Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/righettod/burp-piper-custom-scripts

Custom scripts for the PIPER Burp extensions.
https://github.com/righettod/burp-piper-custom-scripts

burpsuite pentesting piper web

Last synced: about 2 months ago
JSON representation

Custom scripts for the PIPER Burp extensions.

Awesome Lists containing this project

README

        

> 🚨 Project was stopped to move to [Burp BCheck](https://portswigger.net/burp/documentation/scanner/bchecks) build-in feature.

![code_static_analysis_and_os_compatibility_tests](https://github.com/righettod/burp-piper-custom-scripts/workflows/code_static_analysis_and_os_compatibility_tests/badge.svg?branch=main)

# Objective

Centralize and share all my custom scripts to be used with the [PIPER](https://portswigger.net/bappstore/e4e0f6c4f0274754917dcb5f4937bb9e) Burp extension.

[Documentation](https://blog.silentsignal.eu/2020/03/27/unix-style-approach-to-web-application-testing/) of the extension.

# Runtime requirements

> :information_source: Reduced to the minimal ones needed, see file [requirements.txt](requirements.txt) for details.

Python >= **3.9** needed and in `PATH`.

```powershell
PS> python --version
Python 3.9.7
```

# Compatibility tests

This [GitHub action workfow](.github/workflows/static_code_analysis.yml) validate that all scripts are compatible with Python `3.9`, `3.10` on `Windows`, `Mac` and `Linux` OS.

# Embedding of this collection of scripts into the PIPER source repository

This [topic](https://github.com/silentsignal/burp-piper/issues/8) is pending on the PIPER's author side. Once ready, this repository will be merged.

# IDE

[Visual Studio Code](https://code.visualstudio.com/) with [Python extension provided by Microsoft](https://marketplace.visualstudio.com/items?itemName=ms-python.python) is used to develop the scripts.

[Project workspace file](project.code-workspace) has been configured to trigger the installation of required code analysis modules and analysis profile is defined in the workspace settings area.

[Debug configuration](.vscode/launch.json) was provided to debug a python script.

# Structure

Each script describes its goal in its header, for which PIPER tools is targeted to be used and instruction regarding if HTTP headers must be passed as well as filter to define:

```text
"""
PIPER script to ...
Target tool: [PIPER_TOOL]
[INSTRUCTION_IF_HTTP_HEADERS_MUST_BE_PASSED]
[FILTER_NEEDED_TO_BE_DEFINED]
"""
```

# Overview of the scripts behavior

## detect-non-standart-headers

Add a comment to the matching line in the proxy tab for every response containing non-standart HTTP headers.

![detect-non-standart-headers](images/detect-non-standart-headers.png)

## detect-request-to-web-api

Highlight the matching line in the proxy tab for every request that is made to a web api.

![detect-request-to-web-api](images/detect-request-to-web-api.png)

## extract-web-api-endpoints

Extract all API endpoints (*and URL like because it is hard to really identify if a URL is an API endpoint or not from a static point view*) from a JS script content obtained from a HTTP response.

![extract-web-api-endpoints](images/extract-web-api-endpoints.png)

## extract-html-metadatas

Extract interesting information from HTML META tags from a HTTP response. Mainly used to quickly identify which products/tools was used to build the site/application.

![extract-html-metadatas](images/extract-html-metadatas.png)

## detect-response-with-errors-disclosure

Detect HTTP responses containing a strack trace. Mainly used to quickly identify pages disclosing technical information via stack traces.

![detect-response-with-errors-disclosure](images/detect-response-with-errors-disclosure.png)

## extract-jwt-tokens

> :dart: This script was created in order to avoid the need to use another [extensions](https://portswigger.net/bappstore) or the [decoder](https://portswigger.net/burp/documentation/desktop/tools/decoder) to just see the content of the token.

Extract and pretty-display all [JWT](https://jwt.io/introduction) tokens present in an HTTP response.

![extract-jwt-tokens](images/extract-jwt-tokens.png)

## extract-blazor-webassembly-assemblies

> :dart: Just copy/paste the script section in a `ps1` / `sh` file and execute it to retrieve all the assemblies.

Extract the collection of assemblies from a HTTP response describing the assemblies used by a [Blazor WebAssembly](https://blazor-university.com/overview/blazor-hosting-models/) application.

A script to download all the assemblies, is generated in the same time:

* For Windows is PowerShell.
* For other is Bash.

![extract-blazor-webassembly-assemblies](images/extract-blazor-webassembly-assemblies.png)

## extract-uuid-infos

> :clap: Inspired from this [project](https://github.com/silentsignal/burp-uuid) so, credits goes first to it!

Extract the collection of [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) present in a HTTP response and then, depending on the version of UUID, extract the infos for each of them.

![extract-uuid-infos](images/extract-uuid-infos.png)

Sources:

* [How secure are your Universally Unique IDentifiers?](https://versprite.com/blog/universally-unique-identifiers/)
* [Not so unique snowflakes](https://blog.silentsignal.eu/2017/02/17/not-so-unique-snowflakes/).
* [UUID versions explained](https://www.uuidtools.com/uuid-versions-explained).
* [POC "Sandwich Attack: A New Way Of Brute Forcing UUIDs"](https://gist.github.com/righettod/45d59e1d8eb83fe351a9e9aafb37f91f).

## extract-spa-unsafe-patterns

Extract all occurences of unsafe patterns used in a [Single Page Application](https://en.wikipedia.org/wiki/Single-page_application) (SPA) main JS bundle file.

The objective is to quickly spot if framework built-in security features are disabled or if unsafe code patterns are used in order to identify potential attack vectors on the client side.

![extract-spa-unsafe-patterns](images/extract-spa-unsafe-patterns.png)

## extract-spa-low-hanging-fruits

Extract elements from a [Single Page Application](https://en.wikipedia.org/wiki/Single-page_application) (SPA) html files and main JS bundles that can be interesting from security point of view.

The objective is to quickly spot interesting low-level issues than can used as foundation to discover more critical issues.

![extract-spa-low-hanging-fruits](images/extract-spa-low-hanging-fruits.png)

![extract-spa-low-hanging-fruits](images/extract-spa-low-hanging-fruits2.png)

## extract-saml-response-infos

> :dart: This script was created in order to avoid the need to use another [extensions](https://portswigger.net/bappstore) or the [decoder](https://portswigger.net/burp/documentation/desktop/tools/decoder) to just see the content of the SAML response.

Extract and pretty-display information from a [SAML response](https://auth0.com/blog/how-saml-authentication-works/) present in an HTTP response.

![extract-saml-response-infos](images/extract-saml-response-infos.png)

## extract-saml-request-infos

> :dart: This script was created in order to avoid the need to use another [extensions](https://portswigger.net/bappstore) or the [decoder](https://portswigger.net/burp/documentation/desktop/tools/decoder) to just see the content of the SAML request.

Extract and pretty-display information from a [SAML request](https://auth0.com/blog/how-saml-authentication-works/) present in an HTTP request.

![extract-saml-request-infos](images/extract-saml-request-infos.png)

# Configuration

> :warning: Change the script location path defined in **prefix** field for all custom scripts **before** to import the configuration.

> After the import, do not forget to enable the scripts because they are all disabled by default by the import command.

> For **Highlighters**, the color can be changed before the import by changing the **color** field to one constants supported by PIPER/BURP.

The file [piper-config.yaml](piper-config.yaml) contains the complete configuration that I use for all my custom scripts.