
backslash-powered-scanner's Introduction

backslash-powered-scanner

This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.

For more information, please refer to the whitepaper at http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html

The code can be found at https://github.com/portswigger/backslash-powered-scanner. Contributions and feature requests are welcome.

Changelog

1.21 20211015

  • Support for detecting iterable inputs
  • Support for Burp Suite Enterprise Edition

1.10 20210407

  • Major refactor
  • Support for bulk-scanning
  • Misc bugfixes

1.03 20190814

  • Detect path normalization exploits based on Orange Tsai's research

1.02 20180606

  • Add MD5/SHA-1 lax comparison to magic value attacks
  • Misc bugfixes

1.01 20180509

  • Add 'COM1' Windows reserved filename to magic value attacks
  • Support custom magic value attacks
  • Don't attempt filepath related attacks in the request path

1.0 20180214

  • Provide a configuration dialog

0.91 20170612

  • Detect alternative code paths triggered by keywords like 'null', 'undefined' etc

0.9 20170520

  • Detect JSON Injection and escalate into RCE where possible
  • Detect Server-Side HTTP Parameter Pollution
  • Support bruteforcing backend parameter names
  • Improve evidence clarity and reduce false positives
  • Find vulnerabilities with subtler evidence
  • Detect escape sequence injection
  • Improve LFI detection
  • Misc tweaks, bugfixes and efficiency improvements

0.86 20161004

  • First public release

Installation

This extension requires Burp Suite Pro 1.7.10 or later. To install it, simply use the BApps tab in Burp.

If you want to manually build/install it from source, you'll need to add the following JAR to your libraries: https://commons.apache.org/proper/commons-lang/download_lang.cgi

backslash-powered-scanner's People

Contributors

ahri, albinowax, hannah-portswigger, kingthorin, mike-smith-ps, pajswigger, portswiggersupport, tghosth


backslash-powered-scanner's Issues

Cannot Import Local Build of Extension

(This may be a duplicate of #3, but that user did not leave many details. If these issues end up being the same feel free to close.)

Issue: Current repository cannot be imported to Burp because of a missing resource

Currently, in Utilities.java, line 40 references a resource that is not currently committed to the repository. The resource is named /functions. Code, starting at the bad reference on line 40:

        // getResourceAsStream returns null when "/functions" is not on the classpath;
        // new Scanner((InputStream) null) then throws the NullPointerException shown below
        Scanner s = new Scanner(getClass().getResourceAsStream("/functions"));
        while (s.hasNext()) {
            phpFunctions.add(s.next());
        }

The result is that the Java code compiles and the jar can be built, but when you actually import it into Burp you get this error message:

java.lang.NullPointerException
	at java.io.Reader.<init>(Reader.java:78)
	at java.io.InputStreamReader.<init>(InputStreamReader.java:72)
	at java.util.Scanner.<init>(Scanner.java:563)
	at burp.Utilities.<init>(Utilities.java:40)
	at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:16)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at burp.nie.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

Temporary workaround

In case others are interested, a workaround is to just copy the missing resource from the existing jar from the BApp store and place it in the proper location when building the jar. After doing that I've been able to successfully build the extension and import it into Burp Pro.

I've also created a fork that contains the missing resource and provides a PowerShell build script. Happy to submit a PR if you want to integrate, but this should be enough for now to help people get their local modifications up and running.

Multiple NULL-dereferences

Hello,

I'm having several NULL-derefs on the latest (1.02) Backslash-powered scanner, using also the latest Burp (1.7.35), installed via the automatic installer, on Ubuntu 18.04 LTS.

This log is taken verbatim from Extender -> Backslash powered scanner -> Errors.

	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
java.lang.NullPointerException
	at burp.OfferParamGuess.createMenuItems(BurpExtender.java:355)
	at burp.wcg.a(Unknown Source)
	at burp.m1d.a(Unknown Source)
	at burp.gvh.b(Unknown Source)
	at burp.gvh.a(Unknown Source)
	at burp.uif.a(Unknown Source)
	at burp.uif.mousePressed(Unknown Source)
	at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:280)
	at java.awt.Component.processMouseEvent(Component.java:6530)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4522)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

java.lang.NullPointerException

Hi,
I have an Active Scan running on a single thread; Thorough speed, Minimize false negatives, Use intelligent attack selection. I have most of the Active Scan areas checked. I'm using Burp v1.7.27 Pro on Windows Server 2012 R2, 64-bit Java 1.8.0_112-b15 and Backslash powered scanner v0.91. I can see the following exception in the Errors tab in Extender:

java.lang.NullPointerException
	at burp.OfferParamGuess.createMenuItems(BurpExtender.java:364)
	at burp.ohd.a(Unknown Source)
	at burp.cwd.a(Unknown Source)
	at burp.to.b(Unknown Source)
	at burp.to.a(Unknown Source)
	at burp.q7b.b(Unknown Source)
	at burp.q7b.mouseReleased(Unknown Source)
	at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:290)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

I'm unsure if it causes any problems, or what further information I should provide you, but I just thought I would share what I can to improve this awesome tool :)

usage?

Hi,

where exactly can I use or enable/disable this extension?

The best,
Simon

Support for JSON parameters

Great tool.

Will there be support for JSON endpoints? Scanning with the latest version of the scanner with Burp doesn't issue any request.

java.lang.StringIndexOutOfBoundsException

Backslash powered scanner extender errors page says:
java.lang.StringIndexOutOfBoundsException: begin 1, end 0, length 0
at java.base/java.lang.String.checkBoundsBeginEnd(Unknown Source)
at java.base/java.lang.String.substring(Unknown Source)
at burp.DiffingScan.findReflectionIssues(DiffingScan.java:431)
at burp.FastScan.doActiveScan(BurpExtender.java:105)
at burp.gj2.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Is there any bug?

On MacOS settings window pops up multiple times when using Help->Search

This extension adds only a top-level menu activator instead of creating a submenu. On MacOS it causes the item to activate and show the settings window if other menu is opened and mouse moved over the "Backslash" item or when any text is entered into the Help->Search function. When searching it switches focus to the popup and shows additional popups with subsequent keystrokes which is pretty annoying.

throwing error/ not working

java.lang.UnsupportedClassVersionError: burp/BurpExtender has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at burp.ab2.a(Unknown Source)
at burp.ab2.(Unknown Source)
at burp.cg9.a(Unknown Source)
at burp.exv.lambda$panelLoaded$0(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
The extension could not be loaded because it requires a later version of Java. To use this extension you will need to start Burp with the required or later Java version.

Burps embedded browser is not working

Hello PortSwigger, I am having an on-going problem with my new operating system, Parrot. I am getting many errors related to sandbox issues; here is an example of the kind of error I am receiving.

"net.portswigger.devtools.client.a9: Refusing to start browser as your current configuration does not support running without sandbox" ???

About the installation

Hi there!
Is there some kind of guide/how-to to install/compile this extension on macOS?

Thanks.

Feature request: Support unicode transformations (and especially emojis if you feel funny)

As discussed on https://twitter.com/floyd_ch/status/1561991748682915840

There are certain unicode characters that are sometimes turned into < or " or similar, meaning they are very nice examples of suspicious transformations that Backslash Powered Scanner checks for. Further details:

https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209
https://medium.com/csg-govtech/weaponizing-unicode-for-fun-and-profit-e2ce24d594c6

Apparently there are a couple of pieces of software that behave differently when Unicode is used as well:

https://www.theguardian.com/technology/2014/jun/12/tweetdeck-vulnerability-teen-code-emoji-heart
https://hackerone.com/reports/96337

As far as I see, backslash powered scanner uses \u escapes such as:

https://github.com/PortSwigger/backslash-powered-scanner/blob/master/src/burp/DiffingScan.java#L161

But it does not directly use the "unicode in UTF-8" bytes (starting with something like 0x7f).

I don't have much experience with which unicode chars would be a good start, I actually think it's a blind spot during my testing. So it would be nice if backslash powered scanner provides this.

Extracted from the above links on what I think would be useful:

  • ſ always leads to I if uppercased. Nice to circumvent WAFs.
  • а (U+0430) might lead to "a" or "A" if additionally uppercased. Nice to circumvent WAFs. Looks nearly identical.
  • 👔 (U+1F454) might lead to d”Y’”
  • 💋 might lead to <
  • 💛 might lead to >

Maybe it would make sense to add them as unicode in UTF-8 bytes but maybe also \u escaped?

java.lang.ArithmeticException

Hi,
Usually I see java.lang.NullPointerException, but this time I have many instances of java.lang.ArithmeticException:

java.lang.ArithmeticException: / by zero
	at burp.DiffingScan.findReflectionIssues(DiffingScan.java:425)
	at burp.FastScan.doActiveScan(BurpExtender.java:105)
	at burp.dhd.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

Not sure if the fix was part of #13 or if it is something new entirely, which may impede the scanning.
Thanks

False positives/bad highlighting scanning REST url paths

First of all, let me say I'm super excited about this tool, I really like the approach of just turning up odd transformations/responses for the operator to look at versus going all out to confirm something is an XSS/SQLi or whatnot.

I gave it a whirl on some REST paths and the responses showed promise. I got 'Interesting input handling: Interpolation (percent)' and 'Suspicious input transformation'.

Here is a redacted line of what I was scanning:

GET /api/function/{insertion point 1}/{insertion point 2}/{insertion point 3}/

For the interpolation, in the Request/Response tabs, the wrong parts of the strings are highlighted. Instead of the inserted string, the first 6 chars and the last 6 chars of the injection point are highlighted in the request and response respectively.

For the Suspicious input transformation, again the first part of the injection point and the last part of the injection point, this time up to the insertion of the backslashes, are highlighted.
Also, most of the list of interesting transformations are false positives. For example, the scanner says that \101 => A, but when I try this it is reflected as is. The 'reflection disappeared' results are incorrect, but the truncations are accurate.

Sorry for just making an issue without sending a patch, I don't really know enough Java to see where to start!

java.lang.NullPointerException

I'm using Burp Pro 1.7.33 with Backslash Powered Scanner v1.01 from 16th of May.

I can see the following trace in Errors for the extender:

	at burp.cwb.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.sqf.b(Unknown Source)
	at burp.sqf.mouseReleased(Unknown Source)
	at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:290)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
java.lang.NullPointerException
	at burp.OfferParamGuess.createMenuItems(BurpExtender.java:355)
	at burp.adi.a(Unknown Source)
	at burp.cwb.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.sqf.b(Unknown Source)
	at burp.sqf.mouseReleased(Unknown Source)
	at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:290)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
java.lang.NullPointerException
	at burp.OfferParamGuess.createMenuItems(BurpExtender.java:355)
	at burp.adi.a(Unknown Source)
	at burp.cwb.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.i9i.a(Unknown Source)
	at burp.sqf.b(Unknown Source)
	at burp.sqf.mouseReleased(Unknown Source)
	at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:290)
	at java.awt.Component.processMouseEvent(Component.java:6533)
	at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
	at java.awt.Component.processEvent(Component.java:6298)
	at java.awt.Container.processEvent(Container.java:2236)
	at java.awt.Component.dispatchEventImpl(Component.java:4889)
	at java.awt.Container.dispatchEventImpl(Container.java:2294)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
	at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
	at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
	at java.awt.Container.dispatchEventImpl(Container.java:2280)
	at java.awt.Window.dispatchEventImpl(Window.java:2746)
	at java.awt.Component.dispatchEvent(Component.java:4711)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
	at java.awt.EventQueue$4.run(EventQueue.java:731)
	at java.awt.EventQueue$4.run(EventQueue.java:729)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

Is it possible to fix this issue, so it wouldn't throw exceptions?
Thanks

False positive when checking URL section?

Hi James,

On a couple of scans now, I have seen it return me:

Interesting input handling: File Path Manipulation
Successful probes:

  • File Path Manipulation (./../ vs ./z/../)

It has been run on GET /api/v1/valid_API and it has sent GET /api/v1/./../valid_API which returns a 404 because that API does not exist there and then it sends GET /api/v1/./z/../valid_API which has responded with a 200, presumably because the server is cancelling out the z and the .. which seems sensible.

Is this a false positive or am I targeting the scan incorrectly?

Cheers :)

Do not do File Path Manipulation to URL file path

Servers usually do URL path normalization, which means a URI in HTTP such as http://example.com/test/../index.php is equivalent to http://example.com/index.php as specified in https://tools.ietf.org/html/rfc3986#section-5.2.4

You usually don't see this in browsers as they will normalize before sending the URL to the server. However, in burp you obviously can.

Let's say the plugin sees the following URL:
http://example.com/a/index.php

This plugin does the following tests:
http://example.com/a/./../index.php (not equivalent after server-side normalization: searching in web root)
http://example.com/a/./z/../index.php (equivalent to the original URL after server-side normalization)

There is little benefit in doing this, as this will simply test if there is an index.php in the web root directory and compare it to the original response for the URL. This produces a lot of false positives.

Even worse, when the original URL is http://example.com/index.php, http://example.com/./../index.php results in a 400 Bad Request in Apache (can you confirm?).

I suggest you either don't do the file manipulation tests in the URL path (however, this would require more testing, as normalization should take place on the server side) or change the Confidence of the finding to Tentative and Severity to Low when doing File Path Manipulation in URL paths.
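The normalization this comment relies on, as an added example that is not part of the extension: the RFC 3986 section 5.2.4 remove_dot_segments algorithm, run over the two probe paths described above. It shows that for a path under a subdirectory the two probes resolve to different resources by normalization alone, so a response difference is expected without any vulnerability, while the web-root case tries to climb above the root instead (the function names and the probe-building helper are this example's own).

```python
"""RFC 3986 5.2.4 remove_dot_segments applied to the scanner's probe pair.
Constructed example; not code from backslash-powered-scanner."""


def _remove_dot_segments(path: str) -> tuple[str, bool]:
    """Return (normalized_path, tried_to_climb_above_root)."""
    inp, out, above_root = path, [], False
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = inp[3:] if inp.startswith("/../") else "/"
            if out:
                out.pop()
            else:
                above_root = True  # ".." with no segment left to remove
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/") to the output.
            nxt = inp.find("/", 1 if inp.startswith("/") else 0)
            nxt = len(inp) if nxt == -1 else nxt
            out.append(inp[:nxt])
            inp = inp[nxt:]
    return "".join(out), above_root


def normalize(path: str) -> str:
    return _remove_dot_segments(path)[0]


def climbs_above_root(path: str) -> bool:
    return _remove_dot_segments(path)[1]


def probe_pair(path: str) -> dict:
    """Build the two probes from the issue by inserting the sequence before
    the final segment, then normalize each as an RFC-compliant server would."""
    head, _, last = path.rpartition("/")
    probes = {"dotdot": f"{head}/./../{last}", "dotdot_z": f"{head}/./z/../{last}"}
    return {name: normalize(p) for name, p in probes.items()}


def differential_expected(path: str) -> bool:
    """True when normalization alone sends the first probe elsewhere and the
    second back to the original, i.e. the scanner's signal needs no bug."""
    n = probe_pair(path)
    return n["dotdot"] != path and n["dotdot_z"] == path
```

For /api/v1/valid_API from the earlier report, `probe_pair` yields /api/valid_API and /api/v1/valid_API, which is exactly the 404-versus-200 pair the reporter observed.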
