Security research involves a lot of failure. It’s a perpetual balancing act between taking small steps with a predictable but boring outcome, and trying out wild concepts that are so crazy they might just work… but probably won’t.
安全研究涉及很多失败。这是一个永恒的平衡行为,既要采取可预测但无聊的结果的小步骤,又要尝试疯狂的概念,这些概念太疯狂了,可能会起作用……但可能不会。
At PortSwigger Research, we’ve observed that making it easy to try out wild ideas is really valuable, because it minimises the cost of failure, encouraging ambitious experiments and leading to exciting discoveries.
在PortSwigger Research,我们观察到,让尝试疯狂想法变得容易真的很有价值,因为它最大限度地减少了失败的成本,鼓励了雄心勃勃的实验,并带来了令人兴奋的发现。
We try many of our ideas out by coding custom Burp extensions, and running them on a 20gb project file which contains the homepage of ~every website that we’re legally allowed to test. You can find more details on how we generate this project file in Cracking the Lens.
我们通过编写自定义 Burp 扩展来尝试我们的许多想法,并在一个 20gb 的项目文件上运行它们,该文件包含我们合法允许测试的 ~每个网站的主页。您可以在 Cracking the Lens 中找到有关如何生成此项目文件的更多详细信息。
Burp Suite recently launched a powerful new feature called Bambdas that lets users code mini-extensions directly inside the proxy, complete with code-autocomplete, syntax-highlighting and instant evaluation. We quickly found that this made it even easier to mine the project file for vulnerabilities by eliminating the need to use a separate IDE and providing instant feedback.
Burp Suite 最近推出了一项名为 Bambdas 的强大新功能,允许用户直接在代理中编写迷你扩展,并完成代码自动完成、语法突出显示和即时评估。我们很快发现,由于无需使用单独的 IDE 并提供即时反馈,这使得挖掘项目文件中的漏洞变得更加容易。
We quickly ended up with a bunch of Bambdas for spotting HTTP endpoints exhibiting unusual behaviour – here’s a few of our favourites which flagged at least one real website:
我们很快就得到了一堆 Bambdas,用于发现表现出异常行为的 HTTP 端点 – 以下是我们最喜欢的一些标记至少一个真实网站的端点:
Large redirect responses 大型重定向响应
This Bambda will flag redirect responses with a body over 1000 bytes – this can indicate sites that forgot to terminate script execution when the user fails authentication, typically leading to information disclosure:
此 Bambda 将标记正文超过 1000 字节的重定向响应 – 这可能表示当用户身份验证失败时忘记终止脚本执行的站点,通常会导致信息泄露:
return requestResponse.hasResponse() &&
requestResponse.response().statusCode() <= 399 &&
requestResponse.response().statusCode() >= 300 &&
requestResponse.response().body().length() > 1000;
Responses with multiple </html> tags
具有多个标签的响应
What if a page fails to exit a script at the right point, but isn’t serving a redirect response? In some cases this will result in the response containing multiple closing HTML tags. Our initial attempt to find these got a bunch of false positives from JavaScript files so we filtered those out by only showing responses with a HTML content-type. This approach revealed a page that we’re pretty sure is meant to be behind authentication, and a completely unexpected source code leak.
如果页面未能在正确的时间点退出脚本,但没有提供重定向响应,该怎么办?在某些情况下,这将导致响应包含多个结束 HTML 标记。我们最初试图找到这些结果时,会从 JavaScript 文件中得到一堆误报,因此我们通过仅显示具有 HTML 内容类型的响应来过滤掉这些误报。这种方法揭示了一个我们非常确定的页面,该页面应该位于身份验证后面,并且完全出乎意料地泄露了源代码。
return requestResponse.response().statedMimeType() == MimeType.HTML &&
utilities().byteUtils().countMatches(
requestResponse.response().body().getBytes(), "</html>".getBytes()) > 1;
Incorrect content-length 内容长度不正确
I love to exploit sketchy HTTP middleware and one thing some of the worst middleware does is inject extra content into responses but fail to correct the Content-Length. This one is super easy to detect:
我喜欢利用粗略的HTTP中间件,一些最糟糕的中间件所做的一件事就是在响应中注入额外的内容,但无法纠正Content-Length。这个非常容易检测:
int realContentLength = requestResponse.response().body().length();
int declaredContentLength = Integer.parseInt(
requestResponse.response().headerValue("Content-Length"));
return declaredContentLength != realContentLength;
Malformed HTTP header HTTP 标头格式不正确
Finally, I decided to look for responses containing a space in the header name. I wasn’t really looking for anything in particular, and it yielded a bunch of servers running SMTP on port 443!
最后,我决定查找标头名称中包含空格的响应。我并不是真的在寻找任何特别的东西,它产生了一堆在端口 443 上运行 SMTP 的服务器!
return requestResponse.response().headers().stream().anyMatch(
e -> e.name().contains(" "));
I’ll pass you over to Gareth now for some of his.
我现在把你交给加雷斯,让他听一些。
Find all JSON endpoints with no or text/html mime type
查找所有没有 TEXT / html MIME 类型的 JSON 终结点
I absolutely love Bambdas and as James mentioned they provide a quick way to easily test your proxy history and find interesting nuggets that have been missed by standard filtering. When writing a Bambda it’s useful to have a question in mind. One of those questions was “What sites are still using an invalid content-type for JSON responses?”. Browsers nowadays are pretty strict when it comes to content sniffing however, if a site declares a text/html mime type with JSON data HTML will be rendered of course! I wrote a couple of lines of code and in no time I was finding stuff that I didn’t know existed in my massive project file.
我非常喜欢 Bambdas,正如 James 所提到的,它们提供了一种快速的方法来轻松测试您的代理历史记录并找到标准过滤遗漏的有趣金块。在写 Bambda 时,记住一个问题是很有用的。其中一个问题是“哪些网站仍在使用无效的内容类型进行 JSON 响应?现在的浏览器在内容嗅探方面非常严格,但是,如果一个网站声明了一个带有 JSON 数据的 text/html mime 类型,HTML 当然会被呈现出来!我写了几行代码,很快就找到了我不知道存在于我庞大的项目文件中的东西。
if(!requestResponse.hasResponse()) {
return false;
}
var response = requestResponse.response();
if (response.hasHeader("Content-Type")) {
if (!response.headerValue("Content-Type").contains("text/html")) {
return false;
}
}
String body = response.bodyToString().trim();
boolean looksLikeJson = body.startsWith(“{“) || body.startsWith(“[“);
if(!looksLikeJson) {
return false;
}
return true;
Find all GraphQL endpoints
查找所有 GraphQL 端点
Next I need to find a lot of GraphQL endpoints for some testing I was doing. Using traditional filtering you can find common endpoints that for example contain /graphql, but what happens when you want to find endpoints that are not at a common location? This is where Bambdas come in, you can use a couple lines of Java to find parameters named “query” and the value contains a new line. Wham and there are a load of non-standard endpoints for testing!
接下来,我需要找到很多 GraphQL 端点来进行一些测试。使用传统筛选,您可以找到包含 /graphql 的常见端点,但是当您想要查找不在公共位置的端点时,会发生什么情况?这就是 Bambdas 的用武之地,您可以使用几行 Java 来查找名为“query”的参数,并且该值包含一个新行。哇,还有一大堆非标准端点用于测试!
var req = requestResponse.request();
if(!req.hasParameters()) {
return false;
}
var types = new HttpParameterType[]{
HttpParameterType.JSON, HttpParameterType.BODY, HttpParameterType.URL
};
for(HttpParameterType type: types) {
if(req.hasParameter(“query”, type)) {
var value = req.parameterValue(“query”, type);
if(type == HttpParameterType.JSON) {
if(value.contains(“\\n”)) {
return true;
}
} else {
if(value.toLowerCase().contains(“%0a”)) {
return true;
}
}
}
}
return false;
Find JSONP for CSP bypass
查找用于 CSP 旁路的 JSONP
Let’s say you’ve got XSS but the site is protected by CSP, what you need to do is find scripts on the site that you can control because the CSP allows “same site” script resources. You can easily do this with a Bambda! The next Bambda looks for JSONP endpoints. It first looks for a parameter that looks like a callback with 4 or more characters. Then it searches the response to see if it’s reflected with an opening parenthesis. This was surprisingly effective and found lots of JSONP for me!
假设你有 XSS,但站点受 CSP 保护,你需要做的是在站点上查找可以控制的脚本,因为 CSP 允许“同一站点”脚本资源。你可以用Bambda轻松做到这一点!下一个 Bambda 查找 JSONP 端点。它首先查找一个看起来像具有 4 个或更多字符的回调的参数。然后,它会搜索响应,查看它是否用左括号反映。这出乎意料地有效,并为我找到了很多 JSONP!
var req = requestResponse.request();
var res = requestResponse.response();
var paramRegex = Pattern.compile("^[a-zA-Z][.\\w]{4,}$");
if(res == null || res.body().length() == 0) return false;
if(!req.hasParameters()) return false;
var body = res.bodyToString().trim();
var params = req.parameters();
for(var param: params) {
var value = param.value();
if(param.type() != HttpParameterType.URL)continue;
if(paramRegex.matcher(value).find()) {
var start = “(?:^|[^\\w’\”.])”;
var end = “\\s*[(]”;
var callbackRegex = Pattern.compile(start+Pattern.quote(value)+end);
if(callbackRegex.matcher(body).find())return true;
}
}
return false;
Conclusion 结论
All these Bambdas put together represents under an hour of R&D time, enabling some really playful research. We’re excited to see what the rest of the community unearths over the coming months, and we’re building a curated repo of the best at https://github.com/PortSwigger/bambdas.
所有这些Bambdas加在一起代表了不到一个小时的研发时间,使一些非常有趣的研究成为可能。我们很高兴看到社区的其他成员在未来几个月内发掘出什么,我们正在构建一个精选的 https://github.com/PortSwigger/bambdas 最佳存储库。
原文始发于James Kettle 詹姆斯·凯特尔:Finding that one weird endpoint, with Bambdas
相关文章
