ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it adds checks for the following issues:
- Host header attacks (password reset poisoning, cache poisoning, DNS rebinding)
- OS command injection (designed to complement Burp's coverage)
- CVE-2014-6271/CVE-2014-6278 'shellshock' and CVE-2015-2080
Rather than risking numerous false negatives by attempting to automate Relative Path Overwrite and Host header attacks from start to finish, it identifies key vulnerability components and flags these for user review.
Burp Suite Professional (version 1.6 or later) Jython 2.5 or later standalone: http://www.jython.org/downloads.html
- 'Extender'->'Options'
- Click 'Select file' under 'Python environment'
- Choose jython-standalone-2.5.jar
- 'Extender'->'Extensions'
- Click 'Add'
- Change 'Extension Type' to Python
- Choose activeScan++.py
- Done!
To invoke these checks, just run a normal active scan. The Relative Path Overwrite check is part of the passive scanner and always active.
The host header checks tamper with the host header, which may result in requests being routed to different applications on the same host. Exercise caution when running this scanner against applications in a shared hosting environment.
The extension's 'Errors' tab may print 'java.lang.NullPointerException: Request cannot be null.' during active scans. This is a currently unavoidable side effect of the host header attacks, and has no actual impact on the scanner's effectiveness.
1.0.10 - 20150327
- Add test for ruby open() exploit - see http://sakurity.com/blog/2015/02/28/openuri.html
- Assorted minor tweaks and fixes
1.0.9 - 20150225
- Add tentative test for CVE-2015-2080
- Remove dynamic code injection and RPO checks - these are now implemented in core Burp
- Provide a useful error message when someone foolishly tries using Jython 2.7 beta
1.0.8 - 20141001
- Add tentative test for CVE-2014-6278
1.0.7 - 20140926
- Tweak test for CVE-2014-6271 for better coverage
1.0.6 - 20140925
- Add a test for CVE-2014-6271
1.0.5 - 20140708
- Add compatibility for Jython 2.5 (stable)
- Improve cache poisoning detection
- Add a cachebust parameter to prevent accidental cache poisoning
- Misc. bugfixes
1.0.4 - 20140616
- Prevent RPO false positives by checking page's DOCTYPE
- Reduce host header poisoning false negatives
1.0.3 - 20140523
- Prevent duplicate issues when saving/restoring state
- Refactor: the passive scanner is now almost extensible
- Improve expression language injection detection
- Improve RPO regex
1.0.2 - 20140424
- Thread safety related bugfixes
1.0.1 - 20140422
- Minor bugfixes
1.0:
- Release