augustd / burp-suite-software-version-checks


Burp extension to passively scan for applications revealing software version numbers

Java 96.83% HTML 3.17%
burp burp-extensions burp-plugin burpsuite java penetration-testing pentest scanning

burp-suite-software-version-checks's People

Contributors

adetlefsen-rms, ahri, augustd, crashbrz, dependabot[bot], libcrack, mike-smith-ps, petermosmans, sjord


burp-suite-software-version-checks's Issues

Consolidate

Could we consolidate versions if it is the same version on the same host?

For example, if example.org has "nginx/1.10.1" several times in the HTTP Server response header, I get 158 issues reported in Burp, although one is enough if the host is the same and the version string is the same but on different URLs.

CKEditor

Proposed pattern for CKEditor

ckeditor.*([0-9]\.[0-9]\.[0-9])

ENH: add version check for GWT

Please add a check for the GWT version, maybe in the form of a JS scan of a cache.html file with this:

$gwt_version = "2.5.1"

Thanks.

Original issue reported on code.google.com by veggiespam on 7 Jul 2015 at 5:27

False positives for short matches on random data

The application I am testing exports base-64 encoded data, like this:

0t8UGYfJSF/5q6IFb3KImLoQBoA1+3vqfvp61zMUuj3zDV...

The plugin incorrectly reports the server uses Java Server Faces 5 because JSF/5 exists in this data.

Somewhere else, I get a session cookie with a value like this:

85athjhd7yxaclvj3ajdk8l

The version plugin reports this as JDK 8, because it contains jdk8.

Do you have any ideas to reduce the number of false positives? Should the short regexes be modified to match word boundaries?
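
An added Python sketch of the word-boundary approach the reporter asks about, run over the two strings quoted above. It is not the extension's code (the extension is Java, whose regex engine treats `\b` the same way); the `X-Powered-By` header and the `(jdk8)` banner line used as true positives are constructed inputs:

```python
import re

# Strings quoted in the report: the base64 export and the session cookie value
BASE64_BLOB = "0t8UGYfJSF/5q6IFb3KImLoQBoA1+3vqfvp61zMUuj3zDV"
COOKIE = "85athjhd7yxaclvj3ajdk8l"
# Constructed true positives, not taken from the report
JSF_HEADER = "X-Powered-By: JSF/2.2"
JDK_BANNER = "Server: Apache-Coyote/1.1 (jdk8)"

# Short, unanchored patterns of the kind that produce the false positives
NAIVE = {
    "Java Server Faces": re.compile(r"JSF/(\d[\d.]*)"),
    "JDK": re.compile(r"jdk(\d+)", re.IGNORECASE),
}

# The same checks with \b on both sides: the token must start and end at a
# word boundary, so the 'fJSF/5q' inside the base64 blob and the 'ajdk8l'
# inside the cookie no longer qualify, while a version that stands alone
# (followed by a space, ')' or end of line) still does.
BOUNDED = {
    "Java Server Faces": re.compile(r"\bJSF/(\d+(?:\.\d+)*)\b"),
    "JDK": re.compile(r"\bjdk(\d+(?:\.\d+)*)\b", re.IGNORECASE),
}


def detect(rules, text):
    """Return {software: version} for every rule that matches the text."""
    found = {}
    for software, pattern in rules.items():
        m = pattern.search(text)
        if m:
            found[software] = m.group(1)
    return found


if __name__ == "__main__":
    for label, text in [("base64", BASE64_BLOB), ("cookie", COOKIE),
                        ("header", JSF_HEADER), ("banner", JDK_BANNER)]:
        print(f"{label:7} naive={detect(NAIVE, text)} bounded={detect(BOUNDED, text)}")
```

Boundaries remove the two reported false positives without losing the standalone headers; a stricter variant would additionally restrict such short tokens to response headers rather than bodies, since a random token in a body is far more likely to be noise.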

Custom Rules URL Not Saved

When I define my own custom URL with match-rules.tab and reload Burp, the plugin does not restore the custom URL. Can you modify it to save those settings? If I forget to add my custom URL, I lose all functionality for the plugin due to being in a closed network without access to github.

Pattern for Handlebars

Proposed pattern for Handlebars:

Handlebars\.VERSION\s*=\s*["']([\w.]+)["']

Seen in /javascripts/vendor.js distributed with Apache Ambari:

...
var Handlebars = {};

Handlebars.VERSION = "1.0.beta.6";

Handlebars.helpers  = {};
Handlebars.partials = {};
...

Extension freezes Burp on start

On Windows 10, when I close the Burp program after working on a project, then start it again after a few minutes with default settings, quite often the program will freeze.
I narrowed it down to this happening when either “Error Message Checks” or “Software Version Reporter” extension is enabled.
I’m not sure about other extensions.
It’s possible to reproduce this issue quickly on my computer after starting and stopping Burp about 3-4 times.

Also when I start Burp I usually click on the maximize button when it’s loading before it starts, after which it resizes when it loads.
However I am able to reproduce this issue without having to click resize button on start.

Excessive backslashes

Several patterns seem defective due to excessive backslashes. As an example, pattern

http://errors\\.angularjs\\.org/([0-9\\.]+)/

is not matching on a page that contains http://errors.angularjs.org/1.4.5/. When the doubled backslashes are removed, i.e.

http://errors\.angularjs\.org/([0-9\.]+)/

then the version does get detected correctly.

As a side note, there is no reason to escape "dot" inside a class because it is not considered to be a meta-character. Also, it might be useful to consider using predefined classes, such as \d in lieu of [0-9]. Therefore a clean pattern would be:

http://errors\.angularjs\.org/([\d.]+)/

Or, in a pedantic way to avoid matching on a single "dot", such as http://errors.angularjs.org/./, the pattern could be

http://errors\.angularjs\.org/(\d+(?:\.\d+)*)/
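
The four patterns quoted in this report, checked with Python's re module as an added example (not the extension's own code; the extension uses Java's regex engine, which reads these escapes the same way). The page fragment, the single-dot URL and the URL containing literal backslashes are constructed inputs chosen to show what each form actually matches:

```python
import re

# Patterns exactly as quoted in the report; raw strings keep each backslash as written.
DOUBLED  = r"http://errors\\.angularjs\\.org/([0-9\\.]+)/"
FIXED    = r"http://errors\.angularjs\.org/([0-9\.]+)/"
CLEAN    = r"http://errors\.angularjs\.org/([\d.]+)/"
PEDANTIC = r"http://errors\.angularjs\.org/(\d+(?:\.\d+)*)/"

# Constructed inputs: a page fragment with the Angular error URL, the
# single-dot edge case, and a URL that literally contains backslashes
# ('\\' in a normal Python string is one backslash character).
PAGE = "throw new Error('http://errors.angularjs.org/1.4.5/$injector/modulerr');"
DOT_ONLY = "http://errors.angularjs.org/./"
LITERAL_BACKSLASHES = "http://errors\\.angularjs\\.org/1.4.5/"


def extract(pattern, text):
    """Version captured by group 1, or None when the pattern does not match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # In DOUBLED, '\\' is an escaped backslash, so '\\.' means 'a literal
    # backslash followed by any character': it can only match a URL that
    # really contains backslashes, never the plain 'errors.angularjs.org'.
    for name, pattern in [("DOUBLED", DOUBLED), ("FIXED", FIXED),
                          ("CLEAN", CLEAN), ("PEDANTIC", PEDANTIC)]:
        print(f"{name:9} page={extract(pattern, PAGE)!r:10} "
              f"dot-only={extract(pattern, DOT_ONLY)!r:6} "
              f"backslashes={extract(pattern, LITERAL_BACKSLASHES)!r}")
```

The run makes the report's point concrete: the doubled form matches nothing on a normal page and only fires on a URL with literal backslashes in it, while the pedantic form is the only one that refuses the bare "." path segment.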

Where to load local file

The README says that I can load the rules from a local file, but I can't find anywhere to do this in the UI. I tried a file:/// URI in the remote file input field just in case, but that didn't appear to work.

This would seem to apply to the Error Message Checks extension as well.

Is this feature still supported? It would be nice to be able to use a local file in case this repo is ever down or becomes unavailable.

Thanks.

Pattern for Ember

Proposed pattern for Ember:

Ember\.VERSION\s*=\s*["']([\w.]+)["']

Seen in /javascripts/vendor.js distributed with Apache Ambari:

...
Ember.isNamespace = true;

Ember.toString = function() { return "Ember"; };


/**
  @static
  @type String
  @default '1.0.pre'
  @constant
*/
Ember.VERSION = '1.0.pre';
...

Pattern for Subversion

Proposing

>Apache Subversion</a>\s+version\s+([\d.]+(?:\s*\(r\d+\))?)

Seen at https://svn.nmap.org/ as follows:

<em>Powered by <a href="http://subversion.apache.org/">Apache Subversion</a> version 1.7.14 (r1542130).</em>

Scanner check doesn't obey URL Scope

There doesn't seem to be a way to tell the tool to obey the current scope, which sometimes results in hundreds or thousands of false positives for domains outside of the scope of a test. Since it is a passive scan it isn't as crucial as if it was an active scan but it can still be quite annoying and result in larger-than-necessary state files.
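
Scope filtering for this issue and per-host consolidation for the earlier "Consolidate" issue, modelled together in added Python (the extension itself is Java and this is not its code). The findings list, the example.org scope, and keying a "host" on protocol, host and port are my constructed assumptions:

```python
from urllib.parse import urlparse

# Constructed findings in the shape the Consolidate issue describes: the same
# nginx banner reported once per URL on one host, plus an out-of-scope CDN host.
FINDINGS = [
    ("https://example.org/", "nginx", "1.10.1"),
    ("https://example.org/login", "nginx", "1.10.1"),
    ("https://example.org/static/app.js", "nginx", "1.10.1"),
    ("https://example.org/admin", "nginx", "1.12.0"),
    ("http://example.org/", "nginx", "1.10.1"),
    ("https://cdn.example.net/lib.js", "jQuery", "1.8.3"),
]

# Constructed target scope: a list of domains; subdomains count as in scope.
SCOPE = ["example.org"]


def in_scope(url, scope=SCOPE):
    """True when the URL's host is one of the scope domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in scope)


def host_key(url):
    """Protocol, host and port identify a 'host' the way Burp's site map does."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def consolidate(findings, scope=SCOPE):
    """Drop out-of-scope findings, then merge identical software/version pairs
    seen on the same host into one finding that lists every affected URL."""
    merged = {}
    for url, software, version in findings:
        if not in_scope(url, scope):
            continue
        merged.setdefault((host_key(url), software, version), []).append(url)
    return [
        {"host": key[0], "software": key[1], "version": key[2], "urls": urls}
        for key, urls in merged.items()
    ]


if __name__ == "__main__":
    for issue in consolidate(FINDINGS):
        print(issue["host"], issue["software"], issue["version"],
              f"{len(issue['urls'])} URL(s)")
```

With these inputs the six raw findings collapse to three: the CDN host is dropped by scope, and the three nginx 1.10.1 hits on https://example.org become a single issue carrying all three URLs. Note that http and https on the same host are kept apart, matching how Burp groups issues.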

Burp 2 beta errors

Hi,
maybe it's not connected, but I get Java exceptions when trying it out on the new Burp 2:

java.util.ConcurrentModificationException
	at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
	at java.util.ArrayList$Itr.next(ArrayList.java:851)
	at com.codemagi.burp.PassiveScan.runPassiveScanChecks(PassiveScan.java:120)
	at burp.BurpExtender.processHttpMessage(BurpExtender.java:209)
	at burp.beh.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)
java.lang.IndexOutOfBoundsException: No group 2
	at java.util.regex.Matcher.group(Matcher.java:538)
	at com.codemagi.burp.PassiveScan.runPassiveScanChecks(PassiveScan.java:126)
	at burp.BurpExtender.processHttpMessage(BurpExtender.java:209)
	at burp.beh.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

ASP.net Reporting Results Incorrectly

Reports for ASP.net report in the following format:

Issue detail
The server software versions used by the application are revealed by the web server. Displaying version information of software information could allow an attacker to determine which vulnerabilities are present in the software, particularly if an outdated software version is in use with published vulnerabilities. The following software appears to be in use:
Microsoft IIS: 8.5
ASP.Net MVC Framework: 5.1
ASP.Net: 4.0.30319

From the header:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: <redacted>
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=<redacted>; path=/; HttpOnly
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319

However the X-AspNet-Version response header isn't ASP's way of indicating the MAJOR.MINOR.BUILD in use on the server, as explained here: https://stackoverflow.com/questions/12971881/how-to-reliably-detect-the-actual-net-4-5-version-installed

The checks for ASP.net should be updated to match those observed in the stackoverflow thread. Please let me know if you concur with this finding and would like me to put in a pull request.

java.lang.IndexOutOfBoundsException

Hi,
I'm running the newest and unchanged rules for this extender. It seems that at least one rule was put there with some mistake, because when I open the Errors tab, I can see the following:

java.lang.IndexOutOfBoundsException: No group 2
	at java.util.regex.Matcher.group(Matcher.java:538)
	at com.codemagi.burp.PassiveScan.runPassiveScanChecks(PassiveScan.java:126)
	at burp.BurpExtender.processHttpMessage(BurpExtender.java:209)
	at burp.vec.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)
java.lang.IndexOutOfBoundsException: No group 2
	at java.util.regex.Matcher.group(Matcher.java:538)
	at com.codemagi.burp.PassiveScan.runPassiveScanChecks(PassiveScan.java:126)
	at com.codemagi.burp.PassiveScan.doPassiveScan(PassiveScan.java:105)
	at burp.dhd.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

Markers intersection in issue

When adding a large number of rules, the intersection of highlight markers is possible in the issue. In this case, Burp does not create an issue and does not display an error about it, and the extension may lose results.

For example, you can make the following rules

(HTTP/\d\.\d)	1	HTTP	High	Certain
(HTTP/1\.\d)	1	HTTP	High	Certain

Together they do not create an issue, but if you delete one of them, everything works correctly.

Links:

https://github.com/augustd/burp-suite-utils/blob/18cd784424130c038f9b58d338f9821e7c8e4bb9/src/main/java/com/codemagi/burp/ScanIssue.java#L56

https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#applyMarkers(burp.IHttpRequestResponse,%20java.util.List,%20java.util.List)
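
A rule linter, added here as a Python model of what the extension does with a rules file (the extension is Java; this is not its code). It covers the "No group 2" exception from the two IndexOutOfBoundsException reports above, which is what happens when a rule asks for a capture group its pattern never defines, and the overlapping-marker case from this issue. The rules are constructed in the tab layout quoted above; reading the columns as pattern, group index, software, severity and confidence is my assumption, and the repository's own match-rules.tab is the real reference for the format:

```python
import re

# Constructed rules in the tab-separated layout quoted in this issue.  Column
# meaning (pattern, group index, software, severity, confidence) is my reading.
RULES_TAB = (
    "(HTTP/\\d\\.\\d)\t1\tHTTP\tHigh\tCertain\n"
    "(HTTP/1\\.\\d)\t1\tHTTP\tHigh\tCertain\n"
    "Server: nginx/([\\d.]+)\t2\tnginx\tLow\tCertain\n"      # asks for group 2, defines 1
    "X-Powered-By: PHP/([\\d.]+)\t1\tPHP\tLow\tCertain\n"
)

# Constructed response head to run the rules against
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.1\r\n"
    "X-Powered-By: PHP/7.2.3\r\n"
    "\r\n"
)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pattern, group, software, severity, confidence = line.split("\t")
        rules.append({"pattern": pattern, "group": int(group), "software": software,
                      "severity": severity, "confidence": confidence})
    return rules


def lint_rules(rules):
    """Problems a rule would cause at match time.  Requesting a group the pattern
    does not define is exactly what makes Matcher.group() throw 'No group N'."""
    problems = []
    for rule in rules:
        try:
            compiled = re.compile(rule["pattern"])
        except re.error as err:
            problems.append((rule["software"], f"pattern does not compile: {err}"))
            continue
        if rule["group"] > compiled.groups:
            problems.append((rule["software"],
                             f"uses group {rule['group']} but pattern defines {compiled.groups}"))
    return problems


def find_matches(rules, text):
    """(software, version, start, end) for every match of every well-formed rule;
    start/end is the range a highlight marker would cover."""
    hits = []
    for rule in rules:
        compiled = re.compile(rule["pattern"])
        if rule["group"] > compiled.groups:
            continue                      # skip the bad rule instead of aborting the scan
        for m in compiled.finditer(text):
            g = rule["group"]
            hits.append((rule["software"], m.group(g), m.start(g), m.end(g)))
    return hits


def overlapping_markers(hits):
    """Pairs of hits whose ranges intersect.  Two rules matching the same span,
    like the two HTTP rules above, would yield markers Burp refuses to apply."""
    pairs = []
    for i, a in enumerate(hits):
        for b in hits[i + 1:]:
            if a[2] < b[3] and b[2] < a[3]:
                pairs.append((a, b))
    return pairs


def merge_markers(hits):
    """One highlight range per overlapping cluster, so the issue can still be
    created with markers that do not intersect."""
    ranges = sorted((h[2], h[3]) for h in hits)
    merged = []
    for start, end in ranges:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


if __name__ == "__main__":
    rules = parse_rules(RULES_TAB)
    print("lint:", lint_rules(rules))
    hits = find_matches(rules, RESPONSE)
    print("hits:", hits)
    print("overlaps:", overlapping_markers(hits))
    print("merged markers:", merge_markers(hits))
```

Running the linter when the rules file is loaded would surface the bad group index as a single readable error instead of one stack trace per scanned response, and merging intersecting ranges before calling applyMarkers keeps the issue from being silently dropped when two rules hit the same text.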

JBoss improvement

Hi,
I got a 200 OK page with the following source:

<html><head><title>JBoss Web/7.4.10.Final-redhat-1 - JBWEB000064: Error report</title><style>
...
<h3>JBoss Web/7.4.10.Final-redhat-1</h3>

It is a bit different from the regexp in the rules, and was not detected.
Thanks:)
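
A regression check for the patterns proposed in the Handlebars, Ember and Subversion issues above, run against the snippets quoted with them, added here as Python (not the extension's code). The JBoss Web, GWT and CKEditor patterns are my own suggestions for the requests in those issues, not rules from the project; the GWT input is the line quoted in that issue and the CKEditor script tag is constructed:

```python
import re

# Inputs quoted in the issues (Handlebars, Ember, Subversion, JBoss Web, GWT)
# plus a constructed CKEditor script tag.
SAMPLES = {
    "Handlebars": 'var Handlebars = {};\n\nHandlebars.VERSION = "1.0.beta.6";\n\nHandlebars.helpers  = {};',
    "Ember": "/**\n  @static\n  @type String\n  @default '1.0.pre'\n  @constant\n*/\nEmber.VERSION = '1.0.pre';",
    "Subversion": '<em>Powered by <a href="http://subversion.apache.org/">Apache Subversion</a> version 1.7.14 (r1542130).</em>',
    "JBoss Web": "<html><head><title>JBoss Web/7.4.10.Final-redhat-1 - JBWEB000064: Error report</title>",
    "GWT": '$gwt_version = "2.5.1"',
    "CKEditor": '<script src="/ckeditor/4.5.6/ckeditor.js"></script>',
}

# The first three are the patterns proposed in the issues; the remaining three
# are my suggestions (assumptions), not the project's rules.
PATTERNS = {
    "Handlebars": r"""Handlebars\.VERSION\s*=\s*["']([\w.]+)["']""",
    "Ember": r"""Ember\.VERSION\s*=\s*["']([\w.]+)["']""",
    "Subversion": r">Apache Subversion</a>\s+version\s+([\d.]+(?:\s*\(r\d+\))?)",
    "JBoss Web": r"JBoss Web/(\d+(?:\.[\w-]+)+)",      # keeps '.Final-redhat-1' suffixes
    "GWT": r"""\$gwt_version\s*=\s*["']([\d.]+)["']""",
    "CKEditor": r"ckeditor.*?(\d+\.\d+\.\d+)",         # lazy: nearest x.y.z after 'ckeditor'
}

# What each pattern is expected to capture from its sample
EXPECTED = {
    "Handlebars": "1.0.beta.6",
    "Ember": "1.0.pre",
    "Subversion": "1.7.14 (r1542130)",
    "JBoss Web": "7.4.10.Final-redhat-1",
    "GWT": "2.5.1",
    "CKEditor": "4.5.6",
}


def extract_version(software, text):
    """Group 1 of the software's pattern, or None when it does not match."""
    m = re.search(PATTERNS[software], text)
    return m.group(1) if m else None


def run_regression():
    """{software: (captured, expected)} for every sample."""
    return {name: (extract_version(name, text), EXPECTED[name])
            for name, text in SAMPLES.items()}


def failures():
    """Names of the patterns whose capture differs from the expected version."""
    return [name for name, (got, want) in run_regression().items() if got != want]


if __name__ == "__main__":
    for name, (got, want) in run_regression().items():
        print(f"{name:11} {'ok ' if got == want else 'BAD'} captured={got!r} expected={want!r}")
```

Keeping a table like this beside the rules file turns every accepted pattern proposal into a permanent test, so a later edit to a rule (or an escaping change like the Angular one above) is caught before it reaches users.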
