Files.move(tempFile, trustedPath); + if (!Utilities.isDirEmpty(getOutputDirectory())) { + sendJSMapperIssue(httpReqRes); + } + } catch (IOException e) { + mStdErr.println("[-] Error saving the file - saveFile IOException."); + } + } + + + // Function 3 - Security check for File name to prevent potential path traversal attacks + private String secureFile(String fileName) { + File destinationDir = new File(getOutputDirectory().toString()); + + String fakeRootPath; + if (System.getenv("SystemDrive") != null) { + fakeRootPath = System.getenv("SystemDrive"); + } else { + fakeRootPath = FileSystems.getDefault().getSeparator(); + } + File untrustedFile = new File(fakeRootPath + fileName); // Fake root path + + File trustedFile; + try { + trustedFile = new File(destinationDir.getCanonicalPath() + + untrustedFile.toPath().normalize().toString().replace(fakeRootPath, FileSystems.getDefault().getSeparator())); // 
Replace fakeRootPath with system separator + + if (trustedFile.getCanonicalPath().startsWith(destinationDir.getCanonicalPath())) { + Utilities.createDirectoriesIfNotExist(trustedFile.getParentFile().toPath()); + return trustedFile.toString(); + } else { + mStdErr.println("[-] Unexpected OS file write was prevented."); + } + } catch (IOException ioException) { + mStdErr.println("[-] secureFile failed - IOException."); + } + // If structuring the file path failed, keep the file in the temp directory instead of not saving it + return getTempDirectory().toString(); + } + + private void sendJSMapperIssue(IHttpRequestResponse httpReqRes) { + IScanIssue scanIssue = null; + try { + scanIssue = new CustomScanIssue( + httpReqRes.getHttpService(), + getMyURL(), + new IHttpRequestResponse[]{httpReqRes}, + "[JS Miner] JavaScript Source Mapper", + "This issue was generated by \"" + BurpExtender.EXTENSION_NAME + "\" Burp extension.

" + + "It was possible to retrieve JavaScript source map files of the target host." + + "The retrieved (front-end) source code is available (for manual review) in the following location:

" + + "" + getOutputDirectory() + "", + null, + "Information", + "Certain"); + } catch (Exception e) { + mStdErr.println("[-] createDirectoriesIfNotExist Exception."); + } + Utilities.reportIssueIfNotDuplicate(scanIssue, httpReqRes); + } +} \ No newline at end of file diff --git a/src/main/java/burp/JSMinerScan.java b/src/main/java/burp/JSMinerScan.java new file mode 100644 index 0000000..5c55ca5 --- /dev/null +++ b/src/main/java/burp/JSMinerScan.java 
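Review bot: In `run()` the body offset is taken from `helpers.analyzeRequest(newHTTPReqRes.getResponse()).getBodyOffset()`, which parses the response as a request; InterestingStuffFinder uses `helpers.analyzeResponse(...)` for the same purpose and that is the correct call here (the offset may coincide in practice, but the first-line parsing differs). `parseMapFile` walks `getSources().length` and indexes `getSourcesContent()[i]`, so a map file whose `sourcesContent` is absent (Jackson leaves the field null) or shorter than `sources` throws and the remaining entries of that file are dropped; checking both arrays for null and taking `Math.min` of the two lengths before the loop, and skipping null entries, is cheap. In `saveFile`, `Utilities.handleDuplicateFile` can return null and `secureFile` falls back to the tmp *directory* path, so `Files.move` is then given a null or a directory as target; both cases should be handled explicitly as "leave the file in tmp" rather than relied on to throw (the NPE is not an IOException and escapes this method's catch). `sendJSMapperIssue` passes `scanIssue` to `reportIssueIfNotDuplicate` even when its catch block left it null, and its log message names `createDirectoriesIfNotExist` instead of this method. `new String(newHTTPReqRes.getResponse())` decodes with the platform charset; `helpers.bytesToString(...)` or an explicit `StandardCharsets.UTF_8` makes the parse deterministic across installs.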
@@ -0,0 +1,95 @@
+package burp;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.time.Instant;
+import java.util.HashSet;
+
+import static burp.BurpExtender.mStdErr;
+
+/**
+ * Manage extension scan targets which shall invoke other scans
+ */
+
+public class JSMinerScan {
+
+    private static final IBurpExtenderCallbacks callbacks = BurpExtender.getCallbacks();
+    private static final IExtensionHelpers helpers = BurpExtender.getHelpers();
+
+    final URL targetURL;
+    final IHttpRequestResponse baseHTTPReqRes;
+    final boolean sourceMapScan;
+    final boolean findInterestingStuffScan;
+
+    public URL getTargetURL() {
+        return targetURL;
+    }
+
+    public boolean isSourceMapScan() {
+        return sourceMapScan;
+    }
+
+    public boolean isFindInterestingStuffScan() {
+        return findInterestingStuffScan;
+    }
+
+    JSMinerScan(IHttpRequestResponse baseHTTPReqRes, boolean sourceMapScan, boolean findInterestingStuffScan) {
+        this.baseHTTPReqRes = baseHTTPReqRes;
+        this.targetURL = helpers.analyzeRequest(this.baseHTTPReqRes).getUrl();
+
+        // Scan flags
+        this.sourceMapScan = sourceMapScan;
+        this.findInterestingStuffScan = findInterestingStuffScan;
+
+        // Kick off the scans
+        invokeScans();
+    }
+
+    // All scans should be invoked from here
+    private void invokeScans() {
+        // Fetch the target's HTTP requests / responses from site map
+        IHttpRequestResponse[] siteMapReqResArray = callbacks.getSiteMap(
+                Utilities.getURL(getTargetURL())
+        );
+
+        if (isSourceMapScan()) {
+            HashSet sourceMapURLs = guessSourceMapFiles(siteMapReqResArray);
+            invokeJavaScriptSourceMapper(sourceMapURLs);
+        }
+
+        if (isFindInterestingStuffScan()) {
+            BurpExtender.getExecutorServiceManager().getExecutorService().submit(new InterestingStuffFinder(siteMapReqResArray));
+        }
+    }
+
+    // Function to handle Source Mapper scan
+    private void invokeJavaScriptSourceMapper(HashSet sourceMapURLs) {
+        long currentTimestamp = Instant.now().toEpochMilli();
+        // Crawl URLs & construct sources from .map files
+
if (sourceMapURLs.size() > 1) {
+            // Try to Fetch Map Files
+            for (URL url : sourceMapURLs) {
+                BurpExtender.getExecutorServiceManager().getExecutorService().submit(
+                        new JSMapFileFetcher(url, currentTimestamp)
+                );
+            }
+        }
+    }
+
+    // Function to guess source map URLs ( it fetches all ".js" files from siteMapReqResArray then append ".map" to them)
+    private HashSet guessSourceMapFiles(IHttpRequestResponse[] iHttpRequestResponses) {
+        HashSet urls = new HashSet<>();
+        for (IHttpRequestResponse message : iHttpRequestResponses) {
+            URL url = helpers.analyzeRequest(message).getUrl();
+            if (url.getPath().endsWith(".js")) {
+                try {
+                    // Appending ".map" to the list of ".js" files
+                    urls.add(new URL(Utilities.appendURLPath(url, ".map")));
+                } catch (MalformedURLException malformedURLException) {
+                    mStdErr.println("guessSourceMapFiles MalformedURLException.");
+                }
+            }
+        }
+        return urls;
+    }
+}
diff --git a/src/main/java/burp/Utilities.java b/src/main/java/burp/Utilities.java
new file mode 100644
index 0000000..ce621a2
--- /dev/null
+++ b/src/main/java/burp/Utilities.java
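Review bot: `if (sourceMapURLs.size() > 1)` in invokeJavaScriptSourceMapper skips the fetch entirely when exactly one candidate `.map` URL was guessed, which is the common case for a site with a single bundle; `if (!sourceMapURLs.isEmpty())` is the intended guard. The constructor calls `invokeScans()`, so merely constructing a JSMinerScan submits work to the shared executor before the caller holds a usable reference; moving the kick-off into an explicit `start()` method or a static factory keeps construction side-effect free and makes the class testable. guessSourceMapFiles turns every `.js` entry in the site map into one outbound request through JSMapFileFetcher, so a sentence in its comment stating that this is active traffic against the target host (not a passive site-map read) helps users running scope-restricted sessions.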
@@ -0,0 +1,211 @@ +package burp; + +import java.io.IOException; +import java.net.URL; +import java.nio.file.DirectoryStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import static burp.BurpExtender.*; + +public final class Utilities { + private static final Pattern FILE_NAME_REGEX = Pattern.compile("(.*)\\.(.*)"); + + private Utilities() { + } + + private static final IBurpExtenderCallbacks callbacks = BurpExtender.getCallbacks(); + private static final IExtensionHelpers helpers = BurpExtender.getHelpers(); + + public static void reportIssueIfNotDuplicate(IScanIssue iScanIssue, IHttpRequestResponse baseRequestResponse) { + synchronized (Utilities.class) { + if (isNewIssue(iScanIssue, helpers.analyzeRequest(baseRequestResponse).getUrl())) { + callbacks.addScanIssue(iScanIssue); + } + } + } + + private static boolean isNewIssue(IScanIssue scanIssueCheck, URL targetURL) { + String urlPrefix = Utilities.getURLPrefix(targetURL); + IScanIssue[] allIssues = getCallbacks().getScanIssues(urlPrefix); + for (IScanIssue scanIssue : allIssues) { + if (scanIssue.getIssueName().equals(scanIssueCheck.getIssueName()) + && scanIssue.getIssueDetail().equals(scanIssueCheck.getIssueDetail()) + ) { + return false; + } + } + return true; + } + + // Source: https://rosettacode.org/wiki/Entropy#Java + @SuppressWarnings("boxing") + public static double getShannonEntropy(String s) { + int n = 0; + Map occ = new HashMap<>(); + + for (int c_ = 0; c_ < s.length(); ++c_) { + char cx = s.charAt(c_); + if (occ.containsKey(cx)) { + occ.put(cx, occ.get(cx) + 1); + } else { + occ.put(cx, 1); + } + ++n; + } + double e = 0.0; + for (Map.Entry entry : occ.entrySet()) { + if (n != 0) { + double p = (double) entry.getValue() / n; + e += p * log2(p); + } + } + return -e; + } + + private static 
double log2(double a) { + return Math.log(a) / Math.log(2); + } + + /** + * Source: https://github.com/PortSwigger/example-scanner-checks/blob/master/java/BurpExtender.java + * helper method to search a response for occurrences of a literal match string + * and return a list of start/end offsets + */ + public static List getMatches(byte[] response, byte[] match) { + List matches = new ArrayList<>(); + + int start = 0; + while (start < response.length) { + start = helpers.indexOf(response, match, true, start, response.length); + if (start == -1) + break; + matches.add(new int[]{start, start + match.length}); + start += match.length; + } + + return matches; + } + + public static Path handleDuplicateFile(Path originalFilePath) { + if (Files.exists(originalFilePath)) { + Matcher matcherFileName = FILE_NAME_REGEX.matcher(originalFilePath.toString()); + if ( + matcherFileName.find() + && !matcherFileName.group(1).isEmpty() + && !matcherFileName.group(2).isEmpty() + ) { + String fileName = matcherFileName.group(1); + String fileExtension = matcherFileName.group(2); + return findValidName(originalFilePath, fileName, fileExtension); + } else { + return Paths.get(originalFilePath.getParent().toString()) + .resolve(originalFilePath + "_copy"); + } + } + return originalFilePath; + } + + private static Path findValidName(Path originalFilePath, String fileName, String fileExtension) { + // To maintain performance, we will only handle 20 duplicate file names + for (int i = 1; i < 20; i++) { + if (!Files.exists( + Paths.get(originalFilePath.getParent().toString()) // get parent directory + .resolve(fileName + "_" + i + "." + fileExtension) // append suffix + )) { + return Paths.get(originalFilePath.getParent().toString()) // get parent directory + .resolve(fileName + "_" + i + "." 
+ fileExtension); // append suffix + } + } + return null; + } + + public static void createDirectoriesIfNotExist(Path directoryPath) { + if (!Files.exists(directoryPath)) { + try { + Files.createDirectories(directoryPath); + } catch (IOException ioException) { + mStdErr.println("[-] createDirectoriesIfNotExist IOException."); + } + } + } + + public static boolean isDirEmpty(Path directory) throws IOException { + try (DirectoryStream dirStream = Files.newDirectoryStream(directory)) { + return !dirStream.iterator().hasNext(); + } + } + + // Build IHttpService object from a URL (to use it for "makeHttpRequest") + static IHttpService url2HttpService(URL url) { + return new IHttpService() { + @Override + // This is the actual host + public String getHost() { + return url.getHost(); + } + + @Override + public int getPort() { + if ((url.getPort() == -1) && (url.getProtocol().equals("https"))) { + return 443; + } else if ((url.getPort() == -1) && (url.getProtocol().equals("http"))) { + return 80; + } else { + return url.getPort(); + } + } + + @Override + public String getProtocol() { + return url.getProtocol(); + } + }; + } + + public static String getURL(URL url) { + String urlString = url.toString(); + if (url.getDefaultPort() == url.getPort()) { // https://example.com:443/index -> https://example.com/index + urlString = urlString.replaceFirst(":" + url.getPort(), ""); + } + return urlString; + } + + // get URL Prefix without query strings (to use with "getScanIssues") + public static String getURLPrefix(URL url) { + if (url.getDefaultPort() == url.getPort()) { + return url.getProtocol() + "://" + + url.getHost() + + url.getPath(); + } else { + return url.getProtocol() + "://" + + url.getHost() + + ":" + + url.getPort() + + url.getPath(); + } + } + + public static String appendURLPath(URL url, String appendedPath) { + if ((url.getProtocol().equalsIgnoreCase("https") && url.getPort() == 443) + || (url.getProtocol().equalsIgnoreCase("http") && url.getPort() == 80) + ) { + 
return url.getProtocol() + "://" + + url.getHost() + + url.getPath() + appendedPath; + } else { + return url.getProtocol() + "://" + + url.getHost() + + ":" + + url.getPort() + + url.getPath() + appendedPath; + } + } +}
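Review bot: `findValidName` returns null once its candidates are exhausted (the loop runs `i < 20`, so 19 names, while the comment promises 20), and `handleDuplicateFile` forwards that null to callers that hand it straight to `Files.move`; returning the `_copy` fallback or throwing an explicit `IOException` is safer than a null from a Path-returning method. `handleDuplicateFile` also runs FILE_NAME_REGEX over the whole path string, so a dot anywhere in a parent directory (the `.BurpSuite` folder, or a host name embedded in the output directory) is taken as the extension separator and the rebuilt path lands outside the intended directory; match against `originalFilePath.getFileName().toString()` and resolve the result against `originalFilePath.getParent()`. `isNewIssue` calls `scanIssue.getIssueDetail().equals(...)` on every existing issue under the prefix, and issues raised by other sources may carry a null detail, so `Objects.equals(scanIssue.getIssueDetail(), scanIssueCheck.getIssueDetail())` avoids an NPE, and `reportIssueIfNotDuplicate` should reject a null `iScanIssue` up front. `getMatches` never advances on an empty `match` (`start += 0`), so `if (match.length == 0) return matches;` protects callers that pass an empty capture group. `getShannonEntropy` credits Rosetta Code, but the `c_`/`cx` loop names and the redundant `n != 0` test inside the second loop are worth tidying while the method is being copied in.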