Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/silentsignal/burp-image-size
Image size issues plugin for Burp Suite
https://github.com/silentsignal/burp-image-size
burp imagetragick
Last synced: about 2 months ago
JSON representation
Image size issues plugin for Burp Suite
- Host: GitHub
- URL: https://github.com/silentsignal/burp-image-size
- Owner: silentsignal
- License: mit
- Created: 2016-02-10T14:29:09.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2018-06-27T11:06:15.000Z (about 6 years ago)
- Last Synced: 2024-05-09T00:04:50.193Z (4 months ago)
- Topics: burp, imagetragick
- Language: Java
- Homepage: https://blog.silentsignal.eu/2016/02/10/youre-not-looking-at-the-big-picture/
- Size: 73.2 KB
- Stars: 92
- Watchers: 17
- Forks: 32
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
README
Image size issues for Burp Suite
================================[![Build Status](https://travis-ci.org/silentsignal/burp-image-size.svg?branch=master)](https://travis-ci.org/silentsignal/burp-image-size)
When serving image assets, many web developers find it useful to have a
feature that scales the image to a size specified in a URL parameter.
Such functionality can not only be used for scaling images **down** but
also making them huge, this leads to Denial of Service (DoS). This Burp
plugin that can be loaded into Extender, and passively detects if the
size of an image reply is included in the request parameters.In active scanning mode, it also detects [ImageTragick](https://imagetragick.com/)
(CVE-2016–3714) based on timing and using Collaborator.Read more in [our blog post about this plugin](https://blog.silentsignal.eu/2016/02/10/youre-not-looking-at-the-big-picture/)
Building
--------- (For testing) install JUnit, put the JARs into `lib`
- Execute `ant`, and you'll have the plugin ready in `burp-image-size.jar`Dependencies
------------- JDK 1.6+ (tested on OpenJDK 6 and Oracle JDK 7 + 8, recommended Debian/Ubuntu package: `openjdk-8-jdk`)
- Apache ANT (Debian/Ubuntu package: `ant`)
- JUnit 4+ (only required for testing)License
-------The whole project is available under MIT license, see `LICENSE.txt`.