"HeaderScan" Burp Pro Plugin (http://portswigger.net/burp/extender/)
HedaerScan is a Burp Pro plugin that extends a scope of an automated web scan with some very promissing entry points.
Certain web apps process particular HTTP headers, that aren't necessarily present in a typical Browser generated requests (especially when you are analyzing them form an unauthenticated surface). From my proffesional experience I have already pwn'ed few applications with this approach, so I thought it would be good to automate this in some way.
So what does it do?
It takes every original HTTP request that goes into your Burp ActiveScan queue and automatically generates extra scanning tasks (with an additional header to fuzz).
As a result for every resource in your testing scope, you will let Burp addditionally scan values of the following headers (taken from HTTP RFC):
{"X-Sfg-Data","Accept","Accept-Charset","Accept-Encoding",
"Accept-Language","Accept-Datetime","Authorization",
"Cache-Control","Connection","Cookie","Content-Length"
,"Content-MD5","Content-Type","Date" ,"Expect","From",
"Host","If-Match","If-Modified-Since","If-None-Match",
"If-Range","If-Unmodified-Since","Max-Forwards","Pragma",
"Proxy-Authorization","Range","Referer","TE","Upgrade",
"User-Agent","Via","Warning","X-Requested-With",
"DNT","X-Forwarded-For","X-Forwarded-Proto",
"Front-End-Https","x-att-deviceid","x-wap-profile",
"Proxy-Connection"};
- It's written in Java, so you can try it without any additional setup.
- It will fuzz only Headers that aren't present in the original request (blind fuzzing)
- It will generate additional scan only once for every URI (excluding parameters).
- You can disable it (config tab) or just use send_to menu option :P
- No ads, and backdoors included.
Lets say that we want to send to ActiveScan queue the following request:
GET / HTTP/1.1
Host: www.example.pl
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
HeaderScan will generate additional active scan tasks (32 - for every header that isn't present in the original request). Each scan will have a predefined scanning offset, so only header values are analyzed by Burp :
GET / HTTP/1.1
Host:www.example.pl
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-US,en;q=0.5
Accept-Encoding:gzip, deflate
Cookie:PREF=ID=cc48904a176c0c3f
Connection:keep-alive
If-Match:FUZZME
Only FUZZME will be fuzzed by Burp.
Use either the compiled version in dist directory or use the whole project file in Netbeans.