bscan 2.0.1 → 3.0.0

data/lib/bscan/modules/injector.rb

@@ -1,5 +1,15 @@
 require 'bscan/utils/bscan_helper.rb'
 
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 module Injector
   
   COMMENT_START='# '
@@ -13,13 +23,18 @@ module Injector
     @prop_pref += args[2] + '.' if args[2] && args[2].length > 0
     @mid = args[2]?"Injector.#{args[2]}.":'Injector.' 
     msg = args[1]
-
+    
     if not msg
       inject_to_pattern
       return
     end
     
-    url = msg.url.dup.to_s
+    msg_info = @burp_cb.getHelpers().analyzeRequest(msg)
+    msg_body = msg.getRequest()[msg_info.getBodyOffset()..-1]
+    msg_hdrs = msg_info.getHeaders()
+    msg_url = msg_info.getUrl().toString()
+    
+    url = msg_url.dup.to_s
     Log 2, "#{@mid}run for #{url}"
     begin
       if (url =~ /([^?]+)\?(.+)/)
@@ -48,7 +63,7 @@ module Injector
         injs.close
       end
       
-      inject_to_body msg if @config['bscan.injector.one.inject_to_body'] == 'true'
+      inject_to_body(msg, msg_hdrs) if @config['bscan.injector.one.inject_to_body'] == 'true'
       
     rescue Exception => e
       Log 0, "#{@mid}run Exception: #{e.message}"
@@ -69,6 +84,7 @@ module Injector
       file = open_in_path(f)
       req = file.read
       req.gsub!(/\^M\n/,"\r\n")
+      replace_params(req)
       file.close
 
       injs = open_in_path(@config[prop('file')])
@@ -97,10 +113,10 @@ module Injector
     
   end
  
-  def inject_to_body msg
+  def inject_to_body msg,msg_hdrs
     scanf = false
-    Log 2, "#{@mid}inject_to_body req: #{msg.req_str}"
-    msg.request_headers.each do |a|
+    Log 2, "#{@mid}inject_to_body req: #{msg.getRequest()}"
+    msg_hdrs.each do |a|
      Log 2, "#{@mid}inject_to_body hdr: #{a[0]} #{a[1]}"
      if a.size > 1 and a[0] =~ /content-type/i and a[1] =~ /application\/x-www-form-urlencoded/i
         scanf = true
@@ -108,7 +124,7 @@ module Injector
       end
     end  
     return if not scanf
-    m=msg.req_str.match(/\r?\n\r?\n/)
+    m=msg.getRequest().match(/\r?\n\r?\n/)
     return if m.size < 1
     start_pos = m.end(0)
 
@@ -119,8 +135,8 @@ module Injector
         next if (l =~ /^#{COMMENT_START}/ or l.length < 1)
         Log 2, "#{@mid}inject_to_body injecting: #{l}"
         pos=start_pos
-        while (m=msg.req_str.match(/([^=]+)=([^=]+)/,pos)) 
-          req = msg.req_str[0..m.begin(2)-1] + l + msg.req_str[m.end(2)..-1]
+        while (m=msg.getRequest().match(/([^=]+)=([^=]+)/,pos)) 
+          req = msg.getRequest()[0..m.begin(2)-1] + l + msg.getRequest()[m.end(2)..-1]
           req.sub!(/content-length\s*:\s*\d+/i, "Content-Length: "+(req.length-start_pos).to_s)
           Log 2, "#{@mid}inject_to_body #{pos} #{req}"
           @activity[0]=true

data/lib/bscan/modules/jboss_vulns.rb

@@ -1,5 +1,15 @@
 require 'bscan/utils/bscan_helper.rb'
 
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 module JbossVulns
 
   def run *args

data/lib/bscan/modules/kill_apache.rb

@@ -5,6 +5,16 @@ require "timeout"
 
 require 'bscan/utils/bscan_helper.rb'
 
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 module KillApache
   def run *args
     @config ||= @bscan_config

data/lib/bscan/modules/many_threads.rb

@@ -1,5 +1,15 @@
 require 'bscan/utils/bscan_helper.rb'
 
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 module ManyThreads
 
   def run *args

data/lib/bscan/modules/slowloris.rb

@@ -5,6 +5,16 @@ require "openssl"
 
 require 'bscan/utils/bscan_helper.rb'
 
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 module Slowloris
   
   def run *args

data/lib/bscan/utils/bscan_helper.rb

@@ -5,7 +5,16 @@ require "openssl"
 require "uri"
 
 
-
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+  
 class String
   def camelize
     self.split(/[^a-z0-9]/i).map{|w| w.capitalize}.join
@@ -18,6 +27,8 @@ end
 module BscanHelper
 
   attr_reader :modules_only
+  attr_reader :url_prefs
+  attr_reader :run_proxy
   attr_reader :bscan_config
   attr_accessor :stat
   attr_accessor :activity
@@ -48,6 +59,10 @@ module BscanHelper
     end
   end
   
+  def get_bool_prop nm
+    @bscan_config[nm] == 'true' or @bscan_config[nm] == 'yes'
+  end
+  
   def copy_vars from
     from.instance_variables.each do |nm| 
       self.instance_variable_set(nm, from.instance_variable_get(nm))
@@ -59,6 +74,18 @@ module BscanHelper
       @prop_pref + nm   
   end
   
+  def get_action
+    actions = @bscan_config['bscan.action']
+    actions = [actions] if not actions.kind_of?(Array)
+    actions
+  end
+  
+  def get_action_params
+    params = @bscan_config['bscan.action_params']
+    params = [params] if not params.kind_of?(Array)
+    params
+  end
+  
   def get_par k,defv,str=false
     p = @bscan_config[prop(k)] 
     p = p.to_i if !str && p && p.to_i.to_s == p
@@ -102,7 +129,7 @@ module BscanHelper
 #    msg.url = trg
     path = $1 if trg =~ /\/\/[^\/]+(\/.*)/
     path = '/' if (not path) or (path.length < 1)
-    req = msg.req_str.sub(/(GET|POST|)\s*(.+)\s*HTTP/, "\\1 #{path} HTTP")
+    req = msg.getRequest().to_s.sub(/(POST|GET|DELETE|PUT|TRACE|HEAD)\s*(.+)\s*HTTP/, "\\1 #{path} HTTP")
     
     send_req req, msg.getProtocol, inj
     
@@ -114,13 +141,24 @@ module BscanHelper
       port = '80' if proto == 'http'
       port = '443' if proto == 'https'
     end  
-    path = $2 if req =~/(GET|POST|)\s+(.+)\s+HTTP/
+    path = $2 if req =~/(POST|GET|DELETE|PUT|TRACE|HEAD)\s+(.+)\s+HTTP/
     ["#{proto}://#{host}:#{port}"+path,host,port.to_i]
   end
+  
+  def excluded? u
+    exts = @burp_config['target.hideextensionsitems']
+    if exts
+      exts.split(',').each do |ex|
+        return true if u =~ /.*\.#{ex}$/i 
+      end
+    end
+    false
+  end
 
   def send_only req, proto, inj
      begin
       trg,host,port = get_url_host_port req,proto
+      return nil if excluded? trg
       https = proto == "https" ? true : false
       start = Time.now   
       Log 2, "#{@mid}send_req make_req: '#{trg}' '#{host}' '#{port}'\n#{req}"
@@ -178,7 +216,7 @@ module BscanHelper
     path = uri.path 
     path += '?' + uri.query if uri.query 
     make_request_socket host, port, ('https'==proto),
-      req.sub(/^(POST|GET)\s+\/[^\s]+/, "\\1 #{path}")
+      req.sub(/^(POST|GET|DELETE|PUT|TRACE|HEAD)\s+\/[^\s]+/, "\\1 #{path}")
   end
   
   
@@ -214,6 +252,7 @@ module BscanHelper
   
   def send_req req, proto, inj
       rsp,rt,trg,host,port = send_only req, proto, inj
+      return if not rsp
       https = proto == "https" ? true : false
       if not @modules_only
         Log 2, "#{@mid}send_req do_passive: '#{trg}' '#{host}' '#{port}'\n#{req}\n#{rsp}"
@@ -242,7 +281,7 @@ module BscanHelper
     if (mt and mt > 0 and time > mt)
       issue = Issue.new "#{@mid.chop}: Long Response Time", u, "Medium", "Retest", req, rsp, "Response time is longer that #{mt}"
     end
-    if (rsp =~ /#{esc(inj)}/  and @config[prop('check_replay')]=='true')
+    if (rsp =~ /#{esc(inj)}/  and @config[prop('check_replay')]=='true') and inj.size >= 5 and inj =~ /[<>]/
       issue = Issue.new "#{@mid.chop}: Possible XSS", u, "High", "Retest", req, rsp, "The following input has been replayed in a response #{inj}"
     end
     
@@ -302,6 +341,21 @@ module BscanHelper
       end
     end
   end    
+  
+  def get_rr obj, method
+    if obj.respond_to? method
+      obj.send(method)
+    else
+      case method
+      when 'req_str'
+        obj.getRequest().to_s
+      when 'rsp_str'
+        obj.getResponse().to_s
+      else
+        'ERROR: METHOD NOT DEFINED'
+      end
+    end      
+  end
 
   def write_issue_state issue
 #   Log 2,"INSPECT: #{issue.http_messages[0].methods}  #{issue.http_messages[0].inspect}  #{issue.http_messages[0].to_s} "
@@ -311,7 +365,7 @@ module BscanHelper
     @stat['low'] += 1 if issue.severity =~ /Low/i
     @stat['urls'] += "  #{issue.url}\n"
     
-    Log 2,"BscanHelper.write_issue_state #{not @istream} #{issue.http_messages[0].methods}  #{issue.http_messages[0].to_s} "
+    Log 2,"BscanHelper.write_issue_state #{not @istream} #{issue.http_messages[0].methods}  #{get_rr(issue.http_messages[0],'req_str')}  #{get_rr(issue.http_messages[0],'rsp_str')}"
     @istream or return
     begin 
       @istream.println '#'*70
@@ -320,8 +374,8 @@ module BscanHelper
       @istream.println "Background: #{issue.issue_background}"
       @istream.println "Details: #{issue.issue_detail}" 
       @istream.println "Remediation: #{issue.remediation_background}"
-      @istream.println "Request: #{issue.http_messages[0].req_str}" 
-      @istream.println "Response: #{issue.http_messages[0].rsp_str}"
+      @istream.println "Request: #{get_rr(issue.http_messages[0],'req_str')}" 
+      @istream.println "Response: #{get_rr(issue.http_messages[0],'rsp_str')}"
       # sync_save_state issue throws exceptions
       @istream.flush 
     rescue Exception => e
@@ -377,7 +431,7 @@ module BscanHelper
           Process.exit!(2)
         end
     else
-      @log = $stdout
+      @log = java.lang.System.out
     end
 
     Log 2, "BscanHelper.init_internals CMD_PARAMS: #{@cmd_params}"
@@ -385,10 +439,14 @@ module BscanHelper
       Log 2,"BscanHelper.init_internals #{k}:#{v}"
     end
     
+    @burp_cb = nil
     @bscan_config = @cmd_params['bscan_config']
     @burp_config = @cmd_params['burp_config']
     @issues = @bscan_config['bscan.issues']
     @modules_only = (@bscan_config['bscan.modules_only'] and @bscan_config['bscan.modules_only'] == 'true') 
+    @run_proxy ||= (@bscan_config['bscan.run_proxy'] and @bscan_config['bscan.run_proxy'] == 'true') 
+    @url_prefs ||= @bscan_config['bscan.report_url_prefix']
+    @url_prefs = [@url_prefs] if @url_prefs and not @url_prefs.kind_of?(Array)
     @modules ||= @bscan_config['bscan.modules']
     @modules ||= [] if not @modules
     @modules = [@modules] if not @modules.kind_of?(Array)
@@ -423,7 +481,101 @@ module BscanHelper
     @bscan_config[pref + 'static_request'] == 'true'  
   end
   
+  def send_to_spider url
+    url = Java::JavaNet::URL.new(url.to_s) unless url.kind_of?(Java::JavaNet::URL)
+    @burp_cb.sendToSpider(url) if @burp_cb
+  end
+  
+  def do_passive_scan host, port, https, req, resp
+    req = req.to_java_bytes if req.kind_of?(String)
+    resp = resp.to_java_bytes if resp.kind_of?(String)
+    @burp_cb.doPassiveScan(host, port, https, req, resp)  if @burp_cb
+  end
+  
+  def do_active_scan host, port, https, req
+    req = req.to_java_bytes if req.kind_of?(String)
+    @burp_cb.doActiveScan(host, port, https, req)  if @burp_cb
+  end
+  
+  def is_in_scope(url)
+    case url
+       when Java::Burp::IHttpRequestResponse,  Java::Burp::IRequestInfo
+         url = url.getUrl
+       else
+         url = Java::JavaNet::URL.new(url.to_s) unless url.is_a? Java::JavaNet::URL
+    end
+    @burp_cb.isInScope(url)  if @burp_cb
+   end
+  
+  def include_in_scope(url)
+    case url
+       when Java::Burp::IHttpRequestResponse,  Java::Burp::IRequestInfo
+         url = url.getUrl
+       else
+         url = Java::JavaNet::URL.new(url.to_s) unless url.is_a? Java::JavaNet::URL
+    end
+    @burp_cb.includeInScope(url)  if @burp_cb
+  end
+  def save_config
+    @burp_cb.saveConfig().to_hash
+  end
+  def to_map h
+    m = Java.java.util.HashMap.new
+    h.each_pair do |k,v|
+      m.put(k,v)
+    end
+    m
+  end
+  
+  def load_config config,burp_defaults=nil
+    @load_config_flag = true
+    begin
+      @burp_extender.loadConfig(config.to_java, burp_defaults)
+      Log 2, "BscanHelper.load_config finished"
+    rescue Exception => e
+       Log 0, "BscanHelper.load_config\nException: #{e.message}"
+      Log 0,  e.backtrace.join("\n")
+    end
+   @load_config_flag = false
+  end
+  def hdr_nbr params,par
+    start = 0
+    while params['spider.customheader' + start.to_s] and  params['spider.customheader' + start.to_s] != par
+      start += 1
+    end
+    start
+  end
   
+  def add_spider_headers params
+    acts = get_action
+    pars = get_action_params
+    Log 3, "BscanHelper.add_spider_headers #{acts[0]} #{pars[0]}"
+    i = -1
+    acts.each do |a|
+      i += 1
+      case a
+      when 'add_header'
+        start = hdr_nbr params,pars[i]
+        Log 3, "BscanHelper.add_spider_headers #{a} #{pars[i]} #{start}"
+        params['spider.customheader' + start.to_s] = pars[i] if not params['spider.customheader' + start.to_s] 
+      end
+    end
+  end
 
+  def replace_params inp
+    while inp =~ /#\{bscan\.(\w+)\}/ do
+      v = @bscan_config['bscan.global.'+ $1 ]
+      if not v
+        Log 0, "BscanHelper.replace_params can't replace #{$1} was bscan.global.#{$1} defined?" 
+        next   
+      end
+      Log 3, "BscanHelper.replace_params #{$1} -> " + v
+      inp.sub!(/#\{bscan\.(\w+)\}/, v)
+    end
+  end
+  
+  def exit_suite prompt
+    @burp_cb.exitSuite(prompt.to_java(Java::boolean))
+  end
 
-end
+end

data/lib/bscan/utils/mailer.rb

@@ -1,3 +1,14 @@
+
+=begin
+  Copyright (c) 2015, Oleg Gryb
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+=end
+
 require 'net/smtp'
 require 'socket'