
mywebappscripts's Introduction

This ReadMe is just a list of the Burp extensions and other scripts I have here. For details look at the file extensions_brief_summary or download the code itself :)

1. Search and fuzz all valid directories on a website
2. Detect CSRF tokens in requests
3. Detecting invalid Referers in case a Referer is used for protecting against CSRF
4. Download all JS files on a site
5. Record all cookies and their attributes
6. Record third party referers
7. Identify candidates for URL redirection, LFI and RFI
8. Detect version information leakage in headers or response bodies
9. Remove session cookie and reissue request to check Direct requests
10. Test PUT and DELETE on every single directory that you browse
11. Scan all SSL hosts in Proxy history
12. A couple of per_request_decoders of key parts of the request.
13. Extension which makes Direct requests as a request appears in Proxy History
14. Make requests without some cookies to identify which cookie is useful
15. Fuzz the antiCSRF token to check if random tokens are valid
16. One click to set positions for requests in Intruder
17. Toggle request method for every request and see if anything changes
18. Clickjacking POC generator
19. Wrapper to try and fuzz file upload features

Other scripts/tools/fuzz lists/misc :)

1. Request every single HTTPS request over HTTP
2. Custom fuzzing lists for specific situations
3. Code for all extensions has been modularized. List of functions in modules is present in modules/modules_functions_readme

Tips:
1. On Windows, use doubled backslashes when configuring your modules path. Every extension needs this: as of now, extensions search for webcommon.py inside a directory called 'modules', which is in the same directory as all the Burp Extensions. An example would be C:\\tools\\extensions\\modules\\. A single slash is enough for Linux systems.

2. Some extensions work best as you browse the application. Others work best when the entire application is browsed and you have all your requests inside Burp's history. Refer to the file 'scripts_brief_summary' before starting to work.

mywebappscripts's People

Contributors

arvinddoraiswamy

mywebappscripts's Issues

Recursive loop starts when download js files extension runs

Load downloadjsfiles extension. Download JS file. Browser never loads file and makes a huge number of requests instead for that file. Wget or Curl inside the extension also make a huge number of calls. No clue why :-o . Weird bug as there are no loops inside the file either.

Unable to add csrf token detect script to latest version of Burp

I cannot add the csrf_token_detect.py script to the latest version of Burp. It returns errors and fails.


SyntaxError: Non-ASCII character in file '/home/anandu/Burp/csrf_token_detect.py', but no encoding declared; see http://www.python.org/peps/pep-0263.html for details

    at org.python.core.Py.SyntaxError(Py.java:198)
    at org.python.core.ParserFacade.fixParseError(ParserFacade.java:105)
    at org.python.core.ParserFacade.parse(ParserFacade.java:190)
    at org.python.core.Py.compile_flags(Py.java:1956)
    at org.python.core.__builtin__.execfile_flags(__builtin__.java:527)
    at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:286)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at burp.gtd.<init>(Unknown Source)
    at burp.dze.a(Unknown Source)
    at burp.k1e.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)

Could you please check and revert?

By the way, many thanks for putting in the effort on these scripts.

.jsp extension gets ignored by CSRF token detector

Since .js files do not need a CSRF token I had added them to the excluded extensions array. But that caused .jsp to get ignored too. Need to improve regex.

Also make excluding extensions case insensitive.
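
The failure mode described in this issue, as an added example that is not the project's code: a loose extension match silently skips `.jsp` requests, so they are never checked for a CSRF token, while an exact, case-insensitive comparison on the last path segment does not. The exclusion list, function names and sample URLs are assumptions constructed for illustration; the extension's real array and regex are not shown on this page.

```python
import posixpath
import re

try:
    from urllib.parse import urlsplit  # Python 3
except ImportError:
    from urlparse import urlsplit  # Python 2 / Jython, as used for Burp extensions

# Hypothetical exclusion list; the extension's real array is not shown on this page.
EXCLUDED_EXTENSIONS = frozenset(["js", "css", "png", "gif"])


def loose_is_excluded(url):
    """Unanchored, case-sensitive match: the kind of check the issue describes."""
    pattern = r"\.(" + "|".join(sorted(EXCLUDED_EXTENSIONS)) + ")"
    return re.search(pattern, url) is not None


def is_excluded(url):
    """Compare the exact, lower-cased extension of the last path segment."""
    path = urlsplit(url).path                # drops query string and fragment
    segment = path.rsplit("/", 1)[-1]        # last path segment only
    segment = segment.split(";", 1)[0]       # drops ;jsessionid=... parameters
    ext = posixpath.splitext(segment)[1]     # ".jsp", ".JS" or ""
    return ext[1:].lower() in EXCLUDED_EXTENSIONS


# Constructed sample URLs (not taken from the project or the issue).
SAMPLES = [
    "https://shop.example.test/static/app.js",
    "https://shop.example.test/account/transfer.jsp",
    "https://shop.example.test/static/APP.JS?v=3",
    "https://shop.example.test/transfer?next=/a.js",
    "https://shop.example.test/login.jsp;jsessionid=ABC123",
]


def compare(urls=SAMPLES):
    """Return (url, loose_result, strict_result) for each URL."""
    return [(u, loose_is_excluded(u), is_excluded(u)) for u in urls]


if __name__ == "__main__":
    for url, loose, strict in compare():
        print("%-55s loose=%-5s strict=%s" % (url, loose, strict))
```

Any URL where the two columns differ is either a state-changing request the loose check would have skipped or a static file it would have flagged needlessly.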

Fix HTTP methods script

Fix the curl command and print correct values. Also ensure that only hosts within scope are scanned.

Direct request crashes once in a way

BurpExtensions/direct_request.py", line 36, in processProxyMessage
request_byte_array,flag = BurpExtender.remove_sessioncookie_from_request(self,messageIsRequest,message)
TypeError: 'NoneType' object is not iterable

Duplicate JS files

The download JS files extension dumps duplicate files into the selected directory. Check for existence of files before dumping.
