TrustedSec - Prepare to Write A Scanner Plugin Before Your Next Platform Test!
BurpSuite is a remarkably extensible platform. While I have written a number of extensions for testing specific applications, as well as more general extensions, one type of extension I had never attempted before was creating my own BurpSuite Scanner plugin.
Because modern applications are increasingly difficult to exhaustively test for certain types of issues, I thought it might be worth implementing a scanner plugin. In the days when everything used server-side templates, we could design a payload we wanted to inject and it may have gone into a header directly. It could also be that we needed to URL encode the payload and start copy/pasting it into query strings or POST body parameters, moving through them all quickly.
With today’s applications, especially those that have grown organically as technology has shifted, it tends to be difficult to try a specific payload on all the insertion points. We are faced with a mixture of URL encoded parameters, JSON, SOAP XML, and sometimes nested things such as URL encoded JSON in POST parameters. Let’s consider the POST body below.
Thing1=someValue&Thing2=%7B%22param1%22%3A%22foo%22%2C+%22param2%22%3A%22bar%22%2C+%22param4%22%3A%22baz%22%7D
Suppose this application allows some type of server-side template processing on some resources and we want to find out if it can be used on others. Assume we know that if templates are processed, and injection is present, a payload of would return something like ‘8.5.60’ as a string.
To be thorough, this is the process I need to follow:
- Submit my payload as the entire body
- Submit my payload URL encoded as the entire body
- %7B%7B+%24Objects.getServiceVersion%28%29+%7D%7D
- x=%7B%7B+%24Objects.getServiceVersion%28%29+%7D%7D
- Try it as parameter values for Thing1 and Thing1
- Thing1=%7B%7B+%24Objects.getServiceVersion%28%29+%7D%7D& Thing2=%7B%22param1%22%3A%22foo%22%2C+%22param2%22%3A%22bar%22%2C+%22param4%22%3A%22baz%22%7D
- Thing1=someValue&Thing2=%7B%7B+%24Objects.getServiceVersion%28%29+%7D%7D
- Try it as each of the JSON values param1, param2, param3
- %7B%22param1%22%3A%22%7B%7B+%24Objects.getServiceVersion%28%29+%7D%7D%22%2C+%22param2%22%3A%22bar%22%2C+%22param4%22%3A%22baz%22%7D
- …
- …
Are you tired yet? I know I am, and this one was easy. This did not even have content that had to be escaped for a JSON string. We did not have to deal with XML either. Oh, but wait, we still have to eyeball or search all those responses for ‘8.5.60’.
The good news is that we have a tool in BurpSuite’s Scanner that already knows how to do everything we need to do. It can locate the insertion points, including the nested ones, even to an arbitrary depth. Additionally, it can perform all the correct encoding in the correct order so we do not have deal with that tedious error-prone task. With little more than the contribution of regex pattern on our part can watch for the tells. BurpSuite’s extender documentation is pretty good as far as each interface goes, but understanding how they relate to one another in Scanner took me some time.
There are six Scanner-related interfaces that you can implement or extend. These are IScanIssue, IScanQueueItem, IScannerCheck, IScannerInsertionPoint, IScannerInsertionPointProvider, and IScannerListener. Again, this a lot of complexity that offers wonderful flexibility when needed, but it is a lot to process when you are just looking to solve a problem quickly. Fortunately, as long the application you are testing sticks to normal exchange formats (XML, JSON, traditional HTTP form encodings, etc.), there are only two of these interfaces to be concerned with – IScannerCheck and IScanIssue.
The IScanIssue interface is pretty straightforward. The concreate class we create is basically going to be a bag of properties that, among other things, includes the name of our issue, its severity, a confidence value, and various strings we want to have presented if BurpSuite’s reporting features are used. Your Scanner check will return instances of this class.
IScannerCheck is the interface that, when implemented, is the meat of your Scanner issue. It will receive instances of classes implementing the IScannerInsertionPoint interface, which it will complete with payloads, generate http requests from, and finally examine the responses.
I have created a rough template for implementing a Scanner check in Ruby, as that is simpler than Java for iteratively tweaking and editing. I have stuck to the Java-like naming and calling of things for the most part, however.
require 'java' java_import 'burp.IExtensionHelpers' java_import 'burp.IBurpExtender' java_import 'burp.IScannerCheck' java_import 'burp.IScanIssue' java_import 'burp.IScannerInsertionPoint' module BURPMethods def self.included(base) base.send(:include,InstanceMethods) base.extend(StaticMethods) end module InstanceMethods def method_missing(method, *args, &block) if self.class.helpers.respond_to? method self.class.helpers.send(method, *args, &block) elsif self.class.callbacks.respond_to? method self.class.callbacks.send(method, *args, &block) else raise NoMethodError, "undefined method `#{method}` for #{self.class.name}" end end def respond_to?(method, include_private = false) super || self.class.callbacks.respond_to?(method, include_private) || self.class.helpers.respond_to?(method, include_private) end end module StaticMethods def callbacks=(callbacks) @callbacks = callbacks @helpers = @callbacks.getHelpers end attr_reader :callbacks attr_reader :helpers end end class MyScannerCheck include IScannerCheck include BURPMethods INS_PARAM_URL = 0x00 INS_PARAM_BODY = 0x01 INS_PARAM_COOKIE = 0x02 INS_PARAM_XML = 0x03 INS_PARAM_XML_ATTR = 0x04 INS_PARAM_MULTIPART_ATTR = 0x05 INS_PARAM_JSON = 0x06 INS_PARAM_AMF = 0x07 INS_HEADER = 0x20 INS_URL_PATH_FOLDER = 0x21 INS_PARAM_NAME_URL = 0x22 INS_PARAM_NAME_BODY = 0x23 INS_ENTIRE_BODY = 0x24 INS_URL_PATH_FILENAME = 0x25 INS_USER_PROVIDED = 0x40 INS_EXTENSION_PROVIDED = 0x41 INS_UNKNOWN = 0x7f EXISTING_ISSUE = -1 NEW_ISSUE = 1 BOTH_ISSUES = 0 IDX_START = 'TS_ASDF' IDX_END = 'TS_LKJH' INJECT = "${'#{IDX_START} ' YOUR_PAYLOAD_HERE ' #{IDX_END}'}" def doPassiveScan(baseRequestResponse) nil #Will not be able to spot the issue on a passive scan end def doActiveScan(baseRequestResponse, insertionPoint) issues = Array.new #return issues if insertionPoint.getInsertionPointType() == 0x21 checkRequest = insertionPoint.buildRequest(stringToBytes(INJECT)); checkRequestResponse = makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest) response = bytesToString(checkRequestResponse.getResponse()).to_s #Get a Ruby String index_start = response.index IDX_START index_end = response.index IDX_END if index_start issue = MyScannerIssue.new issue.setHttpService(baseRequestResponse.getHttpService()) issue.setURL(analyzeRequest(baseRequestResponse).getUrl()) issue.setHTTPMessages([applyMarkers(checkRequestResponse, requestHighlights, nil)]) issues << issue end issues end def consolidateDuplicateIssues(existingIssue, newIssue) return EXISTING_ISSUES if existingIssue == newIssue BOTH_ISSUES end end class MyScannerIssue include IScanIssue attr_accessor :getURL alias_method :setURL, :getURL= alias_method :getUrl, :getURL alias_method :setUrl, :setURL attr_reader :getConfidence attr_accessor :getHttpMessages alias_method :setHTTPMessages, :getHttpMessages= attr_accessor :getHttpService alias_method :setHttpService, :getHttpService= def ==(v) false #Right now never match so will report all issues; but we can put sensible looking logic elsewhere end alias_method :eql?, :== def initialize @getConfidence = 'Tentative' end def setConfidence(c) case c when :certain @getConfidence = 'Certain' when :firm @getConfidence = 'Firm' when :tentative @getConfidence = 'Tentative' else 'Tentative' end end alias_method :getConfidence=, :setConfidence def getIssueBackground 'https://telekomsecurity.github.io/2018/07/servicenow-privilege-escalation.html' end alias_method :getIssueDetail, :getIssueBackground def getRemediationBackground 'Contact ServiceNow' end alias_method :getRemediationDetail, :getRemediationBackground def getIssueName ‘Script Injection' end def getIssueType 0xFF000000 end def getSeverity 'High' end end class BurpExtender include IBurpExtender ExtensionName = 'YOUR EXTENSION NAME Scanner' def registerExtenderCallbacks(callbacks) ObjectSpace.each_object(Class).select {|klass| klass < BURPMethods }.each do |kklass| kklass.callbacks = callbacks end callbacks.setExtensionName ExtensionName callbacks.registerScannerCheck(MyScannerCheck.new) end end
Here is a quick explanation of what is going on here – the first thing to look at is the BurpExtender class. Every extension has to implement this and BurpSuite will trigger the registerExtenderCallbacks method when it loads the extension. This method does a few things. It first obtains the callbacks object. This object gives access to BurpSuite’s helper functions and network methods such as makeHTTPRequest, stringToBytes, etc. The ObjectSpace call identifies any user classes that have been created and that have the BURPMethods module in their inheritance tree and assigns a reference to the callbacks object as a class variable. The BURPMethods module is a quick way to leverage Ruby’s metaprogramming method lookup overrides to make the important BurpSuite methods available without passing the callbacks object around in method signatures or having long chains of receivers. This means the ScannerCheck implementation and any other classes that might be defined can get straight to business, abstracting away some BurpSuite’s object hierarchy.
MyScannerIssue is basically just a bag of values for BurpSuite’s reporting and dashboard functions and does not require much explanation. The sample here hardcodes some things like severity because of the targeted way I have been utilizing custom scan issues, but it certainly could make these properties as well.
MyScannerIssue::doActiveScan is where things get interesting. A base request and an insertionPoint are passed into the method. The first thing we do is create an empty array. The API expects us to return an array of zero or more ScannerIssue objects. It may be preferrable to skip testing for certain types of insertion points and return an empty array early. These are the defined constants in the sample class and can be compared against the return value of getInsertionPointType on the insertionPoint object. As an example, it may not make sense to test certain types of injection payloads in locations such as URL path components part of a REST API. The insertionPoint.buildRequest method enables the raw payload we want to send to be encoded and inserted into the request. Next, MakeHTTPRequest is used to send the newly formed request to the same HTTPService as the base request. After that, we obtain the response object from the RequestResponse object and convert its bytes first to a Java string with BurpSuite’s helper method and finally to a Ruby string with call to to_s.
At this point, you are really on your own. You need to inspect the response for whatever indication there is that an issue is likely present. If something is found, create a new instance of your ScannerIssue class, fill out the values, and append it to the issues array. Finally, return the array. That is all there is to it. Not hard after all, despite the number of Scanner interfaces in the BurpSuite API.
Now, all that is left to do is to register the new extension on the Extender tab.
If you have not used JRuby extensions before, you might need to pay the Extender -> Options tab a visit and set the JRuby JAR file. You can obtain it from https://www.jruby.org. If you do not want to set up a complete JRuby environment, you can download one of the JRuby-complete jars, which includes the Ruby standard library in the JAR and will provide you with all the functionality needed for Scanner extensions.
Now, all that is left is to get scanning and watch the findings roll in on the dashboard!
The post Prepare to Write A Scanner Plugin Before Your Next Platform Test! appeared first on TrustedSec.
from TrustedSec https://www.trustedsec.com/blog/prepare-to-write-a-scanner-plugin-before-your-next-platform-test/
Comments
Post a Comment