Automatically collecting the results of Burp Suite Scanner scans
0x00 Requirements
While QA runs functional tests, run security tests at the same time, so that the time spent on dedicated product security testing shrinks and the security issues a tool can find are raised as early as possible.
0x01 Approach
- Set up a Windows server and install Burp Suite on it; Burp's proxy listens on the server's IP, port 8080
- During testing, QA points the browser at that proxy (proxy IP: the Windows server's IP, port 8080)
- Write a Burp Suite extension that stores every vulnerability reported by the Burp Scanner module in a SQLite database
- Before testing, QA adds the URLs under test to Burp's scope
- After testing, QA opens a results page to review the security findings
0x02 Burp Suite extension
The extension implements IScannerListener and receives every scan result through its newScanIssue callback; each result is an IScanIssue, whose interface is shown below.
```java
package burp;

/*
 * @(#)IScanIssue.java
 *
 * Copyright PortSwigger Ltd. All rights reserved.
 *
 * This code may be used to extend the functionality of Burp Suite Community Edition
 * and Burp Suite Professional, provided that this usage does not violate the
 * license terms for those products.
 */

/**
 * This interface is used to retrieve details of Scanner issues. Extensions can
 * obtain details of issues by registering an
 * <code>IScannerListener</code> or by calling
 * <code>IBurpExtenderCallbacks.getScanIssues()</code>. Extensions
 * can also add custom Scanner issues by registering an
 * <code>IScannerCheck</code> or calling
 * <code>IBurpExtenderCallbacks.addScanIssue()</code>, and providing their own
 * implementations of this interface. Note that issue descriptions and other
 * text generated by extensions are subject to an HTML whitelist that allows
 * only formatting tags and simple hyperlinks.
 */
public interface IScanIssue
{
    /**
     * This method returns the URL for which the issue was generated.
     *
     * @return The URL for which the issue was generated.
     */
    java.net.URL getUrl();

    /**
     * This method returns the name of the issue type.
     *
     * @return The name of the issue type (e.g. "SQL injection").
     */
    String getIssueName();

    /**
     * This method returns a numeric identifier of the issue type. See the Burp
     * Scanner help documentation for a listing of all the issue types.
     *
     * @return A numeric identifier of the issue type.
     */
    int getIssueType();

    /**
     * This method returns the issue severity level.
     *
     * @return The issue severity level. Expected values are "High", "Medium",
     * "Low", "Information" or "False positive".
     */
    String getSeverity();

    /**
     * This method returns the issue confidence level.
     *
     * @return The issue confidence level. Expected values are "Certain", "Firm"
     * or "Tentative".
     */
    String getConfidence();

    /**
     * This method returns a background description for this type of issue.
     *
     * @return A background description for this type of issue, or
     * <code>null</code> if none applies. A limited set of HTML tags may be
     * used.
     */
    String getIssueBackground();

    /**
     * This method returns a background description of the remediation for this
     * type of issue.
     *
     * @return A background description of the remediation for this type of
     * issue, or <code>null</code> if none applies. A limited set of HTML tags
     * may be used.
     */
    String getRemediationBackground();

    /**
     * This method returns detailed information about this specific instance of
     * the issue.
     *
     * @return Detailed information about this specific instance of the issue,
     * or <code>null</code> if none applies. A limited set of HTML tags may be
     * used.
     */
    String getIssueDetail();

    /**
     * This method returns detailed information about the remediation for this
     * specific instance of the issue.
     *
     * @return Detailed information about the remediation for this specific
     * instance of the issue, or <code>null</code> if none applies. A limited
     * set of HTML tags may be used.
     */
    String getRemediationDetail();

    /**
     * This method returns the HTTP messages on the basis of which the issue was
     * generated.
     *
     * @return The HTTP messages on the basis of which the issue was generated.
     * <b>Note:</b> The items in this array should be instances of
     * <code>IHttpRequestResponseWithMarkers</code> if applicable, so that
     * details of the relevant portions of the request and response messages are
     * available.
     */
    IHttpRequestResponse[] getHttpMessages();

    /**
     * This method returns the HTTP service for which the issue was generated.
     *
     * @return The HTTP service for which the issue was generated.
     */
    IHttpService getHttpService();
}
```
As the interface shows, the IScanIssue handed to newScanIssue carries everything the scanner found about an issue, for example:
1. java.net.URL getUrl(); the scanned URL
2. String getIssueName(); the issue type, e.g. "SQL injection"
3. String getSeverity(); the severity: "High", "Medium", "Low", "Information" or "False positive"
4. String getConfidence(); the confidence: "Certain", "Firm" or "Tentative"
5. String getIssueBackground(); background description of the issue type
6. String getIssueDetail(); details of this specific instance
7. IHttpRequestResponse[] getHttpMessages(); the request/response pairs that evidence the issue
The extension reads these values and writes them to the database.
Full code:
```python
from burp import IBurpExtender
from burp import IScannerListener
from java.io import PrintWriter
from threading import Thread
from java.lang import Class
from java.sql import DriverManager, SQLException
import time


def _or_none(value):
    # Burp returns null for optional text fields; store a readable placeholder instead
    return value if value else "none"


def _printable(data):
    # Java byte arrays are signed; keep only bytes in the printable positive range
    # (non-ASCII bytes are dropped, as in the original extension)
    return "".join(chr(b) for b in data if 0 < b < 255)


class BurpExtender(IBurpExtender, IScannerListener):

    def registerExtenderCallbacks(self, callbacks):
        # keep a reference to our callbacks object
        self._callbacks = callbacks
        # set our extension name
        callbacks.setExtensionName("scann_test")
        # obtain our output stream
        self._stdout = PrintWriter(callbacks.getStdout(), True)
        self._helpers = callbacks.getHelpers()
        # register ourselves as a scanner listener
        callbacks.registerScannerListener(self)

    def newScanIssue(self, issue):
        # issue.getConfidence() is "Certain", "Firm" or "Tentative"
        # The table must exist in d:/scanner.db before the extension is loaded:
        # CREATE TABLE `scanner` (`id` INTEGER PRIMARY KEY, `time` varchar(100),
        #   ip varchar(50), `url` varchar(30), `degree` varchar(30), `level` varchar(100),
        #   `detail` text, `issueType` varchar(200), `issueBackground` text,
        #   `remediationBackground` text, `remediationDetail` text, `requests` text,
        #   `response` text, issueName varchar(50))
        if not issue.getConfidence():
            return
        # the sqlite-jdbc driver jar must be on the Jython classpath (Extender -> Options)
        Class.forName("org.sqlite.JDBC").newInstance()
        JDBC_URL = "jdbc:sqlite:%s" % ("d:/scanner.db")
        dbConn = DriverManager.getConnection(JDBC_URL)
        sql = ("insert into `scanner` (time,ip,url,degree,level,detail,issueType,"
               "issueBackground,remediationBackground,remediationDetail,requests,"
               "response,issueName) values(?,?,?,?,?,?,?,?,?,?,?,?,?);")
        preStmt = dbConn.prepareStatement(sql)
        current_time = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())

        # concatenate every evidence request/response, separated by a divider line
        requests = ""
        response = ""
        for message in issue.getHttpMessages():
            requests += _printable(message.getRequest())
            requests += "\n--------------------------\n"
            # getResponse() is null when no response was received
            if message.getResponse() is not None and len(message.getResponse()) != 0:
                response += _printable(message.getResponse())
                response += "\n--------------------------\n"

        ip = issue.getHttpService().getHost()
        detail = _or_none(issue.getIssueDetail())
        issueBackground = _or_none(issue.getIssueBackground())
        remediationBackground = _or_none(issue.getRemediationBackground())
        remediationDetail = _or_none(issue.getRemediationDetail())

        try:
            preStmt.setString(1, str(current_time))
            preStmt.setString(2, str(ip))
            preStmt.setString(3, str(issue.getUrl()))
            preStmt.setString(4, str(issue.getConfidence()))
            preStmt.setString(5, str(issue.getSeverity()))
            preStmt.setString(6, str(detail))
            preStmt.setString(7, str(issue.getIssueType()))
            preStmt.setString(8, str(issueBackground))
            preStmt.setString(9, str(remediationBackground))
            preStmt.setString(10, str(remediationDetail))
            preStmt.setString(11, str(requests))
            preStmt.setString(12, str(response))
            preStmt.setString(13, str(issue.getIssueName()))
            preStmt.addBatch()
            dbConn.setAutoCommit(False)
            preStmt.executeBatch()
            dbConn.setAutoCommit(True)
        finally:
            preStmt.close()
            dbConn.close()

        # echo the stored record to the extension's output tab
        self._stdout.println("time:")
        self._stdout.println(current_time)
        self._stdout.print("ip")
        self._stdout.println(ip)
        self._stdout.println("qudingchengdu:" + issue.getConfidence())
        self._stdout.print("url:")
        self._stdout.println(issue.getUrl())
        self._stdout.println(issue.getIssueName())
        self._stdout.println("level:" + issue.getSeverity())
        self._stdout.print("detail:")
        self._stdout.println(detail)
        self._stdout.println("getIssueType():")
        self._stdout.println(issue.getIssueType())
        self._stdout.print("getIssueBackground")
        self._stdout.println(issueBackground)
        self._stdout.print("getRemediationBackground():")
        self._stdout.println(remediationBackground)
        self._stdout.print("getRemediationDetail():")
        self._stdout.println(remediationDetail)
        self._stdout.println("---------------------------")
```
0x03 Burp Suite scan results (as stored in the database)
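The results page QA opens after testing only needs to query the `scanner` table the extension fills. The following is an added example, not part of the original post: a plain CPython script that builds the same table, loads a few constructed findings, and produces the per-host view a QA engineer would want, dropping "False positive" rows and anything below the chosen confidence and collapsing a finding that Burp reported several times for the same URL. The sample rows and the issueType value "0" are constructed placeholders.

```python
import sqlite3

# Same table the extension writes into (from the CREATE TABLE comment above).
SCHEMA = ("CREATE TABLE IF NOT EXISTS scanner (id INTEGER PRIMARY KEY, time varchar(100), "
          "ip varchar(50), url varchar(30), degree varchar(30), level varchar(100), detail text, "
          "issueType varchar(200), issueBackground text, remediationBackground text, "
          "remediationDetail text, requests text, response text, issueName varchar(50))")
INSERT = ("INSERT INTO scanner (time,ip,url,degree,level,detail,issueType,issueBackground,"
          "remediationBackground,remediationDetail,requests,response,issueName) "
          "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)")
# Burp severities, most urgent first; used to order each host's findings.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Information": 3, "False positive": 4}

def row(ip, path, degree, level, name):
    # constructed sample finding; issueType "0" is a placeholder, not a real Burp id
    return ("2024-01-01 10:00:00", ip, "http://%s%s" % (ip, path), degree, level,
            "", "0", "", "", "", "", "", name)

SAMPLE_ROWS = [
    row("10.0.0.5", "/login", "Certain", "High", "SQL injection"),
    row("10.0.0.5", "/login", "Certain", "High", "SQL injection"),  # reported twice
    row("10.0.0.5", "/search", "Tentative", "High", "Cross-site scripting (reflected)"),
    row("10.0.0.5", "/", "Certain", "Low", "Cookie without HttpOnly flag set"),
    row("10.0.0.5", "/", "Certain", "False positive", "Directory listing"),
    row("10.0.0.6", "/signin", "Firm", "Medium", "Cleartext submission of password"),
]

def open_db(path, sample=False):
    # open (or create) the scanner database; optionally load the constructed rows
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    if sample:
        conn.executemany(INSERT, SAMPLE_ROWS)
        conn.commit()
    return conn

def summarize(conn, confidences=("Certain", "Firm")):
    """{host: [(severity, issueName, url, hits), ...]}: drops false positives and
    low-confidence findings, collapses repeats, sorts each host by severity."""
    marks = ",".join("?" * len(confidences))
    rows = conn.execute(
        "SELECT ip, level, issueName, url, COUNT(*) FROM scanner "
        "WHERE level != 'False positive' AND degree IN (%s) "
        "GROUP BY ip, level, issueName, url" % marks, confidences).fetchall()
    report = {}
    for ip, level, name, url, hits in rows:
        report.setdefault(ip, []).append((level, name, url, hits))
    for findings in report.values():
        findings.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 99), f[1], f[2]))
    return report

if __name__ == "__main__":
    print(summarize(open_db(":memory:", sample=True)))
```

Point `open_db` at the extension's `d:/scanner.db` (without `sample=True`) to run it against real scan output; passing `confidences=("Certain", "Firm", "Tentative")` shows the tentative findings too.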
0x04 Open issues
- Have the scanner skip js, jpg and similar static files during scanning
- Add the URLs under test to the scope automatically