https://github.com/allfro/dotNetBeautifier

A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE).
https://github.com/allfro/dotNetBeautifier

Last synced: about 1 month ago
JSON representation

A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE).

• Host: GitHub
• URL: https://github.com/allfro/dotNetBeautifier
• Owner: allfro
• Created: 2014-03-11T17:08:56.000Z (almost 11 years ago)
• Default Branch: master
• Last Pushed: 2015-06-29T23:22:14.000Z (over 9 years ago)
• Last Synced: 2024-08-02T00:22:58.802Z (4 months ago)
• Language: Java
• Size: 144 KB
• Stars: 12
• Watchers: 5
• Forks: 14
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-burp-extensions - .NET Beautifier - A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE). (Beautifiers and Decoders)

README

        
About

-----

Have you ever pen-tested a .NET app and found that it has all sorts of ugly parameter names

(i.e. ctl0$blah$foo$VeryLongLine)? Sometimes these parameters can be pages long (i.e. __VIEWSTATE). Have you felt

like tearing your hair out because you can't even read the whole parameter name and see what it's corresponding value 

is in your small screen at a client site? Don't you wish you could only focus on the meat of the request?

Well cry no more! This tool is about bringing awesome back to pen-testing .NET apps. It makes requests like this:

```

POST /Default.aspx HTTP/1.1

Host: annoying-web-app

Referer: https://annoying-web-app/Default.aspx

Cookie: ASP.NET_SessionId=zprxqvwll4yoi0gbeactgzdd

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1903

__VIEWSTATE=%2oiAIHfiohsdoigjKLASgjghajklgjSDGsjdglSDJg9SDJGsdgjSGJDDSasdfja9sdjfasdfja0sdfjasd53j5235923nf9ja9fsdjfajsD

... [1000 lines later] ...

&ctl00%24ctl00%24InnerContentPlaceHolder%24Element_42%24ctl00%24FrmLogin%24TxtUsername_internal=username&ctl00%24ctl00%2

4InnerContentPlaceHolder%24Element_42%24ctl00%24FrmLogin%24TxtPassword_internal=password&ctl00%24ctl00%24InnerContentPla

ceHolder%24Element_42%24ctl00%24BtnLogin=Login

```

Look like this:

```

POST /Default.aspx HTTP/1.1

Host: annoying-web-app

Referer: https://annoying-web-app/Default.aspx

Cookie: ASP.NET_SessionId=zprxqvwll4yoi0gbeactgzdd

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1903

X-dotNet-Beautifier: 259; DO-NOT-REMOVE

__VIEWSTATE=&TxtUsername_internal=username&TxtPassword_internal=password&BtnLogin=Login

```

All **without** compromising the integrity of the outgoing message so you can alter the values of the parameters you

want to target *without losing your mind*! Better yet, you can send "beautified" messages to other tools within Burp and

the outgoing messages will get automatically transformed back into what the web app expects from us.

**WAWAWEWA!**

Requirements

------------

You'll need the following to get started:

- the latest version of BurpSuite versions 1.6 or later.

- a positive attitude!

Help!

-----

This is still a work in progress so their may be a few bugs I haven't hammered out.