jgillam / burp-paramalyzer
Paramalyzer - Burp extension for parameter analysis of large-scale web application penetration tests.
Home Page: http://jgillam.github.io/burp-paramalyzer/
The sample value on the far right column may be better off showing a decoded value instead of showing the original value. Maybe a toggle option would be good here.
Hello,
the BAppStore currently hosts v2.0 of the extension (last update: 14 January 2019). That means that most users will miss both the features introduced in v2.1.0 (REST + JSON) and the few fixes pushed afterwards. From my understanding of the BAppStore update process, only pull requests from the original author (and original repository) will be accepted.
In order to have both versions in sync, could you please create a PR from your current version to Portswigger's one, then notify [email protected] by email so that they can review it?
Thanks in advance!
It'll be very useful if we can export the parameters listed in Paramalyzer.
Should be able to detect routing number format based on length and check digit:
https://en.wikipedia.org/wiki/Routing_transit_number
Currently it does not detect JSON structures that are more complex, such as a dictionary containing lists.
It will be awesome if the tool has the ability to search parameters by name or any kind of filter.
Disabled (unchecked) scope entries should be omitted from analysis.
When this tool was originally written there was every intention of including a deeper analysis but the performance for it was bad. So the plan now is to perform this as a secondary analysis where the tester chooses on which parameters to perform a deeper analysis. Note that we will need the ability to cancel analysis early before we do this so we don't introduce a case where a user kicks off an analysis that will run for days with no way to stop it.
%2Fabc gets decoded to /abc but then gets identified as a base64 binary, which is incorrect. This should instead be identified as a file/folder path.
The expression for identifying numeric formatted numbers should account for an optional preceding negative sign.
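As an added example that is not part of the Paramalyzer code base, the following stand-alone Java class shows one ordering of format checks that avoids the two misclassifications reported above and also implements the routing-number detection asked for earlier on this page: URL-decode first, test for a path before base64 (since "/abc" is also a well-formed base64 string), accept an optional leading sign on numerics, and confirm a nine-digit value by its ABA check digit. The class, method and category names are assumptions for illustration, and the sample values in main() are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added illustration, not Paramalyzer code: guess a parameter value's format.
 * Check order matters: the most specific shape wins, and a path is tested
 * before base64 so that a decoded "/abc" is not reported as base64 binary.
 */
public class ValueFormatGuesser {

    // Optional sign, digits, optional fraction: "-12.5", "42", "+7"
    private static final Pattern NUMERIC = Pattern.compile("^[+-]?\\d+(?:\\.\\d+)?$");
    // Absolute or relative path made of plain segments: "/abc", "../etc/passwd"
    private static final Pattern PATH = Pattern.compile("^\\.{0,2}/(?:[A-Za-z0-9._~-]+/?)*$");
    // Base64 alphabet with correct '=' padding (total length a multiple of 4)
    private static final Pattern BASE64 =
        Pattern.compile("^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$");

    /** Decode %xx escapes first so the checks see what the server will see. */
    static String urlDecode(String raw) {
        try {
            // Note: URLDecoder is form decoding and turns '+' into a space; for values
            // taken from a URL path rather than a form body, base64 containing '+'
            // would be damaged and a stricter percent-only decoder is preferable.
            return URLDecoder.decode(raw, StandardCharsets.UTF_8); // Java 10+
        } catch (IllegalArgumentException e) {
            return raw; // malformed escape such as "%zz": keep the original value
        }
    }

    /**
     * ABA routing transit number: exactly nine digits whose weighted sum
     * 3*(d1+d4+d7) + 7*(d2+d5+d8) + 1*(d3+d6+d9) is divisible by 10.
     */
    static boolean isRoutingNumber(String v) {
        if (v.length() != 9) return false;
        int[] weight = {3, 7, 1};
        int sum = 0;
        for (int i = 0; i < 9; i++) {
            char c = v.charAt(i);
            if (c < '0' || c > '9') return false;
            sum += weight[i % 3] * (c - '0');
        }
        return sum % 10 == 0;
    }

    public static String classify(String raw) {
        String v = urlDecode(raw);
        if (v.isEmpty()) return "empty";
        if (isRoutingNumber(v)) return "routing-number"; // more specific than numeric
        if (NUMERIC.matcher(v).matches()) return "numeric";
        if (PATH.matcher(v).matches()) return "path";     // before base64: "/abc" is valid base64 too
        if (v.length() >= 8 && BASE64.matcher(v).matches()) return "base64";
        return "text";
    }

    public static void main(String[] args) {
        // Constructed sample values, including the two cases from the reports above
        String[] samples = {"%2Fabc", "-42", "3.14", "011000015", "123456789",
                            "aGVsbG8gd29ybGQ%3D", "..%2Fetc%2Fpasswd", "hello"};
        for (String s : samples) {
            System.out.printf("%-22s -> %s%n", s, classify(s));
        }
    }
}
```

The routing check can be tightened further by also requiring the first two digits to fall in the Federal Reserve routing ranges listed on the Wikipedia page, which cuts false positives on arbitrary nine-digit numbers that happen to satisfy the checksum (roughly one in ten).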
When a value is selected it would be useful to display a list of encoding and hash values. When an item on this list is selected any matches in the main param table could be highlighted.
Finally, it might also make sense to include a freeform input text field to test variations.
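As an added example that is not code from the Paramalyzer project, the following stand-alone Java class does the correlation this request describes: it derives the common encodings and hashes of a selected value and reports every other observed value that equals one of them, which is how a session identifier reused in hashed or base64 form elsewhere in the application gets spotted. Class and method names and the parameter table in main() are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not Paramalyzer code: derive common encodings and hashes
 * of a selected value and report which other observed values equal one of them.
 */
public class ValueCorrelator {

    // Transforms whose output is hex, so case does not matter when comparing
    private static final Set<String> CASE_INSENSITIVE = Set.of("hex", "md5", "sha1", "sha256");

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String digestHex(String algorithm, byte[] input) {
        try {
            return hex(MessageDigest.getInstance(algorithm).digest(input));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    /** Transform name -> derived form of the selected value, in display order. */
    public static Map<String, String> variants(String value) {
        byte[] raw = value.getBytes(StandardCharsets.UTF_8);
        Map<String, String> out = new LinkedHashMap<>();
        out.put("url", URLEncoder.encode(value, StandardCharsets.UTF_8)); // Java 10+
        out.put("base64", Base64.getEncoder().encodeToString(raw));
        out.put("base64url", Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
        out.put("hex", hex(raw));
        out.put("md5", digestHex("MD5", raw));
        out.put("sha1", digestHex("SHA-1", raw));
        out.put("sha256", digestHex("SHA-256", raw));
        return out;
    }

    /** "param via transform" for every table value equal to one variant of the selected value. */
    public static List<String> matches(String selected, Map<String, String> table) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String> variant : variants(selected).entrySet()) {
            boolean ignoreCase = CASE_INSENSITIVE.contains(variant.getKey());
            for (Map.Entry<String, String> row : table.entrySet()) {
                String observed = row.getValue();
                boolean same = ignoreCase ? observed.equalsIgnoreCase(variant.getValue())
                                          : observed.equals(variant.getValue());
                if (same) hits.add(row.getKey() + " via " + variant.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed parameter table: "uid" carries the base64 of "alice", "trace" its hex form
        Map<String, String> table = new LinkedHashMap<>();
        table.put("user", "alice");
        table.put("uid", "YWxpY2U=");
        table.put("trace", "616C696365");
        table.put("page", "2");
        for (String hit : matches("alice", table)) {
            System.out.println(hit);
        }
    }
}
```

In a UI the same variants() map would populate the proposed list beside the selected value, and the freeform field from the last line of the request would simply feed a different string into matches().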
JSON values should be identified.
Analyzing huge amounts of requests can take a while. Fortunately memory efficiency appears to be coping just fine, but it can take a long time. Considering a popup warning if there are a large number of items in scope. Alternatively there should be a way to preemptively quit an analysis session.
The cookies tab should show an example cookie value.
Stack trace happens when running it. This was after recovering a corrupted project file. Looks like some additional null checks should be made.
java.lang.NullPointerException
at burp.egf.getProxyHistory(Unknown Source)
at burp.dqd.getProxyHistory(Unknown Source)
at burp.bcd.getProxyHistory(Unknown Source)
at com.professionallyevil.bc.CorrelatorEngine.doInBackground(CorrelatorEngine.java:61)
at com.professionallyevil.bc.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Hello,
the "Cookies" tab will list all cookies stored in the Proxy History, even if the corresponding messages aren't in scope. The bug is in method firstPass(), where isInScope() is checked only for parameters.
private void firstPass(IExtensionHelpers helpers, IHttpRequestResponse[] messages) {
    [...]
        // Analyze response for cookies
        // (no isInScope() check on this message's URL here, unlike the parameter branch)
        if (messages[i].getResponse() != null) {
            IResponseInfo responseInfo = helpers.analyzeResponse(messages[i].getResponse());
            List<String> headers = responseInfo.getHeaders();
            for (String header : headers) {
                if (startsWithIgnoreCase(header, "set-cookie:")) {
                    processCookieHeader(header);
                }
            }
        }
    [...]
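The scoped version of that cookie pass, as an added example written against the legacy Burp Extender API (burp.IBurpExtenderCallbacks and friends) rather than taken from the Paramalyzer source: the response is only inspected when the URL of its own request is inside Burp's target scope. The class name, the Consumer-based sink and the null guard on getHttpService() are assumptions; the guard is there because getUrl() on a message without an HTTP service is a plausible source of the NullPointerException reported further down this page, which is an inference and not something the trace proves. It compiles against the Burp Extender API jar and is meant to be called from an extension, so it has no stand-alone main().

```java
import burp.IBurpExtenderCallbacks;
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IResponseInfo;
import java.net.URL;
import java.util.function.Consumer;

/** Added illustration of the scope fix; not the project's own code. */
public class ScopedCookieCollector {
    private static final String SET_COOKIE = "Set-Cookie:";

    private final IBurpExtenderCallbacks callbacks;
    private final IExtensionHelpers helpers;

    public ScopedCookieCollector(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
    }

    /**
     * Hand every Set-Cookie header value to the sink, but only from responses whose
     * request URL is in Burp's target scope, matching what the parameter pass does.
     */
    public void collect(IHttpRequestResponse[] messages, Consumer<String> sink) {
        for (IHttpRequestResponse msg : messages) {
            byte[] response = msg.getResponse();
            // Skip messages with no response, no request, or no HTTP service:
            // analyzeRequest(msg).getUrl() needs the service to build the URL
            if (response == null || msg.getRequest() == null || msg.getHttpService() == null) {
                continue;
            }
            URL url = helpers.analyzeRequest(msg).getUrl();
            if (!callbacks.isInScope(url)) {
                continue; // the check that firstPass() applies to parameters but not to cookies
            }
            IResponseInfo info = helpers.analyzeResponse(response);
            for (String header : info.getHeaders()) {
                // Case-insensitive header name match, then strip the name and surrounding whitespace
                if (header.regionMatches(true, 0, SET_COOKIE, 0, SET_COOKIE.length())) {
                    sink.accept(header.substring(SET_COOKIE.length()).trim());
                }
            }
        }
    }
}
```

Scope should be evaluated on the request URL rather than on the cookie's own Domain attribute, since a Set-Cookie header can name a parent domain that Burp's scope rules would treat differently.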
Hello,
I use Paramalyzer version 2.2.2, installed from BAppStore.
After clicking the Analyze button, the analysis hangs and throws the following error in the status bar.
Execution Exception: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null
Here is the stack trace from the paramalyzer extension's Errors tab:
java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null
at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
at java.desktop/javax.swing.SwingWorker.get(SwingWorker.java:613)
at com.professionallyevil.paramalyzer.CorrelatorEngine.done(CorrelatorEngine.java:272)
at java.desktop/javax.swing.SwingWorker$5.run(SwingWorker.java:750)
at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:848)
at java.desktop/sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:858)
at java.desktop/javax.swing.Timer.fireActionPerformed(Timer.java:311)
at java.desktop/javax.swing.Timer$DoPostEvent.run(Timer.java:243)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:318)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null
at burp.Zcvq.getUrl(Unknown Source)
at burp.Zy7k.getUrl(Unknown Source)
at com.professionallyevil.paramalyzer.CorrelatorEngine.firstPass(CorrelatorEngine.java:93)
at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:65)
at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1589)
After clicking the Analyze button, the analysis hangs and throws the following error in the status bar.
Execution Exception: java.lang.NoClassDefFoundError: org/json/JSONException
Here is the stack trace from the paramalyzer extension's Errors tab.
java.util.concurrent.ExecutionException: java.lang.NoClassDefFoundError: org/json/JSONException
at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
at java.desktop/javax.swing.SwingWorker.get(SwingWorker.java:613)
at com.professionallyevil.paramalyzer.CorrelatorEngine.done(CorrelatorEngine.java:272)
at java.desktop/javax.swing.SwingWorker$5.run(SwingWorker.java:750)
at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:848)
at java.desktop/sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:858)
at java.desktop/javax.swing.Timer.fireActionPerformed(Timer.java:311)
at java.desktop/javax.swing.Timer$DoPostEvent.run(Timer.java:243)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:318)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:771)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:741)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.lang.NoClassDefFoundError: org/json/JSONException
at com.professionallyevil.paramalyzer.CorrelatorEngine.processJSON(CorrelatorEngine.java:206)
at com.professionallyevil.paramalyzer.CorrelatorEngine.parameterFormatAnalysis(CorrelatorEngine.java:178)
at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:66)
at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassNotFoundException: org.json.JSONException
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:587)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
... 10 more
At this point I am not sure if it is just failing to update the UI or if it is getting stuck, but it sometimes looks like it is searching forever.
## Description
This is to replace the deep analysis function to help identify and seek out sensitive information throughout the application.
Basically what I am envisioning is a workflow that goes something like:
On the Param Tracker tab, some additional analysis will take place. For parameters with many different values, it will only look at the last (most recent) X values to maintain decent performance. Two types of analysis will occur as follows:
Too many things are being identified as JWTs. The regex needs to be refined..
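One way to cut the false positives this report describes, as an added example that is not Paramalyzer's own code: after the cheap three-segment regex, base64url-decode the first two segments and require both to be JSON objects with an "alg" member in the header, which rejects dotted values such as hostnames and file names that happen to match the loose shape. Class and method names are assumptions; the sample token in main() is the well-known jwt.io demonstration token and the other inputs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

/** Added illustration, not Paramalyzer code: structural JWT check beyond a loose regex. */
public class JwtDetector {

    // Three base64url segments; the signature may be empty for alg "none" in JWS compact form
    private static final Pattern SHAPE =
        Pattern.compile("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$");
    // A JOSE header always carries "alg"; this avoids pulling in a JSON library
    private static final Pattern ALG_MEMBER = Pattern.compile("\"alg\"\\s*:\\s*\"[^\"]+\"");

    /** Java's URL decoder accepts unpadded input, which is how JWT segments are written. */
    static String decodeSegment(String segment) {
        byte[] bytes = Base64.getUrlDecoder().decode(segment); // IllegalArgumentException if not base64url
        return new String(bytes, StandardCharsets.UTF_8);
    }

    static boolean looksLikeJsonObject(String s) {
        String t = s.trim();
        return t.startsWith("{") && t.endsWith("}");
    }

    public static boolean looksLikeJwt(String value) {
        if (!SHAPE.matcher(value).matches()) return false;
        String[] parts = value.split("\\.", -1);
        try {
            String header = decodeSegment(parts[0]);
            String payload = decodeSegment(parts[1]);
            return looksLikeJsonObject(header)
                && looksLikeJsonObject(payload)
                && ALG_MEMBER.matcher(header).find();
        } catch (IllegalArgumentException e) {
            return false; // segments are not valid base64url, so not a JWT
        }
    }

    public static void main(String[] args) {
        // jwt.io demonstration token (HS256, payload {"sub":"1234567890","name":"John Doe","iat":1516239022})
        String jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
            + "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
        // Constructed non-JWT values that a three-segment regex alone would accept
        String[] samples = {jwt, "www.example.com", "file.tar.gz", "a.b.c", "192.168.1.1"};
        for (String s : samples) {
            System.out.printf("%-40.40s -> %b%n", s, looksLikeJwt(s));
        }
    }
}
```

Rejecting on a missing "alg" also drops JWE tokens, which have five segments and would fail the shape test anyway; if JWE matters for a given test, extend SHAPE to allow five segments and check the decoded header the same way.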