-
-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script to solve burp labs or for bug bounty #340
base: main
Are you sure you want to change the base?
Conversation
Would be good to mention the original script, maybe it can be removed too since the HTTP Sender applies to fuzzer messages as well. |
I can't get random_x_forwarded_for_ip.js to work in Fuzzer HTTP processor. In the fuzzer the script does not appear, in the response the x-forwarded-for-ip does not appear. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove name and add comment to script origine
I'm sorry, I just understood how to use the random_x_forwarded_for_ip.js script, I see how why my script is not necessary. Thanks for the time spent on the problem. |
It's the other way around, this script supersedes the other script and why was suggesting to remove the other script, though both cover their own use cases. |
@@ -1,4 +1,4 @@ | |||
// @author Ruffenach Timothée | |||
// The original script comes from the Fuzzer HTTP Processor section under the name random_x_forwarded_for_ip.js |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was not saying to remove the name, just mention the other script. This is for maintenance purposes, if changes are done in one script they most likely need to be done in both.
@@ -0,0 +1,84 @@ | |||
# Version 1.0 | |||
# @author RUFFENACH Timothée | |||
# Script inspired from https://02108124551050482571.googlegroups.com/attach/54c6e34f6fe20/message_processor.js?part=0.1&view=1&vt=ANaJVrEJuACewYorhYYa_zyhyMSug06pmlERCqfYdLsukQBC3OW3LATuXG1WHk_Fw9a0nhexG8ykFDuFgBGYrKAg_pOQ61M36MwC9SOBGvK4KLZn3eDkNzY (dot run on owasp 2.12.0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dot run on owasp 2.12.0
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
legacy script in javascript don't run with owasp 2.12.0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not a ZAP issue that's a JRE issue. If you're using a Java 11 JRE it'll still run.
Also OWASP is the organization ZAP is the project/product 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Link to the thread/post rather than the attachment, which should be more reliable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't found the original post.
httpfuzzerprocessor/pitchWork.py
Outdated
# The script fuzz in mode pitchfork. | ||
# To Use : Enable script. | ||
# In fuzzer Add 2 EmptyNull with good number. | ||
# Select two 2 files and launch the fuzzer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's a double space between launch and the.
httpfuzzerprocessor/pitchWork.py
Outdated
fileChooser.setMultiSelectionEnabled(True) | ||
filePath1 = "" | ||
result = fileChooser.showOpenDialog(None) | ||
|
||
if result == JFileChooser.APPROVE_OPTION: | ||
selectedFiles = fileChooser.getSelectedFiles() | ||
for file in selectedFiles: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this need to allow multi-select? If only single files could be selected wouldn't that remove the need to loop?
Also since this logic is the same for both files can't it just be extracted to a method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be done in the EDT also.
httpfuzzerprocessor/pitchWork.py
Outdated
# Script inspired from https://02108124551050482571.googlegroups.com/attach/54c6e34f6fe20/message_processor.js?part=0.1&view=1&vt=ANaJVrEJuACewYorhYYa_zyhyMSug06pmlERCqfYdLsukQBC3OW3LATuXG1WHk_Fw9a0nhexG8ykFDuFgBGYrKAg_pOQ61M36MwC9SOBGvK4KLZn3eDkNzY (dot run on owasp 2.12.0) | ||
# The script fuzz in mode pitchfork. | ||
# To Use : Enable script. | ||
# In fuzzer Add 2 EmptyNull with good number. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# In fuzzer Add 2 EmptyNull with good number. | |
# In the Fuzzer add 2 EmptyNull payloads with a good number of iterations. |
I made some correction and integrated the multiple payloads management. |
Why are more and more files being added to this PR? |
To address the DCO requirement you'll need to sign-off the commit(s): |
Signed-off-by: Timothée Ruffenach <[email protected]>
…mIP.js Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
I'm doing courses on zap proxy to do burp suite labs with zap proxy. I need to make scripts to fix labs or bounty bugs. I don't know much about git hub it my first contribution on other project with github. |
Okay that makes more sense I guess. They're all useful. Might want to tweak the title/subject and maybe make it draft (until you've included everything you're thinking of). |
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
…to fileAction.py Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't get through all the "standalone" scripts, but here's more feedback.
if (init == False): | ||
initialise() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe "shouldInit" should be more clear to future users/maintainers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok Im have rename to shouldInit
|
||
# Called after receiving the fuzzed message from the server | ||
def processResult(utils, fuzzResult) : | ||
global isChek,time |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isCheck?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename isCheck by choice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My point was that it's misspelled here.
time = getNumber(1,50000,"how many time do you want ?") | ||
isCheck = JOptionPane.showConfirmDialog(None, "more high or equal (YES) esle less or equal (NO)", "Confirm", JOptionPane.YES_NO_OPTION) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This English is rough, I'm happy to help but I need a better description of what's meant here.
They should both start with capitals and there's a type in "else".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed the sentences for more understanding, sorry my native language is not english
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem, that's why I was offering to help 👍
if isCheck == JOptionPane.YES_OPTION and (int(fuzzResult.getHttpMessage().getTimeElapsedMillis()) >= time): | ||
return bool(1) | ||
elif isCheck == JOptionPane.NO_OPTION and (int(fuzzResult.getHttpMessage().getTimeElapsedMillis()) <= time): | ||
return bool(1) | ||
else: | ||
return bool(0); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason these can't just return true or false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok i have changed by TRUE and FALSE
|
||
# ask stings to find | ||
while entry == "": | ||
entry = getString("what character string do you want to find ?") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
entry = getString("what character string do you want to find ?") | |
entry = getString("What character string do you want to find ?") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made the changes and make correction of other sentence
httpfuzzerprocessor/pitchWork.py
Outdated
while number == -1: | ||
number = chooseNumber() | ||
|
||
# choose file user |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
user file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, is here the files of users are add. i have modified the comment by "add files chosen by the user"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really worth including this? Aren't the URLs specific to your lab/academy instance at the time?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, but in the course I said to change the address.
it is possible to make a dialog box in zest to ask for the URLs ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm good question, I've never tried that with zest. Hopefully someone else on the team can answer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
biid = getString("what is your biid ?") | ||
|
||
# Get number for update info | ||
update = getNumber(1,3600, "how many time do you want refresh information ?") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update = getNumber(1,3600, "how many time do you want refresh information ?") | |
update = getNumber(1,3600, "How many times do you want refresh information ?") |
|
||
def main(): | ||
global biid | ||
biid = getString("what is your biid ?") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
biid = getString("what is your biid ?") | |
biid = getString("What is your biid ?") |
Will "biid" be clear to a user because I have no idea what it is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The biid is a token of burp collaborator protection, i wireshark the token name is biid. Look link https://www.onsecurity.io/blog/persistent-access-to-burp-suite-sessions-step-by-step-guide/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand the meaning of biid but I know that it stores the user's secret key.
I replaced What is your biid ? by What is your secret key (biid) ?
The capital letters have been put.
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
…ull-URL_encoding_auto-submit.js Signed-off-by: Timothée Ruffenach <[email protected]>
Signed-off-by: Timothée Ruffenach <[email protected]>
It's going to be really hard for us to review this and move it along if you don't pick a "line in the sand". You can always create another branch or something for future contribs. |
# @author Timothée Ruffenach | ||
# Version 1.0 | ||
# decode HTML Entities |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not valid comment for JavaScript (there are others that need to be corrected).
Just simple script to add IP random to X-Forwarded-For: in Header request.
For section HTTP Sender