Commit b14ed9c (1 parent: 2740f53)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 27 additions and 4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,32 @@ | ||
Burpy v0.1 | ||
===== | ||
=========== | ||
|
||
This portable python tool,parses Burp Suite (http://portswigger.net) log and performs series of tests and finally generate HTML report. | ||
|
||
This portable python tool,parses Burp Suite (http://portswigger.net) log and performs series of tests and generate HTML report. | ||
Using this library you can easily manipulate (Add remove headers , parameter ,change methods) raw http requests on the fly. | ||
|
||
This tool also includes on raw http request manipulation library (rawweb.py). | ||
You can easily write your own module specific to any web application. One example is given below. | ||
|
||
Using this library you can easily manupulate (Add remove headers , parameter , methods) raw http requests. | ||
Below mentioned burpy module adds a new header to any request, remove Referrer header from request, remove csrf token from request and fire the request. | ||
If generic CSRF error is returned, it means token validation is present in server side. If server respond is a different manner it log this crafted request in html report. | ||
|
||
|
||
from rawweb import * | ||
def main(raw_stream,ssl): # create a mail subroutine (mandatory) | ||
title = ["Possible XSRF", #Test title for reporting when test is successful | ||
"Removed XSRF token from request"]# Brief description of test how you are manipulating the request(Will help you to reproduce issues) | ||
raw = RawWeb(raw_stream) # Initiate rawweb library | ||
raw.addheaders({'Header1':'Value1'}) # Add new headers to that request | ||
raw.removeheaders(['Referrer']) # Remove Referrer header if exist in raw request | ||
final = raw.removeparam("auth_token") # final will hold the final request to be fired.(For reporting) | ||
result = raw.fire(ssl) | ||
#result[0] => 200 => Integer | ||
#result[1] => OK => String | ||
#result[2] => Response headers => dictionary | ||
#result[3] => body => string | ||
if 'csrf error' in body: | ||
# Generic CSRF error is in response body. Hence return "FALSE" | ||
return "FALSE" | ||
else: | ||
# As the generic csrf error is not present in body, treat this as suspicious and +ve result. | ||
return title,final,result[0],result[1],result[2],result[3] |
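Review bot: `if 'csrf error' in body:` tests a name that is never defined anywhere in the module; the comment two lines above says the response body is `result[3]`, so as written the example raises NameError on the first request instead of performing the check. Assign `body = result[3]` before the `if`, or test `result[3]` directly. Two smaller points in the same block: `raw.removeheaders(['Referrer'])` will not strip the request's Referer header, because the HTTP header name is spelled `Referer`, so the "remove Referrer header" step described in the prose is a no-op against real Burp logs; and the comment on `def main(raw_stream,ssl)` should read "main subroutine", not "mail". Finally, because the test reports a positive for every response that does not contain the literal lowercase string 'csrf error', it will flag any application whose token-validation error is worded or cased differently; comparing the status, headers and body of the modified request against those of the unmodified request from the same log entry would make the "server responds in a different manner" condition the README describes much less prone to false positives.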