Created sendToDetector function that handles the logistics around the…

… integration with the xss detectors
NetSPI · Dec 23, 2014 · 375551d · 375551d
1 parent 5092130
commit 375551d
Showing 1 changed file with 30 additions and 111 deletions.
diff --git a/burp-extender/src/burp/BurpExtender.java b/burp-extender/src/burp/BurpExtender.java
@@ -133,70 +133,13 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest,
 
         if ((toolFlag != 32) || (!messageIsRequest)) {
             if ((toolFlag == 32) && (!messageIsRequest)) {
-                HttpPost PhantomJs = new HttpPost(this.phantomURL.getText());
-                HttpPost SlimerJS = new HttpPost(this.slimerURL.getText());
-                try {
-                    byte[] encodedBytes = Base64.encodeBase64(messageInfo
-                            .getResponse());
-                    String encodedResponse = this.helpers
-                            .bytesToString(encodedBytes);
-
-                    List nameValuePairs = new ArrayList(1);
-                    nameValuePairs.add(new BasicNameValuePair("http-response",
-                            encodedResponse));
-
-                    PhantomJs
-                    .setEntity(new UrlEncodedFormEntity(nameValuePairs));
-
-                    HttpResponse response = this.client.execute(PhantomJs);
-                    String responseAsString = EntityUtils.toString(response
-                            .getEntity());
-
-                    this.stdout.println("Response: " + responseAsString);
-
-                    if (responseAsString.toLowerCase().contains(
-                            BurpExtender.triggerPhrase.toLowerCase())) {
-                        String newResponse = this.helpers
-                                .bytesToString(messageInfo.getResponse())
-                                + this.grepVal.getText();
-                        messageInfo.setResponse(this.helpers
-                                .stringToBytes(newResponse));
-                        this.stdout.println("XSS Found");
-                    }
-                }catch (Exception e) {
-                    this.stderr.println(e.getMessage());
-                }
+            boolean vulnerable;
 
-                try {
-                    byte[] encodedBytes = Base64.encodeBase64(messageInfo
-                            .getResponse());
-                    String encodedResponse = this.helpers
-                            .bytesToString(encodedBytes);
-
-                    List nameValuePairs = new ArrayList(1);
-                    nameValuePairs.add(new BasicNameValuePair("http-response",
-                            encodedResponse));
-
-                    SlimerJS.setEntity(new UrlEncodedFormEntity(nameValuePairs));
-
-                    HttpResponse response = this.client.execute(SlimerJS);
-                    String responseAsString = EntityUtils.toString(response
-                            .getEntity());
-
-                    this.stdout.println("Response: " + responseAsString);
-
-                    if (responseAsString.toLowerCase().contains(
-                            BurpExtender.triggerPhrase.toLowerCase())) {
-                        String newResponse = this.helpers
-                                .bytesToString(messageInfo.getResponse())
-                                + this.grepVal.getText();
-                        messageInfo.setResponse(this.helpers
-                                .stringToBytes(newResponse));
-                        this.stdout.println("XSS Found");
-                    }
-                }catch (Exception e) {
-                    this.stderr.println(e.getMessage());
-                }
+            vulnerable = sendToDetector(this.phantomURL.getText(), messageInfo);
+
+            // If Phantom.js doesn't process the payload, try slimer
+            if(!vulnerable)
+                vulnerable = sendToDetector(this.slimerURL.getText(), messageInfo);
             }
         }
     }
@@ -221,24 +164,11 @@ public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse)
 
     }
 
-    @Override
-    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
-        IntruderPayloadGenerator payloadGenerator = new IntruderPayloadGenerator(this);
-        BurpExtender.this.stdout.println("Beginning active scan with xssValidator");
-        // Prepare to start attacks
-        while(payloadGenerator.hasMorePayloads()) {
-            byte[] payload = payloadGenerator.getNextPayload(new byte[1]);
-            byte[] checkRequest = insertionPoint.buildRequest(payload);
-            IHttpRequestResponse messageInfo = mCallbacks.makeHttpRequest(
-                baseRequestResponse.getHttpService(), checkRequest);
-
-            // Too much code duplication, but for now it's ok
-            HttpPost PhantomJs = new HttpPost(this.phantomURL.getText());
-            HttpPost SlimerJS = new HttpPost(this.slimerURL.getText());
-
-            Boolean vulnerable = false;
+    public boolean sendToDetector(String detectorUrl, IHttpRequestResponse messageInfo) {
+        HttpPost detector = new HttpPost(detectorUrl);
+        Boolean vulnerable = false;
 
-            try {
+         try {
                 byte[] encodedBytes = Base64.encodeBase64(messageInfo
                         .getResponse());
                 String encodedResponse = this.helpers
@@ -248,10 +178,10 @@ public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, I
                 nameValuePairs.add(new BasicNameValuePair("http-response",
                         encodedResponse));
 
-                PhantomJs
+                detector
                 .setEntity(new UrlEncodedFormEntity(nameValuePairs));
 
-                HttpResponse response = this.client.execute(PhantomJs);
+                HttpResponse response = this.client.execute(detector);
                 String responseAsString = EntityUtils.toString(response
                         .getEntity());
 
@@ -271,39 +201,28 @@ public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, I
             }catch (Exception e) {
                 this.stderr.println(e.getMessage());
             }
+        return vulnerable;
+    }
 
-            try {
-                byte[] encodedBytes = Base64.encodeBase64(messageInfo
-                        .getResponse());
-                String encodedResponse = this.helpers
-                        .bytesToString(encodedBytes);
-
-                List nameValuePairs = new ArrayList(1);
-                nameValuePairs.add(new BasicNameValuePair("http-response",
-                        encodedResponse));
-
-                SlimerJS.setEntity(new UrlEncodedFormEntity(nameValuePairs));
-
-                HttpResponse response = this.client.execute(SlimerJS);
-                String responseAsString = EntityUtils.toString(response
-                        .getEntity());
+    @Override
+    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
+        IntruderPayloadGenerator payloadGenerator = new IntruderPayloadGenerator(this);
+        BurpExtender.this.stdout.println("Beginning active scan with xssValidator");
+        // Prepare to start attacks
+        while(payloadGenerator.hasMorePayloads()) {
+            byte[] payload = payloadGenerator.getNextPayload(new byte[1]);
+            byte[] checkRequest = insertionPoint.buildRequest(payload);
+            IHttpRequestResponse messageInfo = mCallbacks.makeHttpRequest(
+                baseRequestResponse.getHttpService(), checkRequest);
 
-                this.stdout.println("Response: " + responseAsString);
+            boolean vulnerable;
 
-                if (responseAsString.toLowerCase().contains(
-                        BurpExtender.triggerPhrase.toLowerCase())) {
-                    String newResponse = this.helpers
-                            .bytesToString(messageInfo.getResponse())
-                            + this.grepVal.getText();
-                    messageInfo.setResponse(this.helpers
-                            .stringToBytes(newResponse));
-                    this.stdout.println("XSS Found");
-                    vulnerable = true;
-                }
-            }catch (Exception e) {
-                this.stderr.println(e.getMessage());
-            }
+            vulnerable = sendToDetector(this.phantomURL.getText(), messageInfo);
 
+            // If Phantom.js doesn't process the payload, try slimer
+            if(!vulnerable)
+                vulnerable = sendToDetector(this.slimerURL.getText(), messageInfo);
+
             // Update this to actually detect matches
             List<int[]> matches = new ArrayList<int[]>();
             byte[] response = baseRequestResponse.getResponse();