wagiro / burpbounty

Burp Bounty (Scan Check Builder in BApp Store) is an extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.

License: Apache License 2.0

HTML 0.06% Java 46.91% BlitzBasic 38.78% Clojure 14.25%
bugbounty burp-extensions burpsuite bug-bounty vulnerability-scanner vulnerability-detection

burpbounty's People

Contributors

anon-exploiter, ayadim, hannah-portswigger, legik, n00py, pajswigger, portswiggersupport, six2dez, sy3omda, wagiro

burpbounty's Issues

Scan Check Builder not working on version v1.7.37 & 2.X.X

Hi,

I spent many hours trying to make it work without success.
I have tested many versions of Java v1.8.X and I am using Scan Check Builder v3.0.5\6.
Most of the time the scanner does not yield anything in PASSIVE mode, and when I use ACTIVE mode, it's not firing any payloads.
It only sends the payloads when I use the default profiles.
If I try to make a new profile from scratch or even change any existing profile, it stops working.

Another bug:
In profile definition and in profile manager, when I try to customize or change an existing profile, it becomes duplicated in profile manager. If I try to delete a profile with the (Remove) button, it does not work at all.

Last thing, I didn't receive any bugs from Java or from the output in the extender.

Thanks.

CRLF-Attack.bb fix false positive

Hello Edu. I noticed that when I use CRLF-Attack.bb I get more false results.
To fix this, we need:

Payload: %0D%0ASet-Cookie:%20mycookie=myvalue # there I add %20
Response regex: ^Set-Cookie:\smycookie=myvalue #
It is 100% better and we don't get false.
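
The difference the post describes can be reproduced outside Burp. The following is an added example, not code from BurpBounty or from the post: it runs the anchored response regex from above against three constructed responses. The `MULTILINE` flag, the header-only restriction, the loose comparison grep and all class and method names are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class CrlfGrepCheck {
    // Response regex from the post. MULTILINE is an assumption of this example:
    // it lets '^' anchor at the start of every line instead of only at the start of input.
    static final Pattern ANCHORED =
            Pattern.compile("^Set-Cookie:\\smycookie=myvalue", Pattern.MULTILINE);

    // Hypothetical loose grep, shown only for comparison.
    static final Pattern LOOSE = Pattern.compile("mycookie=myvalue");

    /** Header block of a raw HTTP response: everything before the first empty line. */
    static String headerBlock(String raw) {
        int end = raw.indexOf("\r\n\r\n");
        return end < 0 ? raw : raw.substring(0, end);
    }

    /** True only when the cookie appears as a header line of its own. */
    static boolean headerInjected(String raw) {
        return ANCHORED.matcher(headerBlock(raw)).find();
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured traffic.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("payload echoed, still encoded, in Location",
                "HTTP/1.1 302 Found\r\n"
              + "Location: /next?lang=en%0D%0ASet-Cookie:%20mycookie=myvalue\r\n"
              + "Content-Length: 0\r\n\r\n");
        samples.put("payload decoded and echoed in the body",
                "HTTP/1.1 200 OK\r\n"
              + "Content-Type: text/plain\r\n\r\n"
              + "lang=en\r\nSet-Cookie: mycookie=myvalue");
        samples.put("header really split by the server",
                "HTTP/1.1 302 Found\r\n"
              + "Location: /next?lang=en\r\n"
              + "Set-Cookie: mycookie=myvalue\r\n"
              + "Content-Length: 0\r\n\r\n");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String raw = e.getValue();
            System.out.printf("%-45s loose=%-5b anchored(whole)=%-5b anchored(headers)=%b%n",
                    e.getKey(),
                    LOOSE.matcher(raw).find(),      // fires on any reflection
                    ANCHORED.matcher(raw).find(),   // still fires on a body line
                    headerInjected(raw));           // fires only on a real header line
        }
    }
}
```

Only the third sample is reported by the header-restricted check; the loose grep reports all three, and the anchored regex applied to the whole response still reports the body echo.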

Add new payload encoder - replace string

Sometimes we have to replace some strings in payloads. For ex: replace /etc/passwd with /etc/resolv.conf to bypass IPS or WAF, or replace evilsite.com with blabla.burpcollaborator.com to test blind vulns.
So a replace string encoder or something like this would be very useful.
As an example you can refer to my commits to burpbounty v1 forks in my github...
Once more, thanks for such a tool!

Replacing the inbuilt scanner?

Hi @wagiro,

Thank you for making this, just curious about a few things!

After creating the profile under BurpBounty for the active scan, if we are invoking active scan as you showed in YouTube videos, are all other Burp active scan checks going to run or not?

If yes, how will this be effective, as the Burp active scanner is going to scan for everything again?

If no, what will the setting be in the Burp scanner?

Do we need any specific configuration under the Burp scanner tab for using Burp Bounty?

Not able to get Instances of Issues in Target Site Map

Hi wagiro,

I am not able to get Instances of Issues in Target Site Map

I get one Issue as attached.

However, when I go to scanner, I get 4 instances of the Issue. Attached is a screenshot.

Please can you let me know how I can get Instances of Issues in Target Site Map.

Note: I am running the Active Scan for Extension generated

Thanks in advance,
Karibasavaraj K

targetsitemap

scanner

Wrong profile switching in Profile manager

When I sort profiles in Profile Manager and then try to enable/disable one of the sorted profiles, BB switches not the selected profile but some other profile (I suppose BB switches the profile that was in the selected place before sorting :) )

Payloads lead to freezing the burpsuite

Hi
I created a new profile and inserted these payloads:

this is onpointerover=alert(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Mohamed(45)
Then I scanned a URL and saw that Burp Suite was frozen. I also saw that CPU and RAM usage was very high and I could not use Burp Suite.

open redirect config

Hi, can you help me please to configure the open redirect? Thank you

I got a lot of false positives using it even if I configure it like you did in the YouTube tutorial

screen shot 2018-10-19 at 08 46 47

thank you

Problem with triggering "Active Scan" payloads

Hello, I have an "active scan" profile, and, it works when I scan with all the issues selected:

Burp-Bounty

However, if I remove all the "issues" the profile payloads don't trigger, nor if I just select "SQL injection".

Bounty-Hunter-2

So my question is: which issue corresponds to the profile to make it work? Do I need to select every issue? Thank you very much!

Suggestion to add conditional judgment

It is suggested to add conditional judgment: for example, for WordPress websites, you only need to test payloads related to WordPress. Thank you for the amazing job.

Important feature to add - Automate scans by passively trigger active payloads based on conditions

While crawling, passively trigger active payloads based on conditions >>> Example: While I perform the crawling process, it will fire payloads based on the conditions (such as SQLI payloads against each parameter or path discovery, etc.).

In the photo (from another extension) you can see that I match against all param values and replace them with an XSS payload.
The process is performed automatically via crawling or other scan methods.

image

Thanks.

Grep - Match on Headers/body switch

Very nice extender:)
I tried to use custom payloads for XSS, but these values were reflected in the HTTP response within the "x-request-path:" header.
Could there be an easy checkbox, whereas I want to search for payloads within headers, body, or both?
Thanks:)

Problem with endpoint extractor

I use Burp 1.7.35 and Scan Check Builder 3.0.5 beta, and I have two problems:
1 - I can't save the modifications in profiles. I press the save button but the changes are not saved.
2 - I am trying to use the Endpoindextractor.bb but when it's loaded it does not work. I looked at the code and nothing in the code is loaded, for example:

[{"Name":"EndpointsExtractor","Active":true,"Scanner":2,"Author":"@GochaOqradze","Payloads":[],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":["(?:\"|\u0027)(((?:[a-zA-Z]{1,10}://|//)[^\"\u0027/]{1,}\\.[a-zA-Z]{2,}[^\"\u0027]{0,})|((?:/|\\.\\./|\\./)[^\"\u0027\u003e\u003c,;| *()(%%$^/\\\\\\[\\]][^\"\u0027\u003e\u003c,;|()]{1,})|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|/][^\"|\u0027]{0,}|))|([a-zA-Z0-9_\\-]{1,}\\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\\?[^\"|\u0027]{0,}|)))(?:\"|\u0027)"],"Tags":["endpoints","regex"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":true,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"MatchType":2,"RedirType":0,"MaxRedir":0,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"EndpointsExtractor","IssueSeverity":"Information","IssueConfidence":"Firm","IssueDetail":"Regex by Gerben_Javado : \n\u003cbr\u003ehttps://github.com/GerbenJavado/LinkFinder/blob/master/linkfinder.py\n\n\u003cbr\u003e\u003cbr\u003eEndpoints: \u003cbr\u003e\u003cgrep\u003e","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"pathDiscovery":false}]

In the plugin only see:
Captura de pantalla (2)

and all empty boxes:
Captura de pantalla (3)

I read that the newest version of the plugin works on Burp 2.0; probably it does not support older versions.

Regards! I love your work, and I hope my issue improves it.

Null tags can be added

We've come across an issue in your BApp Store Extension, Scan Check Builder.

You are allowing null tags to be added when you click ‘Add’ next to the empty dropdown.

How to reproduce:

  • Install and go to scan check builder
  • Set the profiles directory at the top to a directory of your choice
  • Populate the name and author fields with test data
  • Switch to ‘Tags’ tab
  • Click ‘Add’ when nothing is in the drop down selector
  • Click ‘Save’ button
  • If you go to the profiles directory you chose, there should be a file created with a .bb extension
  • Open the file and there will be some JSON
  • There should be a “Tags” attribute with a list containing a null
  • Close and reopen Burp
  • Notice that the tab does not re-appear

There is a workaround available - go to the config file and delete the nulls from the Tags list or delete the config file and let them create their config again.

Would it be possible for you to provide a fix so that null tags cannot be added in the first place?

GUI Scroll Bug

Hi, I'm using Burp V2.1, and after installing the latest version of Bounty Burp I have this problem.
image

It seems that all tabs have the same fixed length, but some of them like the "Profile Definition" need more space.

Feature Request: Add append/replace for all payloads and timing option

Hey man, really like the plugin!

After using it for a bit, 2 things that would really improve the usefulness of the tool are:

  1. Have an option to append AND/OR replace all payloads to existing URLs/parameters
  2. Have a timing option in seconds to check for timing attacks (ie. ' OR SLEEP(5)--), if response is greater than 5 seconds, indicate a vulnerability.

Burp v2.0.08 - compatibility

I think there is a problem, because I fail to save any profile. I tried countless times, but it was useless.

I press the "Save" button but nothing happens. I see no errors in the Extender.

Thank you

Possible Bug at Regex based Passively Scanning

With reference to #26

There is a weird bug while performing regex-based passive checks on responses.

  • Sometimes it passively checks each and every request & keeps creating issues based on patterns it detected (This is how it works).
  • Sometimes it stops in the middle of the checks.
    ex: BurpBounty - HTML-DOM Reflections [5]; let's imagine it caught 5 issues so far, then it will freeze here no matter how much you crawl or perform passive scanning against the target.
  • Sometimes it doesn't initiate the scan itself (Highly possible when you have Multiple Regex Profiles under the directory).

To Reproduce the issue use the following Scan Patterns & Try the following 2 steps for around 5-6 times.

  1. Run Burp / crawl a couple of sites. (Keep an eye on the no. of issues it created in the scanner dashboard.)
  2. Then unload profile and load profile again.

Add some regex based patterns such as: in Grep set

  • Passively Response.

  • Grep Set Regex

ws(s)?:\/\/
document\.(URL|documentURI|URLUnencoded|baseURI|cookie|referrer)|location\.(href|search|hash|pathname)|window\.name|history\.(pushState|replaceState)(local|session)Storage
set(Timeout|Interval|Immediate)|execScript
ScriptElement\.(src|text|textContent|innerText)|.*?\.onEventName|document\.(write|writeln)
.*?\.innerHTML|Range\.createContextualFragment|(document|window)\.location
(eval|evaluate|execCommand|assign|navigate|getResponseHeaderopen|showModalDialog|Function|set(Timeout|Interval|Immediate)|execScript|crypto.generateCRMFRequest|ScriptElement\.(src|text|textContent|innerText))\(
  • Grep Options : Exclude HTTP headers

Possible bug in status code filter

First off, thank you for building this terrific extension!

I'm trying to tighten up my rule for testing for the absence of a CSP header and am running into issues. It was working as expected until I added a filter for status code. No matter what I put in here (single value, comma-delimited list), the check does not fire.

Here's what I've got set:

image

I haven't had the time to dig through the source yet but wanted to open an issue in the meantime.

Please add function.

Hi wagiro!

This plugin is amazing!

I want to select the position of the insertion point after the parameter value, like in "Burp Intruder".
Because I would like to compare responses as follows when testing SQLi.

For example

requestA
parameterA = value ' and 'a' = 'a

responseA
normal response

requestB
parameterA = value ' and 'b' = 'a

responseB
error response

Please add the above function.

CLI support

Hi wagiro,

Is there a CLI through which we can perform "Profiles Reload"?

Thanks in advance,
Karibasavaraj K

Suggestion to add logs files

[{"Name":"Linux-PathTraversal-MR","Active":true,"Scanner":1,"Author":"@egarme","Payloads":["/../{FILE}","/../../{FILE}","/../../../{FILE}","/../../../../{FILE}","/../../../../../{FILE}","/../../../../../../{FILE}","/../../../../../../../{FILE}","/../../../../../../../../{FILE}","/..%2f{FILE}","/..%2f..%2f{FILE}","/..%2f..%2f..%2f{FILE}","/..%2f..%2f..%2f..%2f{FILE}","/..%2f..%2f..%2f..%2f..%2f{FILE}","/..%2f..%2f..%2f..%2f..%2f..%2f{FILE}","/..%2f..%2f..%2f..%2f..%2f..%2f..%2f{FILE}","/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f{FILE}"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":["root:x"],"Tags":[],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"MatchType":1,"RedirType":0,"MaxRedir":0,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"Linux-PathTraversal","IssueSeverity":"Medium","IssueConfidence":"Certain","IssueDetail":"Path traversal with payloads: \u003cbr\u003e \u003cpayload\u003e","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[{"type":"Payload","match":"{FILE}","replace":"etc/passwd","regex":"String","comment":"Generic comment"}],"VariationAttributes":[],"pathDiscovery":false}]

Hi,
I see you are doing an amazing job here and I would like to suggest something.
Could we add more than just the passwd file to be detected?
For example, log files for Linux as a start, then Windows if you could do it.
I will reference an article that mentions those important logs' names in many different environments, if you allow me.

DistrosDefaultLayout

Scan specific parameter

Is the option to scan a specific parameter there?
for example

GET /bWAPP/sqli_4.php?title=x-men&action=search HTTP/1.1
Host: itsecgames.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://itsecgames.com/bWAPP/sqli_4.php
DNT: 1
Connection: close
Cookie: PHPSESSID=ca30748e7e3c43d1d7d0ceaa1f463eb9; security_level=0
Upgrade-Insecure-Requests: 1

Scanning title for SQL?

Incorrect handling of Macro requests

When configuring post-request macros for the target URL under scan, BurpBounty generates Issues that include the macro request instead of the original request (containing the configured payload).

Example:

Interface A accepts requests, B displays parameter values received by A. In order to identify XSS issues a post-request macro is configured to request B after a scanner request is issued to A. If interface B contains the XSS payload an Issue is generated by BurpBounty, but the HTTP Request associated with the issue is the one for interface B instead of the one issued to A.

Opening Profile Manager results in NullPointerException

Environment:
Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
Burp Suite Professional v2.0.11 beta

Repro steps:

  1. Install BurpBounty through the Extender store
  2. Go to Burp Bounty, load a profiles folder
  3. Click Profiles Manager, and no window appears, and the following output is displayed in the terminal process running Burp:

root@kali:~# BurpSuitePro
class java.lang.NullPointerException
java.lang.NullPointerException
    at burpbounty.ProfilesManager.showProfiles(ProfilesManager.java:152)
    at burpbounty.ProfilesManager.<init>(ProfilesManager.java:65)
    at burpbounty.BurpBountyGui.ActionProfile(BurpBountyGui.java:1962)
    at burpbounty.BurpBountyGui.access$1200(BurpBountyGui.java:54)
    at burpbounty.BurpBountyGui$14.actionPerformed(BurpBountyGui.java:1301)
    at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
    at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
    at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
    at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
    at java.awt.Component.processMouseEvent(Component.java:6533)
    at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
    at java.awt.Component.processEvent(Component.java:6298)
    at java.awt.Container.processEvent(Container.java:2236)
    at java.awt.Component.dispatchEventImpl(Component.java:4889)
    at java.awt.Container.dispatchEventImpl(Container.java:2294)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
    at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
    at java.awt.Container.dispatchEventImpl(Container.java:2280)
    at java.awt.Window.dispatchEventImpl(Window.java:2746)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
    at java.awt.EventQueue$4.run(EventQueue.java:731)
    at java.awt.EventQueue$4.run(EventQueue.java:729)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

Scan Check Builder not working on version v1.7.37 Pro

I am using Java v1.8.201 and I am using Scan Check Builder v3.0.5beta from the Bapp store. Even creating a simple profile to look for character 'a' in a passive response is not yielding any result.

See below: -

Screen Shot 2019-12-08 at 12 53 00 am

Screen Shot 2019-12-08 at 12 51 09 am

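About a regex matching problem

To ignore case in regex matching, the following should be used:

Pattern.compile(grep,Pattern.CASE_INSENSITIVE);

However, the implementation converts both the grep and the string to upper case, which breaks the grep:

grep = "\d{11}";grep = grep.toUpperCase(); => grep = "\D{11}";

For example, in GrepMatch.java, line 96.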

A bug in the code

At line 250 of GrepMatch.java,
requestResponse.getResponse() -> requestResponse.getRequest()

It should be
requestString = helpers.bytesToString(requestResponse.getRequest())

Able to edit payloads in profile

We are able to add, clear, remove payloads to profile, but not to edit them.
Suppose I am importing some fuzzlist into a profile and then I have to edit some payloads to correct them for use.
Or it may be a feature to auto-read payloads from txt files when the plugin starts.

For example: I use some fuzzlist txt files, which I continuously update from time to time.
If I could snap txt files to profiles in BurpBounty (for ex: XXEfuzz.txt to XXE profile, JsonFuzz.txt to JSON profile and so on) it would be excellent!

So this feature would be very useful for bug hunters.

P.S. Thank you for such a tool!

add new features in the burpbounty

Change request method

For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location, e.g. to bypass input filters or fine-tune a cross-site scripting attack. Can you please add this as a new feature in BurpBounty, so that we can change from POST to GET automatically to find more bugs?

Requests sent by scanner is not incremented

Hi Wagiro,

The Scan Check Builder is amazing.

We used the extender to send payloads through active scan. The Active scan was able to send multiple requests using extender.

However, we noticed that the number of requests sent by scanner is not getting updated.
Scanner --> Scan Queue --> Requests. We are using Burp Suite Pro version 1.7.37.

Please could you let us know your comments.

Thanks in advance,
Karibasavaraj K

Support for BurpPro v2.1.07?

Passive audit check "hangs" and does not complete. Started noticing this issue around v2.1.04-v2.1.05 of BurpSuite Professional. Tried 3.0.5 and 3.0.6beta of BurpBounty and same issue.

No errors in the extension output. It seems to get stuck while scanning a favicon.ico page. Maybe something with unsupported characters?

Thanks!

make multiple lines bb json file

Your links to bb profiles on github gave me this idea...

If bb profiles are multiple lines, then we can merge and commit changes to bb profiles in GitHub.
Now, with a one-line JSON bb profile, if I want to merge some bb profile with mine it is not possible.
But with multiple lines it will be possible..
For example:
[
  {
    "Name": "LDAP.Fuzzinging",
    "Active": true,
    "Scanner": 1,
    "Payloads": [
      "!",
      "%21",
      "%26",
      "admin*",
      "admin*)((|userpassword=)",
      ")(uid=))(|(uid="
    ],
    "Encoder": [],
    "UrlEncode": false,
    "CharsToUrlEncode": "",
    "SearchString": "",
    "ReplaceString": "",
    "Grep": [
      "error"
    ],
    "PayloadResponse": false,
    "NotResponse": false,
    "NotCookie": false,
    "CaseSensitive": false,
    "ExcludeHTTP": false,
    "OnlyHTTP": false,
    "IsContentType": false,
    "ContentType": "",
    "IsResponseCode": false,
    "ResponseCode": "",
    "MatchType": 1,
    "IssueName": "LDAP.Fuzzinging",
    "IssueSeverity": "Information",
    "IssueConfidence": "Certain",
    "IssueDetail": "LDAP.Fuzzinging\n\n",
    "RemediationDetail": "",
    "IssueBackground": "",
    "RemediationBackground": ""
  }
]
This profile can be loaded in bb. And I can commit and merge this in github (for ex: adding payloads, or changing Remed detail). But after loading and later saving profile - it will be saved in single-line json.

Passive Response Check - CSS and JS

Hi wagiro,

I am trying to perform a passive response search within .css and .js files using a regular expression; however, I do not obtain any matches. For some reason, I only obtain results when the content-type is text/html. I did not enable the 'Content-Type' check option to specifically search for text/html, so I'm not sure why a match is not occurring. I have also tried changing to a 'Simple Search', rather than use a regular expression, but I am still not having any luck.

Not an issue, but have some questions.

Hi (again),

Was just wondering, after going through some of your videos, if the collaborator is always on? Some videos have the "Collaborator button" and in the usage that button is gone. From my experience the collaborator URL is only generated after I open the window inside of Burp, or am I missing something here?

Also I was wondering, if I execute an active scan against a target, will "ALL" of my profiles that have the "Active" flag be shot off against the target (and that are present in the profile directory)?

Thanks again btw for the quick response and a wonderful tool!

Aggregate issues

Maybe BurpBounty would aggregate issues when it creates them.
For example: if we have 3 payloads:
admin'
admin' or '1'='1
admin''"
Burpbounty will create 3 issues with SQL injection.
Sometimes it is useful, but sometimes it is VERY VERY NOT.
So it may be some checkbox in form about aggregation so user can decide...

Can't save created profiles

Awesome extension, but I'm having some trouble trying to save profiles that I have created. Nothing is showing up sadly after I try to add tags. I'm using v2.1.03 on Burp.

<grep> doesn't show the grep string that matched when used on Issue Detail/Background

Great extender! I just used it but it is now one of my favorite Burp Suite Extensions. I have a few issues though.

I noticed that the other profiles are using the <grep> tag on the Issue Details. I'm not really sure what its function is exactly, but I assumed that this should show the grep string that was found. But this didn't work as I expected; please feel free to correct me if I misunderstood it.

Basically, what I want is to see on the issue detail which grep were found on the response. So, here's my profile setup:

Scanner: Passive Response
Grep: email, password, session
Match type: Regex
Issue Detail: The following string/s were found on the response: <grep>

I hope you'll be able to help me with this. I'm using v3.0.2beta

Thanks,
Chris

"ProfileManager" button does not work

Hi

Today two new versions of Burp were released, 2.0.10 and 2.0.11

I'm using BurpBounty version 2.3 and it seems that the "ProfileManager" button does not work anymore. I click on it but nothing happens. Can you check please?

"Profile Directory" is fine

Thank you

Passive Response based on Request params ?

Let's say I want to do a CRLF passive scan like this:

IF Request param Name $1 (GET or POST) IS equal to this Response regex "Set-Cookie: $1=value"

How can I do this, is it possible without an Active scan?

A bug in "Exclude HTTP headers"

Thanks for the quick implementation of "Exclude HTTP headers". However, I think it contains a bug.
I added a payload, which is once reflected within the "x-request-path: " header, and then in the body it appears on 7 different places:
image
However, even though I see these occurrences in the Session Tracer, there is no issue reported by this extension.
Here is my setup:
image
I assume it matches the payload only once, and since it happens to occur in the header, the rest of found bugs are ignored.

Possible Bug at Handling Exception on Regex Grepping

Hello @wagiro

  • We have an option to add regex-based patterns under the response tab. The problem here is that if any one of the regex patterns is invalid/broken, then the tool will stop scanning the rest of the requests.

  • I Tried this in Passive Response Scanning , Please let me know if you are able to reproduce this.

While processing the regex based patterns, give a try & catch exception handling rule to throw the errors directly to stderr of the extension so that we can fix the broken regex pattern.
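
Both regex reports on this page (the upper-casing problem in "About a regex matching problem" and the broken-pattern problem in this issue) can be shown in one place. The following is an added example, not BurpBounty's own code: it compiles each grep separately with `Pattern.CASE_INSENSITIVE`, reports a broken pattern to stderr and keeps the remaining ones. All class and method names and the sample strings are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class SafeGrepCompiler {

    /** Usable patterns plus the greps that were rejected. */
    static final class Compiled {
        final List<Pattern> patterns = new ArrayList<>();
        final List<String> rejected = new ArrayList<>();
    }

    /** Compile every grep on its own so that one broken pattern cannot stop the others. */
    static Compiled compileAll(List<String> greps, boolean caseSensitive) {
        Compiled out = new Compiled();
        int flags = caseSensitive ? 0 : Pattern.CASE_INSENSITIVE;
        for (String grep : greps) {
            if (grep == null || grep.isEmpty()) {
                out.rejected.add(String.valueOf(grep));
                continue;
            }
            try {
                out.patterns.add(Pattern.compile(grep, flags));
            } catch (PatternSyntaxException e) {
                // Tell the profile author which pattern is broken, and where.
                System.err.println("Skipping invalid grep '" + grep + "': "
                        + e.getDescription() + " (index " + e.getIndex() + ")");
                out.rejected.add(grep);
            }
        }
        return out;
    }

    /** Source text of every compiled pattern that matches the response. */
    static List<String> matching(Compiled compiled, String response) {
        List<String> hits = new ArrayList<>();
        for (Pattern p : compiled.patterns) {
            if (p.matcher(response).find()) {
                hits.add(p.pattern());
            }
        }
        return hits;
    }

    /** The approach the first report describes: upper-case both the grep and the text. */
    static boolean upperCaseMatch(String grep, String response) {
        return Pattern.compile(grep.toUpperCase()).matcher(response.toUpperCase()).find();
    }

    public static void main(String[] args) {
        // Constructed inputs: an 11-digit number, a mixed-case keyword, a broken pattern.
        String response = "id=13800138000&Token=abc";
        List<String> greps = Arrays.asList("\\d{11}", "token", "(unclosed");

        Compiled compiled = compileAll(greps, false);
        System.out.println("compiled: " + compiled.patterns.size()
                + ", rejected: " + compiled.rejected);
        System.out.println("matches:  " + matching(compiled, response));

        // "\d{11}" upper-cased becomes "\D{11}" (eleven NON-digits), so the meaning flips.
        System.out.println("upper-cased \\d{11} finds the number: "
                + upperCaseMatch("\\d{11}", response));
        System.out.println("upper-cased \\d{11} fires on text without digits: "
                + upperCaseMatch("\\d{11}", "no digits here at all"));
    }
}
```

With the constructed input, the two valid greps match and the broken one is listed as rejected, while the upper-cased `\d{11}` misses the 11-digit number and fires on a string that contains no digits.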
