backslash-powered-scanner

This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.

For more information, please refer to the whitepaper at http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html

The code can be found at https://github.com/portswigger/backslash-powered-scanner. Contributions and feature requests are welcome.

Changelog

1.21 20211015

  • Support for detecting iterable inputs
  • Support for Burp Suite Enterprise Edition

1.10 20210407

  • Major refactor
  • Support for bulk-scanning
  • Misc bugfixes

1.03 20190814

  • Detect path normalization exploits based on Orange Tsai's research

1.02 20180606

  • Add MD5/SHA-1 lax comparison to magic value attacks
  • Misc bugfixes

1.01 20180509

  • Add 'COM1' Windows reserved filename to magic value attacks
  • Support custom magic value attacks
  • Don't attempt filepath related attacks in the request path

1.0 20180214

  • Provide a configuration dialog

0.91 20170612

  • Detect alternative code paths triggered by keywords like 'null', 'undefined', etc.

0.9 20170520

  • Detect JSON Injection and escalate into RCE where possible
  • Detect Server-Side HTTP Parameter Pollution
  • Support bruteforcing backend parameter names
  • Improve evidence clarity and reduce false positives
  • Find vulnerabilities with subtler evidence
  • Detect escape sequence injection
  • Improve LFI detection
  • Misc tweaks, bugfixes and efficiency improvements

0.86 20161004

  • First public release

Installation

This extension requires Burp Suite Pro 1.7.10 or later. To install it, simply use the BApps tab in Burp.

If you want to manually build/install it from source, you'll need to add the following JAR to your libraries: https://commons.apache.org/proper/commons-lang/download_lang.cgi

Contributors

ahri, albinowax, coreyd97, kingthorin, mike-smith-portswigger, pajswigger, portswiggersupport, tghosth
