diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..097f9f9
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,9 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# Linux start script should use lf
+/gradlew text eol=lf
+
+# These are Windows script files and should use crlf
+*.bat text eol=crlf
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a89dc68
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,33 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build
+
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+.idea
+.DS_Store
+out/
+dist/
+lib/bin
+
+# eclipse specific git ignore
+*.pydevproject
+.project
+.metadata
+bin/**
+tmp/**
+tmp/**/*
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
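Review bot: `bin/**` and `tmp/**` have a slash before their last component, so git anchors them to the directory that holds this .gitignore. An Eclipse `bin/` output folder inside a subproject directory would therefore not be ignored, unlike the unanchored `build` and `out/` entries. If the build has module subdirectories (not visible in this hunk), writing them as `bin/` and `tmp/` would cover every level. `tmp/**/*` is redundant, because `tmp/**` already matches everything under that directory at any depth. Separately, `local.properties` is the only entry that covers machine-local configuration; if the build reads credentials or signing material from any other untracked file, listing it here in the same commit keeps it from being staged by accident.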
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f288702
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b39a86d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# Burp DOM Scanner
+It's a Burp Suite's extension to allow for recursive crawling and scanning of Single Page Applications.
+It runs a Chromium browser to scan the webpage for DOM-based XSS.
+It can also collect all the requests (XHR, fetch, websockets, etc) issued during the crawling allowing them to be forwarded to Burp's Proxy, Repeater and Intruder.
+
+It requires node and [DOMDig](https://github.com/fcavallarin/domdig).
+
+## Some screenshots
+
+![Burp DOM Scanner Screenshots](https://htcrawl.org/img/burp-dom-scanner-all.png)
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 0000000..943f0cb
Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 0000000..f398c33
--- /dev/null
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,6 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+networkTimeout=10000
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
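Review bot: The wrapper fetches the archive named in `distributionUrl` and runs it, but there is no `distributionSha256Sum` entry, so the download is not verified against a known digest. Adding `distributionSha256Sum=<SHA-256 of gradle-7.6-bin.zip as published by Gradle>` makes the wrapper refuse a tampered or substituted distribution. The `gradle-wrapper.jar` added as a binary in the same commit is worth checking against Gradle's published wrapper checksums as well, since it executes on every build.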
diff --git a/gradlew b/gradlew
new file mode 100755
index 0000000..65dcd68
--- /dev/null
+++ b/gradlew
@@ -0,0 +1,244 @@
+#!/bin/sh
+
+#
+# Copyright © 2015-2021 the original authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##############################################################################
+#
+# Gradle start up script for POSIX generated by Gradle.
+#
+# Important for running:
+#
+# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+# noncompliant, but you have some other compliant shell such as ksh or
+# bash, then to run this script, type that shell name before the whole
+# command line, like:
+#
+# ksh Gradle
+#
+# Busybox and similar reduced shells will NOT work, because this script
+# requires all of these POSIX shell features:
+# * functions;
+# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+# * compound commands having a testable exit status, especially «case»;
+# * various built-in commands including «command», «set», and «ulimit».
+#
+# Important for patching:
+#
+# (2) This script targets any POSIX shell, so it avoids extensions provided
+# by Bash, Ksh, etc; in particular arrays are avoided.
+#
+# The "traditional" practice of packing multiple parameters into a
+# space-separated string is a well documented source of bugs and security
+# problems, so this is (mostly) avoided, by progressively accumulating
+# options in "$@", and eventually passing that to Java.
+#
+# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+# see the in-line comments for details.
+#
+# There are tweaks for specific operating systems such as AIX, CygWin,
+# Darwin, MinGW, and NonStop.
+#
+# (3) This script is generated from the Groovy template
+# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+# within the Gradle project.
+#
+# You can find Gradle at https://github.com/gradle/gradle/.
+#
+##############################################################################
+
+# Attempt to set APP_HOME
+
+# Resolve links: $0 may be a link
+app_path=$0
+
+# Need this for daisy-chained symlinks.
+while
+ APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
+ [ -h "$app_path" ]
+do
+ ls=$( ls -ld "$app_path" )
+ link=${ls#*' -> '}
+ case $link in #(
+ /*) app_path=$link ;; #(
+ *) app_path=$APP_HOME$link ;;
+ esac
+done
+
+# This is normally unused
+# shellcheck disable=SC2034
+APP_BASE_NAME=${0##*/}
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD=maximum
+
+warn () {
+ echo "$*"
+} >&2
+
+die () {
+ echo
+ echo "$*"
+ echo
+ exit 1
+} >&2
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "$( uname )" in #(
+ CYGWIN* ) cygwin=true ;; #(
+ Darwin* ) darwin=true ;; #(
+ MSYS* | MINGW* ) msys=true ;; #(
+ NONSTOP* ) nonstop=true ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD=$JAVA_HOME/jre/sh/java
+ else
+ JAVACMD=$JAVA_HOME/bin/java
+ fi
+ if [ ! -x "$JAVACMD" ] ; then
+ die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+ fi
+else
+ JAVACMD=java
+ which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
+ case $MAX_FD in #(
+ max*)
+ # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+ # shellcheck disable=SC3045
+ MAX_FD=$( ulimit -H -n ) ||
+ warn "Could not query maximum file descriptor limit"
+ esac
+ case $MAX_FD in #(
+ '' | soft) :;; #(
+ *)
+ # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+ # shellcheck disable=SC3045
+ ulimit -n "$MAX_FD" ||
+ warn "Could not set maximum file descriptor limit to $MAX_FD"
+ esac
+fi
+
+# Collect all arguments for the java command, stacking in reverse order:
+# * args from the command line
+# * the main class name
+# * -classpath
+# * -D...appname settings
+# * --module-path (only if needed)
+# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
+
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if "$cygwin" || "$msys" ; then
+ APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+ CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+ JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+ # Now convert the arguments - kludge to limit ourselves to /bin/sh
+ for arg do
+ if
+ case $arg in #(
+ -*) false ;; # don't mess with options #(
+ /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
+ [ -e "$t" ] ;; #(
+ *) false ;;
+ esac
+ then
+ arg=$( cygpath --path --ignore --mixed "$arg" )
+ fi
+ # Roll the args list around exactly as many times as the number of
+ # args, so each arg winds up back in the position where it started, but
+ # possibly modified.
+ #
+ # NB: a `for` loop captures its iteration list before it begins, so
+ # changing the positional parameters here affects neither the number of
+ # iterations, nor the values presented in `arg`.
+ shift # remove old arg
+ set -- "$@" "$arg" # push replacement arg
+ done
+fi
+
+# Collect all arguments for the java command;
+# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+# shell script including quotes and variable substitutions, so put them in
+# double quotes to make sure that they get re-expanded; and
+# * put everything else in single quotes, so that it's not re-expanded.
+
+set -- \
+ "-Dorg.gradle.appname=$APP_BASE_NAME" \
+ -classpath "$CLASSPATH" \
+ org.gradle.wrapper.GradleWrapperMain \
+ "$@"
+
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+ die "xargs is not available"
+fi
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+# set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+ printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+ xargs -n1 |
+ sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+ tr '\n' ' '
+ )" '"$@"'
+
+exec "$JAVACMD" "$@"
diff --git a/gradlew.bat b/gradlew.bat
new file mode 100644
index 0000000..93e3f59
--- /dev/null
+++ b/gradlew.bat
@@ -0,0 +1,92 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega
diff --git a/lib/build.gradle b/lib/build.gradle
new file mode 100644
index 0000000..c3b7b3f
--- /dev/null
+++ b/lib/build.gradle
@@ -0,0 +1,47 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * This generated file contains a sample Java library project to get you started.
+ * For more details take a look at the 'Building Java & JVM projects' chapter in the Gradle
+ * User Manual available at https://docs.gradle.org/7.6/userguide/building_java_projects.html
+ */
+
+plugins {
+ // Apply the java-library plugin for API and implementation separation.
+ id 'java-library'
+}
+
+repositories {
+ // Use Maven Central for resolving dependencies.
+ mavenCentral()
+}
+
+dependencies {
+ // Use JUnit Jupiter for testing.
+ testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'
+
+ // This dependency is exported to consumers, that is to say found on their compile classpath.
+ api 'org.apache.commons:commons-math3:3.6.1'
+
+ // This dependency is used internally, and not exposed to consumers on their own compile classpath.
+ implementation 'com.google.guava:guava:31.1-jre'
+
+ implementation 'net.portswigger.burp.extensions:montoya-api:+'
+
+ // sql 'org.xerial:sqlite-jdbc:3.40.0.0'
+ implementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.34.0'
+
+ implementation 'org.json:json:20220924'
+}
+
+jar{
+ archiveBaseName = rootProject.name
+ duplicatesStrategy = 'exclude'
+ from {
+ configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
+ }{
+ // exclude "META-INF/*.SF"
+ // exclude "META-INF/*.DSA"
+ // exclude "META-INF/*.RSA"
+ }
+}
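Review bot: `implementation 'net.portswigger.burp.extensions:montoya-api:+'` resolves to whatever version the repository serves at build time, so builds are not reproducible and a new upstream release is pulled in without review. Pin it to an explicit version, e.g. `compileOnly 'net.portswigger.burp.extensions:montoya-api:<PINNED_VERSION>'`. `compileOnly` is suggested because the `jar` block unpacks the whole `runtimeClasspath` into the extension jar and Burp presumably supplies the Montoya API itself at runtime. That fat jar also bundles `commons-math3` and `guava` from the init template; if nothing uses them (not visible here), removing them reduces what the extension ships. `sqlite-jdbc` is pinned to 3.34.0 while the commented-out line above it names 3.40.0.0, so it is worth confirming the older release is intentional.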
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/Burp.java b/lib/src/main/java/org/fcvl/domdig/burp/Burp.java
new file mode 100644
index 0000000..8b2af23
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/Burp.java
@@ -0,0 +1,16 @@
+package org.fcvl.domdig.burp;
+
+import burp.api.montoya.BurpExtension;
+import burp.api.montoya.MontoyaApi;
+
+public class Burp implements BurpExtension{
+ private MontoyaApi api;
+
+ @Override
+ public void initialize(MontoyaApi api)
+ {
+ this.api = api;
+ api.extension().setName("DOM Scanner");
+ api.userInterface().registerSuiteTab("DOM Scanner", new DomdigUI(api));
+ }
+}
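Review bot: `initialize` registers the suite tab but no unloading handler. Unless `DomdigUI` registers one itself (not visible in this hunk), a scan still running when the extension is unloaded would leave its node/Chromium process and temporary database file behind. Montoya offers `api.extension().registerUnloadingHandler(...)` for this, and the handler would stop any active scan. The `api` field is assigned but never read in this class and could be dropped.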
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/CrawlResultsPanel.java b/lib/src/main/java/org/fcvl/domdig/burp/CrawlResultsPanel.java
new file mode 100644
index 0000000..20efa11
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/CrawlResultsPanel.java
@@ -0,0 +1,337 @@
+package org.fcvl.domdig.burp;
+
+import javax.swing.JPanel;
+import javax.swing.JPopupMenu;
+import javax.swing.JSplitPane;
+import javax.swing.JScrollPane;
+import java.awt.BorderLayout;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.awt.event.MouseEvent;
+import java.awt.event.MouseListener;
+import java.net.MalformedURLException;
+import java.util.ArrayList;
+
+import javax.swing.JTable;
+import javax.swing.table.AbstractTableModel;
+import javax.swing.table.TableColumn;
+import javax.swing.table.TableModel;
+import javax.swing.table.TableRowSorter;
+
+import org.json.JSONObject;
+
+import burp.api.montoya.MontoyaApi;
+
+import javax.swing.JTextArea;
+import javax.swing.RowSorter;
+import javax.swing.SortOrder;
+import javax.swing.event.ListSelectionEvent;
+import javax.swing.event.ListSelectionListener;
+import javax.swing.JLabel;
+import javax.swing.JMenuItem;
+
+import burp.api.montoya.http.message.HttpHeader;
+import burp.api.montoya.http.message.requests.HttpRequest;
+import javax.swing.JTextField;
+import javax.swing.ListSelectionModel;
+
+import java.awt.FlowLayout;
+
+
+public class CrawlResultsPanel extends JPanel {
+ private MontoyaApi burpApi;
+
+ private JTable requestsTable;
+ private RequestsTableModel requestsModel;
+ private JTextArea requestTextArea;
+ private JLabel requestTriggerLabel;
+ private JTextField elementTextField;
+
+ private HttpRequest domdigRequestToBurpRequest(DomdigRequest req) {
+ if(burpApi == null) return null;
+ HttpRequest burpReq = null;
+
+ burpReq = HttpRequest.httpRequestFromUrl(req.url);
+ if(!req.method.toUpperCase().equals("GET")) {
+ burpReq = burpReq.withMethod(req.method);
+ }
+
+ if(req.headers != null && !req.headers.equals("")) {
+ JSONObject headers = new JSONObject(req.headers);
+ for(String k: headers.keySet()) {
+ burpReq = burpReq.withAddedHeader(HttpHeader.httpHeader(k, headers.getString(k)));
+ }
+ }
+
+ if(req.data != null && !req.data.equals("")) {
+ burpReq = burpReq.withBody(req.data);
+ }
+
+ return burpReq;
+ }
+
+ private void sendToRepeater(DomdigRequest req) {
+ HttpRequest burpReq = domdigRequestToBurpRequest(req);
+ if(burpReq == null) {
+ return;
+ }
+
+ burpApi.repeater().sendToRepeater(burpReq);
+ }
+
+ private void sendToIntruder(DomdigRequest req) {
+ HttpRequest burpReq = domdigRequestToBurpRequest(req);
+ if(burpReq == null) {
+ return;
+ }
+
+ burpApi.intruder().sendToIntruder(burpReq);
+ }
+
+ public void setColWidths(JTable tbl, int[] colWidths){
+ for(int i = 0; i < colWidths.length; i++){
+ TableColumn col = tbl.getColumnModel().getColumn(i);
+ if(col != null)
+ col.setPreferredWidth(colWidths[i]);
+ }
+
+ }
+
+ public void setTableSorter(JTable tbl) {
+ TableRowSorter sorter = new TableRowSorter(tbl.getModel());
+ ArrayList sortKeys = new ArrayList<>(25);
+ sortKeys.add(new RowSorter.SortKey(1, SortOrder.ASCENDING));
+ sorter.setSortKeys(sortKeys);
+ }
+
+
+ public void loadRequestsList(ArrayList list) {
+ if(list != null) {
+ for(DomdigRequest u: list) {
+ requestsModel.addRow(u);
+
+ }
+ }
+ }
+
+ public void flushTable() {
+ requestsModel.flush();
+ }
+
+
+ public void reset() {
+ flushTable();
+ requestTextArea.setText("");
+ }
+
+ private void loadRequestTextArea() {
+ if(requestsTable.getSelectedRow() > -1) {
+ DomdigRequest r = ((RequestsTableModel)requestsTable.getModel()).getRow(requestsTable.getSelectedRow());
+ try {
+ requestTextArea.setText(r.getRaw());
+ requestTextArea.setCaretPosition(0);
+ if(r.trigger != null) {
+ requestTriggerLabel.setText("Request triggered by " + r.triggerEvent + "() on ");
+ elementTextField.setText(r.triggerElement);
+ elementTextField.setVisible(true);
+ } else {
+ requestTriggerLabel.setText("");
+ elementTextField.setVisible(false);
+ }
+ } catch (MalformedURLException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
+ }
+
+ public CrawlResultsPanel(MontoyaApi burpApi) {
+ this.burpApi = burpApi;
+ setLayout(new BorderLayout(0, 0));
+
+ JSplitPane splitPane = new JSplitPane();
+ splitPane.setOrientation(JSplitPane.VERTICAL_SPLIT);
+ add(splitPane);
+
+ JScrollPane requestsScrollPane = new JScrollPane();
+ splitPane.setLeftComponent(requestsScrollPane);
+
+ requestsModel = new RequestsTableModel();
+ requestsTable = new JTable(requestsModel);
+ requestsTable.setSelectionMode(ListSelectionModel.SINGLE_SELECTION);
+ requestsTable.getSelectionModel().addListSelectionListener(new ListSelectionListener() {
+ public void valueChanged(ListSelectionEvent lse) {
+ if (!lse.getValueIsAdjusting()) {
+ loadRequestTextArea();
+ }
+ }
+ });
+ JPopupMenu popupMenu = new JPopupMenu("a");
+ JMenuItem m1 = new JMenuItem("Send to Repeater");
+ m1.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e)
+ {
+ DomdigRequest req = requestsModel.getRow(requestsTable.getSelectedRow());
+ System.out.println(requestsTable.getSelectedRow());
+ sendToRepeater(req);
+
+ }
+ });
+ JMenuItem m2 = new JMenuItem("Send to Intruder");
+ m2.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e)
+ {
+ DomdigRequest req = requestsModel.getRow(requestsTable.getSelectedRow());
+ sendToIntruder(req);
+
+ }
+ });
+ popupMenu.add(m1);
+ popupMenu.add(m2);
+ requestsTable.addMouseListener(new MouseListener() {
+ @Override
+ public void mouseReleased(MouseEvent e) {
+ if (e.getButton() == MouseEvent.BUTTON3) {
+ int r = requestsTable.rowAtPoint(e.getPoint());
+ if (r >= 0 && r < requestsTable.getRowCount()) {
+ requestsTable.setRowSelectionInterval(r, r);
+ popupMenu.show(requestsTable, e.getX(), e.getY());
+ } else {
+ requestsTable.clearSelection();
+ }
+ }
+ }
+
+ @Override
+ public void mouseClicked(MouseEvent e) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void mousePressed(MouseEvent e) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void mouseEntered(MouseEvent e) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void mouseExited(MouseEvent e) {
+ // TODO Auto-generated method stub
+
+ }
+ });
+
+ setColWidths(requestsTable, new int[]{50, 50, 70, 300, 200, 200});
+ setTableSorter(requestsTable);
+
+ requestsScrollPane.setViewportView(requestsTable);
+
+ JPanel requestDetailsPanel = new JPanel();
+ splitPane.setRightComponent(requestDetailsPanel);
+ requestDetailsPanel.setLayout(new BorderLayout(0, 0));
+
+ JScrollPane scrollPane = new JScrollPane();
+ requestDetailsPanel.add(scrollPane, BorderLayout.CENTER);
+
+ requestTextArea = new JTextArea();
+ scrollPane.setViewportView(requestTextArea);
+
+ JPanel panel_2 = new JPanel();
+ FlowLayout flowLayout = (FlowLayout) panel_2.getLayout();
+ flowLayout.setAlignment(FlowLayout.LEFT);
+ requestDetailsPanel.add(panel_2, BorderLayout.NORTH);
+
+ requestTriggerLabel = new JLabel("");
+ panel_2.add(requestTriggerLabel);
+
+ elementTextField = new JTextField();
+ panel_2.add(elementTextField);
+ elementTextField.setColumns(70);
+
+ }
+
+}
+
+
+
+class RequestsTableModel extends AbstractTableModel {
+ private String[] columnNames = {"#", "Type", "Method", "URL", "Data", "Trigger"};
+ private Class> colClasses[] = {Integer.class, String.class, String.class, String.class, String.class, String.class};
+ public ArrayList data = new ArrayList<>();
+
+ public int getColumnCount() {
+ return columnNames.length;
+ }
+
+ public int getRowCount() {
+ if(data == null) return 0;
+ return data.size();
+ }
+
+ public String getColumnName(int col) {
+ return columnNames[col];
+ }
+
+ public Object getValueAt(int row, int col) {
+ DomdigRequest req = data.get(row);
+
+ switch(col){
+ case 0: return req.id;
+ case 1: return req.type;
+ case 2: return req.method;
+ case 3: return req.url;
+ case 4: return req.data;
+ case 5:
+ if(req.trigger != null) {
+ return "$(" + req.triggerElement + ")." + req.triggerEvent + "()";
+ }
+ return "";
+ }
+ return null;
+ }
+
+
+ public Class getColumnClass(int c) {
+ return colClasses[c];
+ }
+
+ public boolean isCellEditable(int row, int col) {
+ return false ;
+ }
+
+ public void setData(ArrayList data){
+ this.data = data;
+ fireTableDataChanged();
+ //printDebugData();
+ }
+
+ public Boolean addRow(DomdigRequest data){
+ this.data.add(data);
+ fireTableDataChanged();
+ return true;
+ }
+
+ public void delRow(int i){
+ this.data.remove(i);
+ fireTableDataChanged();
+ }
+
+ public DomdigRequest getRow(int index) {
+ if(index == -1) {
+ return null;
+ }
+ return this.data.get(index);
+ }
+
+ public void flush(){
+ this.data = new ArrayList<>();
+ fireTableDataChanged();
+ }
+}
+
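Review bot: In `domdigRequestToBurpRequest`, `new JSONObject(req.headers)` and `headers.getString(k)` run on data recorded from the crawled site with no handling for `JSONException`, so malformed JSON or a non-string header value throws out of the popup-menu listener on the Swing event thread and the request never reaches Repeater or Intruder. Reading the value with `headers.optString(k)`, or catching the exception and reporting it to the user, keeps one bad row from breaking the action; `req.method.toUpperCase()` has the same exposure if `method` is null. Separately, `setTableSorter` builds a `TableRowSorter` but never calls `tbl.setRowSorter(sorter)`, so it has no effect; if it is wired up later, `getSelectedRow()` results need `convertRowIndexToModel` before they are passed to `getRow`. The `System.out.println(requestsTable.getSelectedRow());` in the Repeater listener looks like leftover debug output.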
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigDB.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigDB.java
new file mode 100644
index 0000000..685dbbe
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigDB.java
@@ -0,0 +1,101 @@
+package org.fcvl.domdig.burp;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+
+public class DomdigDB {
+ Connection connection = null;
+ String dbFileName;
+
+ public DomdigDB(String dbFileName){
+ this.dbFileName = dbFileName;
+ }
+
+ private void connect() {
+ try {
+ connection = DriverManager.getConnection("jdbc:sqlite:" + dbFileName);
+ } catch (SQLException e1) {
+ e1.printStackTrace();
+ }
+ }
+
+ public String getStatus() {
+ connect();
+ try{
+ Statement statement = connection.createStatement();
+ // statement.setQueryTimeout(30);
+
+ ResultSet rs = statement.executeQuery("select * from scan_info order by id desc limit 1");
+ rs.next();
+ return rs.getString("status");
+ }
+ catch(SQLException e){
+ // if the error message is "out of memory",
+ // it probably means no database file is found
+ System.err.println(e.getMessage());
+ }
+ finally{
+ close();
+ }
+ return null;
+ }
+
+ public ArrayList getRequests(int lastID){
+ connect();
+ ArrayList reqList = new ArrayList<>();
+ try{
+ PreparedStatement statement = connection.prepareStatement("select * from request where id > ? order by id asc");
+ statement.setInt(1, lastID);
+ ResultSet rs = statement.executeQuery();
+
+ while(rs.next()){
+ reqList.add(new DomdigRequest(rs.getInt("id"), rs.getString("type"), rs.getString("method"), rs.getString("url"), rs.getString("headers"), rs.getString("data"), rs.getString("trigger")));
+ }
+ return reqList;
+ } catch(SQLException e){
+ System.err.println(e.getMessage());
+ }
+ finally{
+ close();
+ }
+ return null;
+ }
+
+ public ArrayList getVulnerabilities(int lastID){
+ connect();
+ ArrayList vulnList = new ArrayList<>();
+ try{
+ PreparedStatement statement = connection.prepareStatement("select * from vulnerability where id > ? order by id asc");
+ statement.setInt(1, lastID);
+ ResultSet rs = statement.executeQuery();
+
+ while(rs.next()){
+ vulnList.add(new DomdigVulnerability(rs.getInt("id"), rs.getString("type"), rs.getString("url"), rs.getString("description"), rs.getString("element"), rs.getString("payload"), rs.getBoolean("confirmed")));
+ }
+ return vulnList;
+ } catch(SQLException e){
+ System.err.println(e.getMessage());
+ }
+ finally{
+ close();
+ }
+ return null;
+ }
+
+ private void close() {
+ try {
+ if(connection != null) {
+ connection.close();
+ connection = null;
+ }
+ } catch(SQLException e){
+ // connection close failed.
+ System.err.println(e.getMessage());
+ }
+ }
+}
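Review bot: `connect()` only prints the `SQLException` and leaves `connection` null, so `getStatus`, `getRequests` and `getVulnerabilities` then fail with a `NullPointerException` on `connection.createStatement()` / `prepareStatement(...)`, which their `catch (SQLException e)` does not cover. The `Statement` and `ResultSet` objects are also never closed explicitly, and `getStatus` ignores the result of `rs.next()`, so an empty `scan_info` table surfaces as an exception rather than a null status. Opening the connection, statement and result set in one try-with-resources per method removes the shared `connection` field and handles all three cases; the parameterized queries are fine as they are. A sketch for `getStatus` follows, and the other two methods would take the same shape.

```java
public String getStatus() {
    try (Connection conn = DriverManager.getConnection("jdbc:sqlite:" + dbFileName);
         Statement statement = conn.createStatement();
         ResultSet rs = statement.executeQuery("select * from scan_info order by id desc limit 1")) {
        // No row yet means the scan has not written its status.
        return rs.next() ? rs.getString("status") : null;
    } catch (SQLException e) {
        System.err.println(e.getMessage());
        return null;
    }
}
// … unchanged: getRequests and getVulnerabilities queries and row mapping …
```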
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigEvents.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigEvents.java
new file mode 100644
index 0000000..2cbdbbe
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigEvents.java
@@ -0,0 +1,26 @@
+package org.fcvl.domdig.burp;
+
+import java.util.ArrayList;
+
+abstract public class DomdigEvents {
+
+ public void onError(String message) {
+
+ }
+
+ public void onStatusChange(String message) {
+
+ }
+
+ public void onScanCompleted(Boolean error) {
+
+ }
+
+ public void onNewRequests(ArrayList reqList) {
+
+ }
+
+ public void onNewVulnerabilities(ArrayList vulnList) {
+
+ }
+}
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigExecutor.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigExecutor.java
new file mode 100644
index 0000000..8ee6628
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigExecutor.java
@@ -0,0 +1,294 @@
+package org.fcvl.domdig.burp;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.UUID;
+
+public class DomdigExecutor {
+ private ThreadExecutor thExecutor = null;
+ public String nodePath;
+ public String domdigPath;
+ public String targetUrl;
+ public String cookies;
+ public String credentials;
+ public int timeout;
+ public String proxy;
+ public String headers;
+ public String loginSequence;
+ public String payloadsFile;
+ public String modes;
+ public String excludeRegex;
+ public String localStorage;
+ public String dbFilePath;
+ public boolean checkTemplateInjection;
+ public boolean checkStored;
+ public boolean singleBrowser;
+
+ public DomdigExecutor(String nodePath, String domdigPath, String targetUrl, String cookies, String credentials, int timeout, String proxy,
+ String headers, String loginSequence, String payloadsFile, String modes, String excludeRegex,
+ String localStorage, boolean checkTemplateInjection, boolean checkStored, boolean singleBrowser) {
+ super();
+ this.nodePath = nodePath;
+ this.domdigPath = domdigPath;
+ this.targetUrl = targetUrl;
+ this.cookies = cookies;
+ this.credentials = credentials;
+ this.timeout = timeout;
+ this.proxy = proxy;
+ this.headers = headers;
+ this.loginSequence = loginSequence;
+ this.payloadsFile = payloadsFile;
+ this.modes = modes;
+ this.excludeRegex = excludeRegex;
+ this.localStorage = localStorage;
+ this.dbFilePath = Paths.get(System.getProperty("java.io.tmpdir"), UUID.randomUUID().toString() + ".db").toAbsolutePath().toString();
+ this.checkTemplateInjection = checkTemplateInjection;
+ this.checkStored = checkStored;
+ this.singleBrowser = singleBrowser;
+ //System.out.println(this.dbFilePath);
+ }
+
+ public boolean isRunning() {
+ if(thExecutor == null) {
+ return false;
+ }
+ return thExecutor.isRunning();
+ }
+
+ public void requestStopScan() {
+ if(thExecutor != null) {
+ thExecutor.stop();
+ thExecutor = null;
+ }
+ }
+
+ private String stripJson(String json) {
+ ArrayList ls = new ArrayList();
+ json = json.trim();
+ for(String l : json.split("\n")) {
+ ls.add(l.trim());
+ }
+ return String.join("", ls);
+ }
+
+ public ArrayList getCommand() {
+ ArrayList list = new ArrayList();
+ list.add(this.nodePath);
+ list.add(this.domdigPath);
+ list.add("-l");
+ list.add("-m");
+ list.add(modes);
+ list.add("-d");
+ list.add(dbFilePath);
+ list.add("-x");
+ list.add("" + timeout);
+ if(!cookies.equals("[]")) {
+ list.add("-c");
+ list.add(cookies);
+ }
+ if(!headers.equals("{}")) {
+ list.add("-E");
+ list.add(headers);
+ }
+ if(!localStorage.equals("{}")) {
+ list.add("-g");
+ list.add(localStorage);
+ }
+ if(!credentials.equals(":")) {
+ list.add("-A");
+ list.add(credentials);
+ }
+ if(!loginSequence.equals("")) {
+ list.add("-s");
+ list.add(stripJson(loginSequence));
+ }
+ if(!payloadsFile.equals("")) {
+ list.add("-P");
+ list.add(stripJson(payloadsFile));
+ }
+ if(!excludeRegex.equals("")) {
+ list.add("-X");
+ list.add(stripJson(excludeRegex));
+ }
+ if(!proxy.equals("")) {
+ list.add("-p");
+ list.add(proxy);
+ }
+ if(!checkTemplateInjection) {
+ list.add("-T");
+ }
+ if(!checkStored) {
+ list.add("-S");
+ }
+ if(!singleBrowser) {
+ list.add("-B");
+ }
+
+ return list;
+ }
+
+ public String getCommandAsString() {
+ return String.join(" ", getCommand());
+ }
+
+ public void runCrawler(DomdigEvents events) {
+ System.out.println(getCommandAsString());
+
+ ArrayList list = getCommand();
+ list.add("-D"); // dry-run
+ list.add(this.targetUrl);
+ //System.out.println(getCommandAsString());
+ thExecutor = new ThreadExecutor();
+ thExecutor.start(list, events, dbFilePath);
+ }
+
+ public void runXSSScanner(DomdigEvents events) {
+ System.out.println(getCommandAsString());
+ ArrayList list = getCommand();
+ list.add(this.targetUrl);
+
+ thExecutor = new ThreadExecutor();
+ thExecutor.start(list, events, dbFilePath);
+ }
+
+
+}
+
+
+class ThreadExecutor implements Runnable {
+ private Thread th = null;
+ Process process = null;
+ private boolean exitRequested = false;
+ private ArrayList command;
+ private DomdigEvents events;
+ private String dbFilePath;
+ private int lastStatusID = 0;
+ private int lastRequestID = 0;
+ private int lastVulnerabilityID = 0;
+ private Boolean error = false;
+
+ public void start(ArrayList command, DomdigEvents events, String dbFilePath) {
+ this.command = command;
+ this.events = events;
+ this.dbFilePath = dbFilePath;
+ deleteDBFile();
+ th = new Thread(this);
+ th.start();
+ }
+
+ private void handleError(String message, Boolean fatal) {
+ error = true;
+ events.onError(message);
+ if(fatal) {
+ events.onScanCompleted(error);
+ }
+ }
+
+ private String getStatus() {
+ DomdigDB db = new DomdigDB(dbFilePath);
+ return db.getStatus();
+ }
+
+
+ private ArrayList getNewRequests() {
+ DomdigDB db = new DomdigDB(dbFilePath);
+ ArrayList reqList = db.getRequests(lastRequestID);
+ if(!reqList.isEmpty()) {
+ lastRequestID = reqList.get(reqList.size() - 1).id;
+ }
+ return reqList;
+ }
+
+ private ArrayList getNewVulnerabilities() {
+ DomdigDB db = new DomdigDB(dbFilePath);
+ ArrayList vulnList = db.getVulnerabilities(lastVulnerabilityID);
+ if(!vulnList.isEmpty()) {
+ lastVulnerabilityID = vulnList.get(vulnList.size() - 1).id;
+ }
+ return vulnList;
+ }
+
+
+ public void stop() {
+ exitRequested = true;
+ }
+
+ public boolean isRunning() {
+ if(th == null || process == null) {
+ return false;
+ }
+ try {
+ process.exitValue();
+ return false;
+ }catch(IllegalThreadStateException e) {
+
+ }
+ return true;
+ }
+
+ private void deleteDBFile() {
+ File f = new File(dbFilePath);
+ f.delete();
+ }
+
+ public String getStderr() {
+ ArrayList err = new ArrayList<>();
+ BufferedReader stderr = new BufferedReader(new InputStreamReader(process.getErrorStream()));
+ String s = null;
+ try {
+ while ((s = stderr.readLine()) != null) {
+ err.add(s);
+ }
+ } catch (IOException e) {
+ return "";
+ }
+
+ return String.join("\n", err);
+
+ }
+
+ @Override
+ public void run() {
+ ProcessBuilder pb = new ProcessBuilder(command);
+ try {
+ process = pb.start();
+ } catch (IOException e1) {
+ handleError("Error starting node", true);
+ return;
+ }
+
+ while(!exitRequested && isRunning()) {
+ try {
+ Thread.sleep(500);
+ } catch (InterruptedException e1) {
+ e1.printStackTrace();
+ }
+ try {
+ events.onStatusChange(getStatus());
+ events.onNewRequests(getNewRequests());
+ events.onNewVulnerabilities(getNewVulnerabilities());
+ } catch(Exception e) {
+ handleError("Database Error", true);
+ }
+ }
+
+ if(exitRequested) {
+ System.out.println("Exit requested");
+ process.destroy();
+ }
+ try {
+ process.waitFor();
+ } catch (InterruptedException e) {}
+ deleteDBFile();
+
+ if(process.exitValue() != 0 && !exitRequested) {
+ handleError("exit code not zero: " + getStderr(), true);
+ } else {
+ events.onScanCompleted(false);
+ }
+ }
+}
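Review bot: `runCrawler` and `runXSSScanner` both begin with `System.out.println(getCommandAsString());`, and that string carries the `-A` credentials, the `-c` cookies and the `-E` headers in clear text, so every scan copies them to standard output. Drop the two printlns, or print only `nodePath`, `domdigPath` and the target URL. The same values are also handed to `ProcessBuilder` as process arguments, where other local users can usually read them from the process list. Whether domdig can take them from a file or the environment instead is not visible here.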
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigRequest.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigRequest.java
new file mode 100644
index 0000000..07e2d74
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigRequest.java
@@ -0,0 +1,57 @@
+package org.fcvl.domdig.burp;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import org.json.JSONObject;
+
+public class DomdigRequest {
+ public int id;
+ public String type;
+ public String method;
+ public String url;
+ public String headers;
+ public String data;
+ public String trigger;
+ public String triggerEvent = "";
+ public String triggerElement = "";
+
+ public DomdigRequest(int id, String type, String method, String url, String headers, String data, String trigger) {
+ super();
+ this.id = id;
+ this.type = type;
+ this.method = method;
+ this.url = url;
+ this.headers = headers;
+ this.data = data;
+ this.trigger = trigger.equals("") ? null : trigger;
+
+ try {
+ JSONObject json = new JSONObject(trigger);
+ this.triggerElement = json.getString("element");
+ this.triggerEvent = json.getString("event");
+ } catch(Exception e) {
+ this.trigger = null;
+ }
+ }
+
+ public String getRaw() throws MalformedURLException{
+ URL url = new URL(this.url);
+ String path = url.getFile();
+ String raw = this.method.toUpperCase() + " " + (path.equals("") ? "/" : path) + " HTTP/1.1\r\n";
+ raw += "host: " + url.getHost() + (url.getPort() != -1 ? ":" + url.getPort() : "") + "\r\n";
+ if(headers != null && !headers.equals("")) {
+ JSONObject json = new JSONObject(headers);
+ for(String k : json.keySet()) {
+ raw += k + ": " + json.getString(k) + "\r\n";
+ }
+ }
+ raw += "\r\n";
+ if(data != null) {
+ raw += data;
+ }
+ return raw;
+
+ }
+
+}
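Review bot: `this.trigger = trigger.equals("") ? null : trigger;` sits outside the `try`, so a null `trigger` throws a NullPointerException out of the constructor. `ResultSet.getString` returns null for SQL NULL, and DomdigDB passes `rs.getString("trigger")` straight in. If that column can be NULL (the schema is not visible here), the guard should read `this.trigger = (trigger == null || trigger.isEmpty()) ? null : trigger;`. The JSON parse below it is already wrapped in `catch(Exception e)`, so nothing else needs to change for that case.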
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigUI.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigUI.java
new file mode 100644
index 0000000..7e4dff2
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigUI.java
@@ -0,0 +1,235 @@
+package org.fcvl.domdig.burp;
+
+import java.awt.BorderLayout;
+import java.awt.FlowLayout;
+import java.awt.Font;
+
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.awt.Insets;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.ArrayList;
+
+import javax.swing.JButton;
+import javax.swing.JCheckBox;
+import javax.swing.JLabel;
+import javax.swing.JOptionPane;
+import javax.swing.JPanel;
+import javax.swing.JSeparator;
+import javax.swing.JTabbedPane;
+import javax.swing.JTextField;
+import javax.swing.SwingConstants;
+
+import burp.api.montoya.MontoyaApi;
+import burp.api.montoya.persistence.PersistedObject;
+
+
+public class DomdigUI extends JPanel {
+ private MontoyaApi burpApi;
+
+ private JTextField targetUrlTextField;
+ private DomdigExecutor executor = null;
+ private JLabel statusLabel;
+ private SettingsPanel settingsPanel;
+ private JCheckBox dryRunCheckBox;
+ private JButton btnToggleScan;
+ private CrawlResultsPanel crawlResultsPanel;
+ private VulnerabilitiesPanel vulnerabilitiesPanel;
+
+
+ private void startScan() {
+
+ if(!settingsPanel.checkScannerIsConfigured()) {
+ return;
+ }
+ //System.out.println(settingsPanel.getJson());
+ saveState();
+ if(executor == null || !executor.isRunning()) {
+ executor = settingsPanel.getExecutor(targetUrlTextField.getText());
+ if(executor == null) {
+ return;
+ }
+
+ btnToggleScan.setText("Stop Scan");
+ btnToggleScan.setEnabled(true);
+ crawlResultsPanel.reset();
+ vulnerabilitiesPanel.reset();
+ targetUrlTextField.setEditable(false);
+ settingsPanel.setEnabledComponents(false);
+ dryRunCheckBox.setEnabled(false);
+
+ DomdigEvents events = new DomdigEvents(){
+ @Override
+ public void onError(String message) {
+ JOptionPane.showMessageDialog(DomdigUI.this, message);
+ }
+ @Override
+ public void onStatusChange(String message) {
+ statusLabel.setText(message);
+ //System.out.println("TIK " + message);
+ }
+ @Override
+ public void onNewRequests(ArrayList reqList) {
+ crawlResultsPanel.loadRequestsList(reqList);
+ }
+ @Override
+ public void onNewVulnerabilities(ArrayList vulnList) {
+ vulnerabilitiesPanel.loadVulnerabilitiesList(vulnList);
+ }
+ @Override
+ public void onScanCompleted(Boolean error) {
+ btnToggleScan.setText("Start Scan");
+ btnToggleScan.setEnabled(true);
+ statusLabel.setText("");
+ settingsPanel.setEnabledComponents(true);
+ dryRunCheckBox.setEnabled(true);
+ settingsPanel.setEnabledComponents(true);
+ targetUrlTextField.setEditable(true);
+ if(!error) {
+ JOptionPane.showMessageDialog(DomdigUI.this, "Scan finished with no errors");
+ // @TOOD switch to results Tab
+ }
+ }
+ };
+
+ if(dryRunCheckBox.isSelected()) {
+ executor.runCrawler(events);
+ } else {
+ executor.runXSSScanner(events);
+ }
+ } else {
+ executor.requestStopScan();
+ btnToggleScan.setEnabled(false);
+ }
+ }
+
+ public void saveState() {
+ if(burpApi == null)return;
+ burpApi.persistence().preferences().setString("jsonConfig", settingsPanel.getJson());
+ PersistedObject prjData = burpApi.persistence().extensionData();
+ prjData.setString("target_url", targetUrlTextField.getText());
+ }
+
+ public void loadState() {
+ if(burpApi == null)return;
+ String j = burpApi.persistence().preferences().getString("jsonConfig");
+ if(j == null)
+ return;
+ settingsPanel.loadJson(j);
+ PersistedObject prjData = burpApi.persistence().extensionData();
+ targetUrlTextField.setText(prjData.getString("target_url"));
+ //settingsPanel.checkScannerIsConfigured();
+ }
+
+ public DomdigUI(MontoyaApi burpApi) {
+ this.burpApi = burpApi;
+ try{
+ Class.forName("org.sqlite.JDBC");
+ } catch(ClassNotFoundException e){}
+
+ setLayout(new BorderLayout(0, 0));
+
+ JPanel mainPanel = new JPanel();
+ add(mainPanel, BorderLayout.CENTER);
+ mainPanel.setLayout(new BorderLayout(0, 0));
+
+ JPanel topPanel = new JPanel();
+ mainPanel.add(topPanel, BorderLayout.NORTH);
+ GridBagLayout gbl_topPanel = new GridBagLayout();
+ gbl_topPanel.columnWidths = new int[]{0, 0};
+ gbl_topPanel.rowHeights = new int[]{0, 0, 0};
+ gbl_topPanel.columnWeights = new double[]{1.0, Double.MIN_VALUE};
+ gbl_topPanel.rowWeights = new double[]{1.0, 1.0, Double.MIN_VALUE};
+ topPanel.setLayout(gbl_topPanel);
+
+ JPanel panel = new JPanel();
+ FlowLayout flowLayout_3 = (FlowLayout) panel.getLayout();
+ flowLayout_3.setHgap(10);
+ flowLayout_3.setVgap(0);
+ flowLayout_3.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel = new GridBagConstraints();
+ gbc_panel.insets = new Insets(20, 0, 0, 0);
+ gbc_panel.fill = GridBagConstraints.BOTH;
+ gbc_panel.gridx = 0;
+ gbc_panel.gridy = 0;
+ topPanel.add(panel, gbc_panel);
+
+ JLabel lblNewLabel = new JLabel("Target URL");
+ panel.add(lblNewLabel);
+
+ targetUrlTextField = new JTextField();
+ panel.add(targetUrlTextField);
+ targetUrlTextField.setColumns(40);
+
+ JSeparator separator = new JSeparator();
+ separator.setOrientation(SwingConstants.VERTICAL);
+ panel.add(separator);
+
+ btnToggleScan = new JButton("Start Scan");
+ panel.add(btnToggleScan);
+ btnToggleScan.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ javax.swing.SwingUtilities.invokeLater(new Runnable() {
+ public void run() {
+ startScan();
+ }
+ });
+ }
+ });
+ btnToggleScan.setFont(new Font("Lucida Grande", Font.PLAIN, 14));
+
+ JSeparator separator_1 = new JSeparator();
+ separator_1.setOrientation(SwingConstants.VERTICAL);
+ panel.add(separator_1);
+
+ statusLabel = new JLabel("");
+ panel.add(statusLabel);
+
+ JPanel panel_1 = new JPanel();
+ FlowLayout flowLayout = (FlowLayout) panel_1.getLayout();
+ flowLayout.setHgap(0);
+ flowLayout.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel_1 = new GridBagConstraints();
+ gbc_panel_1.insets = new Insets(0, 0, 12, 0);
+ gbc_panel_1.fill = GridBagConstraints.BOTH;
+ gbc_panel_1.gridx = 0;
+ gbc_panel_1.gridy = 1;
+ topPanel.add(panel_1, gbc_panel_1);
+
+ dryRunCheckBox = new JCheckBox("Just crawl the target, do not scan for XSS");
+ panel_1.add(dryRunCheckBox);
+
+ JTabbedPane tabbedPane = new JTabbedPane(JTabbedPane.TOP);
+ mainPanel.add(tabbedPane, BorderLayout.CENTER);
+
+ JPanel scanTab = new JPanel();
+ tabbedPane.addTab("Scan", null, scanTab, null);
+ scanTab.setLayout(new BorderLayout(0, 0));
+
+
+ JPanel crawlerTab = new JPanel();
+ crawlResultsPanel = new CrawlResultsPanel(burpApi);
+ tabbedPane.addTab("Crawl Results", null, crawlerTab, null);
+ crawlerTab.setLayout(new BorderLayout(0, 0));
+ crawlerTab.add(crawlResultsPanel);
+
+
+ JPanel vulnerabilitiesTab = new JPanel();
+ tabbedPane.addTab("Vulnerabilities", null, vulnerabilitiesTab, null);
+ vulnerabilitiesTab.setLayout(new BorderLayout(0, 0));
+
+
+ vulnerabilitiesPanel = new VulnerabilitiesPanel();
+ vulnerabilitiesTab.add(vulnerabilitiesPanel);
+
+ settingsPanel = new SettingsPanel();
+ scanTab.add(settingsPanel);
+ javax.swing.SwingUtilities.invokeLater(new Runnable() {
+ public void run() {
+ loadState();
+ }
+ });
+ }
+
+}
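Review bot: `saveState()` writes the whole `settingsPanel.getJson()` string to `burpApi.persistence().preferences()`, and in SettingsPanel.java that JSON includes `httpAuthPassTextField` and the cookie table. The HTTP-auth password and session cookies therefore land in Burp's preference store, which as far as I know is kept per installation rather than per project. `loadJson` never reads `httpAuthPassTextField` back, so `json.put("httpAuthPassTextField", httpAuthPassTextField.getText());` can be dropped from `getJson` without changing what is restored. Target-specific values such as cookies would fit better in `extensionData()` next to `target_url`, so they stay with the project.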
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/DomdigVulnerability.java b/lib/src/main/java/org/fcvl/domdig/burp/DomdigVulnerability.java
new file mode 100644
index 0000000..cfeee6a
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/DomdigVulnerability.java
@@ -0,0 +1,23 @@
+package org.fcvl.domdig.burp;
+
+
+public class DomdigVulnerability {
+ public int id;
+ public String type;
+ public String url;
+ public String description;
+ public String element;
+ public String payload;
+ public boolean confirmed;
+
+ public DomdigVulnerability(int id, String type, String url, String description, String element, String payload, boolean confirmed) {
+ super();
+ this.id = id;
+ this.type = type;
+ this.url = url;
+ this.description = description;
+ this.element = element;
+ this.payload = payload;
+ this.confirmed = confirmed;
+ }
+}
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/KeyValueEditor.java b/lib/src/main/java/org/fcvl/domdig/burp/KeyValueEditor.java
new file mode 100644
index 0000000..23c2987
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/KeyValueEditor.java
@@ -0,0 +1,50 @@
+package org.fcvl.domdig.burp;
+
+import java.util.ArrayList;
+import java.util.Vector;
+
+import javax.swing.JPanel;
+import javax.swing.table.AbstractTableModel;
+import javax.swing.table.DefaultTableModel;
+import javax.swing.table.TableColumn;
+import javax.swing.table.TableModel;
+
+import org.json.JSONObject;
+
+import java.awt.BorderLayout;
+import java.awt.Dimension;
+
+import javax.swing.JButton;
+import java.awt.FlowLayout;
+import javax.swing.JScrollPane;
+import javax.swing.JTable;
+import java.awt.event.ActionListener;
+import java.awt.event.ActionEvent;
+
+public class KeyValueEditor extends TableEditor{
+
+ @Override
+ public String toJson() {
+ ArrayList kvArr = getData();
+ if(kvArr.size() == 0)
+ return "{}";
+ JSONObject json = new JSONObject();;
+ for(String[] v : kvArr) {
+ json.put(v[0], v[1]);
+ }
+ return json.toString();
+ }
+
+ @Override
+ public void fromJson(String j) {
+ JSONObject json = new JSONObject(j);
+ for(String k : json.keySet()) {
+ addRow(new String[] {k, json.getString(k)});
+ }
+ }
+
+ public KeyValueEditor() {
+ super(new String[] {"key", "value"}, new Integer[] {200, 600});
+ }
+
+}
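Review bot: Of the imports at the top of KeyValueEditor.java, only `java.util.ArrayList` and `org.json.JSONObject` are used by the code in this hunk. `Vector`, `JPanel`, the table-model classes, `JButton`, `JScrollPane`, `JTable`, and the layout and event classes look like leftovers from a GUI-builder template and can be deleted. `JSONObject json = new JSONObject();;` in `toJson` also has a stray second semicolon.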
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/MainWindow.java b/lib/src/main/java/org/fcvl/domdig/burp/MainWindow.java
new file mode 100644
index 0000000..af2d3fb
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/MainWindow.java
@@ -0,0 +1,47 @@
+package org.fcvl.domdig.burp;
+import java.awt.EventQueue;
+
+import javax.swing.JFrame;
+import javax.swing.JPanel;
+import java.awt.BorderLayout;
+
+public class MainWindow {
+
+ private JFrame frame;
+
+ /**
+ * Launch the application.
+ */
+ public static void main(String[] args) {
+ EventQueue.invokeLater(new Runnable() {
+ public void run() {
+ try {
+ MainWindow window = new MainWindow();
+ window.frame.setVisible(true);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ });
+ }
+
+ /**
+ * Create the application.
+ */
+ public MainWindow() {
+ initialize();
+ }
+
+ /**
+ * Initialize the contents of the frame.
+ */
+ private void initialize() {
+ frame = new JFrame();
+ frame.setBounds(100, 100, 1037, 732);
+ frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
+
+ JPanel panel = new DomdigUI(null);
+ frame.getContentPane().add(panel, BorderLayout.CENTER);
+ }
+
+}
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/SettingsPanel.java b/lib/src/main/java/org/fcvl/domdig/burp/SettingsPanel.java
new file mode 100644
index 0000000..ebda4ad
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/SettingsPanel.java
@@ -0,0 +1,654 @@
+package org.fcvl.domdig.burp;
+
+import javax.swing.JPanel;
+import javax.swing.JScrollPane;
+import javax.swing.border.EmptyBorder;
+import java.awt.BorderLayout;
+import java.awt.GridBagLayout;
+import java.awt.GridBagConstraints;
+import java.awt.Insets;
+import java.io.File;
+import java.net.URI;
+import java.util.ArrayList;
+
+import javax.swing.border.TitledBorder;
+
+import org.json.JSONObject;
+
+import javax.swing.JLabel;
+import javax.swing.JOptionPane;
+import javax.swing.JTextField;
+import javax.swing.JButton;
+import javax.swing.JFileChooser;
+
+import java.awt.FlowLayout;
+import java.awt.event.ActionListener;
+import java.awt.event.MouseAdapter;
+import java.awt.event.MouseEvent;
+import java.awt.event.ActionEvent;
+import javax.swing.JCheckBox;
+import java.awt.GridLayout;
+import javax.swing.JTextArea;
+import java.awt.Color;
+import java.awt.Desktop;
+import java.awt.SystemColor;
+import javax.swing.JSeparator;
+import javax.swing.SwingConstants;
+import java.awt.Font;
+
+public class SettingsPanel extends JPanel {
+ private JTextField nodePathTextField;
+ private JTextField domdigPathTextField;
+ private TableEditor cookiesEditor;
+ private KeyValueEditor kvEditHeaders;
+ private JTextField httpAuthUserTextField;
+ private JTextField httpAuthPassTextField;
+ private JTextArea loginSequenceTextArea;
+ private JTextField ignoreRegexTextField;
+ private JTextField payloadFileTextField;
+ private KeyValueEditor kvEditLocalstorage;
+ private JCheckBox tplInjCheckBox;
+ private JCheckBox modeDOMScanCheckBox;
+ private JCheckBox modeFuzzCheckBox;
+ private JCheckBox storedXSSCheckBox;
+
+ private JTextField proxyTextField;
+ private JCheckBox proxyCheckBox;
+ private JScrollPane mainGridScrollPane;
+ private JCheckBox singleBrowserCheckBox;
+ private JTextField timeoutTextField;
+
+ public DomdigExecutor getExecutor(String targetUrl) {
+ String credentials = httpAuthUserTextField.getText() + ":" + httpAuthPassTextField.getText();
+ ArrayList modes = new ArrayList<>();
+
+ if(modeDOMScanCheckBox.isSelected()) {
+ modes.add("domscan");
+ }
+ if(modeFuzzCheckBox.isSelected()) {
+ modes.add("fuzz");
+ }
+
+ String proxy = proxyCheckBox.isSelected() ? proxyTextField.getText() : "";
+
+ int timeout = 0;
+ try {
+ timeout = Integer.parseInt(timeoutTextField.getText()) * 1000;
+ } catch(Exception e) {
+ alertError("Invalid timeout: " + timeoutTextField.getText());
+ return null;
+ }
+
+ File nodeExe = new File(nodePathTextField.getText());
+ if(!nodeExe.exists()) {
+ alertError("Node executable not found");
+ return null;
+ }
+ if(nodeExe.isDirectory()) {
+ alertError("Node executable is a directory");
+ return null;
+ }
+
+ File domdigExe = new File(domdigPathTextField.getText());
+ if(!domdigExe.exists() || domdigExe.isDirectory()) {
+ alertError("Domdig.js not found");
+ return null;
+ }
+
+ return new DomdigExecutor(nodeExe.getAbsolutePath(), domdigExe.getAbsolutePath(),
+ targetUrl, cookiesEditor.toJson(), credentials, timeout,
+ proxy, kvEditHeaders.toJson(), loginSequenceTextArea.getText(), payloadFileTextField.getText(),
+ String.join(",", modes), ignoreRegexTextField.getText(), kvEditLocalstorage.toJson(), tplInjCheckBox.isSelected(), storedXSSCheckBox.isSelected(), !singleBrowserCheckBox.isSelected());
+ }
+
+ private void alertError(String message) {
+ JOptionPane.showMessageDialog(SettingsPanel.this, message, "Error", JOptionPane.ERROR_MESSAGE);
+ }
+
+ public String getJson() {
+ JSONObject json = new JSONObject();
+ json.put("tplInjCheckBox", tplInjCheckBox.isSelected());
+ json.put("modeDOMScanCheckBox", modeDOMScanCheckBox.isSelected());
+ json.put("modeFuzzCheckBox", modeFuzzCheckBox.isSelected());
+ json.put("storedXSSCheckBox", storedXSSCheckBox.isSelected());
+ json.put("proxyCheckBox", proxyCheckBox.isSelected());
+ json.put("nodePathTextField", nodePathTextField.getText());
+ json.put("domdigPathTextField", domdigPathTextField.getText());
+ json.put("httpAuthUserTextField", httpAuthUserTextField.getText());
+ json.put("httpAuthPassTextField", httpAuthPassTextField.getText());
+ json.put("ignoreRegexTextField", ignoreRegexTextField.getText());
+ json.put("payloadFileTextField", payloadFileTextField.getText());
+ json.put("proxyTextField", proxyTextField.getText());
+ json.put("loginSequenceTextArea", loginSequenceTextArea.getText());
+ json.put("cookiesEditor", cookiesEditor.toJson());
+ json.put("kvEditHeaders", kvEditHeaders.toJson());
+ json.put("kvEditLocalstorage", kvEditLocalstorage.toJson());
+ json.put("singleBrowserCheckBox", singleBrowserCheckBox.isSelected());
+ json.put("timeoutTextField", timeoutTextField.getText());
+ return json.toString();
+
+ }
+
+ public void loadJson(String j) {
+ JSONObject json = new JSONObject(j);
+ loginSequenceTextArea.setText(json.getString("loginSequenceTextArea"));
+ httpAuthUserTextField.setText(json.getString("httpAuthUserTextField"));
+ nodePathTextField.setText(json.getString("nodePathTextField"));
+ nodePathTextField.setText(json.getString("nodePathTextField"));
+ ignoreRegexTextField.setText(json.getString("ignoreRegexTextField"));
+ payloadFileTextField.setText(json.getString("payloadFileTextField"));
+ domdigPathTextField.setText(json.getString("domdigPathTextField"));
+ proxyTextField.setText(json.getString("proxyTextField"));
+ cookiesEditor.fromJson(json.getString("cookiesEditor"));
+ kvEditHeaders.fromJson(json.getString("kvEditHeaders"));
+ kvEditLocalstorage.fromJson(json.getString("kvEditLocalstorage"));
+ tplInjCheckBox.setSelected(json.getBoolean("tplInjCheckBox"));
+ modeDOMScanCheckBox.setSelected(json.getBoolean("modeDOMScanCheckBox"));
+ modeFuzzCheckBox.setSelected(json.getBoolean("modeFuzzCheckBox"));
+ storedXSSCheckBox.setSelected(json.getBoolean("storedXSSCheckBox"));
+ proxyCheckBox.setSelected(json.getBoolean("proxyCheckBox"));
+ singleBrowserCheckBox.setSelected(json.getBoolean("singleBrowserCheckBox"));
+ timeoutTextField.setText(json.getString("timeoutTextField"));
+ }
+
+ public void setEnabledComponents(Boolean enabled) {
+ System.out.println("enable");
+ loginSequenceTextArea.setEnabled(enabled);
+ httpAuthUserTextField.setEnabled(enabled);
+ nodePathTextField.setEnabled(enabled);
+ nodePathTextField.setEnabled(enabled);
+ ignoreRegexTextField.setEnabled(enabled);
+ payloadFileTextField.setEnabled(enabled);
+ domdigPathTextField.setEnabled(enabled);
+ proxyTextField.setEnabled(enabled);
+ cookiesEditor.setEnabled(enabled);
+ kvEditHeaders.setEnabled(enabled);
+ kvEditLocalstorage.setEnabled(enabled);
+ tplInjCheckBox.setEnabled(enabled);
+ modeDOMScanCheckBox.setEnabled(enabled);
+ modeFuzzCheckBox.setEnabled(enabled);
+ storedXSSCheckBox.setEnabled(enabled);
+ proxyCheckBox.setEnabled(enabled);
+ singleBrowserCheckBox.setEnabled(enabled);
+ }
+
+ public Boolean checkScannerIsConfigured() {
+ if(domdigPathTextField.getText().equals("") || nodePathTextField.getText().equals("")) {
+ mainGridScrollPane.getVerticalScrollBar().setValue(10000);
+ alertError("Please set Node's path and DomDig's path");
+ return false;
+ }
+ return true;
+ }
+
+ public String selectFile(){
+ JFileChooser fileChooser = new JFileChooser();
+
+ fileChooser.setCurrentDirectory(new File(System.getProperty("user.home")));
+ int result = fileChooser.showOpenDialog(this);
+ if (result == JFileChooser.APPROVE_OPTION) {
+ File selectedFile = fileChooser.getSelectedFile();
+ return selectedFile.getAbsolutePath();
+ }
+ return null;
+ }
+
+ public SettingsPanel() {
+ setLayout(new BorderLayout(0, 0));
+
+ mainGridScrollPane = new JScrollPane();
+ mainGridScrollPane.setViewportBorder(new EmptyBorder(0, 0, 0, 0));
+ mainGridScrollPane.setBorder(new EmptyBorder(0, 0, 0, 0));
+ add(mainGridScrollPane, BorderLayout.CENTER);
+
+ JPanel mainGridPanel = new JPanel();
+ FlowLayout flowLayout = (FlowLayout) mainGridPanel.getLayout();
+ flowLayout.setHgap(0);
+ flowLayout.setVgap(0);
+ flowLayout.setAlignOnBaseline(true);
+ flowLayout.setAlignment(FlowLayout.LEFT);
+ mainGridScrollPane.setViewportView(mainGridPanel);
+
+ JPanel mainGrid = new JPanel();
+ mainGridPanel.add(mainGrid);
+ GridBagLayout gbl_mainGrid = new GridBagLayout();
+ gbl_mainGrid.columnWidths = new int[]{0, 0};
+ gbl_mainGrid.rowHeights = new int[]{0, 0, 0, 0};
+ gbl_mainGrid.columnWeights = new double[]{0.0, Double.MIN_VALUE};
+ gbl_mainGrid.rowWeights = new double[]{0.0, 0.0, 0.0, Double.MIN_VALUE};
+ mainGrid.setLayout(gbl_mainGrid);
+
+ JPanel settingsPanel_1 = new JPanel();
+ settingsPanel_1.setBorder(new TitledBorder(null, "Scan Parameters", TitledBorder.LEADING, TitledBorder.TOP, null, null));
+ GridBagConstraints gbc_settingsPanel_1 = new GridBagConstraints();
+ gbc_settingsPanel_1.ipady = 5;
+ gbc_settingsPanel_1.ipadx = 5;
+ gbc_settingsPanel_1.insets = new Insets(0, 0, 5, 0);
+ gbc_settingsPanel_1.gridx = 0;
+ gbc_settingsPanel_1.gridy = 0;
+ mainGrid.add(settingsPanel_1, gbc_settingsPanel_1);
+ GridBagLayout gbl_settingsPanel_1 = new GridBagLayout();
+ gbl_settingsPanel_1.columnWidths = new int[]{0, 0, 0, 0};
+ gbl_settingsPanel_1.rowHeights = new int[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ gbl_settingsPanel_1.columnWeights = new double[]{1.0, 1.0, 0.0, Double.MIN_VALUE};
+ gbl_settingsPanel_1.rowWeights = new double[]{1.0, 1.0, 0.0, 1.0, 1.0, 0.0, 1.0, 1.0, 1.0, 1.0, 0.0, 1.0, Double.MIN_VALUE};
+ settingsPanel_1.setLayout(gbl_settingsPanel_1);
+
+ JLabel lblNewLabel_5 = new JLabel("Modes");
+ lblNewLabel_5.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_5 = new GridBagConstraints();
+ gbc_lblNewLabel_5.ipady = 13;
+ gbc_lblNewLabel_5.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_5.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_5.gridx = 0;
+ gbc_lblNewLabel_5.gridy = 0;
+ settingsPanel_1.add(lblNewLabel_5, gbc_lblNewLabel_5);
+
+ JPanel panel_1 = new JPanel();
+ FlowLayout flowLayout_2 = (FlowLayout) panel_1.getLayout();
+ flowLayout_2.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel_1 = new GridBagConstraints();
+ gbc_panel_1.insets = new Insets(0, 0, 5, 5);
+ gbc_panel_1.fill = GridBagConstraints.BOTH;
+ gbc_panel_1.gridx = 1;
+ gbc_panel_1.gridy = 0;
+ settingsPanel_1.add(panel_1, gbc_panel_1);
+
+ modeDOMScanCheckBox = new JCheckBox("DOM Scan");
+ modeDOMScanCheckBox.setSelected(true);
+ panel_1.add(modeDOMScanCheckBox);
+
+ modeFuzzCheckBox = new JCheckBox("Fuzz");
+ modeFuzzCheckBox.setSelected(true);
+ panel_1.add(modeFuzzCheckBox);
+
+ JLabel lblNewLabel_14 = new JLabel("Additional Checks");
+ lblNewLabel_14.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_14 = new GridBagConstraints();
+ gbc_lblNewLabel_14.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_14.gridx = 0;
+ gbc_lblNewLabel_14.gridy = 1;
+ settingsPanel_1.add(lblNewLabel_14, gbc_lblNewLabel_14);
+
+ JPanel panel_3 = new JPanel();
+ FlowLayout flowLayout_3 = (FlowLayout) panel_3.getLayout();
+ flowLayout_3.setVgap(0);
+ flowLayout_3.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel_3 = new GridBagConstraints();
+ gbc_panel_3.insets = new Insets(0, 0, 5, 5);
+ gbc_panel_3.fill = GridBagConstraints.BOTH;
+ gbc_panel_3.gridx = 1;
+ gbc_panel_3.gridy = 1;
+ settingsPanel_1.add(panel_3, gbc_panel_3);
+
+ tplInjCheckBox = new JCheckBox("Template Injection");
+ panel_3.add(tplInjCheckBox);
+ tplInjCheckBox.setSelected(true);
+
+ storedXSSCheckBox = new JCheckBox("Stored XSS");
+ panel_3.add(storedXSSCheckBox);
+ storedXSSCheckBox.setSelected(true);
+
+ JLabel lblNewLabel_11 = new JLabel("Browser");
+ lblNewLabel_11.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_11 = new GridBagConstraints();
+ gbc_lblNewLabel_11.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_11.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_11.gridx = 0;
+ gbc_lblNewLabel_11.gridy = 2;
+ settingsPanel_1.add(lblNewLabel_11, gbc_lblNewLabel_11);
+
+ singleBrowserCheckBox = new JCheckBox("Use a new browser for every new URL");
+ singleBrowserCheckBox.setSelected(true);
+ GridBagConstraints gbc_singleBrowserCheckBox = new GridBagConstraints();
+ gbc_singleBrowserCheckBox.anchor = GridBagConstraints.WEST;
+ gbc_singleBrowserCheckBox.insets = new Insets(5, 5, 5, 5);
+ gbc_singleBrowserCheckBox.gridx = 1;
+ gbc_singleBrowserCheckBox.gridy = 2;
+ settingsPanel_1.add(singleBrowserCheckBox, gbc_singleBrowserCheckBox);
+
+ JLabel lblNewLabel_10 = new JLabel("Proxy");
+ lblNewLabel_10.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_10 = new GridBagConstraints();
+ gbc_lblNewLabel_10.ipady = 16;
+ gbc_lblNewLabel_10.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_10.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_10.gridx = 0;
+ gbc_lblNewLabel_10.gridy = 3;
+ settingsPanel_1.add(lblNewLabel_10, gbc_lblNewLabel_10);
+
+ JPanel panel_6 = new JPanel();
+ FlowLayout flowLayout_5 = (FlowLayout) panel_6.getLayout();
+ flowLayout_5.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel_6 = new GridBagConstraints();
+ gbc_panel_6.insets = new Insets(0, 0, 5, 5);
+ gbc_panel_6.fill = GridBagConstraints.BOTH;
+ gbc_panel_6.gridx = 1;
+ gbc_panel_6.gridy = 3;
+ settingsPanel_1.add(panel_6, gbc_panel_6);
+
+ proxyTextField = new JTextField();
+ proxyTextField.setText("http:127.0.0.1:8080");
+ panel_6.add(proxyTextField);
+ proxyTextField.setColumns(13);
+
+ JSeparator separator_2 = new JSeparator();
+ separator_2.setOrientation(SwingConstants.VERTICAL);
+ panel_6.add(separator_2);
+
+ proxyCheckBox = new JCheckBox("Enabled");
+ proxyCheckBox.setSelected(true);
+ panel_6.add(proxyCheckBox);
+
+ JLabel lblNewLabel_2_1 = new JLabel("Cookies");
+ lblNewLabel_2_1.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_2_1 = new GridBagConstraints();
+ gbc_lblNewLabel_2_1.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_2_1.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_2_1.gridx = 0;
+ gbc_lblNewLabel_2_1.gridy = 4;
+ settingsPanel_1.add(lblNewLabel_2_1, gbc_lblNewLabel_2_1);
+
+ cookiesEditor = new TableEditor(new String[] {"name", "value", "domain", "path"}, new Integer[] {200, 400, 200, 200});
+ JPanel jp = new JPanel();
+ GridBagConstraints gbc_jp = new GridBagConstraints();
+ gbc_jp.fill = GridBagConstraints.BOTH;
+ gbc_jp.insets = new Insets(0, 0, 5, 5);
+ gbc_jp.gridx = 1;
+ gbc_jp.gridy = 4;
+ settingsPanel_1.add(cookiesEditor, gbc_jp);
+
+ JLabel lblNewLabel_1_1 = new JLabel("Headers");
+ lblNewLabel_1_1.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_1_1 = new GridBagConstraints();
+ gbc_lblNewLabel_1_1.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_1_1.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_1_1.gridx = 0;
+ gbc_lblNewLabel_1_1.gridy = 5;
+ settingsPanel_1.add(lblNewLabel_1_1, gbc_lblNewLabel_1_1);
+
+ kvEditHeaders = new KeyValueEditor();
+
+ GridBagConstraints gbc_kvEditHeaders = new GridBagConstraints();
+ gbc_kvEditHeaders.fill = GridBagConstraints.HORIZONTAL;
+ gbc_kvEditHeaders.insets = new Insets(0, 0, 5, 5);
+ gbc_kvEditHeaders.gridx = 1;
+ gbc_kvEditHeaders.gridy = 5;
+ settingsPanel_1.add(kvEditHeaders, gbc_kvEditHeaders);
+
+ JLabel lblNewLabel_9 = new JLabel("Local Storage");
+ lblNewLabel_9.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_9 = new GridBagConstraints();
+ gbc_lblNewLabel_9.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_9.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_9.gridx = 0;
+ gbc_lblNewLabel_9.gridy = 6;
+ settingsPanel_1.add(lblNewLabel_9, gbc_lblNewLabel_9);
+
+ kvEditLocalstorage = new KeyValueEditor();
+ GridBagConstraints gbc_kvEditLocalstorage = new GridBagConstraints();
+ gbc_kvEditLocalstorage.fill = GridBagConstraints.HORIZONTAL;
+ gbc_kvEditLocalstorage.insets = new Insets(0, 0, 5, 5);
+ gbc_kvEditLocalstorage.gridx = 1;
+ gbc_kvEditLocalstorage.gridy = 6;
+ settingsPanel_1.add(kvEditLocalstorage, gbc_kvEditLocalstorage);
+
+ JLabel lblNewLabel = new JLabel("HTTP Auth");
+ lblNewLabel.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel = new GridBagConstraints();
+ gbc_lblNewLabel.ipady = 20;
+ gbc_lblNewLabel.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel.gridx = 0;
+ gbc_lblNewLabel.gridy = 7;
+ settingsPanel_1.add(lblNewLabel, gbc_lblNewLabel);
+
+ JPanel panel = new JPanel();
+ FlowLayout flowLayout_1 = (FlowLayout) panel.getLayout();
+ flowLayout_1.setAlignOnBaseline(true);
+ flowLayout_1.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel = new GridBagConstraints();
+ gbc_panel.insets = new Insets(0, 0, 5, 5);
+ gbc_panel.fill = GridBagConstraints.BOTH;
+ gbc_panel.gridx = 1;
+ gbc_panel.gridy = 7;
+ settingsPanel_1.add(panel, gbc_panel);
+
+ JLabel lblNewLabel_3 = new JLabel("user:");
+ panel.add(lblNewLabel_3);
+
+ httpAuthUserTextField = new JTextField();
+ panel.add(httpAuthUserTextField);
+ httpAuthUserTextField.setColumns(10);
+
+ JLabel lblNewLabel_4 = new JLabel("pass:");
+ panel.add(lblNewLabel_4);
+
+ httpAuthPassTextField = new JTextField();
+ panel.add(httpAuthPassTextField);
+ httpAuthPassTextField.setColumns(10);
+
+ JLabel lblNewLabel_6 = new JLabel("Login Sequence");
+ lblNewLabel_6.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_6 = new GridBagConstraints();
+ gbc_lblNewLabel_6.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_6.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_6.gridx = 0;
+ gbc_lblNewLabel_6.gridy = 8;
+ settingsPanel_1.add(lblNewLabel_6, gbc_lblNewLabel_6);
+
+ JPanel panel_2 = new JPanel();
+ GridBagConstraints gbc_panel_2 = new GridBagConstraints();
+ gbc_panel_2.insets = new Insets(0, 0, 5, 5);
+ gbc_panel_2.fill = GridBagConstraints.BOTH;
+ gbc_panel_2.gridx = 1;
+ gbc_panel_2.gridy = 8;
+ settingsPanel_1.add(panel_2, gbc_panel_2);
+ panel_2.setLayout(new GridLayout(1, 0, 0, 0));
+
+ JScrollPane scrollPane = new JScrollPane();
+ panel_2.add(scrollPane);
+
+ loginSequenceTextArea = new JTextArea();
+ scrollPane.setViewportView(loginSequenceTextArea);
+
+ JTextArea txtrtypeusername = new JTextArea();
+ txtrtypeusername.setText(" [\n [\"navigate\", \"https://loginpage.local\"],\n [\"write\", \"#username\", \"example\"],\n [\"write\", \"#password\", \"example\"],\n [\"sleep\", 3],\n [\"clickToNavigate\", \"#btn-login\"]\n ]");
+ txtrtypeusername.setBackground(SystemColor.window);
+ panel_2.add(txtrtypeusername);
+
+ JLabel lblNewLabel_8 = new JLabel("Payload file");
+ lblNewLabel_8.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_8 = new GridBagConstraints();
+ gbc_lblNewLabel_8.ipady = 18;
+ gbc_lblNewLabel_8.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_8.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_8.gridx = 0;
+ gbc_lblNewLabel_8.gridy = 9;
+ settingsPanel_1.add(lblNewLabel_8, gbc_lblNewLabel_8);
+
+ JPanel panel_5 = new JPanel();
+ FlowLayout flowLayout_4 = (FlowLayout) panel_5.getLayout();
+ flowLayout_4.setAlignment(FlowLayout.LEFT);
+ GridBagConstraints gbc_panel_5 = new GridBagConstraints();
+ gbc_panel_5.insets = new Insets(0, 0, 5, 5);
+ gbc_panel_5.fill = GridBagConstraints.BOTH;
+ gbc_panel_5.gridx = 1;
+ gbc_panel_5.gridy = 9;
+ settingsPanel_1.add(panel_5, gbc_panel_5);
+
+ payloadFileTextField = new JTextField();
+ panel_5.add(payloadFileTextField);
+ payloadFileTextField.setColumns(33);
+
+ JSeparator separator_1 = new JSeparator();
+ panel_5.add(separator_1);
+
+ JButton btnNewButton = new JButton("...");
+ btnNewButton.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ String f = selectFile();
+ if(f != null)
+ payloadFileTextField.setText(f);
+ }
+ });
+ panel_5.add(btnNewButton);
+
+ JSeparator separator = new JSeparator();
+ separator.setOrientation(SwingConstants.VERTICAL);
+ panel_5.add(separator);
+
+ JLabel lblNewLabel_7 = new JLabel("Ignore RegEx");
+ lblNewLabel_7.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_7 = new GridBagConstraints();
+ gbc_lblNewLabel_7.ipady = 5;
+ gbc_lblNewLabel_7.anchor = GridBagConstraints.NORTHEAST;
+ gbc_lblNewLabel_7.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_7.gridx = 0;
+ gbc_lblNewLabel_7.gridy = 10;
+ settingsPanel_1.add(lblNewLabel_7, gbc_lblNewLabel_7);
+
+ ignoreRegexTextField = new JTextField();
+ ignoreRegexTextField.setText(".*logout.*");
+ GridBagConstraints gbc_ignoreRegexTextField = new GridBagConstraints();
+ gbc_ignoreRegexTextField.insets = new Insets(0, 0, 5, 5);
+ gbc_ignoreRegexTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_ignoreRegexTextField.gridx = 1;
+ gbc_ignoreRegexTextField.gridy = 10;
+ settingsPanel_1.add(ignoreRegexTextField, gbc_ignoreRegexTextField);
+ ignoreRegexTextField.setColumns(10);
+
+ JLabel lblNewLabel_12 = new JLabel("Timeout");
+ lblNewLabel_12.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_12 = new GridBagConstraints();
+ gbc_lblNewLabel_12.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_12.insets = new Insets(0, 0, 0, 5);
+ gbc_lblNewLabel_12.gridx = 0;
+ gbc_lblNewLabel_12.gridy = 11;
+ settingsPanel_1.add(lblNewLabel_12, gbc_lblNewLabel_12);
+
+ JPanel panel_4 = new JPanel();
+ FlowLayout flowLayout_6 = (FlowLayout) panel_4.getLayout();
+ flowLayout_6.setAlignment(FlowLayout.LEFT);
+ flowLayout_6.setVgap(0);
+ flowLayout_6.setHgap(0);
+ GridBagConstraints gbc_panel_4 = new GridBagConstraints();
+ gbc_panel_4.insets = new Insets(0, 0, 0, 5);
+ gbc_panel_4.fill = GridBagConstraints.BOTH;
+ gbc_panel_4.gridx = 1;
+ gbc_panel_4.gridy = 11;
+ settingsPanel_1.add(panel_4, gbc_panel_4);
+
+ timeoutTextField = new JTextField();
+ timeoutTextField.setText("30");
+ panel_4.add(timeoutTextField);
+ timeoutTextField.setColumns(5);
+
+ JLabel lblNewLabel_13 = new JLabel(" seconds");
+ panel_4.add(lblNewLabel_13);
+
+ JPanel settingsPanel = new JPanel();
+ settingsPanel.setBorder(new TitledBorder(null, "Scanner Settings", TitledBorder.LEADING, TitledBorder.TOP, null, null));
+ GridBagConstraints gbc_settingsPanel = new GridBagConstraints();
+ gbc_settingsPanel.anchor = GridBagConstraints.NORTHWEST;
+ gbc_settingsPanel.insets = new Insets(0, 0, 5, 0);
+ gbc_settingsPanel.gridx = 0;
+ gbc_settingsPanel.gridy = 1;
+ mainGrid.add(settingsPanel, gbc_settingsPanel);
+ GridBagLayout gbl_settingsPanel = new GridBagLayout();
+ gbl_settingsPanel.columnWidths = new int[]{0, 0, 0, 0};
+ gbl_settingsPanel.rowHeights = new int[]{0, 0, 0, 0};
+ gbl_settingsPanel.columnWeights = new double[]{0.0, 1.0, 0.0, Double.MIN_VALUE};
+ gbl_settingsPanel.rowWeights = new double[]{0.0, 0.0, 0.0, Double.MIN_VALUE};
+ settingsPanel.setLayout(gbl_settingsPanel);
+
+ JLabel lblNewLabel_2 = new JLabel("Node Path");
+ GridBagConstraints gbc_lblNewLabel_2 = new GridBagConstraints();
+ gbc_lblNewLabel_2.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_2.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_2.gridx = 0;
+ gbc_lblNewLabel_2.gridy = 0;
+ settingsPanel.add(lblNewLabel_2, gbc_lblNewLabel_2);
+
+ nodePathTextField = new JTextField();
+ nodePathTextField.setColumns(10);
+ GridBagConstraints gbc_nodePathTextField = new GridBagConstraints();
+ gbc_nodePathTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_nodePathTextField.insets = new Insets(0, 0, 5, 5);
+ gbc_nodePathTextField.gridx = 1;
+ gbc_nodePathTextField.gridy = 0;
+ settingsPanel.add(nodePathTextField, gbc_nodePathTextField);
+
+ JButton btnNewButton_3 = new JButton("...");
+ btnNewButton_3.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ String f = selectFile();
+ if(f != null)
+ nodePathTextField.setText(f);
+ }
+ });
+ GridBagConstraints gbc_btnNewButton_3 = new GridBagConstraints();
+ gbc_btnNewButton_3.insets = new Insets(0, 0, 5, 0);
+ gbc_btnNewButton_3.gridx = 2;
+ gbc_btnNewButton_3.gridy = 0;
+ settingsPanel.add(btnNewButton_3, gbc_btnNewButton_3);
+
+ JLabel lblNewLabel_1 = new JLabel("Domdig Path");
+ GridBagConstraints gbc_lblNewLabel_1 = new GridBagConstraints();
+ gbc_lblNewLabel_1.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_1.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_1.gridx = 0;
+ gbc_lblNewLabel_1.gridy = 1;
+ settingsPanel.add(lblNewLabel_1, gbc_lblNewLabel_1);
+
+ domdigPathTextField = new JTextField();
+ domdigPathTextField.setColumns(30);
+ GridBagConstraints gbc_domdigPathTextField = new GridBagConstraints();
+ gbc_domdigPathTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_domdigPathTextField.insets = new Insets(0, 0, 0, 5);
+ gbc_domdigPathTextField.gridx = 1;
+ gbc_domdigPathTextField.gridy = 1;
+ settingsPanel.add(domdigPathTextField, gbc_domdigPathTextField);
+
+ JButton btnNewButton_1 = new JButton("...");
+ btnNewButton_1.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ String f = selectFile();
+ if(f != null)
+ domdigPathTextField.setText(f);
+ }
+ });
+ GridBagConstraints gbc_btnNewButton_1 = new GridBagConstraints();
+ gbc_btnNewButton_1.insets = new Insets(0, 0, 5, 0);
+ gbc_btnNewButton_1.gridx = 2;
+ gbc_btnNewButton_1.gridy = 1;
+ settingsPanel.add(btnNewButton_1, gbc_btnNewButton_1);
+
+ JLabel domdigLinkLabel = new JLabel("https://github.com/fcavallarin/domdig");
+ domdigLinkLabel.setFont(new Font("Lucida Grande", Font.ITALIC, 13));
+ domdigLinkLabel.addMouseListener(new MouseAdapter() {
+ @Override
+ public void mouseClicked(MouseEvent ev) {
+ try {
+ Desktop.getDesktop().browse(new URI(domdigLinkLabel.getText()));
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ });
+ domdigLinkLabel.setForeground(new Color(4, 97, 255));
+ GridBagConstraints gbc_domdigLinkLabel = new GridBagConstraints();
+ gbc_domdigLinkLabel.anchor = GridBagConstraints.WEST;
+ gbc_domdigLinkLabel.insets = new Insets(0, 0, 0, 5);
+ gbc_domdigLinkLabel.gridx = 1;
+ gbc_domdigLinkLabel.gridy = 2;
+ settingsPanel.add(domdigLinkLabel, gbc_domdigLinkLabel);
+
+ mainGridScrollPane.getVerticalScrollBar().setUnitIncrement(16);
+ javax.swing.SwingUtilities.invokeLater(new Runnable() {
+ public void run() {
+ mainGridScrollPane.getVerticalScrollBar().setValue(0);
+ }
+ });
+ }
+}
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/TableEditor.java b/lib/src/main/java/org/fcvl/domdig/burp/TableEditor.java
new file mode 100644
index 0000000..de50660
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/TableEditor.java
@@ -0,0 +1,143 @@
+package org.fcvl.domdig.burp;
+
+import java.awt.BorderLayout;
+import java.awt.Dimension;
+import java.awt.FlowLayout;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.ArrayList;
+import java.util.Vector;
+
+import javax.swing.JButton;
+import javax.swing.JPanel;
+import javax.swing.JScrollPane;
+import javax.swing.JTable;
+import javax.swing.ListSelectionModel;
+import javax.swing.table.DefaultTableModel;
+import javax.swing.table.TableModel;
+
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+
+public class TableEditor extends JPanel{
+ private JTable keyValueTable;
+ private String[] columns = null;
+ private Integer[] columnWidths = null;
+ public Boolean enabled = true;
+ private JButton btnRemove;
+ private JButton btnAdd;
+
+
+ public ArrayList getData() {
+ ArrayList ret = new ArrayList<>();
+ for(Vector> v: ((DefaultTableModel)keyValueTable.getModel()).getDataVector()) {
+ String[] row = new String[columns.length];
+ for(int i = 0; i < columns.length; i++) {
+ Object e = v.elementAt(i);
+ row[i] = e != null ? e.toString() : "";
+ }
+ ret.add(row);
+ }
+
+ return ret;
+
+ }
+
+ public void setEnabled(Boolean enabled) {
+ btnAdd.setEnabled(enabled);
+ btnRemove.setEnabled(enabled);
+ this.enabled = enabled;
+ }
+
+ public String toJson() {
+ ArrayList kvArr = getData();
+ if(kvArr.size() == 0)
+ return "[]";
+ JSONArray jsonArr = new JSONArray();
+ for(String[] v : kvArr) {
+ JSONObject json = new JSONObject();
+ for(int i = 0; i < columns.length; i++) {
+ if(i < v.length && v[i] != null && !v[i].equals("")) {
+ json.put(columns[i], v[i]);
+ }
+
+ }
+ jsonArr.put(json);
+ }
+ return jsonArr.toString();
+ }
+
+ public void fromJson(String j) {
+ JSONArray json = new JSONArray(j);
+ for(Object k1 : json) {
+ String[] row = new String[columns.length];
+ for(int i = 0; i < columns.length; i++) {
+ try {
+ row[i] = ((JSONObject)k1).getString(columns[i]);
+ } catch(JSONException je) {
+ row[i] = "";
+ }
+ }
+ addRow(row);
+ }
+ }
+
+ public void addRow(String[] row) {
+ if(!enabled)return;
+ TableModel dt = (TableModel) keyValueTable.getModel();
+ DefaultTableModel dt1 = (DefaultTableModel)dt;
+ dt1.addRow(row);
+ }
+
+ public TableEditor(String[] columns, Integer[] columnWidths) {
+ this.columns = columns;
+ this.columnWidths = columnWidths;
+
+ setLayout(new BorderLayout(0, 0));
+
+ JPanel bottomPanel = new JPanel();
+ FlowLayout fl_bottomPanel = (FlowLayout) bottomPanel.getLayout();
+ fl_bottomPanel.setAlignment(FlowLayout.RIGHT);
+ add(bottomPanel, BorderLayout.SOUTH);
+
+ btnRemove = new JButton("Remove");
+ btnRemove.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ if(!enabled)return;
+ int i = keyValueTable.getSelectedRow();
+ if(i > -1) {
+ ((DefaultTableModel)keyValueTable.getModel()).removeRow(i);
+ }
+ }
+ });
+ bottomPanel.add(btnRemove);
+
+ btnAdd = new JButton("Add");
+ btnAdd.addActionListener(new ActionListener() {
+ public void actionPerformed(ActionEvent e) {
+ addRow(new String[] {"name", "value", "", ""});
+ }
+ });
+ bottomPanel.add(btnAdd);
+
+ JScrollPane keyValueTableScrollPane = new JScrollPane();
+ add(keyValueTableScrollPane, BorderLayout.NORTH);
+
+ Object[] headers = new Object[columns.length];
+ for(int i = 0; i < columns.length; i++) {
+ headers[i] = columns[i].substring(0, 1).toUpperCase() + columns[i].substring(1);
+ }
+
+ keyValueTable = new JTable(new DefaultTableModel(headers, 0));
+ keyValueTable.setSelectionMode(ListSelectionModel.SINGLE_SELECTION);
+ keyValueTableScrollPane.setViewportView(keyValueTable);
+
+ keyValueTableScrollPane.setPreferredSize(new Dimension(700, 110));
+ for(int i = 0; i < columnWidths.length; i++) {
+ keyValueTable.getColumnModel().getColumn(i).setPreferredWidth(columnWidths[i]);
+ }
+
+ }
+}
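Review bot: `fromJson` guards only the per-column `getString` call, so a malformed or unexpectedly shaped value still escapes as an unchecked exception: `new JSONArray(j)` sits outside the `try`, and `(JSONObject)k1` throws `ClassCastException` for any array element that is not an object. This editor holds the cookies used for the scan, so a bad saved value should be skipped or reported rather than abort whatever caller restores the settings (that caller is not visible in this hunk). Consider `if (!(k1 instanceof JSONObject)) continue;` at the top of the loop and `row[i] = ((JSONObject) k1).optString(columns[i], "");` in place of the try/catch. Separately, `setEnabled(Boolean)` overloads rather than overrides `JComponent.setEnabled(boolean)`, so a call passing a primitive `boolean` resolves to the inherited method and leaves the buttons and the `enabled` flag unchanged; declaring it `@Override public void setEnabled(boolean enabled)` and calling `super.setEnabled(enabled)` closes that gap.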
diff --git a/lib/src/main/java/org/fcvl/domdig/burp/VulnerabilitiesPanel.java b/lib/src/main/java/org/fcvl/domdig/burp/VulnerabilitiesPanel.java
new file mode 100644
index 0000000..c3a5aef
--- /dev/null
+++ b/lib/src/main/java/org/fcvl/domdig/burp/VulnerabilitiesPanel.java
@@ -0,0 +1,359 @@
+package org.fcvl.domdig.burp;
+
+import java.awt.BorderLayout;
+import java.awt.Font;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.awt.Insets;
+import java.util.ArrayList;
+
+import javax.swing.BorderFactory;
+import javax.swing.JLabel;
+import javax.swing.JPanel;
+import javax.swing.JScrollPane;
+import javax.swing.JSplitPane;
+import javax.swing.JTable;
+import javax.swing.JTextField;
+import javax.swing.ListSelectionModel;
+import javax.swing.RowSorter;
+import javax.swing.SortOrder;
+import javax.swing.border.EmptyBorder;
+import javax.swing.event.ListSelectionEvent;
+import javax.swing.event.ListSelectionListener;
+import javax.swing.table.AbstractTableModel;
+import javax.swing.table.TableColumn;
+import javax.swing.table.TableModel;
+import javax.swing.table.TableRowSorter;
+
+
+public class VulnerabilitiesPanel extends JPanel {
+ private JTable vulnerabilitieTable;
+ private VulnerabilitiesTableModel vulnerabilitiesModel;
+ private JLabel requestTriggerLabel;
+ private JTextField urlTextField;
+ private JTextField idTextField;
+ private JTextField typeTextField;
+ private JTextField descrTextField;
+ private JTextField payloadTextField;
+ private JTextField elementTextField;
+ private JLabel confirmedLabel;
+
+
+ public VulnerabilitiesPanel() {
+ setLayout(new BorderLayout(0, 0));
+
+ JSplitPane splitPane = new JSplitPane();
+ splitPane.setOrientation(JSplitPane.VERTICAL_SPLIT);
+ add(splitPane);
+
+ JScrollPane requestsScrollPane = new JScrollPane();
+ splitPane.setLeftComponent(requestsScrollPane);
+
+ vulnerabilitiesModel = new VulnerabilitiesTableModel();
+ vulnerabilitieTable = new JTable(vulnerabilitiesModel);
+ vulnerabilitieTable.setSelectionMode(ListSelectionModel.SINGLE_SELECTION);
+ vulnerabilitieTable.getSelectionModel().addListSelectionListener(new ListSelectionListener() {
+ public void valueChanged(ListSelectionEvent lse) {
+ if (!lse.getValueIsAdjusting()) {
+ if(vulnerabilitieTable.getSelectedRow() > -1) {
+ DomdigVulnerability r = ((VulnerabilitiesTableModel)vulnerabilitieTable.getModel()).getRow(vulnerabilitieTable.getSelectedRow());
+ //vulnerabilityTextArea.setText(r.payload);
+ urlTextField.setText(r.url);
+ idTextField.setText(r.id+"");
+ typeTextField.setText(r.type);
+ descrTextField.setText(r.description);
+ payloadTextField.setText(r.payload);
+ elementTextField.setText(r.element);
+ confirmedLabel.setText(r.confirmed ? "YES" : "NO");
+ }
+ }
+ }
+ });
+ setColWidths(vulnerabilitieTable, new int[]{20, 50, 300, 200, 100, 50, 300});
+ setTableSorter(vulnerabilitieTable);
+
+ requestsScrollPane.setViewportView(vulnerabilitieTable);
+
+ JPanel requestDetailsPanel = new JPanel();
+ requestDetailsPanel.setLayout(new BorderLayout(0, 0));
+
+ JPanel detailsPanel = new JPanel();
+ detailsPanel.setBorder(new EmptyBorder(10, 10, 10, 10));
+ detailsPanel.setLayout(new BorderLayout(0, 0));
+ JScrollPane scrollPane = new JScrollPane();
+ scrollPane.setBorder(BorderFactory.createEmptyBorder());
+ requestDetailsPanel.add(scrollPane, BorderLayout.CENTER);
+ detailsPanel.add(requestDetailsPanel);
+ splitPane.setRightComponent(detailsPanel);
+ JPanel panel = new JPanel();
+ panel.setBorder(null);
+ scrollPane.setViewportView(panel);
+ GridBagLayout gbl_panel = new GridBagLayout();
+ gbl_panel.columnWidths = new int[]{0, 0, 0};
+ gbl_panel.rowHeights = new int[]{0, 0, 0, 0, 0, 0, 0, 0};
+ gbl_panel.columnWeights = new double[]{0.0, 1.0, Double.MIN_VALUE};
+ gbl_panel.rowWeights = new double[]{0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, Double.MIN_VALUE};
+ panel.setLayout(gbl_panel);
+
+ JLabel lblNewLabel = new JLabel("ID");
+ lblNewLabel.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel = new GridBagConstraints();
+ gbc_lblNewLabel.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel.gridx = 0;
+ gbc_lblNewLabel.gridy = 0;
+ panel.add(lblNewLabel, gbc_lblNewLabel);
+
+ idTextField = new JTextField();
+ GridBagConstraints gbc_idTextField = new GridBagConstraints();
+ gbc_idTextField.insets = new Insets(0, 0, 5, 0);
+ gbc_idTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_idTextField.gridx = 1;
+ gbc_idTextField.gridy = 0;
+ panel.add(idTextField, gbc_idTextField);
+ idTextField.setColumns(10);
+
+ JLabel lblNewLabel_1 = new JLabel("Type");
+ lblNewLabel_1.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_1 = new GridBagConstraints();
+ gbc_lblNewLabel_1.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_1.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_1.gridx = 0;
+ gbc_lblNewLabel_1.gridy = 1;
+ panel.add(lblNewLabel_1, gbc_lblNewLabel_1);
+
+ typeTextField = new JTextField();
+ GridBagConstraints gbc_typeTextField = new GridBagConstraints();
+ gbc_typeTextField.insets = new Insets(0, 0, 5, 0);
+ gbc_typeTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_typeTextField.gridx = 1;
+ gbc_typeTextField.gridy = 1;
+ panel.add(typeTextField, gbc_typeTextField);
+ typeTextField.setColumns(10);
+
+ JLabel lblNewLabel_2 = new JLabel("Description");
+ lblNewLabel_2.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_2 = new GridBagConstraints();
+ gbc_lblNewLabel_2.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_2.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_2.gridx = 0;
+ gbc_lblNewLabel_2.gridy = 2;
+ panel.add(lblNewLabel_2, gbc_lblNewLabel_2);
+
+ descrTextField = new JTextField();
+ GridBagConstraints gbc_descrTextField = new GridBagConstraints();
+ gbc_descrTextField.insets = new Insets(0, 0, 5, 0);
+ gbc_descrTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_descrTextField.gridx = 1;
+ gbc_descrTextField.gridy = 2;
+ panel.add(descrTextField, gbc_descrTextField);
+ descrTextField.setColumns(10);
+
+ JLabel lblNewLabel_3 = new JLabel("Payload");
+ lblNewLabel_3.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_3 = new GridBagConstraints();
+ gbc_lblNewLabel_3.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_3.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_3.gridx = 0;
+ gbc_lblNewLabel_3.gridy = 3;
+ panel.add(lblNewLabel_3, gbc_lblNewLabel_3);
+
+ payloadTextField = new JTextField();
+ GridBagConstraints gbc_payloadTextField = new GridBagConstraints();
+ gbc_payloadTextField.insets = new Insets(0, 0, 5, 0);
+ gbc_payloadTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_payloadTextField.gridx = 1;
+ gbc_payloadTextField.gridy = 3;
+ panel.add(payloadTextField, gbc_payloadTextField);
+ payloadTextField.setColumns(10);
+
+ JLabel lblNewLabel_4 = new JLabel("Element");
+ lblNewLabel_4.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_4 = new GridBagConstraints();
+ gbc_lblNewLabel_4.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_4.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_4.gridx = 0;
+ gbc_lblNewLabel_4.gridy = 4;
+ panel.add(lblNewLabel_4, gbc_lblNewLabel_4);
+
+ elementTextField = new JTextField();
+ GridBagConstraints gbc_elementTextField = new GridBagConstraints();
+ gbc_elementTextField.insets = new Insets(0, 0, 5, 0);
+ gbc_elementTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_elementTextField.gridx = 1;
+ gbc_elementTextField.gridy = 4;
+ panel.add(elementTextField, gbc_elementTextField);
+ elementTextField.setColumns(10);
+
+ JLabel lblNewLabel_5 = new JLabel("Confirmed");
+ lblNewLabel_5.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_5 = new GridBagConstraints();
+ gbc_lblNewLabel_5.insets = new Insets(0, 0, 5, 5);
+ gbc_lblNewLabel_5.gridx = 0;
+ gbc_lblNewLabel_5.gridy = 5;
+ panel.add(lblNewLabel_5, gbc_lblNewLabel_5);
+
+ confirmedLabel = new JLabel("YES");
+ GridBagConstraints gbc_confirmedLabel = new GridBagConstraints();
+ gbc_confirmedLabel.anchor = GridBagConstraints.WEST;
+ gbc_confirmedLabel.insets = new Insets(0, 0, 5, 0);
+ gbc_confirmedLabel.gridx = 1;
+ gbc_confirmedLabel.gridy = 5;
+ panel.add(confirmedLabel, gbc_confirmedLabel);
+
+ JLabel lblNewLabel_6 = new JLabel("URL");
+ lblNewLabel_6.setFont(new Font("Lucida Grande", Font.BOLD, 13));
+ GridBagConstraints gbc_lblNewLabel_6 = new GridBagConstraints();
+ gbc_lblNewLabel_6.anchor = GridBagConstraints.EAST;
+ gbc_lblNewLabel_6.insets = new Insets(0, 0, 0, 5);
+ gbc_lblNewLabel_6.gridx = 0;
+ gbc_lblNewLabel_6.gridy = 6;
+ panel.add(lblNewLabel_6, gbc_lblNewLabel_6);
+
+ urlTextField = new JTextField();
+ GridBagConstraints gbc_urlTextField = new GridBagConstraints();
+ gbc_urlTextField.fill = GridBagConstraints.HORIZONTAL;
+ gbc_urlTextField.gridx = 1;
+ gbc_urlTextField.gridy = 6;
+ panel.add(urlTextField, gbc_urlTextField);
+ urlTextField.setColumns(10);
+
+ JPanel panel_2 = new JPanel();
+ requestDetailsPanel.add(panel_2, BorderLayout.NORTH);
+
+ requestTriggerLabel = new JLabel("");
+ panel_2.add(requestTriggerLabel);
+
+ }
+
+ public void setColWidths(JTable tbl, int[] colWidths){
+ for(int i = 0; i < colWidths.length; i++){
+ TableColumn col = tbl.getColumnModel().getColumn(i);
+ if(col != null)
+ col.setPreferredWidth(colWidths[i]);
+ }
+
+ }
+
+ public void setTableSorter(JTable tbl) {
+ TableRowSorter sorter = new TableRowSorter(tbl.getModel());
+ ArrayList sortKeys = new ArrayList<>(25);
+ sortKeys.add(new RowSorter.SortKey(1, SortOrder.ASCENDING));
+ //sortKeys.add(new RowSorter.SortKey(0, SortOrder.ASCENDING));
+ sorter.setSortKeys(sortKeys);
+ }
+
+
+ public void loadVulnerabilitiesList(ArrayList list) {
+ if(list != null) {
+ for(DomdigVulnerability u: list) {
+ vulnerabilitiesModel.addRow(u);
+
+ }
+ }
+ }
+
+ public void flushTable() {
+ vulnerabilitiesModel.flush();
+ }
+
+ public void reset() {
+ flushTable();
+ //vulnerabilityTextArea.setText("");
+ urlTextField.setText("");
+ idTextField.setText("");
+ typeTextField.setText("");
+ descrTextField.setText("");
+ payloadTextField.setText("");
+ elementTextField.setText("");
+ confirmedLabel.setText("");
+ }
+}
+
+
+class VulnerabilitiesTableModel extends AbstractTableModel {
+ private String[] columnNames = {"#", "Type", "Description", "Payload", "Element", "Confirmed", "URL"};
+ private Class> colClasses[] = {Integer.class, String.class, String.class, String.class, String.class, String.class, String.class};
+ public ArrayList data = new ArrayList<>();
+ private ArrayList withIconOk = new ArrayList<>();
+
+
+ public int getColumnCount() {
+ return columnNames.length;
+ }
+
+ public int getRowCount() {
+ if(data == null) return 0;
+ return data.size();
+ }
+
+ public String getColumnName(int col) {
+ return columnNames[col];
+ }
+
+ public void setIconOk(String value) {
+ this.withIconOk.add(value);
+ fireTableDataChanged();
+ }
+
+ public Object getValueAt(int row, int col) {
+
+ DomdigVulnerability vuln = data.get(row);
+
+ switch(col){
+ case 0: return vuln.id;
+ case 1: return vuln.type;
+ case 2: return vuln.description;
+ case 3: return vuln.payload;
+ case 4: return vuln.element;
+ case 5: return vuln.confirmed ? "YES" : "NO";
+ case 6: return vuln.url;
+ }
+
+ return null;
+ }
+
+
+ public Class getColumnClass(int c) {
+ return colClasses[c];
+ }
+
+ public boolean isCellEditable(int row, int col) {
+
+ return false ;
+ }
+
+ public void setData(ArrayList data){
+ this.data = data;
+ fireTableDataChanged();
+ //printDebugData();
+ }
+
+ public Boolean addRow(DomdigVulnerability data){
+
+ this.data.add(data);
+ fireTableDataChanged();
+ //printDebugData();
+ return true;
+ }
+
+ public void delRow(int i){
+ this.data.remove(i);
+ fireTableDataChanged();
+ }
+
+ public DomdigVulnerability getRow(int index) {
+ if(index == -1) {
+ return null;
+ }
+ return this.data.get(index);
+ }
+
+ public void flush(){
+ this.data = new ArrayList<>();
+ this.withIconOk = new ArrayList<>();
+ fireTableDataChanged();
+ }
+}
+
+
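Review bot: The table built in the `VulnerabilitiesPanel` constructor shows the Description, Payload, Element and URL columns through Swing's default label-based cell renderer, which treats any cell text beginning with `<html>` as markup. Those strings presumably originate from the scanned page and the payload file (the code that fills `DomdigVulnerability` is not in this hunk), so they should be displayed as plain text. One line after the table is created would do it: `((JComponent) vulnerabilitieTable.getDefaultRenderer(String.class)).putClientProperty("html.disable", Boolean.TRUE);`, plus the `javax.swing.JComponent` import. Separately, `setTableSorter` builds a `TableRowSorter` but never calls `tbl.setRowSorter(sorter)`, so it currently has no effect; once it is installed, the selection listener needs `convertRowIndexToModel` on the selected row before `getRow`, or the detail fields will show a different finding than the one selected.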
diff --git a/settings.gradle b/settings.gradle
new file mode 100644
index 0000000..c8721bd
--- /dev/null
+++ b/settings.gradle
@@ -0,0 +1,11 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * The settings file is used to specify which projects to include in your build.
+ *
+ * Detailed information about configuring a multi-project build in Gradle can be found
+ * in the user manual at https://docs.gradle.org/7.6/userguide/multi_project_builds.html
+ */
+
+rootProject.name = 'burp-dom-scanner'
+include('lib')