Skip to content

Commit

Permalink
Update to v2.0.0 (#4)
Browse files Browse the repository at this point in the history
* progress, stop, multithreaded, precompiled regex

* feat: updated to JDK17

* docs: updated README

* fix: formatted files

* fix: disable analysis button while stopping

* fix: use memory instead of files

* refactor: general changes to uniform style

* refactor: BurpLeaksScanner

* feat: added message on extension load

* fix: interrupt scan instantly

* WIP: refactor: MainUI

* refactor: MainUI - Logger pane

* refactor: MainUI - Options pane

* fix: reset didn't compile the regex

* -- some code cleanup
-- fix thread number
-- bump gson dep
-- removed unused method

Co-authored-by: Alessio Dalla Piazza <[email protected]>
  • Loading branch information
LorenzoCoppi-cys4 and alessiodallapiazza authored Nov 16, 2022
1 parent 20e3739 commit d015348
Show file tree
Hide file tree
Showing 22 changed files with 1,005 additions and 1,597 deletions.
21 changes: 20 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,25 @@
# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

### Maven ###
target/
pom.xml.tag
pom.xml.releaseBackup
pom.xml.versionsBackup
pom.xml.next
release.properties
dependency-reduced-pom.xml
buildNumber.properties
.mvn/timing.properties
# https://github.com/takari/maven-wrapper#usage-without-binary-jar
.mvn/wrapper/maven-wrapper.jar

# Eclipse m2e generated files
# Eclipse Core
.project
# JDT-specific (Eclipse Java Development Tools)
.classpath

# manually added
out/
Burp.iml
Expand All @@ -29,6 +48,6 @@ src/build/
.idea
*.jar
*.lst

.vscode

target/maven-status/maven-compiler-plugin/compile/default-compile/
62 changes: 33 additions & 29 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,64 +1,68 @@
# CYS4-SensitiveDiscoverer

> Burp Suite extension to scan for sensitive strings in HTTP messages.
## Introduction

Burp Suite is a useful tool used to do web application security testing. While Burp Suite provides a lot of
functionalities, it does not offer the opportunity to scan for particular pattern or file extension inside HTTP messages
and is very tedious to check every message manually.
CYS4-SensitiveDiscoverer is a Burp Suite tool used to extract Regular Expression or File Extension form HTTP response automatically or
at the end of all tests or during the test. The plugin will be available with a pre-defined set of Regular Expression
and File Extension, but then you can choose which of them activate or deactivate and also create your own lists.
functionalities, it does not offer the opportunity to scan for particular pattern or file extensions inside HTTP messages. Checking every message by hand can be a very tedious process.

`CYS4-SensitiveDiscoverer` is a Burp Suite extension that solves this problem. With this extension you can automatically search sensitive strings in HTTP messages. It uses a list of Regular Expressions and File Extensions to match for in each message.

The plugin is available with a pre-defined set of Regular Expression and File Extensions, but you can also add your custom lists.

## How to compile from source code

The extension was compiled with IntelliJ 2021.2.2, with OpenJDK version 16.0.1.
The extension was compiled with OpenJDK 17.

The BApp can be compiled with Maven by following these steps:

1. View > Tool Windows > Maven.
2. On the new right panel expand the Lifecycle folder.
3. Double-click on install.

The BApp could be compiled with a Maven by following the below steps:
The compiled extension will be in the "/target" folder.

1. View > Tool Windows > Maven
2. On the new right panel expand the Lifecycle folder
3. Double-click on install
### Using Maven from CLI

Using Maven configuration will be generated a .jar file that will include all the dependencies.
As an alternative, run the following command:

```bash
mvn clean package
```

## Installation

To install CYS4-SensitiveDiscoverer manually, you have to:

1. Download newest CYS4-SensitiveDiscoverer from the Release page
2. Go to Extender -> Extension. Click Add. Set Extension type to Java. Set the path of the file download at step 1.
inside Extension file (.jar)
3. CYS4-SensitiveDiscoverer should appear inside Burp Extension list. Also you will see a new tab.
1. Download newest CYS4-SensitiveDiscoverer from the Release page.
2. Go to Extender -> Extension. Click Add. Set Extension type to Java. Set the path of the (.jar) to the file downloaded at step 1.
3. CYS4-SensitiveDiscoverer should appear inside Burp Extension list. A new tab will also appear.

## Usage

The default configuration has a list of regular expression and file extension. To see the predefined list go to Options
TAB. Here you can choose which of them activate or not or you can choose to insert your own regular expression or file
extension. For both of them there are a list of actions to interact with them The actions are:
The default configuration has a list of regular expression and file extension.

To see the predefined list go to the Options tab. There you can choose which of them to activate and you can also insert your own regular expressions.

These are the actions to manage the list:

- **Reset**: the plugin will reset the default list of regular expression or file extension.
- **New**: a pop-up will appear and offer the opportunity to insert a new regular expression or file extension.
- **Delete**: after selecting a row, this will be deleted from the list.
- **Clear**: the plugin will clear the list leave them empty.
- **Open**: a pop-up will appear and offer the opportunity to insert in bulk a list of regular expression or file
extension from a file.
- **Save**: the plugin offer the possibility to save your custom list for future tests. After you have select your own
desired configuration you can start to find sensitive informations inside HTTP messages. The plugin will be execute in
two different modes:
- **Open**: a pop-up will appear and offer the opportunity to insert in bulk a list of regular expression or file extension from a file.
- **Save**: the plugin offer the possibility to save your custom list for future tests. After you have select your own desired configuration you can start to find sensitive information inside HTTP messages. The plugin will be execute in two different modes:

1. **Analyze HTTP History**: the plugin will parse all http history generated from that moment and it will find any
active pattern
2. **Live**: the plugin will parse request by request as the user will generates one from his web browser.
1. **Analyze HTTP History**: the plugin will parse all http history generated from that moment and it will find any active pattern.
2. **Live**: the plugin will parse request by request as the user will generates one from his web browser.

## Credits

CYS4 was born in 2015 from a collaboration with an Israeli company in the world of Cyber Security, then detaching its team ensuring the focus on innovation and quality towards a national context.

Check out our [blog](https://blog.cys4.com/) for more information.
Check out [our blog](https://blog.cys4.com/) for more information.

## References

- [shhgit](https://github.com/eth0izzle/shhgit/blob/master/config.yaml): Regex and File Extension database used in this project.


29 changes: 22 additions & 7 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,15 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>groupId</groupId>
<artifactId>CYS4-SensitiveDiscoverer</artifactId>
<version>1.0</version>
<groupId>com.cys4.sensitive-discoverer</groupId>
<artifactId>cys4-sensitive-discoverer</artifactId>
<version>2.0</version>

<properties>
<maven.compiler.source>15</maven.compiler.source>
<maven.compiler.target>15</maven.compiler.target>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
</properties>

<dependencies>
Expand All @@ -22,7 +24,7 @@
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.8</version>
<version>2.8.9</version>
</dependency>
</dependencies>

Expand All @@ -40,9 +42,21 @@
</resource>
</resources>
<plugins>
<!-- any other plugins -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.3.0</version>
<executions>
<execution>
<id>default-jar</id>
<phase>none</phase>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>3.3.0</version>
<executions>
<execution>
<phase>package</phase>
Expand All @@ -52,6 +66,7 @@
</execution>
</executions>
<configuration>
<finalName>CYS4-SensitiveDiscoverer-${project.version}</finalName>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
Expand Down
49 changes: 5 additions & 44 deletions src/main/java/burp/BurpExtender.java
Original file line number Diff line number Diff line change
@@ -1,55 +1,16 @@
package burp;

import cys4.ui.MainUI;
import cys4.model.ExtensionEntity;
import cys4.model.RegexEntity;
import cys4.seed.BurpLeaksSeed;

import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

public class BurpExtender implements IBurpExtender {
private IBurpExtenderCallbacks callbacks;
private IExtensionHelpers helpers;

//private List<LogEntity> _lLogEntries = new ArrayList<>();
private List<RegexEntity> _lRegexes;
private List<ExtensionEntity> _lExtensions;
private MainUI mainUI;

// Implement default constructor
public BurpExtender()
{
_lRegexes = new ArrayList<>();
_lExtensions = new ArrayList<>();
}

//
// implement IBurpExtender
//
@Override
public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
MainUI mainUI = new MainUI(callbacks);
mainUI.initialize();


// get regexes and extensions
BurpLeaksSeed bls = new BurpLeaksSeed();

this._lRegexes = BurpLeaksSeed.getRegex();
this._lExtensions = BurpLeaksSeed.getExtensions();

// keep a reference to our callbacks object
this.callbacks = callbacks;

// obtain an extension helpers object
this.helpers = callbacks.getHelpers();

// init the main UI methods
this.mainUI = new MainUI(_lRegexes, _lExtensions, callbacks);
this.mainUI.createUI();

// set our extension name
callbacks.setExtensionName(mainUI.getNameExtension());


callbacks.printOutput("Extension loaded successfully!");
}
}
}
101 changes: 4 additions & 97 deletions src/main/java/burp/SpringUtilities.java
Original file line number Diff line number Diff line change
Expand Up @@ -40,99 +40,6 @@
* SpringBox and SpringCompactGrid.
*/
public class SpringUtilities {
/**
* A debugging utility that prints to stdout the component's
* minimum, preferred, and maximum sizes.
*/
public static void printSizes(Component c) {
System.out.println("minimumSize = " + c.getMinimumSize());
System.out.println("preferredSize = " + c.getPreferredSize());
System.out.println("maximumSize = " + c.getMaximumSize());
}

/**
* Aligns the first <code>rows</code> * <code>cols</code>
* components of <code>parent</code> in
* a grid. Each component is as big as the maximum
* preferred width and height of the components.
* The parent is made just big enough to fit them all.
*
* @param rows number of rows
* @param cols number of columns
* @param initialX x location to start the grid at
* @param initialY y location to start the grid at
* @param xPad x padding between cells
* @param yPad y padding between cells
*/
public static void makeGrid(Container parent,
int rows, int cols,
int initialX, int initialY,
int xPad, int yPad) {
SpringLayout layout;
try {
layout = (SpringLayout) parent.getLayout();
} catch (ClassCastException exc) {
System.err.println("The first argument to makeGrid must use SpringLayout.");
return;
}
Spring xPadSpring = Spring.constant(xPad);
Spring yPadSpring = Spring.constant(yPad);
Spring initialXSpring = Spring.constant(initialX);
Spring initialYSpring = Spring.constant(initialY);
int max = rows * cols;
//Calculate Springs that are the max of the width/height so that all
//cells have the same size.
Spring maxWidthSpring = layout.getConstraints(parent.getComponent(0)).
getWidth();
Spring maxHeightSpring = layout.getConstraints(parent.getComponent(0)).
getHeight();
for (int i = 1; i < max; i++) {
SpringLayout.Constraints cons = layout.getConstraints(
parent.getComponent(i));
maxWidthSpring = Spring.max(maxWidthSpring, cons.getWidth());
maxHeightSpring = Spring.max(maxHeightSpring, cons.getHeight());
}
//Apply the new width/height Spring. This forces all the
//components to have the same size.
for (int i = 0; i < max; i++) {
SpringLayout.Constraints cons = layout.getConstraints(
parent.getComponent(i));
cons.setWidth(maxWidthSpring);
cons.setHeight(maxHeightSpring);
}
//Then adjust the x/y constraints of all the cells so that they
//are aligned in a grid.
SpringLayout.Constraints lastCons = null;
SpringLayout.Constraints lastRowCons = null;
for (int i = 0; i < max; i++) {
SpringLayout.Constraints cons = layout.getConstraints(
parent.getComponent(i));
if (i % cols == 0) { //start of new row
lastRowCons = lastCons;
cons.setX(initialXSpring);
} else { //x position depends on previous component
cons.setX(Spring.sum(lastCons.getConstraint(SpringLayout.EAST),
xPadSpring));
}
if (i / cols == 0) { //first row
cons.setY(initialYSpring);
} else { //y position depends on previous row
cons.setY(Spring.sum(lastRowCons.getConstraint(SpringLayout.SOUTH),
yPadSpring));
}
lastCons = cons;
}
//Set the parent's size.
SpringLayout.Constraints pCons = layout.getConstraints(parent);
pCons.setConstraint(SpringLayout.SOUTH,
Spring.sum(
Spring.constant(yPad),
lastCons.getConstraint(SpringLayout.SOUTH)));
pCons.setConstraint(SpringLayout.EAST,
Spring.sum(
Spring.constant(xPad),
lastCons.getConstraint(SpringLayout.EAST)));
}

/* Used by makeCompactGrid. */
private static SpringLayout.Constraints getConstraintsForCell(
Expand Down Expand Up @@ -170,7 +77,7 @@ public static void makeCompactGrid(Container parent,
System.err.println("The first argument to makeCompactGrid must use SpringLayout.");
return;
}
//Align all cells in each column and make them the same width.
// Align all cells in each column and make them the same width.
Spring x = Spring.constant(initialX);
for (int c = 0; c < cols; c++) {
Spring width = Spring.constant(0);
Expand All @@ -187,7 +94,7 @@ public static void makeCompactGrid(Container parent,
}
x = Spring.sum(x, Spring.sum(width, Spring.constant(xPad)));
}
//Align all cells in each row and make them the same height.
// Align all cells in each row and make them the same height.
Spring y = Spring.constant(initialY);
for (int r = 0; r < rows; r++) {
Spring height = Spring.constant(0);
Expand All @@ -204,9 +111,9 @@ public static void makeCompactGrid(Container parent,
}
y = Spring.sum(y, Spring.sum(height, Spring.constant(yPad)));
}
//Set the parent's size.
// Set the parent's size.
SpringLayout.Constraints pCons = layout.getConstraints(parent);
pCons.setConstraint(SpringLayout.SOUTH, y);
pCons.setConstraint(SpringLayout.EAST, x);
}
}
}
Loading

0 comments on commit d015348

Please sign in to comment.