diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..28e7976 --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +build +gradle +.gradle +.idea + diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..b1df13f --- /dev/null +++ b/build.gradle @@ -0,0 +1,21 @@ +plugins { + id 'java' +} + +repositories { + mavenCentral() +} + +dependencies { + implementation 'net.portswigger.burp.extender:burp-extender-api:2.3' + testImplementation files('/home/kali/BurpSuitePro/burpsuite_pro.jar') +} + +test { + useJUnitPlatform() +} + +compileJava { + targetCompatibility '15' + sourceCompatibility '15' +} \ No newline at end of file diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..1b6c787 --- /dev/null +++ b/gradlew @@ -0,0 +1,234 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..ac1b06f --- /dev/null +++ b/gradlew.bat @@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..a42619a --- /dev/null +++ b/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'host_header_inchecktion' + diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java new file mode 100644 index 0000000..41b20b3 --- /dev/null +++ b/src/main/java/burp/BurpExtender.java @@ -0,0 +1,18 @@ +package burp; + +import java.io.PrintWriter; + +public class BurpExtender implements IBurpExtender { + + @Override + public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { + callbacks.setExtensionName("Host Header Inchecktion"); + var stdout = new PrintWriter(callbacks.getStdout(), true); + + var menu = new HostHeaderInchecktionMenu(new HostHeaderAttackExecutor(callbacks)); + callbacks.registerContextMenuFactory(menu); + + stdout.println("Host Header Inchecktion loaded."); + } + +} diff --git a/src/main/java/burp/HostHeaderAttack.java b/src/main/java/burp/HostHeaderAttack.java new file mode 100644 index 0000000..e798191 --- /dev/null +++ b/src/main/java/burp/HostHeaderAttack.java @@ -0,0 +1,162 @@ +package burp; + +import java.util.List; +import java.util.function.BiFunction; + +import static burp.HostHeaderUtils.*; + +enum HostHeaderAttack { + + ARBITRARY("Arbitrary Host Header", + HostHeaderAttack::generateArbitraryHostHeader, + "Host: [PAYLOAD]"), + + DUPLICATE_AFTER_HOST("Duplicate Host Header After Host Header", + HostHeaderAttack::generateDuplicatedHostHeaderAfter, + "Host: www.example.com\nHost: [PAYLOAD]"), + + DUPLICATE_BEFORE_HOST("Duplicate Host Header Before Host Header", + HostHeaderAttack::generateDuplicatedHostHeaderBefore, + "Host: [PAYLOAD]\nHost: www.example.com"), + + INDENTED_AFTER_HOST("Indented Host Header After Host Header", + HostHeaderAttack::generateIndentedHostHeaderAfter, + "Host: www.example.com\n\sHost: [PAYLOAD]"), + + INDENTED_BEFORE_HOST("Indented Host Header Before Host Header", + HostHeaderAttack::generateIndentedHostHeaderBefore, + "\sHost: [PAYLOAD]\nHost: www.example.com"), + + X_HOST("X-Host Header", + HostHeaderAttack::generateXHostHostHeader, + "Host: www.example.com\nX-Host: [PAYLOAD]"), + + X_FORWARDED_SERVER("X-Forwarded-Server Header", + HostHeaderAttack::generateXForwardedServerHostHeader, + "Host: www.example.com\nX-Forwarded-Server: [PAYLOAD]"), + + X_HTTP_HOST_OVERRIDE("X-HTTP-Host-Override Header", + HostHeaderAttack::generateXHTTPHostOverrideHostHeader, + "Host: www.example.com\nX-HTTP-Host-Override: [PAYLOAD]"), + + FORWARDED("Forwarded Header", + HostHeaderAttack::generateForwardedHostHeader, + "Host: www.example.com\nForwarded: [PAYLOAD]"), + + PAYLOAD_IN_PORT_SECTION("Payload in The Port Section", + HostHeaderAttack::generatePayloadInPortHostHeader, + "Host: www.example.com:[PAYLOAD]"), + + SUBDOMAIN("Subdomain", + HostHeaderAttack::generateSubdomainHostHeader, + "Host: [PAYLOAD].example.com"), + + INJECTION_BEFORE_HOST("Injection Before Host", + HostHeaderAttack::generateInjectionBeforeHostHeader, + "Host: [PAYLOAD]-www.example.com"), + + INJECTION_AFTER_HOST("Injection After Host", + HostHeaderAttack::generateInjectionAfterHostHeader, + "Host: www.example.com-[PAYLOAD]"), + + ABSOLUT_URL("Absolute URL", + HostHeaderAttack::generateAbsoluteUrl, + "GET https://[PAYLOAD]/ HTTP/1.1\nHost: www.example.com"), + + MALFORMED_REQUEST_LINE("Malformed Request Line", + HostHeaderAttack::generateMalformedRequestLine, + "GET @[PAYLOAD]/example HTTP/1.1\nHost: www.example.com\n"); + + private final String name; + private final BiFunction, List> patcher; + private final String description; + + HostHeaderAttack( + String name, + BiFunction, List> patcher, + String description) { + this.name = name; + this.patcher = patcher; + this.description = description; + } + + String title() { + return this.name; + } + + List patchHeader(String payload, List headers) { + return this.patcher.apply(payload, headers); + } + + String description() { + return this.description; + } + + private static List generateArbitraryHostHeader(String payload, List headers) { + return rewriteHostHeader(headers, hostHeader -> payload); + } + + private static List generateDuplicatedHostHeaderAfter(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "Host: " + payload); + } + + private static List generateDuplicatedHostHeaderBefore(String payload, List headers) { + return addHeaderBeforeHostHeader(headers, "Host: " + payload); + } + + private static List generateIndentedHostHeaderAfter(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "\sHost: " + payload); + } + + private static List generateIndentedHostHeaderBefore(String payload, List headers) { + return addHeaderBeforeHostHeader(headers, "\sHost: " + payload); + } + + private static List generateXHostHostHeader(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "X-Host: " + payload); + } + + private static List generateXForwardedServerHostHeader(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "X-Forwarded-Server: " + payload); + } + + private static List generateXHTTPHostOverrideHostHeader(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "X-HTTP-Host-Override: " + payload); + } + + private static List generateForwardedHostHeader(String payload, List headers) { + return addHeaderAfterHostHeader(headers, "Forwarded: " + payload); + } + + private static List generatePayloadInPortHostHeader(String payload, List headers) { + return rewriteHostHeader(headers, hostHeader -> hostHeader + ":" + payload); + } + + private static List generateSubdomainHostHeader(String payload, List headers) { + return rewriteHostHeader(headers, hostHeader -> payload + "." + hostHeader); + } + + private static List generateInjectionBeforeHostHeader(String payload, List headers) { + return rewriteHostHeader(headers, hostHeader -> payload + "-" + hostHeader); + } + + private static List generateInjectionAfterHostHeader(String payload, List headers) { + return rewriteHostHeader(headers, hostHeader -> hostHeader + "-" + payload); + } + + private static List generateAbsoluteUrl(String payload, List headers) { + var modifiedHeaders = rewriteUrl(headers, (url, hostHeader) -> { + var urlParts = url.split("\s"); + var hostHeaderParts = hostHeader.split(":"); + return String.format("%s\shttps://%s%s\s%s", urlParts[0], hostHeaderParts[1].trim(), urlParts[1], urlParts[2]); + }); + return rewriteHostHeader(modifiedHeaders, hostHeader -> payload); + } + + private static List generateMalformedRequestLine(String payload, List headers) { + return rewriteUrl(headers, (url, hostHeader) -> { + var urlParts = url.split("\s"); + return String.format("%s\s@%s%s\s%s", urlParts[0], payload, urlParts[1], urlParts[2]); + }); + } +} diff --git a/src/main/java/burp/HostHeaderAttackConfig.java b/src/main/java/burp/HostHeaderAttackConfig.java new file mode 100644 index 0000000..cc07cac --- /dev/null +++ b/src/main/java/burp/HostHeaderAttackConfig.java @@ -0,0 +1,43 @@ +package burp; + +import java.util.List; + +final class HostHeaderAttackConfig { + + private final AttackType attackType; + private final String payload; + private final List attacks; + private final boolean useCacheBuster; + + enum AttackType { + CUSTOM, + CANARY + } + + HostHeaderAttackConfig( + final AttackType attackType, + final String payload, + final List attacks, + final boolean useCacheBuster) { + this.attackType = attackType; + this.payload = payload; + this.attacks = List.copyOf(attacks); + this.useCacheBuster = useCacheBuster; + } + + AttackType getAttackType() { + return attackType; + } + + String getPayload() { + return payload; + } + + List getAttacks() { + return attacks; + } + + boolean useCacheBuster() { + return useCacheBuster; + } +} diff --git a/src/main/java/burp/HostHeaderAttackConfigDialog.java b/src/main/java/burp/HostHeaderAttackConfigDialog.java new file mode 100644 index 0000000..e95f6af --- /dev/null +++ b/src/main/java/burp/HostHeaderAttackConfigDialog.java @@ -0,0 +1,129 @@ +package burp; + +import burp.HostHeaderAttackConfig.AttackType; + +import javax.swing.*; +import java.awt.*; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.UUID; +import java.util.stream.Collectors; + +import static burp.HostHeaderAttackConfig.AttackType.CANARY; + +class HostHeaderAttackConfigDialog { + + private static final String DEFAULT_HOST = "www.example.com"; + + private final JPanel dialogPanel; + private final JComboBox payloadTypeComboBox = new JComboBox<>(AttackType.values()); + private final JTextField hostHeaderPayloadTextField = new JTextField(DEFAULT_HOST); + private final JCheckBox useCacheBusterCheckBox = new JCheckBox("Use Cache Buster"); + private final Map attacks = new HashMap<>(); + + HostHeaderAttackConfigDialog() { + this.dialogPanel = new JPanel(); + this.dialogPanel.setLayout(new BoxLayout(dialogPanel,BoxLayout.Y_AXIS)); + this.dialogPanel.add(createPayloadPanel()); + this.dialogPanel.add(createOptionsPanel()); + this.dialogPanel.add(createAttackPanel()); + } + + private JPanel createPayloadPanel() { + var payloadPanel = new JPanel(); + payloadPanel.setLayout(new BoxLayout(payloadPanel,BoxLayout.X_AXIS)); + payloadPanel.setBorder(BorderFactory.createTitledBorder("Payload")); + + this.payloadTypeComboBox.addItemListener(e -> { + if(e.getSource() == this.payloadTypeComboBox) { + if(this.payloadTypeComboBox.getSelectedItem() == CANARY) { + this.hostHeaderPayloadTextField.setText(String.valueOf(UUID.randomUUID())); + this.hostHeaderPayloadTextField.setEditable(false); + } else { + this.hostHeaderPayloadTextField.setText(DEFAULT_HOST); + this.hostHeaderPayloadTextField.setEditable(true); + } + } + }); + this.payloadTypeComboBox.setSelectedItem(CANARY); + payloadPanel.add(payloadTypeComboBox); + payloadPanel.add(Box.createRigidArea(new Dimension(5, 0))); + + var payloadLabel = new JLabel("Payload:"); + payloadPanel.add(payloadLabel); + payloadPanel.add(Box.createRigidArea(new Dimension(5, 0))); + + this.hostHeaderPayloadTextField.setText(String.valueOf(UUID.randomUUID())); + this.hostHeaderPayloadTextField.setEditable(false); + // this.hostHeaderPayloadTextField.setPreferredSize(new Dimension(400, TEXT_HEIGHT)); + payloadPanel.add(hostHeaderPayloadTextField); + return payloadPanel; + } + + private JPanel createOptionsPanel() { + var optionsPanel = new JPanel(); + optionsPanel.setLayout(new GridLayout(0, 2)); + optionsPanel.setBorder(BorderFactory.createTitledBorder("Options")); + this.useCacheBusterCheckBox.setSelected(true); + optionsPanel.add(this.useCacheBusterCheckBox); + return optionsPanel; + } + + private JPanel createAttackPanel() { + var attackPanel = new JPanel(); + attackPanel.setLayout(new GridLayout(0, 3)); + attackPanel.setBorder(BorderFactory.createTitledBorder("Attacks")); + + for (HostHeaderAttack attack : HostHeaderAttack.values()) { + var tile = new JPanel(); + tile.setBorder(BorderFactory.createCompoundBorder( + BorderFactory.createEmptyBorder(2,2,2,2), + BorderFactory.createLineBorder(Color.BLACK))); + tile.setLayout(new GridLayout(0, 1)); + var checkbox = new JCheckBox(attack.title(), true); + this.attacks.put(attack, checkbox); + tile.add(checkbox); + var description = new JTextArea(attack.description()); + description.setEditable(false); + description.setBackground(Color.DARK_GRAY); + description.setForeground(Color.LIGHT_GRAY); + tile.add(description); + attackPanel.add(tile); + } + return attackPanel; + } + + int showDialog() { + return JOptionPane.showConfirmDialog( + getBurpFrame(), + this.dialogPanel, + "Host Header Attack Config", + JOptionPane.OK_CANCEL_OPTION, + JOptionPane.PLAIN_MESSAGE); + } + + HostHeaderAttackConfig getAttackConfig() { + return new HostHeaderAttackConfig( + (AttackType) this.payloadTypeComboBox.getSelectedItem(), + this.hostHeaderPayloadTextField.getText(), + getSelectedAttacks(), + this.useCacheBusterCheckBox.isSelected()); + } + + private static JFrame getBurpFrame() { + for (Frame frame : Frame.getFrames()) { + if (frame.isVisible() && frame.getTitle().startsWith("Burp Suite")) { + return (JFrame) frame; + } + } + return null; + } + + private List getSelectedAttacks() { + return this.attacks.entrySet().stream() + .filter(entry -> entry.getValue().isSelected()) + .map(Map.Entry::getKey) + .collect(Collectors.toList()); + } +} diff --git a/src/main/java/burp/HostHeaderAttackExecutor.java b/src/main/java/burp/HostHeaderAttackExecutor.java new file mode 100644 index 0000000..083f1e6 --- /dev/null +++ b/src/main/java/burp/HostHeaderAttackExecutor.java @@ -0,0 +1,94 @@ +package burp; + +import javax.swing.*; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.concurrent.Executor; +import java.util.concurrent.Executors; + +import static burp.HostHeaderAttackConfig.AttackType.CANARY; +import static burp.HostHeaderUtils.addCacheBuster; + +class HostHeaderAttackExecutor { + + private static final Executor executor = Executors.newSingleThreadExecutor(); + + private final IBurpExtenderCallbacks callbacks; + private final IExtensionHelpers helpers; + + HostHeaderAttackExecutor(IBurpExtenderCallbacks callbacks) { + this.callbacks = callbacks; + this.helpers = callbacks.getHelpers(); + } + + void execute(IHttpRequestResponse[] originalMessages) { + HostHeaderAttackConfigDialog hostHeaderAttackConfigDialog = new HostHeaderAttackConfigDialog(); + int selectedOption = hostHeaderAttackConfigDialog.showDialog(); + if(selectedOption != JOptionPane.OK_OPTION) { + return; + } + var attackConfig = hostHeaderAttackConfigDialog.getAttackConfig(); + + for(var originalMessage : originalMessages) { + executor.execute(() -> { + var request = this.helpers.analyzeRequest(originalMessage); + var headers = request.getHeaders(); + var rawRequest = originalMessage.getRequest(); + var rawBody = Arrays.copyOfRange(rawRequest, request.getBodyOffset(), rawRequest.length); + + for(var attack : attackConfig.getAttacks()) { + List patchedHeaders = attack.patchHeader(attackConfig.getPayload(), headers); + if(attackConfig.useCacheBuster()) { + patchedHeaders = addCacheBuster(patchedHeaders); + } + + var requestResponse = sendRequest(patchedHeaders, rawBody, originalMessage); + if(attackConfig.getAttackType() == CANARY) { + reportReflections(requestResponse, attackConfig.getPayload()); + } + } + }); + } + } + + private IHttpRequestResponse sendRequest(List headers, byte[] rawBody, IHttpRequestResponse message) { + byte[] rawMessage = this.helpers.buildHttpMessage(headers, rawBody); + return callbacks.makeHttpRequest(message.getHttpService(), rawMessage); + } + + private void reportReflections(IHttpRequestResponse requestResponse, String payload) { + byte[] request = requestResponse.getRequest(); + byte[] response = requestResponse.getResponse(); + if(request == null || response == null) { + return; + } + var requestMatches = getMatches(request, payload.getBytes(StandardCharsets.UTF_8)); + var responseMatches = getMatches(response, payload.getBytes(StandardCharsets.UTF_8)); + if(responseMatches.size() > 0) { + HostHeaderScanIssue hostHeaderScanIssue = HostHeaderScanIssue.createDefaultIssue( + requestResponse.getHttpService(), + this.helpers.analyzeRequest(requestResponse).getUrl(), + new IHttpRequestResponse[] { callbacks.applyMarkers(requestResponse, requestMatches, responseMatches) }); + callbacks.addScanIssue(hostHeaderScanIssue); + } + } + + private List getMatches(byte[] response, byte[] match) { + List matches = new ArrayList<>(); + + int start = 0; + while (start < response.length) { + start = helpers.indexOf(response, match, true, start, response.length); + if (start == -1) { + break; + } + matches.add(new int[] { start, start + match.length }); + start += match.length; + } + + return matches; + } + +} diff --git a/src/main/java/burp/HostHeaderInchecktionMenu.java b/src/main/java/burp/HostHeaderInchecktionMenu.java new file mode 100644 index 0000000..bc9aeaf --- /dev/null +++ b/src/main/java/burp/HostHeaderInchecktionMenu.java @@ -0,0 +1,27 @@ +package burp; + +import javax.swing.*; +import java.util.ArrayList; +import java.util.List; + +public class HostHeaderInchecktionMenu implements IContextMenuFactory { + + private final HostHeaderAttackExecutor hostHeaderAttackExecutor; + + public HostHeaderInchecktionMenu(HostHeaderAttackExecutor hostHeaderAttackExecutor) { + this.hostHeaderAttackExecutor = hostHeaderAttackExecutor; + } + + @Override + public List createMenuItems(IContextMenuInvocation invocation) { + var menuItems = new ArrayList(); + var button = new JMenuItem("Execute Host Header Inchecktion"); + + button.addActionListener(e -> SwingUtilities.invokeLater(() -> + this.hostHeaderAttackExecutor.execute(invocation.getSelectedMessages()))); + + menuItems.add(button); + return menuItems; + } + +} diff --git a/src/main/java/burp/HostHeaderScanIssue.java b/src/main/java/burp/HostHeaderScanIssue.java new file mode 100644 index 0000000..c5a25cc --- /dev/null +++ b/src/main/java/burp/HostHeaderScanIssue.java @@ -0,0 +1,96 @@ +package burp; + +import java.net.URL; + +public class HostHeaderScanIssue implements IScanIssue { + + private final IHttpService httpService; + private final URL url; + private final IHttpRequestResponse[] httpMessages; + private final String name; + private final String detail; + private final String severity; + + private HostHeaderScanIssue( + IHttpService httpService, + URL url, + IHttpRequestResponse[] httpMessages, + String name, + String detail, + String severity) { + this.httpService = httpService; + this.url = url; + this.httpMessages = httpMessages; + this.name = name; + this.detail = detail; + this.severity = severity; + } + + public static HostHeaderScanIssue createDefaultIssue( + IHttpService httpService, + URL url, + IHttpRequestResponse[] httpMessages) { + return new HostHeaderScanIssue( + httpService, + url, + httpMessages, + "Host Header Injection", + "The host header payload was probably reflected.", + "Medium"); + } + + @Override + public URL getUrl() { + return this.url; + } + + @Override + public String getIssueName() { + return this.name; + } + + @Override + public int getIssueType() { + return 0; + } + + @Override + public String getSeverity() { + return this.severity; + } + + @Override + public String getConfidence() { + return "Firm"; + } + + @Override + public String getIssueBackground() { + return null; + } + + @Override + public String getRemediationBackground() { + return null; + } + + @Override + public String getIssueDetail() { + return this.detail; + } + + @Override + public String getRemediationDetail() { + return null; + } + + @Override + public IHttpRequestResponse[] getHttpMessages() { + return httpMessages; + } + + @Override + public IHttpService getHttpService() { + return httpService; + } +} diff --git a/src/main/java/burp/HostHeaderUtils.java b/src/main/java/burp/HostHeaderUtils.java new file mode 100644 index 0000000..09b9082 --- /dev/null +++ b/src/main/java/burp/HostHeaderUtils.java @@ -0,0 +1,72 @@ +package burp; + +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; +import java.util.function.BiFunction; +import java.util.function.Function; + +public enum HostHeaderUtils { + ; + + static List rewriteUrl(List headers, BiFunction rewrite) { + var modifiedHeaders = new ArrayList(); + var url = headers.get(0); + String hostHeader = ""; + for (var header : headers) { + if (header.startsWith("Host:")) { + hostHeader = header; + } + modifiedHeaders.add(header); + } + modifiedHeaders.set(0, rewrite.apply(url, hostHeader)); + return modifiedHeaders; + } + + static List rewriteHostHeader(List headers, Function rewrite) { + var modifiedHeaders = new ArrayList(); + for (var header : headers) { + if (header.startsWith("Host:")) { + modifiedHeaders.add("Host: " + rewrite.apply(header.split(":")[1].trim())); + } else { + modifiedHeaders.add(header); + } + } + return modifiedHeaders; + } + + static List addHeaderAfterHostHeader(List headers, String newHeader) { + var modifiedHeaders = new ArrayList(); + for (var header : headers) { + if (header.startsWith("Host:")) { + modifiedHeaders.add(header); + modifiedHeaders.add(newHeader); + } else { + modifiedHeaders.add(header); + } + } + return modifiedHeaders; + } + + static List addHeaderBeforeHostHeader(List headers, String newHeader) { + var modifiedHeaders = new ArrayList(); + for (var header : headers) { + if (header.startsWith("Host:")) { + modifiedHeaders.add(newHeader); + modifiedHeaders.add(header); + } else { + modifiedHeaders.add(header); + } + } + return modifiedHeaders; + } + + static List addCacheBuster(List headers) { + return HostHeaderUtils.rewriteUrl(headers, (url, hostHeader) -> { + var urlParts = url.split("\s"); + String cacheBuster = (urlParts[1].contains("?") ? "&" : "?") + "cb=" + UUID.randomUUID(); + return String.format("%s\s%s\s%s", urlParts[0], urlParts[1] + cacheBuster, urlParts[2]); + }); + } + +} diff --git a/src/test/java/HostHeaderInchecktionTest.java b/src/test/java/HostHeaderInchecktionTest.java new file mode 100644 index 0000000..48bccff --- /dev/null +++ b/src/test/java/HostHeaderInchecktionTest.java @@ -0,0 +1,13 @@ +import java.lang.reflect.Method; + +public class HostHeaderInchecktionTest { + + public static void main(String[] args) { + try { + Method main = Class.forName("burp.StartBurp").getMethod("main", String[].class); + main.invoke(null, (Object) args); + } catch (Exception e) { + throw new RuntimeException("Could not start burp.", e); + } + } +}