init version

nccgroup · Jul 4, 2018 · f8f87c0 · f8f87c0
1 parent 40ad5a8
commit f8f87c0
Show file tree

Hide file tree

Showing 59 changed files with 7,056 additions and 0 deletions.
diff --git a/.classpath b/.classpath
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" path="src"/>
+	<classpathentry kind="lib" path="c:/temp/burpsuite_pro.jar"/>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/jre1.8.0_171"/>
+	<classpathentry kind="output" path="bin"/>
+</classpath>
diff --git a/.externalToolBuilders/MakeHTTPSmugglerJAR.launch b/.externalToolBuilders/MakeHTTPSmugglerJAR.launch
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<launchConfiguration type="org.eclipse.ant.AntBuilderLaunchConfigurationType">
+<booleanAttribute key="org.eclipse.ant.ui.ATTR_TARGETS_UPDATED" value="true"/>
+<booleanAttribute key="org.eclipse.ant.ui.DEFAULT_VM_INSTALL" value="false"/>
+<stringAttribute key="org.eclipse.debug.core.ATTR_REFRESH_SCOPE" value="${workspace}"/>
+<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
+<listEntry value="/HTTP Smuggler"/>
+</listAttribute>
+<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
+<listEntry value="4"/>
+</listAttribute>
+<booleanAttribute key="org.eclipse.debug.ui.ATTR_LAUNCH_IN_BACKGROUND" value="false"/>
+<stringAttribute key="org.eclipse.jdt.launching.CLASSPATH_PROVIDER" value="org.eclipse.ant.ui.AntClasspathProvider"/>
+<booleanAttribute key="org.eclipse.jdt.launching.DEFAULT_CLASSPATH" value="true"/>
+<stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="HTTP Smuggler"/>
+<stringAttribute key="org.eclipse.ui.externaltools.ATTR_LOCATION" value="${workspace_loc:/HTTP Smuggler/build.xml}"/>
+<stringAttribute key="org.eclipse.ui.externaltools.ATTR_RUN_BUILD_KINDS" value="full,incremental,auto,"/>
+<booleanAttribute key="org.eclipse.ui.externaltools.ATTR_TRIGGERS_CONFIGURED" value="true"/>
+<stringAttribute key="org.eclipse.ui.externaltools.ATTR_WORKING_DIRECTORY" value="${workspace_loc:/HTTP Smuggler/}"/>
+</launchConfiguration>
diff --git a/.project b/.project
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>HTTP Smuggler</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.ui.externaltools.ExternalToolBuilder</name>
+			<triggers>auto,full,incremental,</triggers>
+			<arguments>
+				<dictionary>
+					<key>LaunchConfigHandle</key>
+					<value>&lt;project&gt;/.externalToolBuilders/MakeHTTPSmugglerJAR.launch</value>
+				</dictionary>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+	</natures>
+</projectDescription>
diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs
@@ -0,0 +1,2 @@
+eclipse.preferences.version=1
+encoding//src/mutation/HttpEncoding.java=UTF-8
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
@@ -0,0 +1,11 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.8
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.8
diff --git a/build.xml b/build.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" ?>
+<!-- Configuration of the Ant build system to generate a Jar file --> 
+<project name="HTTP Smuggler" default="CreateJar">
+	<property name="projectHome" location="." />
+	<target name="CreateJar" description="Create Jar file">
+		<jar destfile="${projectHome}/httpsmuggler.jar" basedir="${projectHome}/bin">
+			<!--<zipgroupfileset dir="libs/" includes="*.jar" excludes=""/>-->
+
+			<fileset dir=".">
+			    <include name="**/resources//**"/>
+			</fileset>
+		</jar>
+	</target>
+</project>
diff --git a/src/burp/BurpExtender.java b/src/burp/BurpExtender.java
@@ -0,0 +1,262 @@
+/*
+ * Burp Suite HTTP Smuggler
+ * 
+ * Released as open source by NCC Group - https://www.nccgroup.trust/
+ * 
+ * Developed by:
+ *     Soroush Dalili (@irsdl)
+ * 
+ * Project link: https://github.com/nccgroup/BurpSuiteHTTPSmuggler/
+ * 
+ * Released under AGPL v3.0 see LICENSE for more information
+ * 
+ * */
+
+package burp;
+
+import java.awt.Component;
+import java.io.PrintWriter;
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.swing.JPanel;
+import javax.swing.JTabbedPane;
+import javax.swing.SwingUtilities;
+
+import mutation.HTTPEncodingObject;
+
+public class BurpExtender implements IBurpExtender, ITab, IHttpListener
+{
+
+	private PrintWriter _stdout;
+	private PrintWriter _stderr;
+	private JTabbedPane _topTabs;
+	private IBurpExtenderCallbacks _callbacks;
+	private JTabbedPane topTabs;
+
+	public void registerExtenderCallbacks (IBurpExtenderCallbacks callbacks)
+	{
+		_callbacks = callbacks;
+		// obtain our output stream
+		_stdout = new PrintWriter(_callbacks.getStdout(), true);
+		_stderr = new PrintWriter(_callbacks.getStderr(), true);
+
+		// set our extension name
+		_callbacks.setExtensionName("HTTP Smuggler");
+
+		// register ourselves as an HTTP listener
+		callbacks.registerHttpListener(BurpExtender.this);
+
+		// create our UI
+		SwingUtilities.invokeLater(new Runnable() 
+		{
+			@Override
+			public void run()
+			{
+				topTabs = new JTabbedPane();
+
+				topTabs.addTab("Scope", null, new myui.ScopeTab(callbacks, _stdout, _stderr), null);
+				topTabs.addTab("Encoding", null, new myui.EncodingTab(callbacks, _stdout, _stderr), null);	
+				topTabs.addTab("About", null, new myui.AboutTab(callbacks, _stdout, _stderr), null);	
+
+				// customize our UI components
+				callbacks.customizeUiComponent(topTabs); 
+				helper.UIStuff.updateJCheckBoxBackground(topTabs);
+
+				// add the custom tab to Burp's UI
+				callbacks.addSuiteTab(BurpExtender.this);
+			}
+		});
+
+	}
+
+	@Override
+	public String getTabCaption()
+	{
+		return "HTTP Smuggler Settings";
+	}
+
+	@Override
+	public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {		
+		if(messageIsRequest) {
+			/* to calculate the scope, OR has not been implemented yet*/
+			boolean isDisabled = false;
+			boolean isInScope = false;
+			boolean isTargetInScope = true;
+			boolean isURLPathInScope = true;
+			boolean isHeaderInScope = true;
+
+			IRequestInfo analyzedReq = _callbacks.getHelpers().analyzeRequest(messageInfo);
+			URL uUrl = analyzedReq.getUrl();
+			/* find the right scope based on the settings*/
+			int targetScopeOption =(int) loadExtensionSettingHelper("targetScopeOption","int",0);
+			int pathRegExOption =(int) loadExtensionSettingHelper("pathRegExOption","int",0);
+			String pathRegEx =(String) loadExtensionSettingHelper("pathRegEx","string","");
+			int headerRegExOption =(int) loadExtensionSettingHelper("headerRegExOption","int",0);
+			String headerRegEx =(String) loadExtensionSettingHelper("headerRegEx","string","");
+
+			boolean chckbxAllTools =(boolean) loadExtensionSettingHelper("chckbxAllTools","bool",false);
+			boolean chckbxProxy =(boolean) loadExtensionSettingHelper("chckbxProxy","bool",false);
+			boolean chckbxScanner =(boolean) loadExtensionSettingHelper("chckbxScanner","bool",false);
+			boolean chckbxIntruder =(boolean) loadExtensionSettingHelper("chckbxIntruder","bool",false);
+			boolean chckbxRepeator =(boolean) loadExtensionSettingHelper("chckbxRepeator","bool",true);
+			boolean chckbxExtender =(boolean) loadExtensionSettingHelper("chckbxExtender","bool",false);
+			boolean chckbxTarget =(boolean) loadExtensionSettingHelper("chckbxTarget","bool",false);
+			boolean chckbxSequencer =(boolean) loadExtensionSettingHelper("chckbxSequencer","bool",false);
+			boolean chckbxSpider =(boolean) loadExtensionSettingHelper("chckbxSpider","bool",false);
+
+			if(targetScopeOption==1 && pathRegExOption==1 && headerRegExOption==1) {
+				//evrything is disabled
+				isDisabled = true;
+			}
+
+			if(!isDisabled) {
+				if(targetScopeOption < 1 && !_callbacks.isInScope(uUrl)) {
+					isTargetInScope = false;
+				}
+
+
+				if(isTargetInScope && pathRegExOption < 1 && !pathRegEx.isEmpty()){
+					// AND rule for path/url regex
+					Pattern pathPattern = Pattern.compile(pathRegEx);
+					Matcher matcher_pathURL = pathPattern.matcher(uUrl.toString());
+					if (!matcher_pathURL.find())
+					{
+						isURLPathInScope = false;
+					}
+				}
+
+				if(isTargetInScope && isURLPathInScope && headerRegExOption < 1 && !headerRegEx.isEmpty()){
+					// AND rule for header regex
+					Pattern headerPattern = Pattern.compile(headerRegEx);
+
+					StringBuilder sb = new StringBuilder();
+					for (String headerLine : analyzedReq.getHeaders())
+					{
+						sb.append(headerLine);
+						sb.append("\r\n");
+					}
+					Matcher matcher_header = headerPattern.matcher(sb.toString());
+					if (!matcher_header.find())
+					{
+						isHeaderInScope = false;
+					}
+				}
+
+
+
+				if (isTargetInScope && isURLPathInScope && isHeaderInScope){
+					// check the tool!
+					if(chckbxAllTools){
+						isInScope = true;
+					}else if(chckbxProxy && toolFlag==_callbacks.TOOL_PROXY){
+						isInScope = true;
+					}else if(chckbxIntruder && toolFlag==_callbacks.TOOL_INTRUDER){
+						isInScope = true;
+					}else if(chckbxRepeator && toolFlag==_callbacks.TOOL_REPEATER){
+						isInScope = true;
+					}else if(chckbxScanner && toolFlag==_callbacks.TOOL_SCANNER){
+						isInScope = true;
+					}else if(chckbxSequencer && toolFlag==_callbacks.TOOL_SEQUENCER){
+						isInScope = true;
+					}else if(chckbxSpider && toolFlag==_callbacks.TOOL_SPIDER){
+						isInScope = true;
+					}else if(chckbxExtender && toolFlag==_callbacks.TOOL_EXTENDER){
+						isInScope = true;
+					}else if(chckbxTarget && toolFlag==_callbacks.TOOL_TARGET){
+						isInScope = true;
+					}
+				}
+
+
+				if (isInScope){
+					//logIt(toolFlag, messageIsRequest, messageInfo, null);
+					mutation.HttpEncoding httpEcnoding = new mutation.HttpEncoding(_callbacks,_stdout,_stderr,true);
+					try {
+						String newHTTPMessage = httpEcnoding.encodeHTTPMessage(messageInfo.getRequest(), loadHTTPEncodingObjectFromExtensionSetting());
+						if(newHTTPMessage.isEmpty()) {
+							_stdout.println("Message was not encoded - perhaps it was not eligible or there was an error (see the error tab)");
+							_stdout.println("Enable the debug mode to see more details");
+						}else {
+							byte[] requestByte = newHTTPMessage.getBytes("ISO-8859-1");
+							messageInfo.setRequest(requestByte);	
+						}
+					} catch (UnsupportedEncodingException e) {
+						_stderr.println(e.getMessage());
+					}
+				}
+			}
+		}
+	}
+
+	@Override
+	public Component getUiComponent() {
+		return topTabs;
+	}
+
+	private Object loadExtensionSettingHelper(String name, String type, Object defaultValue) {
+		Object value = null;
+		try {
+			String temp_value = _callbacks.loadExtensionSetting(name);
+			if(temp_value!=null && !temp_value.equals("")) {
+				switch(type.toLowerCase()){
+				case "int":
+				case "integer":
+					value = Integer.valueOf(temp_value);
+					break;
+				case "bool":
+				case "boolean":
+					value = Boolean.valueOf(temp_value);
+					break;
+				default:
+					value = temp_value;
+					break;
+				}
+			}
+		}catch(Exception e) {
+			_stderr.println(e.getMessage());
+		}
+
+		if(value==null) {
+			value = defaultValue;
+		}
+		return value;
+	}
+
+	private HTTPEncodingObject loadHTTPEncodingObjectFromExtensionSetting() {
+		HTTPEncodingObject currentHTTPEncodingObject = new HTTPEncodingObject();
+		currentHTTPEncodingObject.setPreventReEncoding((boolean) loadExtensionSettingHelper("preventReEncoding", "bool", true));
+		currentHTTPEncodingObject.setEncodeMicrosoftURLEncode((boolean) loadExtensionSettingHelper("encodeMicrosoftURLEncode", "bool", false));
+		currentHTTPEncodingObject.setEncodeDespiteErrors((boolean) loadExtensionSettingHelper("encodeDespiteErrors", "bool", false));
+		currentHTTPEncodingObject.setAddACharToEmptyBody((boolean) loadExtensionSettingHelper("addACharToEmptyBody", "bool", true));
+		currentHTTPEncodingObject.setReplaceGETwithPOST((boolean) loadExtensionSettingHelper("replaceGETwithPOST", "bool", false));
+		currentHTTPEncodingObject.setEncodable_QS((boolean) loadExtensionSettingHelper("isEncodable_QS", "bool", true));
+		currentHTTPEncodingObject.setEncodable_body((boolean) loadExtensionSettingHelper("isEncodable_body", "bool", true));
+		currentHTTPEncodingObject.setEncodable_QS_delimiter((boolean) loadExtensionSettingHelper("isEncodable_QS_delimiter", "bool", false));
+		currentHTTPEncodingObject.setEncodable_urlencoded_body_delimiter((boolean) loadExtensionSettingHelper("isEncodable_urlencoded_body_delimiter", "bool", false));
+		currentHTTPEncodingObject.setEncodable_QS_equal_sign((boolean) loadExtensionSettingHelper("isEncodable_QS_equal_sign", "bool", false));
+		currentHTTPEncodingObject.setEncodable_urlencoded_body_equal_sign((boolean) loadExtensionSettingHelper("isEncodable_urlencoded_body_equal_sign", "bool", false));
+		currentHTTPEncodingObject.setURLEncoded_incoming_QS((boolean) loadExtensionSettingHelper("isURLEncoded_incoming_QS", "bool", true));
+		currentHTTPEncodingObject.setURLEncoded_incoming_body((boolean) loadExtensionSettingHelper("isURLEncoded_incoming_body", "bool", true));
+		currentHTTPEncodingObject.setURLEncoded_outgoing_QS((boolean) loadExtensionSettingHelper("isURLEncoded_outgoing_QS", "bool", true));
+		currentHTTPEncodingObject.setURLEncoded_outgoing_body((boolean) loadExtensionSettingHelper("isURLEncoded_outgoing_body", "bool", true));
+		currentHTTPEncodingObject.setAllChar_URLEncoded_outgoing_QS((boolean) loadExtensionSettingHelper("isAllChar_URLEncoded_outgoing_QS", "bool", true));
+		currentHTTPEncodingObject.setAllChar_URLEncoded_outgoing_body((boolean) loadExtensionSettingHelper("isAllChar_URLEncoded_outgoing_body", "bool", true));
+		currentHTTPEncodingObject.setTrimSpacesInContentTypeHeaderValues((boolean) loadExtensionSettingHelper("trimSpacesInContentTypeHeaderValues", "bool", true));
+		currentHTTPEncodingObject.setEncodeNameValueOnlyMultipart((boolean) loadExtensionSettingHelper("encodeNameValueOnlyMultipart", "bool", false));
+		currentHTTPEncodingObject.setUse_incoming_charset_for_request_encoding((boolean) loadExtensionSettingHelper("use_incoming_charset_for_request_encoding", "bool", true));
+
+		currentHTTPEncodingObject.setDelimiter_QS((String) loadExtensionSettingHelper("delimiter_QS", "string", "?"));
+		currentHTTPEncodingObject.setDelimiter_QS_param((String) loadExtensionSettingHelper("delimiter_QS_param", "string", "&"));
+		currentHTTPEncodingObject.setQS_equalSign((String) loadExtensionSettingHelper("QS_equalSign", "string", "="));
+		currentHTTPEncodingObject.setDelimiter_urlencoded_body_param((String) loadExtensionSettingHelper("delimiter_urlencoded_body_param", "string", "&"));
+		currentHTTPEncodingObject.setBody_param_equalSign((String) loadExtensionSettingHelper("body_param_equalSign", "string", "="));
+		currentHTTPEncodingObject.setOutgoing_request_encoding((String) loadExtensionSettingHelper("outgoing_request_encoding", "string", "ibm500"));
+		currentHTTPEncodingObject.setIncoming_request_encoding((String) loadExtensionSettingHelper("incoming_request_encoding", "string", "utf-8"));
+
+		return currentHTTPEncodingObject;
+	}
+
+}