
jgillam / burp-paramalyzer Goto Github PK


Paramalyzer - Burp extension for parameter analysis of large-scale web application penetration tests.

Home Page: http://jgillam.github.io/burp-paramalyzer/

Java 99.73% HTML 0.27%
pentesting

burp-paramalyzer's People

Contributors

ahri, jgillam, mike-smith-portswigger, rhynorater


burp-paramalyzer's Issues

Example column should show decoded value

The sample value on the far right column may be better off showing a decoded value instead of showing the original value. Maybe a toggle option would be good here.

Keep the BAppStore version in sync

Hello,

the BAppStore currently hosts v2.0 of the extension (last update: 14 January 2019). That means that most users will miss both the features introduced in v2.1.0 (REST + JSON) and the few fixes pushed afterwards. From my understanding of the BAppStore update process, only pull requests from the original author (and original repository) will be accepted.

In order to have both versions in sync, could you please create a PR from your current version to Portswigger's one, then notify [email protected] by email so that they can review it?

Thanks in advance!

Export Feature

It'll be very useful if we can export the parameters listed in paramalyzer.

Deep Analysis

When this tool was originally written there was every intention of including a deeper analysis but the performance for it was bad. So the plan now is to perform this as a secondary analysis where the tester chooses on which parameters to perform a deeper analysis. Note that we will need the ability to cancel analysis early before we do this so we don't introduce a case where a user kicks off an analysis that will run for days with no way to stop it.

Encoded paths not identified as paths

%2Fabc gets decoded to /abc but then gets identified as a base64 binary, which is incorrect. This should instead be identified as a file/folder path.
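The misclassification described in this issue comes down to test ordering: a value like /abc is made entirely of base64-alphabet characters, so a base64 check that runs before a path check claims it. The following is an added example, not Paramalyzer's own code; it models a small format classifier with a naive variant that reproduces the reported result and a corrected variant that URL-decodes first and tests for a path before base64. The regular expressions and the classification labels are assumptions made for the illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Heuristics assumed for this example; Paramalyzer's real rules may differ.
PATH_RE = re.compile(r"^(?:/[^/\s]*)+/?$")        # /abc, /var/log/app.log
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # note: '/' is part of the alphabet
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _printable(raw: bytes) -> bool:
    """True if the decoded bytes read as printable UTF-8 text."""
    try:
        return raw.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def _base64_kind(s: str):
    """'base64 text' / 'base64 binary' if s decodes as base64, else None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    return "base64 text" if _printable(raw) else "base64 binary"


def classify_naive(value: str) -> str:
    """Reproduces the bug: the base64 test runs before the path test,
    so the URL-decoded '/abc' is reported as base64 binary."""
    decoded = unquote(value)
    kind = _base64_kind(decoded)
    if kind:
        return kind
    if PATH_RE.match(decoded):
        return "path"
    return "text"


def classify(value: str) -> str:
    """Corrected ordering: decode, then check the more specific shapes
    (path, hex, numeric) before falling back to the permissive base64 test."""
    decoded = unquote(value)
    if PATH_RE.match(decoded):
        return "path"
    if decoded.isdigit():
        return "numeric"
    if HEX_RE.match(decoded) and len(decoded) >= 8 and len(decoded) % 2 == 0:
        return "hex"
    kind = _base64_kind(decoded)
    if kind and len(decoded) >= 8:
        return kind
    return "text"


if __name__ == "__main__":
    for v in ("%2Fabc", "/var/log/app.log", "aGVsbG8gd29ybGQ=", "deadbeef", "42", "hello"):
        print(f"{v:20} naive={classify_naive(v):15} fixed={classify(v)}")
```

The minimum-length guards on the hex and base64 branches are a separate, deliberate choice: short tokens satisfy those alphabets too easily, and a classifier that is used to drive further analysis is better off under-claiming than mislabelling.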

Automatic hash and encode

When a value is selected it would be useful to display a list of encoding and hash values. When an item on this list is selected any matches in the main param table could be highlighted.

Finally, it might also make sense to include a freeform input text field to test variations.

No way to stop long-running analysis

Analyzing huge amounts of requests can take a while. Fortunately the memory efficiency appears to be coping just fine, but it can take a long time. Considering a popup warning if there are a large number of items in scope. Alternatively there should be a way to preemptively quit an analysis session.

Stack Trace - NPE after corrupted project

Stack trace happens when running it. This was after recovering a corrupted project file. Looks like some additional null checks should be made.

java.lang.NullPointerException
	at burp.egf.getProxyHistory(Unknown Source)
	at burp.dqd.getProxyHistory(Unknown Source)
	at burp.bcd.getProxyHistory(Unknown Source)
	at com.professionallyevil.bc.CorrelatorEngine.doInBackground(CorrelatorEngine.java:61)
	at com.professionallyevil.bc.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
	at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

Cookies tab doesn't honor the defined scope

Hello,

the "Cookies" tab will list all cookies stored in the Proxy History, even if the corresponding messages aren't in scope. The bug is in method firstPass(), where isInScope() is checked only for parameters.

private void firstPass(IExtensionHelpers helpers, IHttpRequestResponse[] messages) {
    [...]
    //  Analyze response for cookies
    if(messages[i].getResponse() != null) {
        IResponseInfo responseInfo = helpers.analyzeResponse(messages[i].getResponse());
        List<String> headers = responseInfo.getHeaders();
        for (String header: headers){
            if (startsWithIgnoreCase(header, "set-cookie:")) {
                processCookieHeader(header);
            }
        }
    }
    [...]
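The defect in the snippet above is that the cookie branch never consults the scope check that the parameter branch uses. The following added example is not Paramalyzer's code and does not use the Burp API; it models the first pass over a constructed proxy history in plain Python, with an unscoped collector that reproduces the reported behaviour beside a scoped one. The `is_in_scope` host allow-list and the `Message` record type are stand-ins assumed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class Message:
    """One proxy-history entry: request URL plus response headers (None when no response)."""
    url: str
    response_headers: Optional[List[str]]


def is_in_scope(url: str, scope_hosts: Set[str]) -> bool:
    """Stand-in for Burp's scope check: in scope when the request host is allow-listed."""
    return (urlparse(url).hostname or "") in scope_hosts


def cookie_name(set_cookie_header: str) -> str:
    """'Set-Cookie: sid=abc; Path=/' -> 'sid'."""
    body = set_cookie_header.split(":", 1)[1]
    return body.split("=", 1)[0].strip()


def _cookies_from(message: Message) -> List[str]:
    # Same null check as the original: responses may be absent.
    if message.response_headers is None:
        return []
    return [cookie_name(h) for h in message.response_headers
            if h.lower().startswith("set-cookie:")]


def first_pass_unscoped(messages: List[Message], scope_hosts: Set[str]) -> List[str]:
    """Models the reported behaviour: every response is scanned, scope ignored."""
    found = set()
    for m in messages:
        found.update(_cookies_from(m))
    return sorted(found)


def first_pass_scoped(messages: List[Message], scope_hosts: Set[str]) -> List[str]:
    """Corrected: the scope check gates the cookie branch, as it already gates parameters."""
    found = set()
    for m in messages:
        if not is_in_scope(m.url, scope_hosts):
            continue
        found.update(_cookies_from(m))
    return sorted(found)


# Constructed sample history: one in-scope host, one third-party host, one missing response.
HISTORY = [
    Message("https://target.example/login",
            ["HTTP/1.1 200 OK", "Set-Cookie: session=abc123; HttpOnly; Secure"]),
    Message("https://cdn.thirdparty.example/track.js",
            ["HTTP/1.1 200 OK", "Set-Cookie: _ga=GA1.2.1; Path=/"]),
    Message("https://target.example/pending", None),
    Message("https://target.example/api",
            ["HTTP/1.1 204 No Content", "set-cookie: csrf=xyz; SameSite=Strict"]),
]
SCOPE = {"target.example"}

if __name__ == "__main__":
    print("unscoped:", first_pass_unscoped(HISTORY, SCOPE))
    print("scoped:  ", first_pass_scoped(HISTORY, SCOPE))
```

The third-party tracking cookie shows up only in the unscoped result, which is the symptom the issue reports; the entry with no response is skipped by both collectors.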

Analyze: Execution Exception: java.lang.NullPointerException

Hello,
I use Paramalyzer version 2.2.2, installed from BAppStore.

After clicking the Analyze button, the analysis hangs and throws the following error in the status bar.

Execution Exception: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null

image

Here is the stack trace from the paramalyzer extension's Errors tab:

java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at java.desktop/javax.swing.SwingWorker.get(SwingWorker.java:613)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.done(CorrelatorEngine.java:272)
	at java.desktop/javax.swing.SwingWorker$5.run(SwingWorker.java:750)
	at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:848)
	at java.desktop/sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
	at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:858)
	at java.desktop/javax.swing.Timer.fireActionPerformed(Timer.java:311)
	at java.desktop/javax.swing.Timer$DoPostEvent.run(Timer.java:243)
	at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:318)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.lang.NullPointerException: Cannot invoke "burp.Zcu5.ZN1()" because "<local1>" is null
	at burp.Zcvq.getUrl(Unknown Source)
	at burp.Zy7k.getUrl(Unknown Source)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.firstPass(CorrelatorEngine.java:93)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:65)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
	at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1589)

False Positives

I've noticed that for some reason the highlighted portion of the matching value is often the 1 in HTTP/1.1

image

Parameter analysis POST requests

Regular POST parameters are not shown in the Analysis. For example, neither password nor userid is shown:
image
I would like to see all the userid parameter values which are used, but there are no such entries.

Analyze: Execution Exception: java.lang.NoClassDefFoundError: org/json/JSONException

After clicking the Analyze button, the analysis hangs and throws the following error in the status bar.

Execution Exception: java.lang.NoClassDefFoundError: org/json/JSONException

image

Here is the stack trace from the paramalyzer extension's Errors tab.

java.util.concurrent.ExecutionException: java.lang.NoClassDefFoundError: org/json/JSONException
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at java.desktop/javax.swing.SwingWorker.get(SwingWorker.java:613)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.done(CorrelatorEngine.java:272)
	at java.desktop/javax.swing.SwingWorker$5.run(SwingWorker.java:750)
	at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:848)
	at java.desktop/sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
	at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:858)
	at java.desktop/javax.swing.Timer.fireActionPerformed(Timer.java:311)
	at java.desktop/javax.swing.Timer$DoPostEvent.run(Timer.java:243)
	at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:318)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:771)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:741)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.lang.NoClassDefFoundError: org/json/JSONException
	at com.professionallyevil.paramalyzer.CorrelatorEngine.processJSON(CorrelatorEngine.java:206)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.parameterFormatAnalysis(CorrelatorEngine.java:178)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:66)
	at com.professionallyevil.paramalyzer.CorrelatorEngine.doInBackground(CorrelatorEngine.java:31)
	at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassNotFoundException: org.json.JSONException
	at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:587)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
	... 10 more

Param Tracker

Description

This is to replace the deep analysis function to help identify and seek out sensitive information throughout the application.

Basically what I am envisioning is a workflow that goes something like:

  1. Perform analysis as usual (over in-scope items)
  2. Paramalyzer selects potentially sensitive fields. You can adjust these.
  3. Send sensitive fields to the Param Tracker tab.
  4. Build findings from the tracker results (Burp Suite Pro only)

On the Param Tracker tab, some additional analysis will take place. For parameters with many different values, it will only look for the last (most recent) X values to maintain decent performance. Two types of analysis will occur as follows:

  1. Active Tracking - This is a specialized search. It will look across all current history (not just in-scope) for additional instances of the parameter value.
  2. Passive Tracking - This will continue to track the latest X values for each listed parameter and create findings (for Burp Suite Pro Only)

Things that will be tracked

  • If the parameter value is a hash, values from all other parameters will be compared to the hash (i.e. they will be hashed with the same algorithm). This is similar to what Deep Analysis does currently.
  • If the parameter value is encoded, it will be decoded and compared to the decoded values from all other parameters.
  • While being compared to other parameters, it will use a contains check rather than looking for an exact match.
  • Response bodies in scope will be checked for the param value. Consider a password being rendered on a page somewhere - generally considered a poor practice.
  • Requests that are not the same origin as where the parameter was found will be checked for the parameter value. This will include headers, the URL and body; and it will include out-of-scope requests.
  • All URLs (in and out of scope, same and different origins) will be checked for the value.
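The tracking rules listed above, together with the "Automatic hash and encode" idea earlier on this page (list the hash and encoding forms of a selected value and flag matches), reduce to one comparison routine: for a tracked value, compute its encoded and hashed forms, and for a tracked value that is itself a digest, hash the other values with the same algorithm. The following added example is not Paramalyzer's code; it implements that routine over a constructed history with the `Record` type, the `MIN_CONTAINS_LEN` threshold and the finding labels all assumed for the illustration. The threshold is there because of the "False Positives" issue above: a contains check on a one-character value will match the "1" in "HTTP/1.1", so substring matches are only accepted above a minimum length while exact matches are always accepted.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote, urlparse

MIN_CONTAINS_LEN = 6                                 # assumed: shorter values get exact-match only
HASH_ALGS = {32: "md5", 40: "sha1", 64: "sha256"}    # hex digest length -> algorithm


def variants(value: str) -> Dict[str, str]:
    """Encoded and hashed forms of a value, as a 'hash and encode' view would list them."""
    out = {"raw": value, "urlencoded": quote(value, safe=""),
           "base64": base64.b64encode(value.encode()).decode(), "hex": value.encode().hex()}
    for alg in HASH_ALGS.values():
        out[alg] = hashlib.new(alg, value.encode()).hexdigest()
    return out


def decoded_forms(value: str) -> List[str]:
    """The value plus its URL- and base64-decoded readings, where they decode cleanly."""
    forms = [value]
    if unquote(value) != value:
        forms.append(unquote(value))
    try:
        forms.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except Exception:  # not valid base64, or not UTF-8 text once decoded
        pass
    return forms


def hash_algorithm(value: str) -> Optional[str]:
    """Algorithm name if value looks like a hex digest of a known length, else None."""
    if value and all(c in "0123456789abcdefABCDEF" for c in value):
        return HASH_ALGS.get(len(value))
    return None


def relation(tracked: str, candidate: str) -> Optional[str]:
    """Label how candidate relates to the tracked value, or None if unrelated."""
    alg = hash_algorithm(tracked)
    if alg:  # tracked value is a digest: hash the candidate's readings with the same algorithm
        for form in decoded_forms(candidate):
            if hashlib.new(alg, form.encode()).hexdigest() == tracked.lower():
                return alg + "-preimage"
    for cand in decoded_forms(candidate):
        for label, form in variants(tracked).items():
            if form == cand or (len(form) >= MIN_CONTAINS_LEN and form in cand):
                return label
    return None


@dataclass
class Record:
    """One history entry (constructed for this example)."""
    url: str
    in_scope: bool
    params: Dict[str, str] = field(default_factory=dict)
    headers: List[str] = field(default_factory=list)
    response_body: str = ""


def track(name: str, value: str, origin: str, records: List[Record]) -> List[Tuple[str, str]]:
    """Find where a tracked parameter value, or a hash/encoding of it, reappears."""
    findings = []
    for rec in records:
        same_origin = urlparse(rec.url).netloc == origin
        for pname, pval in rec.params.items():           # all parameters, any origin or scope
            if pname == name and pval == value:
                continue                                 # the tracked parameter itself
            rel = relation(value, pval)
            if rel:
                findings.append((f"param {pname} @ {rec.url}", rel))
        if rec.in_scope:                                 # in-scope response bodies only
            rel = relation(value, rec.response_body)
            if rel:
                findings.append((f"response body @ {rec.url}", rel))
        if not same_origin:                              # cross-origin requests: headers too
            for h in rec.headers:
                rel = relation(value, h)
                if rel:
                    findings.append((f"header @ {rec.url}", rel))
        rel = relation(value, rec.url)                   # every URL, in or out of scope
        if rel:
            findings.append((f"url @ {rec.url}", rel))
    return findings


SECRET = "s3cr3t-p4ss"  # constructed sample value
SAMPLE = [
    Record("https://app.example/login", True,
           params={"user": "alice", "password": SECRET, "page": "1"},
           headers=["POST /login HTTP/1.1", "Host: app.example"],
           response_body="Welcome alice. Your password " + SECRET + " has been saved."),
    Record("https://analytics.example/collect?u=" + variants(SECRET)["base64"], False,
           params={"u": variants(SECRET)["base64"]},
           headers=["GET /collect HTTP/1.1", "Host: analytics.example"]),
    Record("https://app.example/profile", True,
           params={"token": variants(SECRET)["md5"]},
           headers=["GET /profile HTTP/1.1", "Host: app.example"],
           response_body="<html>profile</html>"),
]

if __name__ == "__main__":
    for where, how in track("password", SECRET, "app.example", SAMPLE):
        print(f"{how:15} {where}")
```

Run as-is, the tracked password is reported echoed in an in-scope response body, base64-encoded in a cross-origin parameter and URL, and MD5-hashed in a token parameter, while tracking the `page=1` parameter yields nothing because "1" is below the contains threshold. Passing a digest as the tracked value exercises the reverse direction: other values are hashed with the matching algorithm and a hit is labelled as a preimage.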
