https://silentrobots.com/tags/automation/Recent content in Automation on Willis VandevanterHugo -- gohugo.ioen-usFri, 26 Aug 2022 00:00:00 +0000https://silentrobots.com/pulling-data-from-trickest-inventory/Fri, 26 Aug 2022 00:00:00 +0000https://silentrobots.com/pulling-data-from-trickest-inventory/<img src="https://silentrobots.com/" alt="Featured image of post Pulling Specific Files from the Trickest Inventory (or any Github project)" /><p>The <a class="link" href="https://twitter.com/trick3st" target="_blank" rel="noopener" >@trickest</a> <a class="link" href="https://github.com/trickest/inventory" target="_blank" rel="noopener" >Inventory project</a> is an interesting resource. It has a massive set of hostnames, live services, spidered URLs, and cloud data organized by Bug Bounty program. There is so much more data than I have interest in storing for my needs. In fact, the only thing I am interested in is the hostnames resource. Here is a quick and dirty way to pull the <code>hostnames.txt</code> file from every program without cloning the entire project.</p> <blockquote> <p>💡 There is a good chance I am going to embarrass myself with this post and there is a better way. But this is part of learning and I embrace it. Please let me know and I will post the faster way at the top.</p> </blockquote> <p>First, pull the current project git history without cloning it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">git clone --no-checkout \ </span></span><span class="line"><span class="cl">--depth 1 \ </span></span><span class="line"><span class="cl">--single-branch --branch=main \ </span></span><span class="line"><span class="cl">https://github.com/trickest/inventory.git </span></span></code></pre></td></tr></table> </div> </div><p>Above we are cloning the project without checking out any files; <code>--no-checkout</code>. We are also only pulling HEAD (<code>--depth 1</code>) and only focused on the main branch.</p> <blockquote> <p>Note, just the commit history from main takes up 336Mb 😲</p> </blockquote> <p>Finally, we are going to download every <code>hostname.txt</code> file. This is done by finding the listing the HEAD tree, grep&rsquo;ing for the filename, urlencoding <code>&amp;</code> , and then downloading the file.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git ls-tree --full-name --name-only -r HEAD <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">grep hostnames.txt <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">sed -e <span class="s2">&#34;s/&amp;/%26/&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">xargs -I <span class="o">{}</span> sh -c <span class="s1">&#39;curl -o $(echo {} | cut -d\/ -f1)_hostnames.txt https://raw.githubusercontent.com/trickest/inventory/main/{}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>At this point you should have a directory full of the relevant files.</p> <blockquote> <p>💡 If you are using this technique with another project take care that you trust the input (directories and filenames). You are piping them into a subshell.</p> </blockquote> <p>If you don&rsquo;t want to pipe into a subshell (yolo), you can use wget (remove the -o subshell) but you will be left with every file named <code>hostnames.txt.X</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git ls-tree --full-name --name-only -r HEAD <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">grep hostnames.txt <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">sed -e <span class="s2">&#34;s/&amp;/%26/&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">xargs -I <span class="o">{}</span> wget https://raw.githubusercontent.com/trickest/inventory/main/<span class="o">{}</span> </span></span></code></pre></td></tr></table> </div> </div>https://silentrobots.com/burpsuite-project-parser-v1-1/Thu, 21 Jul 2022 00:00:00 +0000https://silentrobots.com/burpsuite-project-parser-v1-1/<img src="https://silentrobots.com/" alt="Featured image of post 🎉 burpsuite-project-file-parser v1.1 🎉" /><p><em><strong>Edit</strong>: 1.1b fixes an auto shutdown issue in burpsuite, I would highly recommend this release over 1.1a. The rest of the post still applies.</em></p> <p>This is a small <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser/releases/tag/1.1a" target="_blank" rel="noopener" >release</a> but a useful one.</p> <p>Release 1.1b adds the ability to parse projects for portions of siteMap and proxyHistory. For example, the following will only respond with the <code>proxyHistory</code> <code>request.headers</code> and <code>request.body</code>. Note, the URL is always included:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">java -jar -Djava.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="o">[</span>PATH_TO burpsuite_pro.jar<span class="o">]</span> --project-file<span class="o">=[</span>PATH TO PROJECT FILE<span class="o">]</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> proxyHistory.request.headers, proxyHistory.request.body </span></span></code></pre></td></tr></table> </div> </div><p>This should result in <strong>significant speed improvements</strong> as parsing will ignore <code>response.body</code> which can be very large. Conversely, if you only wanted to parse the proxyHistory response body for interesting things you could do:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">java -jar -Djava.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="o">[</span>PATH_TO burpsuite_pro.jar<span class="o">]</span> --project-file<span class="o">=[</span>PATH TO PROJECT FILE<span class="o">]</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> proxyHistory.response.body </span></span></code></pre></td></tr></table> </div> </div>https://silentrobots.com/pushing-burp-suite-data-into-your-testing-pipeline-part-2/Fri, 17 Jun 2022 00:00:00 +0000https://silentrobots.com/pushing-burp-suite-data-into-your-testing-pipeline-part-2/<img src="https://silentrobots.com/" alt="Featured image of post Building on an AppSec Pipeline with Burp Suite data - Part 2" /><p>In this two part series we are going to take Burp Suite Project files as input from the command line, parse them, and then feed them into a testing pipeline.</p> <p>The series is broken down into two parts:</p> <ol> <li><a class="link" href="https://silentrobots.com/building-an-appsec-pipeline-with-burpsuite-data/" >Getting at the Data</a> (i.e. from the CLI to feeding the pipeline)</li> <li><a class="link" href="https://silentrobots.com/pushing-burp-suite-data-into-your-testing-pipeline-part-2/" >8 Bug Hunting Examples with burpsuite-project-parser</a> (i.e. from the pipeline to testing)</li> </ol> <p>This post is focused on bug hunting examples. Check out the <a class="link" href="https://silentrobots.com/building-an-appsec-pipeline-with-burpsuite-data/" >previous post</a> if you haven&rsquo;t already setup the environment.</p> <h2 id="command-shortcut">Command Shortcut </h2><p>In the previous post we used a long (repetitive) command to print the <code>auditItems</code> from a Burp Suite project file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="mi">2022</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mf">08.</span><span class="n">burp</span> \ </span></span><span class="line"><span class="cl"><span class="n">auditItems</span> </span></span></code></pre></td></tr></table> </div> </div><p>For the sake of brevity, in this post we will replace the long command with a shorter one (e.g. $PARSE_BURP). You will need to make this specific to your environment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="k">export</span> <span class="n">PARSE_BURP</span><span class="o">=</span><span class="s2">&#34;java -jar -Djava.awt.headless=true -Xmx2G --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED [INSERT_FULL_PATH]/burpsuite_pro_v2022.3.6.jar --user-config-file=[INSERT_FULL_PATH]/ONLY_BURP_PROJECT_PARSER.json --project-file=[INSERT_FULL_PATH]/[PROJECT_FILE].burp&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Then we can print all of the auditItems with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP auditItems </span></span></code></pre></td></tr></table> </div> </div><h2 id="8-bug-hunting-examples-with-burpsuite-project-parser">8 Bug Hunting Examples with burpsuite-project-parser </h2> <blockquote> <p>⛅ This list does not try to be comprehensive. Smarter people than me have done much better work mind mapping bug hunting techniques. In fact, if anything these are incomplete. They are meant as starting points in taking input from a Burp Suite Project file to &ldquo;looking for a bug or testing for a state&rdquo; (i.e. pipeline). If your feeling is &ldquo;I could do this better&rdquo; you are probably right ha. Take what works for you and leave the rest 😊.</p> </blockquote> <h3 id="1-base-case">1. Base Case </h3><p>In the base case burpsuite-project-parser proxyHistory will print the entire request (i.e. URL, headers, etc.) and response (headers, body, etc.) as JSON. For example:  </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP proxyHistory 2&gt;/dev/null | grep -F &#34;{&#34; | head -n 2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">{&#34;Message&#34;:&#34;Loaded project file parser; updated for burp 2022.&#34;} </span></span><span class="line"><span class="cl">{&#34;request&#34;:{&#34;url&#34;:&#34;http://detectportal.firefox.com:80/success.txt&#34;,&#34;headers&#34;:[&#34;Host: detectportal.firefox.com&#34;,&#34;User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0&#34;,&#34;Accept: */*&#34;,&#34;Accept-Language: en-US,en;q\u003d0.5&#34;,&#34;Accept-Encoding: gzip, deflate&#34;,&#34;Cache-Control: no-cache&#34;,&#34;Pragma: no-cache&#34;,&#34;Connection: close&#34;],&#34;uri&#34;:&#34;/success.txt&#34;,&#34;method&#34;:&#34;GET&#34;,&#34;httpVersion&#34;:&#34;HTTP/1.1&#34;,&#34;body&#34;:&#34;&#34;},&#34;response&#34;:{&#34;url&#34;:&#34;http://detectportal.firefox.com:80/success.txt&#34;,&#34;headers&#34;:[&#34;Content-Type: text/plain&#34;,&#34;Content-Length: 8&#34;,&#34;Last-Modified: Mon, 15 May 2017 18:04:40 GMT&#34;,&#34;ETag: \&#34;ae780585fe1444eb7d28906123\&#34;&#34;,&#34;Accept-Ranges: bytes&#34;,&#34;Server: AmazonS3&#34;,&#34;X-Amz-Cf-Pop: ORD53-&#34;,&#34;X-Amz-Cf-Id: ADZK&#34;,&#34;Cache-Control: no-cache, no-store, must-revalidate&#34;,&#34;Date: Mon, 14 Sep 2020 17:59:54 GMT&#34;,&#34;Connection: close&#34;],&#34;code&#34;:&#34;200&#34;,&#34;body&#34;:&#34;success\n&#34;}} </span></span></code></pre></td></tr></table> </div> </div><p>You will notice later on that we pipe this result to <code>jq</code> to get more specific with our query. For example, &ldquo;give me only the URL from the JSON request&rdquo; : <code>| jq -c '{&quot;url&quot;:.request.url}'</code>). Although we could grep all of the requests and responses, the chances are we can be more surgical than that.</p> <blockquote> <p>⚠️ I created an issue in burpsuite-project-parser to filter components from the proxyHistory and siteMap without jq. This should make the tool faster as well. You can follow the issue here and I will update the blog when this is done. ⚠️</p> </blockquote> <h3 id="2-search-for-bug-class-specific-get-parameters">2. Search for bug class specific GET Parameters </h3><p>Like many people I have bug class specific GET parameters I search for (e.g. <code>url=</code> for SSRF). Let&rsquo;s say we wanted to search a Burp Suite project for any request with <code>url=</code> as a GET parameter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP proxyHistory 2&gt;/dev/null \ </span></span><span class="line"><span class="cl">| grep -F &#34;{&#34; | jq -c &#39;{&#34;url&#34;:.request.url}&#39; \ </span></span><span class="line"><span class="cl">| cut -d\&#34; -f4 | tr -d \&#34; \ </span></span><span class="line"><span class="cl">| grep -ie &#34;\?url=&#34; -ie &#34;\&amp;url=&#34; </span></span></code></pre></td></tr></table> </div> </div><p>Example Results:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">https://target1:443/pagead/1p-user-list/1057924016/?url=example </span></span><span class="line"><span class="cl">https://target1:443/cc.js?engine_key=123Q2K&amp;url=somesite </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Let&rsquo;s break this first example down a bit.</p> <ol> <li><code>$PARSE_BURP proxyHistory 2&gt;/dev/null</code>&ndash;&gt; Parse our project file and output all of the request/response Proxy History as JSON</li> <li><code>| grep -F &quot;{&quot; | jq -c '{&quot;url&quot;:.request.url}'</code>&ndash;&gt;  Take the JSON input and grab** only the request URLs**</li> <li><code>|  cut -d&quot; -f4 | tr -d  \&quot;</code>&ndash;&gt;  Give me the URL only and trim the quotes</li> <li><code>grep -ie &quot;?url=&quot; -ie &quot;&amp;url=&quot;</code>&ndash;&gt; Grep for either (-e) &ldquo;?url=&rdquo; or &ldquo;&amp;url&rdquo; in a case insensitive manner</li> </ol> <p>This should give us a nice list of URLs that contained <code>=url</code> in their GET request.</p> <blockquote> <p>💡 You can replace the above grep command with any bug class you find interesting. Resources like SecLists are a good start with example dictionaries. There are a lot more out there as well and I think most people curate their own.</p> </blockquote> <h3 id="3-create-a-script-to-request-a-page-with-input-from-proxy-history">3. Create a script to request a page with input from proxy history </h3><p>Let&rsquo;s say we wanted to take in every URL from our project and perform a scan looking for a specific file (e.g. <code>/.git/config</code>) on that URL. Here is one way to create a script for this using the previous Burp History as input in our pipeline.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP proxyHistory 2&gt;/dev/null \ </span></span><span class="line"><span class="cl">| grep -F &#34;{&#34; | jq -c &#39;{&#34;url&#34;:.request.url}&#39; \ </span></span><span class="line"><span class="cl">| cut -d\&#34; -f4 | tr -d \&#34; \ </span></span><span class="line"><span class="cl">| cut -d\? -f1 \ </span></span><span class="line"><span class="cl">| xargs -I {} printf &#34;curl {}/.git/config\n&#34; </span></span><span class="line"><span class="cl">| tee git_script.sh </span></span></code></pre></td></tr></table> </div> </div><p>You should end up with set of commands in a shell script like:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">curl https://target1.com/images/font-awesome-4.2.0/fonts/fontawesome-webfont.woff/.git/config </span></span><span class="line"><span class="cl">curl https://target1.com/images/avatar.png/.git/config </span></span><span class="line"><span class="cl">curl https://target1.com/some/dir/.git/config </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Right away you can probably see one of the (many) problems with this. Our &ldquo;pipeline&rdquo; is appending to the full URL and not cutting off at the directory. In some cases this might be intended behavior, but chances are it is not.</p> <blockquote> <p>💡 I will leave it as an exercise to the reader to fix this (hint: rev + cut complement is one way. The solution is also in the next section).What other problems could there be with doing it this way? Are these the best settings for curl? Is curl the best tool for this job?</p> </blockquote> <h3 id="4-feeding-the-ffuf-monster">4. Feeding the ffuf monster </h3><p><a class="link" href="https://github.com/ffuf/ffuf" target="_blank" rel="noopener" >ffuf</a> is incredible. Read/watch this brilliant 💎 by <a class="link" href="https://twitter.com/codingo_?lang=en" target="_blank" rel="noopener" >@codingo</a> for an overview of ffuf: <a class="link" href="https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html" target="_blank" rel="noopener" >https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html</a>.</p> <p>The previous idea of searching for a specific file is better suited for a tool like ffuf. So let&rsquo;s go back to the same page search but with ffuf instead. First, make sure to create a &ldquo;bruteforce dictionary&rdquo; with the just <code>/.git/config</code> in it. Then:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP proxyHistory 2&gt;/dev/null \ </span></span><span class="line"><span class="cl">| grep -F &#34;{&#34; | jq -c &#39;{&#34;url&#34;:.request.url}&#39; \ </span></span><span class="line"><span class="cl">| cut -d\&#34; -f4 | tr -d \&#34; \ </span></span><span class="line"><span class="cl">| rev | cut -d\/ -f2- | rev \ </span></span><span class="line"><span class="cl">| sort -u --parallel=2G \ </span></span><span class="line"><span class="cl">| xargs -I {} printf &#34;ffuf -t 40 -r -u \&#34;{}/FUZZ\&#34; -maxtime 60 -v -c -w /tmp/gitc \n&#34; \ </span></span><span class="line"><span class="cl">| tee ffuf_search.sh </span></span></code></pre></td></tr></table> </div> </div><p>Example results:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ffuf -t 40 -r -u &#34;http://target1/ajax/libs/jquery/1.11.0/FUZZ&#34; -maxtime 60 -v -c -w /tmp/gitc </span></span><span class="line"><span class="cl">ffuf -t 40 -r -u &#34;http://target2/FUZZ&#34; -maxtime 60 -v -c -w /tmp/gitc </span></span><span class="line"><span class="cl">ffuf -t 40 -r -u &#34;http://target2/images/FUZZ&#34; -maxtime 60 -v -c -w /tmp/gitc </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><ol> <li><code>| rev | cut -d\/ -f2- | rev \</code>&ndash;&gt; This is the solution to the previous question; grab the URL up to the directory</li> <li><code>| sort -u --parallel=2G</code>&ndash;&gt; Sort and give only the unique URLs.</li> <li><code>xargs -I {} printf &quot;ffuf -t 40 -r -u &quot;{}/FUZZ&quot; -maxtime 60 -v -c -w /tmp/gitc \n&quot;</code>&ndash;&gt; The ffuf command</li> </ol> <blockquote> <p>💡 What are my assumptions and potential issues with this new technique? How is this inefficient? Is every URL in-scope to your testing? Is the ffuf command correct?</p> </blockquote> <h3 id="5-find-http-response-headers-with-nginx">5. Find HTTP Response Headers with nginx </h3><p>In this example we want to look through a Burp Suite project for any server response header that contains nginx (i.e. <code>Server: Nginx 1.12</code> ). This can be done with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP responseHeader=&#39;.*(Servlet|nginx).*&#39; 2&gt;/dev/null \ </span></span><span class="line"><span class="cl">| sort -u --parallel=2G </span></span></code></pre></td></tr></table> </div> </div><p>Example Results:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">{&#34;url&#34;:&#34;https://target1:443/webfonts/fa-solid-900.woff2&#34;,&#34;header&#34;:&#34;Server: nginx/1.12.2&#34;} </span></span><span class="line"><span class="cl">{&#34;url&#34;:&#34;https://target2:443/&#34;,&#34;header&#34;:&#34;Server: nginx/1.14.0 + Phusion Passenger 6.0.6&#34;} </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="6-search-for-an-api-key-with-regex---take-1">6. Search for an API key with regex - Take 1 </h3><p>In this example we want to search through a Burp Suite Project for a known API key regex. For example, <code>([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}</code> (Source: <a class="link" href="https://github.com/dxa4481/truffleHogRegexes/issues/19" target="_blank" rel="noopener" >https://github.com/dxa4481/truffleHogRegexes/issues/19</a>) will identify AWS API keys. Here is how we would do that against our project file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$PARSE_BURP responseHeader=&#39;.*([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}.*&#39; 2&gt;/dev/null </span></span></code></pre></td></tr></table> </div> </div><h3 id="7-search-for-all-the-api-keys-with-regex---take-2">7. Search for all the API key(s) with regex - Take 2 </h3><p>There are a couple of issues with Take 1 above. First, it has low yield because we are only using a single regex when we could be greedier about it. Second, it&rsquo;s memory intensive and doesn&rsquo;t scale well.</p> <p>One solution is to use &ldquo;the save results to MongoDB&rdquo; feature (i.e. <code>storeData=[MongoDB Host]</code>) and then write a script to search the results. This scales very well and is reusable.</p> <p>Another solution which is a little messier (and greedier) is to write all of the responses to files and then use an awesome tool like trufflehog (<a class="link" href="https://github.com/trufflesecurity/trufflehog" target="_blank" rel="noopener" >https://github.com/trufflesecurity/trufflehog</a>) to find all the secrets.  That sounds like more fun, let&rsquo;s go with that.</p> <p>Step 1 is to write all of the HTTP responses from a Burp Suite project file to a directory.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mkdir burp_responses </span></span><span class="line"><span class="cl">$PARSE_BURP proxyHistory 2&gt;/dev/null \ </span></span><span class="line"><span class="cl">| grep -F &#34;{&#34; | jq -c &#39;{&#34;url&#34;:.request.url,&#34;body&#34;:.response.body}&#39; \ </span></span><span class="line"><span class="cl">| while read line; do echo $line | tee burp_responses/$(uuidgen | tr -d &#39;-&#39;).burp; done </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p>💡 Note, this will print the URL and the response body (only) to a set of files with one request/response per file. If you want to search HTTP request headers, HTTP response headers etc. then you need to adjust or remove the jq filter on line 2.On my system this command took around 10 minutes to run. A 384Mb project file became 313Mb worth of 105,309 files.⚠️ This is the first time I have broken ls on my system with a too many files error in a directory 😂 ⚠️</p> </blockquote> <p>At this point we should have a directory (i.e. <code>burp_responses</code>) filled with thousands of files containing the URL and the response one per file. Lastly run <code>trufflehog</code> over the set of files and look for results.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">trufflehog filesystem --directory=burp_responses --no-verification | tee trufflehog_results.txt </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p>💡 For speed and privacy reasons, I chose to set the &ndash;no-verification flag on my first pass. On secondary passes I would likely remove this flag.</p> </blockquote> <h3 id="8-search-for-all-the-api-keys-with-regex---take-3">8. Search for all the API key(s) with regex - Take 3 </h3><p>Because we already have the HTTP response bodies in files let&rsquo;s use <a class="link" href="https://github.com/tomnomnom/gf" target="_blank" rel="noopener" >gf</a> by the legend <a class="link" href="https://twitter.com/TomNomNom" target="_blank" rel="noopener" >@tomnomnom</a> to search for interesting things. If you are unfamiliar with gf, the core idea is it&rsquo;s a reusable wrapper around grep.</p> <p>gf comes pre-packaged with a set of great checks; <a class="link" href="https://github.com/tomnomnom/gf/blob/master/examples/takeovers.json" target="_blank" rel="noopener" >https://github.com/tomnomnom/gf/blob/master/examples/</a>.</p> <p>Let&rsquo;s run the <code>s3-buckets</code> common gf patterns over our HTTP responses and see if we find anything of interest:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cd burp_responses </span></span><span class="line"><span class="cl">gf s3-buckets \ </span></span><span class="line"><span class="cl">| sort -u --parallel=2G \ </span></span><span class="line"><span class="cl">| tee -a gf_results.txt </span></span></code></pre></td></tr></table> </div> </div><p>Although it&rsquo;s not as powerful as using trufflehog, it is far superior to take 1. Furthermore, gf makes it easy to write and reuse your own grep checks. Consider this option when reviewing for interesting things at scale.</p> <h3 id="concluding-thoughts">Concluding Thoughts </h3><p>We have just skimmed the surface of the automation capabilities. I have lot more ideas (and experience) related to AppSec automation, so stay tuned!</p>https://silentrobots.com/building-an-appsec-pipeline-with-burpsuite-data/Wed, 08 Jun 2022 00:00:00 +0000https://silentrobots.com/building-an-appsec-pipeline-with-burpsuite-data/<img src="https://silentrobots.com/" alt="Featured image of post Building on an AppSec Pipeline with Burp Suite data - Part 1" /><p>In this two part series we are going to take Burp Suite Project files as input from the command line, parse them, and then feed them into a testing pipeline.  </p> <p>The series is broken down into two parts:</p> <ol> <li><a class="link" href="https://silentrobots.com/building-an-appsec-pipeline-with-burpsuite-data/" >Getting at the Data</a> (i.e. from the CLI to feeding the pipeline)</li> <li><a class="link" href="https://silentrobots.com/pushing-burp-suite-data-into-your-testing-pipeline-part-2/" >8 Bug Hunting Examples with burpsuite-project-parser</a> (i.e. from the pipeline to testing)</li> </ol> <h3 id="introduction">Introduction </h3><p>Two years ago I pushed to Github a Burp Suite plugin with a mouthful of a name: <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser" target="_blank" rel="noopener" >burpsuite-project-parser</a>. It started out to solve a very simple problem.</p> <blockquote> <p>I am on day 10 of a web application assessment, I intercept a request, and I ask myself “Where the $@#* have I seen that parameter before?!?!”</p> </blockquote> <p>When I am on a long assessment or bug hunting over a period of time I keep multiple sequential Burp project files (e.g. 06-01-2022.burp, 06-08-2022.burp, etc). Typically I would need to open and close Burp Suite for each project file using the search UI to hunt for this single parameter or URI. This led to the idea:</p> <blockquote> <p>💡 What if you could output as JSON all of the requests, responses, and findings from a Burp Suite project file using the CLI and then grep to search? Or save to a database? Or feed to another tool? &hellip;.</p> </blockquote> <p>This was the first problem solved by <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser" target="_blank" rel="noopener" >burpsuite-project-parser</a>. From the CLI it will output every request/response (or findings) from a project file. For example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">{&#34;request&#34;:{&#34;url&#34;:&#34;http://secret.targethost.com:80/success.txt&#34;,&#34;headers&#34;:[&#34;Host: secret.targethost.com&#34;,&#34;User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0&#34;,&#34;Accept: */*&#34;,&#34;Accept-Language: en-US,en;q\u003d0.5&#34;,&#34;Accept-Encoding: gzip, deflate&#34;,&#34;Cache-Control: no-cache&#34;,&#34;Pragma: no-cache&#34;,&#34;Connection: close&#34;],&#34;uri&#34;:&#34;/success.txt&#34;,&#34;method&#34;:&#34;GET&#34;,&#34;httpVersion&#34;:&#34;HTTP/1.1&#34;,&#34;body&#34;:&#34;&#34;},&#34;response&#34;:{&#34;url&#34;:&#34;http://secret.targethost.com:80/success.txt&#34;,&#34;headers&#34;:[&#34;Content-Type: text/plain&#34;,&#34;Content-Length: 8&#34;,&#34;Last-Modified: Mon, 15 May 2017 18:04:40 GMT&#34;,&#34;ETag: \&#34;ae780585fe1444eb7d28906123\&#34;&#34;,&#34;Accept-Ranges: bytes&#34;,&#34;Server: AmazonS3&#34;,&#34;X-Amz-Cf-Pop: ORD53-&#34;,&#34;X-Amz-Cf-Id: ADZK&#34;,&#34;Cache-Control: no-cache, no-store, must-revalidate&#34;,&#34;Date: Mon, 14 Sep 2020 17:59:54 GMT&#34;,&#34;Connection: close&#34;],&#34;code&#34;:&#34;200&#34;,&#34;body&#34;:&#34;success\n&#34;}} </span></span><span class="line"><span class="cl">{&#34;request&#34;:{&#34;url&#34;:&#34;https://mail.targethost.com:443/somepage&#34;,&#34;headers&#34;:[&#34;Host: x.tesla.com:443/somepage&#34;,&#34;User-Agent: ... </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>The Github page for <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser" target="_blank" rel="noopener" >burpsuite-project-parser</a> has the most <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser#installation" target="_blank" rel="noopener" >up to date installation instructions</a> so I won&rsquo;t repeat those here. Instead I want to talk about how to parse larger amounts of Burp data in our pipeline.</p> <h3 id="moving-faster-with-burp-suite-user-level-configuration">Moving Faster with Burp Suite User-Level Configuration </h3><p><img src="https://images.unsplash.com/photo-1649182325585-27a7d33563b5?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwxMTc3M3wwfDF8c2VhcmNofDV8fGxpZ2h0c3BlZWR8ZW58MHx8fHwxNjU0NDM2OTA2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=2000" alt="Photo by Anton Filatov / Unsplash" loading="lazy" /> <em>Photo by Anton Filatov / Unsplash</em></p> <p>You may or may not have played with Burp User-Level Configurations; they were certainly new to me when I started this project. The Burp Suite <a class="link" href="https://portswigger.net/burp/documentation/desktop/configurations" target="_blank" rel="noopener" >documentation</a> does the best job of describing what&rsquo;s included so I will just screenshot it here:</p> <p><img src="https://silentrobots.com/images/2022/06/Screen-Shot-2022-06-05-at-6.31.28-AM.png" alt="" loading="lazy" /> </p> <p>BurpSuite Documentation Screenshot taken on 06/05/22</p> <p>The most important point is that we can create a User-Level configuration to include just the <a class="link" href="https://github.com/BuffaloWill/burpsuite-project-file-parser" target="_blank" rel="noopener" >burpsuite-project-parser</a> Extender tool and not break our default Burp Suite configuration. This allows the loading and unloading of Burp Suite to be much faster as we are only applying one extension against the project file.</p> <p>The following assumes you have already installed Burp Suite Project File Parser; if not, install it before going forward.</p> <p>First, **save your existing user options; **Burp &gt; User Options &gt; Save user options. Use a memorable name such as &ldquo;DEFAULT_BURP_USER_OPTIONS.json&rdquo;:</p> <p><img src="https://silentrobots.com/images/2022/06/Screen-Shot-2022-06-08-at-5.41.39-AM.png" alt="" loading="lazy" /> </p> <p>My default setup</p> <p>Next, disable all other Extensions except &ldquo;BurpSuite Project File Parser&rdquo; and &ldquo;Save user options&rdquo; as a new file (i.e. &ldquo;ONLY_BURP_PROJECT_PARSER.json&rdquo;):</p> <p><img src="https://silentrobots.com/images/2022/06/Screen-Shot-2022-06-08-at-5.50.06-AM.png" alt="" loading="lazy" /> </p> <p>Only the Project File Parser tool</p> <p>Finally, before closing Burp Suite, click &ldquo;Load user options&rdquo; and load your original custom options (i.e. &ldquo;DEFAULT_BURP_USER_OPTIONS.json&rdquo;) back in. This way, the next time you open Burp Suite GUI your configuration will be the same as what you are used to.</p> <h3 id="testing">Testing </h3><p>It&rsquo;s time to test our setup. Run the following command against an existing project file to verify everything is working correctly. Make sure to replace 2022-06-08.burp with the name of your Burp Suite Project file and the location of your burpsuite jar file (e.g. ~/Downloads/burpsuite_pro_v2022.3.6.jar below):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="mi">2022</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mf">08.</span><span class="n">burp</span> \ </span></span><span class="line"><span class="cl"><span class="n">auditItems</span> </span></span></code></pre></td></tr></table> </div> </div><p>You should see audit items in the result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Warning: the fonts &#34;Times&#34; and &#34;Times&#34; are not available for the Java logical font &#34;Serif&#34;, which may have unexpected appearance or behavior. Re-enable the &#34;Times&#34; font to remove this warning. </span></span><span class="line"><span class="cl">{&#34;Message&#34;:&#34;Loaded project file parser; updated for burp 2022.&#34;} </span></span><span class="line"><span class="cl">[auditItems] </span></span><span class="line"><span class="cl">{&#34;issueName&#34;:&#34;Unencrypted communications&#34;,&#34;url&#34;:&#34;http://site1:80/&#34;,&#34;confidence&#34;:&#34;Certain&#34;,&#34;severity&#34;:&#34;Low&#34;} </span></span><span class="line"><span class="cl">{&#34;issueName&#34;:&#34;Unencrypted communications&#34;,&#34;url&#34;:&#34;http://site2:80/&#34;,&#34;confidence&#34;:&#34;Certain&#34;,&#34;severity&#34;:&#34;Low&#34;} </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p>💡 Using my laptop as a benchmark it took around half the time to process a project file using the single purpose user option configuration compared to default. This speed up is even more drastic when we begin to process more files, larger projects, and include more complex options.</p> </blockquote> <p>Maybe not light speed but it&rsquo;s waayyy faster.</p> <h2 id="burpsuite-project-parser-flags">burpsuite-project-parser Flags </h2><p>At this point we now have a speedier way to parse project files. Before giving a few examples let&rsquo;s reiterate what flags are available as of burpsuite-project-parser 1.0. Remember any output will be in JSON:</p> <p>auditItems: Outputs the audit findings from a project file. siteMap: Outputs  all requests/responses from the site map. proxyHistory: Outputs all requests/responses from the site map. responseHeader=[regex]: Using the [regex] output any response that matches in the response headers. responseBody=[regex]: Using the [regex] output any response that matches in the response body. storeData=[MongoDB Host]: Store all requests/responses to a MongoDB server; check out the Github project for the required MongoDB settings.</p> <h2 id="feeding-data-into-the-pipeline">Feeding Data into the Pipeline </h2><p>Before we finish up let&rsquo;s do a few examples.</p> <p>Here is a bash one-liner to output all of the findings from all of the project files in the current directory:</p> <p>Linux:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">find</span> <span class="o">.</span> <span class="o">-</span><span class="n">maxdepth</span> <span class="mi">1</span> <span class="o">-</span><span class="n">name</span> <span class="s2">&#34;*.burp&#34;</span> <span class="o">|</span> <span class="n">xargs</span> <span class="o">-</span><span class="n">i</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">auditItems</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> </span></span></code></pre></td></tr></table> </div> </div><p>OS X:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">find</span> <span class="o">.</span> <span class="o">-</span><span class="n">maxdepth</span> <span class="mi">1</span> <span class="o">-</span><span class="n">name</span> <span class="s2">&#34;*.burp&#34;</span> <span class="o">|</span> <span class="n">xargs</span> <span class="o">-</span><span class="n">I</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">auditItems</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> </span></span></code></pre></td></tr></table> </div> </div><p>Search every project file for Servlet or nginx in response header:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">find</span> <span class="o">.</span> <span class="o">-</span><span class="n">maxdepth</span> <span class="mi">1</span> <span class="o">-</span><span class="n">name</span> <span class="s2">&#34;*.burp&#34;</span> <span class="o">|</span> <span class="n">xargs</span> <span class="o">-</span><span class="n">I</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">responseHeader</span><span class="o">=</span><span class="s1">&#39;.*(Servlet|nginx).*&#39;</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> </span></span></code></pre></td></tr></table> </div> </div><p>Grep all proxyHistory of all project files for &ldquo;graphql&rdquo; anywhere and output the URL where it was seen:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">find</span> <span class="o">.</span> <span class="o">-</span><span class="n">maxdepth</span> <span class="mi">1</span> <span class="o">-</span><span class="n">name</span> <span class="s2">&#34;*.burp&#34;</span> <span class="o">|</span> <span class="n">xargs</span> <span class="o">-</span><span class="n">I</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">proxyHistory</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> \ </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">Fi</span> <span class="s2">&#34;graphql&#34;</span> \ </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">jq</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;{&#34;url&#34;:.request.url}&#39;</span> <span class="o">|</span> <span class="n">cut</span> <span class="o">-</span><span class="n">d</span>\<span class="s2">&#34; -f4</span> </span></span></code></pre></td></tr></table> </div> </div><p>Grep for &ldquo;url=&rdquo; from proxyHistory in the url and uri only:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">find</span> <span class="o">.</span> <span class="o">-</span><span class="n">maxdepth</span> <span class="mi">1</span> <span class="o">-</span><span class="n">name</span> <span class="s2">&#34;*.burp&#34;</span> <span class="o">|</span> <span class="n">xargs</span> <span class="o">-</span><span class="n">I</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">java</span> <span class="o">-</span><span class="n">jar</span> <span class="o">-</span><span class="n">Djava</span><span class="o">.</span><span class="n">awt</span><span class="o">.</span><span class="n">headless</span><span class="o">=</span><span class="bp">true</span> \ </span></span><span class="line"><span class="cl"><span class="o">-</span><span class="n">Xmx2G</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">desktop</span><span class="o">/</span><span class="n">javax</span><span class="o">.</span><span class="n">swing</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">opens</span><span class="o">=</span><span class="n">java</span><span class="o">.</span><span class="n">base</span><span class="o">/</span><span class="n">java</span><span class="o">.</span><span class="n">lang</span><span class="o">=</span><span class="n">ALL</span><span class="o">-</span><span class="n">UNNAMED</span> \ </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Downloads</span><span class="o">/</span><span class="n">burpsuite_pro_v2022</span><span class="o">.</span><span class="mf">3.6</span><span class="o">.</span><span class="n">jar</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">user</span><span class="o">-</span><span class="n">config</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ONLY_BURP_PROJECT_PARSER</span><span class="o">.</span><span class="n">json</span> \ </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">project</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="p">{}</span> \ </span></span><span class="line"><span class="cl"><span class="n">proxyHistory</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> \ </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">F</span> <span class="s2">&#34;{&#34;</span> \ </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">jq</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;{&#34;url&#34;:.request.url,&#34;uri&#34;:.request.uri}&#39;</span> \ </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">cut</span> <span class="o">-</span><span class="n">d</span>\<span class="s2">&#34; -f4,8 | tr -d </span><span class="se">\&#34;</span><span class="s2"> </span><span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="s2">| grep -iF &#34;</span><span class="n">url</span><span class="o">=</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="ymmv">YMMV </h2><p>Please keep in mind this plug-in follows a design philosophy of <a class="link" href="https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s06.html" target="_blank" rel="noopener" >&ldquo;one tool for the job&rdquo;</a>. Grepping through the proxyHistory and only outputting a URL may not be the most accurate way to get the data you are looking for. Instead, maybe putting everything into MongoDB (ElasticSearch, etc) or a custom JSON search script works better. In this next post we will take this idea further.</p> <p>Please submit bugs and improvements to the Github project if you want!</p>https://silentrobots.com/odle-piping-security-data/Thu, 24 May 2018 00:00:00 +0000https://silentrobots.com/odle-piping-security-data/<img src="https://silentrobots.com/" alt="Featured image of post odle ruby gem: piping security data" /><p>I recently (May 2018) published <a class="link" href="https://github.com/BuffaloWill/odle" target="_blank" rel="noopener" >odle</a> which is a Ruby gem and binary that takes XML data from various security tools and outputs their JSON equivalent. The goal is to be (1) simple, (2) fast, and (3) work on many platforms with only one dependency – nokogiri.</p> <p><img src="https://silentrobots.com/images/external/odle.gif" alt="" loading="lazy" /> </p> <p>Quick Example of Piping Security Results</p> <p>Below are two examples using odle to convert output from one tool (e.g. burpsuite) as input for something else (e.g. nmap scans). From the command line I typically use odle with <a class="link" href="https://github.com/tomnomnom/gron" target="_blank" rel="noopener" >gron</a> which is an awesome tool that “makes json greppable” =).</p> <h2 id="convert-burp-to-nmap-script-scan">Convert Burp to nmap script scan </h2><p>Often I will take the passive data from one tool and feed it into another tool. One example is burp to something else; in this case, nmap script checks.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat burp-scan.xml <span class="p">|</span> odle --burp <span class="p">|</span> gron <span class="p">|</span> grep -i <span class="s1">&#39;affected_hosts&#39;</span> <span class="p">|</span> cut -d <span class="se">\&#34;</span> -f4 <span class="p">|</span> cut -d/ -f3 <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1 <span class="p">|</span> sort <span class="p">|</span> uniq <span class="p">|</span> xargs <span class="nb">printf</span> <span class="s2">&#34;nmap -sS -Pn -p 21 --script +ftp-anon %s \n&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon apis.google.com </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon developer.cdn.mozilla.net </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon fakesite.com </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon fonts.googleapis.com </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon safebrowsing-cache.google.com </span></span><span class="line"><span class="cl">nmap -sS -Pn -p <span class="m">21</span> --script +ftp-anon safebrowsing.google.com </span></span></code></pre></td></tr></table> </div> </div><h2 id="run-nessus-results-through-aquatone">Run nessus results through aquatone </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat nessus_v2.xml <span class="p">|</span> odle --nessus <span class="p">|</span> ~/Downloads/gron <span class="p">|</span> grep -i <span class="s1">&#39;affected_hosts&#39;</span> <span class="p">|</span> cut -d <span class="se">\&#34;</span> -f4 <span class="p">|</span> cut -d/ -f3 <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1 <span class="p">|</span> sort <span class="p">|</span> uniq <span class="p">|</span> xargs <span class="nb">printf</span> <span class="s2">&#34;aquatone --discover %s \n&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">aquatone --discover admin.fb.com </span></span><span class="line"><span class="cl">aquatone --discover js.fb.com </span></span><span class="line"><span class="cl">aquatone --discover blah.fb.com </span></span></code></pre></td></tr></table> </div> </div><h2 id="install">Install </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gem install nokogiri </span></span><span class="line"><span class="cl">gem install odle </span></span></code></pre></td></tr></table> </div> </div><h2 id="bugs">Bugs </h2><p>I am sure there are plenty. Please submit an issue if you find one or if you would like to see other supported tools. I am also interested in inconsistencies between outputs, missing data, and other issues if you see them.</p>https://silentrobots.com/exploiting-cve-2016-4264-with-oxml_xxe/Sun, 02 Oct 2016 00:00:00 +0000https://silentrobots.com/exploiting-cve-2016-4264-with-oxml_xxe/<img src="https://silentrobots.com/" alt="Featured image of post Exploiting CVE-2016-4264 With OXML_XXE" /><p>Recently ColdFusion was <a class="link" href="http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt" target="_blank" rel="noopener" >shown vulnerable</a> to XXE based attacks in OXML documents; <a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4264" target="_blank" rel="noopener" >CVE-2016-4264</a>. The blog post linked gives an example building the file using python; cool!</p> <p>It’s easy to backdoor files in a similar fashion with <a class="link" href="https://github.com/BuffaloWill/oxml_xxe" target="_blank" rel="noopener" >OXML XXE</a>. The fastest way to do this is using the “Overwrite File inside DOCX/etc” function.</p> <p><img src="https://silentrobots.com/images/external/sr00.png" alt="" loading="lazy" /> </p> <p>You can add any XLSX at this point, OXML_XXE ships with a sample.xlsx.</p> <p><img src="https://silentrobots.com/images/external/sr1.png" alt="" loading="lazy" /> </p> <p>You will want to specify the XML file to overwrite; e.g. “[Content_Types.xml]”. The “_rels/.rels” file is another option.</p> <p><img src="https://silentrobots.com/images/external/sr2.png" alt="" loading="lazy" /> </p> <p>Finally add in the XML exploit. Below a Parameter Entity is used.</p> <p><img src="https://silentrobots.com/images/external/sr3.png" alt="" loading="lazy" /> </p> <p>Click “Build” to generate and download the file. To verify that the file is sound you can view the generated file in the “List Previously Built Files” menu option.</p> <p><img src="https://silentrobots.com/images/external/sr05.png" alt="" loading="lazy" /> </p> <p><img src="https://silentrobots.com/images/2022/05/image-1.png" alt="" loading="lazy" /> </p>https://silentrobots.com/finding-hosts-using-ssl-certificate-organization-and-censys/Tue, 27 Sep 2016 00:00:00 +0000https://silentrobots.com/finding-hosts-using-ssl-certificate-organization-and-censys/<img src="https://silentrobots.com/" alt="Featured image of post Finding Hosts Using SSL Certificate Organization And Censys" /><p>Finding hosts or domain names associated with a company where the domain name does not include the name of the company can sometimes be difficult. There are common ways to do it such as ASN or scope information (e.g. bug bounty ToE or IP block).</p> <p>One technique that I use (and I am guessing others do as well) is through an Organization field in a SSL Certificate that is shared by multiple domains. For example, a certificate from <a class="link" href="https://www.facebook.com/" target="_blank" rel="noopener" >https://www.facebook.com</a> and <a class="link" href="https://parse.com/" target="_blank" rel="noopener" >https://parse.com</a> are signed by the same organization.</p> <p><img src="https://silentrobots.com/images/external/facebook.png" alt="" loading="lazy" /> </p> <p>Notice the Organization in the SSL Certificate and compare to the image below</p> <p><img src="https://silentrobots.com/images/external/parse.png" alt="" loading="lazy" /> </p> <p>Notice the Organization in the SSL Certificate and compare to the image above</p> <p>This is an easy example. Parse is listed on the Facebook Mergers or Acquisitions page (<a class="link" href="https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook" target="_blank" rel="noopener" >https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook</a>) and the FB bug bounty terms (<a class="link" href="https://www.facebook.com/whitehat" target="_blank" rel="noopener" >https://www.facebook.com/whitehat</a>).</p> <p>However, consider a more complex example like <a class="link" href="https://hackerone.com/reports/154425" target="_blank" rel="noopener" >“HackerOne: Subdomain takeover on https://fastly.sc-cdn.net/”</a>.</p> <p>First, if you aren’t familiar with sub-domain take over <a class="link" href="https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/" target="_blank" rel="noopener" >this</a> and <a class="link" href="https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/" target="_blank" rel="noopener" >this</a> are awesome.</p> <p>In the case above, the subdomain fastly.sc-cdn.net is owned by Snapchat which is not obvious from the domain name. Personally, I do not know how ebrietas found that domain. DNS Bruteforcing would work. It could also be done by shared SSL Certificates on the Organization name.</p> <p>A few months back I wrote a <a class="link" href="https://gist.github.com/BuffaloWill/a4862b377404b15830b7cada1f6731a5" target="_blank" rel="noopener" >script</a> that uses the Censys API to look for domains with the same Organization field in the SSL certificate.</p> <p>For example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ruby censys_cert_search.rb <span class="s1">&#39;Snapchat Inc.&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Page: <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;se.snap-dev.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;se.snap-dev.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>+<span class="p">|</span> Checking se.snap-dev.net </span></span><span class="line"><span class="cl">se.snap-dev.net. <span class="m">300</span> IN A 107.178.248.183 </span></span><span class="line"><span class="cl">se.snap-dev.net. <span class="m">300</span> IN A 107.178.248.183 </span></span><span class="line"><span class="cl"><span class="p">|</span>+<span class="p">|</span> Checking se.snap-dev.net </span></span><span class="line"><span class="cl">se.snap-dev.net. <span class="m">300</span> IN A 107.178.248.183 </span></span><span class="line"><span class="cl">se.snap-dev.net. <span class="m">300</span> IN A 107.178.248.183 </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;spectre.sc-corp.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;spectre.sc-corp.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>+<span class="p">|</span> Checking spectre.sc-corp.net </span></span><span class="line"><span class="cl">spectre.sc-corp.net. <span class="m">300</span> IN A 130.211.14.254 </span></span><span class="line"><span class="cl">spectre.sc-corp.net. <span class="m">300</span> IN A 130.211.14.254 </span></span><span class="line"><span class="cl"><span class="p">|</span>+<span class="p">|</span> Checking spectre.sc-corp.net </span></span><span class="line"><span class="cl">spectre.sc-corp.net. <span class="m">300</span> IN A 130.211.14.254 </span></span><span class="line"><span class="cl">spectre.sc-corp.net. <span class="m">300</span> IN A 130.211.14.254 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>If you checkout the code, the script is:</p> <ol> <li>Using the Censys Certificate API to search on the Organization string matching ‘Snapchat Inc.’ (i.e. O=Snapchat Inc.*)</li> <li>Parsing out the Common Name and Alternate Names from the SSL Certificate response</li> <li>Performing a DNS lookup for each name found</li> </ol> <p>You can also run the script to skip over common names that could’ve been easily found in other ways (e.g. dev.snapchat.com). This focuses the effort on hard to find systems. Adding a third argument skips DNS lookup.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ruby censys_cert_search.rb <span class="s1">&#39;Snapchat Inc.&#39;</span> <span class="s1">&#39;*snapchat.com&#39;</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Page: <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;se.snap-dev.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;se.snap-dev.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;spectre.sc-corp.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;spectre.sc-corp.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.targeting.snapads.com&#34;</span>, <span class="s2">&#34;targeting.snapads.com&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.targeting.snapads.com&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span>, <span class="s2">&#34;snapchat.com&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;rest-escluster.hydrasearch.sc-prod.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;rest-escluster.hydrasearch.sc-prod.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span>, <span class="s2">&#34;snapchat.com&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;restfulgit.sc-corp.net&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;restfulgit.sc-corp.net&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;attribution.snapads.com&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;attribution.snapads.com&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;parsed.extensions.subject_alt_name.dns_names&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span>, <span class="s2">&#34;snapchat.com&#34;</span>, <span class="s2">&#34;mail.support.snapchat.com&#34;</span><span class="o">]</span>, <span class="s2">&#34;parsed.subject.common_name&#34;</span><span class="o">=</span>&gt;<span class="o">[</span><span class="s2">&#34;*.snapchat.com&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl">.... </span></span></code></pre></td></tr></table> </div> </div><p>As you can see not perfect but I’ve found it really useful in the past. It was hack for something else and I’ll update as time permits.</p>https://silentrobots.com/cloud-metadata-url-list/Mon, 28 Mar 2016 00:00:00 +0000https://silentrobots.com/cloud-metadata-url-list/<img src="https://silentrobots.com/" alt="Featured image of post Cloud Metadata URL List" /><p>I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk <a class="link" href="https://youtu.be/JTOWxi17k-w?t=1411" target="_blank" rel="noopener" >BHUSA 2014 - Bringing a Machete to the Amazon</a> I recommend it.</p> <p>To make life a little easier created a living URL list for Metadata broken down by cloud. There are a few more than he discusses in the talk but still has work to go. Submit a PR if you see some missing.</p> <p><a class="link" href="https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb" target="_blank" rel="noopener" >https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb</a></p>https://silentrobots.com/search-all-github-repositories-for-an-organization/Fri, 09 Jan 2015 00:00:00 +0000https://silentrobots.com/search-all-github-repositories-for-an-organization/<img src="https://silentrobots.com/" alt="Featured image of post Search all Github Repositories for an Organization" /><p><a class="link" href="https://github.com/BuffaloWill/gumbler" target="_blank" rel="noopener" >gumbler</a> is a script I wrote to search through git commits and introduced in the blog post <a class="link" href="https://silentrobots.com/blog/2014/10/06/gumbler/" >“Searching Through Git Commits”</a>. Recently I wanted to run Gumbler across all repositories for an organization, the steps are discussed below.</p> <p>First, we need to grab a list of repositories for the ORG. This can be done using the API</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">curl &#34;https://api.github.com/orgs/[ORG NAME]/repos?page=1&amp;per_page=10000&#34; &gt; repos.json </span></span><span class="line"><span class="cl">curl &#34;https://api.github.com/orgs/[ORG NAME]/repos?page=2&amp;per_page=10000&#34; &gt;&gt; repos.json </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Note, the API limits the number of values returned so you will want to update the page count to make sure you get them all.</p> <p>Next we iterate through each repository, clone it, and run gumbler across the repo. A simple Ruby script is given below. Note, ignore any repos that were forked as they aren’t specific to the orgnization.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ruby" data-lang="ruby"><span class="line"><span class="cl"><span class="nb">require</span> <span class="s1">&#39;json&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># specify repos.json as an argument</span> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="no">File</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="no">ARGV</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># parse the json</span> </span></span><span class="line"><span class="cl"><span class="n">data_hash</span> <span class="o">=</span> <span class="no">JSON</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># iterate each hash</span> </span></span><span class="line"><span class="cl"><span class="n">data_hash</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="nb">hash</span><span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ignore forked repos</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">!</span><span class="p">(</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;fork&#34;</span><span class="o">]</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">puts</span> <span class="s2">&#34;|+| Testing </span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># clone the project</span> </span></span><span class="line"><span class="cl"> <span class="sb">`git clone https://github.com/[ORG]/</span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="sb">.git`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Gumbler requires full directory paths</span> </span></span><span class="line"><span class="cl"> <span class="sb">`ruby ~/gumbler/gumbler.rb -s -p </span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="sb"> ~/[ORG]/results/`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">end</span> </span></span><span class="line"><span class="cl"><span class="k">end</span> </span></span></code></pre></td></tr></table> </div> </div>https://silentrobots.com/searching-through-git-commits/Mon, 06 Oct 2014 00:00:00 +0000https://silentrobots.com/searching-through-git-commits/<img src="https://silentrobots.com/" alt="Featured image of post Searching Through Git Commits" /><p><a class="link" href="https://github.com/BuffaloWill/gumbler" target="_blank" rel="noopener" >gumbler</a> is a script I wrote to search through git commits. Examples from github are discussed below.</p> <h1 id="gitignore">.gitignore </h1><p>A gitignore file is used to specify files that should not be tracked by git (source <a class="link" href="https://git-scm.com/docs/gitignore" target="_blank" rel="noopener" >gitignore</a>). In the default case, gumbler will read the gitignore file for the project and search every revision for a case where a file from gitignore was committed. Possible use cases would be as a pen tester looking for reconnaisance data (e.g. developer usernames/passwords, staging hosts/services, etc.) or a developer to verify projects did not previously commit “secret” data.</p> <p>I am a big fan of what Netflix is doing with regards to open source and security. After looking through a number of their projects, I noticied Priam has a few commits with non-damaging files from the gitignore.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$. git clone https://github.com/Netflix/Priam.git </span></span><span class="line"><span class="cl">Cloning into &#39;Priam&#39;... </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">Checking connectivity... done. </span></span><span class="line"><span class="cl">$. ruby gumbler/gumbler.rb Priam/ gumbler_testing/tmp/ </span></span><span class="line"><span class="cl">|-| Jumping to remote @directory Priam/ </span></span><span class="line"><span class="cl">|-| Storing every revision </span></span><span class="line"><span class="cl">checking for *.com.. </span></span><span class="line"><span class="cl">checking for *.class.. </span></span><span class="line"><span class="cl">..... </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 442862d4a8d4d18d0e176ded8795dd45a24528fc .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">checking for .project.. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 0941d9e0e0dda3ee1d9d4dda757d59ffb641abcf .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">checking for .settings.. </span></span><span class="line"><span class="cl">.... </span></span></code></pre></td></tr></table> </div> </div><p>.classpath or .project are not damaging in this case and, hence, are used as the example. On a pen test or in collaborative projects I have found much worse (cough usernames, passwords). This shouldn’t be that surprising.</p> <h1 id="searching-commit-logs">Searching Commit Logs </h1><p>Another use case for gumbler is to look through commit history. Using Ruby on Rails as an example, we can search from for any commit with “CVE” in it. Gumbler will output a diff from the files changed in the commit.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$. ruby gumbler/gumbler.rb --grep CVE rails/ tmp/ </span></span><span class="line"><span class="cl">|!| skipping .gitignore, searching commit log for CVE </span></span><span class="line"><span class="cl">$. ls tmp/ </span></span><span class="line"><span class="cl">060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15:13:03_-0700.diff 88cc1688d0cb828c17706b41a8bd27870f2a2beb-2013-01-08_12:11:18_-0800.diff </span></span><span class="line"><span class="cl">08d0a11a3f62718d601d39e617c834759cf59bbb-2014-02-18_15:38:50_-0300.diff 8be6913990c30f63618173da722148892348dcc9-2013-03-15_17:45:53_-0700.diff </span></span><span class="line"><span class="cl">0b58a7ff420d7ef4b643c521a62be7259dd2f5cb-2011-02-08_14:21:12_-0800.diff 8e577fe560d5756fcc67840ba304d79ada6804e4-2013-01-08_12:41:24_-0800.diff </span></span><span class="line"><span class="cl">0c7ac34aed1845044cd1911e5a775366d7ca41c1-2013-12-02_16:42:16_-0800.diff 9340f89849606dba02f44038171f3837f883fd4e-2012-05-30_15:09:13_-0700.diff </span></span><span class="line"><span class="cl">2392535f4085d88186097e3c23414e958fb1d16d-2013-03-18_10:17:32_-0700.diff 93fb4c1e62dc9605eecbfaffda2becc85890fa5f-2014-07-10_10:20:16_-0700.diff </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$. cat 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15\:13\:03_-0700.diff </span></span><span class="line"><span class="cl">060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30 15:13:03 -0700==&gt; 2012-05-30 15:13:03 -0700 Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! Strip [nil] from parameters hash. </span></span><span class="line"><span class="cl">Thanks to Ben Murphy for reporting this! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CVE-2012-2660 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">:100644 100644 aa5ba3e... 6757a53... M actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">:100644 100644 c3f009a... 6ea66f9... M actionpack/test/dispatch/request/query_string_parsing_test.rb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">index aa5ba3e..6757a53 100644 </span></span><span class="line"><span class="cl">--- a/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">+++ b/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">.... </span></span></code></pre></td></tr></table> </div> </div><p>As the README says, be careful using the tool as it uses Command Execution to search. A malicious git project could take advantage of this. Ping me with better ways to handle this.</p>