buby 1.3.3-java → 1.5.0-java

data/lib/buby/implants/response_info.rb

@@ -0,0 +1,44 @@
+class Buby
+  module Implants
+    # This interface is used to retrieve key details about an HTTP response.
+    # Extensions can obtain an +IResponseInfo+ object for a given response by calling
+    # <code>IExtensionHelpers.analyzeResponse()</code>.
+    #
+    module ResponseInfo
+      # This method is used to obtain details of the HTTP cookies set in the
+      # response.
+      #
+      # @return [ICookie] A list of +ICookie+ objects representing the cookies
+      #   set in the response, if any.
+      #
+      def getCookies
+        __getCookies.tap{|cookies| Buby::Implants::Cookie.implant(cookies.first)}
+      end
+
+      # Install ourselves into the current +IResponseInfo+ java class
+      # @param [IResponseInfo] info
+      #
+      def self.implant(info)
+        unless info.implanted? || info.nil?
+          pp [:implanting, info, info.class] if $DEBUG
+          info.class.class_exec(info) do |info|
+            a_methods = %w{
+              getCookies
+            }
+            a_methods.each do |meth|
+              alias_method "__"+meth.to_s, meth
+            end
+            include Buby::Implants::ResponseInfo
+            a_methods.each do |meth|
+              java_class.ruby_names_for_java_method(meth).each do |ruby_meth|
+                define_method ruby_meth, Buby::Implants::ResponseInfo.instance_method(meth)
+              end
+            end
+            include Buby::Implants::Proxy
+          end
+        end
+        info
+      end
+    end
+  end
+end

data/lib/buby/{extends → implants}/scan_issue.rb

@@ -1,15 +1,14 @@
 require 'uri'
 
 class Buby
-
   class ScanIssuesList < BubyArrayWrapper
     def initialize(obj)
       ScanIssueHelper.implant(obj[0]) if obj.size > 0 
       super(obj)
     end
-
   end
 
+  # @deprecated this will change to the new style in the next release
   module ScanIssueHelper
     # Returns a Ruby URI object derived from the java.net.URL object
     def uri

data/lib/buby/implants/scan_queue_item.rb

@@ -0,0 +1,53 @@
+class Buby
+  module Implants
+
+    # This interface is used to retrieve details of items in the Burp Scanner
+    # active scan queue. Extensions can obtain references to scan queue items by
+    # calling {Buby#doActiveScan}.
+    #
+    module ScanQueueItem
+
+      # This method returns details of the issues generated for the scan queue
+      # item. 
+      # @note different items within the scan queue may contain duplicated
+      #   versions of the same issues - for example, if the same request has
+      #   been scanned multiple times. Duplicated issues are consolidated in the
+      #   main view of scan results. Extensions can register a
+      #   {Buby::ScannerListener} to get details only of unique, newly
+      #   discovered Scanner issues post-consolidation.
+      #
+      # @return [Array<IScanIssue>] Details of the issues generated for the scan
+      #   queue item.
+      #
+      def getIssues
+        __getIssues.tap{|issues| Buby::ScanIssueHelper.implant issues.first}
+      end
+
+      # Install ourselves into the current +IScanQueueItem+ java class
+      # @param [IScanQueueItem] item
+      #
+      def self.implant(item)
+        unless item.implanted? || item.nil?
+          pp [:implanting, item, item.class] if $DEBUG
+          item.class.class_exec(item) do |item|
+            a_methods = %w{
+              getIssues
+            }
+            a_methods.each do |meth|
+              alias_method "__"+meth.to_s, meth
+            end
+            include Buby::Implants::ScanQueueItem
+            a_methods.each do |meth|
+              java_class.ruby_names_for_java_method(meth).each do |ruby_meth|
+                define_method ruby_meth, Buby::Implants::ScanQueueItem.instance_method(meth)
+              end
+            end
+            include Buby::Implants::Proxy
+          end
+        end
+        item
+      end
+      
+    end
+  end
+end

data/lib/buby/implants/scanner_insertion_point.rb

@@ -0,0 +1,92 @@
+class Buby
+  module Implants
+
+    # This interface is used to define an insertion point for use by active
+    # Scanner checks. Extensions can obtain instances of this interface by
+    # registering an +IScannerCheck+, or can create instances for use by Burp's
+    # own scan checks by registering an +IScannerInsertionPointProvider+.
+    #
+    module ScannerInsertionPoint
+      INS_PARAM_URL            = 0x00;
+      INS_PARAM_BODY           = 0x01;
+      INS_PARAM_COOKIE         = 0x02;
+      INS_PARAM_XML            = 0x03;
+      INS_PARAM_XML_ATTR       = 0x04;
+      INS_PARAM_MULTIPART_ATTR = 0x05;
+      INS_PARAM_JSON           = 0x06;
+      INS_PARAM_AMF            = 0x07;
+      INS_HEADER               = 0x20;
+      INS_URL_REST             = 0x21;
+      INS_PARAM_NAME_URL       = 0x22;
+      INS_PARAM_NAME_BODY      = 0x23;
+      INS_USER_PROVIDED        = 0x40;
+      INS_EXTENSION_PROVIDED   = 0x41;
+      INS_UNKNOWN              = 0x7f;
+
+      # This method is used to build a request with the specified payload placed
+      # into the insertion point. Any necessary adjustments to the
+      # Content-Length header will be made by the Scanner itself when the
+      # request is issued, and there is no requirement for the insertion point
+      # to do this.
+      # 
+      # @note Burp's built-in scan checks do not apply any payload encoding
+      #   (such as URL-encoding) when dealing with an extension-provided
+      #   insertion point. Custom insertion points are responsible for
+      #   performing any data encoding that is necessary given the nature and
+      #   location of the insertion point.
+      #
+      # @param [String] payload The payload that should be placed into the
+      #   insertion point.
+      # @return [String] The resulting request.
+      #
+      def buildRequest(payload)
+        String.from_java_bytes(__buildRequest(payload.to_java_bytes))
+      end
+
+
+      # This method is used to determine the offsets of the payload value within
+      # the request, when it is placed into the insertion point. Scan checks may
+      # invoke this method when reporting issues, so as to highlight the
+      # relevant part of the request within the UI.
+      #
+      # @param [String, Array<byte>] payload The payload that should be placed
+      #   into the insertion point.
+      # @return [Array<Fixnum>, nil] An int[2] array containing the start and
+      #   end offsets of the payload within the request, or +nil+ if this is not
+      #   applicable (for example, where the insertion point places a payload
+      #   into a serialized data structure, the raw payload may not literally
+      #   appear anywhere within the resulting request).
+      #
+      def getPayloadOffsets(payload)
+        payload = payload.to_java_bytes if payload.respond_to? :to_java_bytes
+        __getPayloadOffsets(payload)
+      end
+
+      # Install ourselves into the current +IScannerInsertionPoint+ java class
+      # @param [IScannerInsertionPoint] point
+      #
+      def self.implant(point)
+        unless point.implanted? || point.nil?
+          pp [:implanting, point, point.class] if $DEBUG
+          point.class.class_exec(point) do |point|
+            a_methods = %w{
+              buildRequest
+              getPayloadOffsets
+            }
+            a_methods.each do |meth|
+              alias_method "__"+meth.to_s, meth
+            end
+            include Buby::Implants::ScannerInsertionPoint
+            a_methods.each do |meth|
+              java_class.ruby_names_for_java_method(meth).each do |ruby_meth|
+                define_method ruby_meth, Buby::Implants::ScannerInsertionPoint.instance_method(meth)
+              end
+            end
+            include Buby::Implants::Proxy
+          end
+        end
+        point
+      end
+    end
+  end
+end

data/lib/buby/implants/temp_file.rb

@@ -0,0 +1,43 @@
+class Buby
+  module Implants
+    # This interface is used to hold details of a temporary file that has been
+    # created via a call to {Buby#saveToTempFile}.
+    # 
+    module TempFile
+      # This method is used to retrieve the contents of the buffer that was
+      #   saved in the temporary file.
+      #
+      # @return [String] The contents of the buffer that was saved in the
+      #   temporary file.
+      #
+      def getBuffer
+        String.from_java_bytes __getBuffer
+      end
+
+      # Install ourselves into the current +ITempFile+ java class
+      # @param [ITempFile] file
+      #
+      def self.implant(file)
+        unless file.implanted? || file.nil?
+          pp [:implanting, file, file.class] if $DEBUG
+          file.class.class_exec(file) do |file|
+            a_methods = %w{
+              getBuffer
+            }
+            a_methods.each do |meth|
+              alias_method "__"+meth.to_s, meth
+            end
+            include Buby::Implants::TempFile
+            a_methods.each do |meth|
+              java_class.ruby_names_for_java_method(meth).each do |ruby_meth|
+                define_method ruby_meth, Buby::Implants::TempFile.instance_method(meth)
+              end
+            end
+            include Buby::Implants::Proxy
+          end
+        end
+        file
+      end
+    end
+  end
+end

data/lib/buby/implants/text_editor.rb

@@ -0,0 +1,63 @@
+class Buby
+  module Implants
+    # This interface is used to provide extensions with an instance of Burp's
+    # raw text editor, for the extension to use in its own UI. Extensions should
+    # call {Buby#createTextEditor} to obtain an instance of this interface.
+    #
+    module TextEditor
+
+      # This method is used to update the currently displayed text in the editor.
+      #
+      # @param txt [String] The text to be displayed.
+      # @return [void]
+      #
+      def setText(txt)
+        __setText(txt.to_java_bytes)
+      end
+
+      # This method is used to retrieve the currently displayed text.
+      #
+      # @return [String] The currently displayed text.
+      #
+      def getText
+        String.from_java_bytes __getText
+      end
+
+      # This method is used to obtain the currently selected text.
+      #
+      # @return [String, nil] The currently selected text, or +nil+ if the user
+      #   has not made any selection.
+      #
+      def getSelectedText
+        String.from_java_bytes __getSelectedText
+      end
+
+      # Install ourselves into the current +ITextEditor+ java class
+      # @param [ITextEditor] editor
+      #
+      def self.implant(editor)
+        unless editor.implanted? || editor.nil?
+          pp [:implanting, editor, editor.class] if $DEBUG
+          editor.class.class_exec(editor) do |editor|
+            a_methods = %w{
+              setText
+              getText
+              getSelectedText
+            }
+            a_methods.each do |meth|
+              alias_method "__"+meth.to_s, meth
+            end
+            include Buby::Implants::TextEditor
+            a_methods.each do |meth|
+              java_class.ruby_names_for_java_method(meth).each do |ruby_meth|
+                define_method ruby_meth, Buby::Implants::TextEditor.instance_method(meth)
+              end
+            end
+            include Buby::Implants::Proxy
+          end
+        end
+        editor
+      end
+    end
+  end
+end

data/lib/buby/implants.rb

@@ -0,0 +1,28 @@
+class Buby
+  module Implants
+    module Proxy
+      def implanted?
+        true
+      end
+    end
+  end
+end
+
+require 'buby/implants/jruby'
+require 'buby/implants/buby_array_wrapper'
+require 'buby/implants/context_menu_invocation'
+require 'buby/implants/cookie'
+require 'buby/implants/extension_helpers'
+require 'buby/implants/http_request_response'
+require 'buby/implants/intercepted_proxy_message'
+require 'buby/implants/intruder_attack'
+require 'buby/implants/message_editor'
+require 'buby/implants/message_editor_controller'
+require 'buby/implants/parameter'
+require 'buby/implants/request_info'
+require 'buby/implants/response_info'
+require 'buby/implants/scanner_insertion_point'
+require 'buby/implants/scan_issue'
+require 'buby/implants/scan_queue_item'
+require 'buby/implants/temp_file'
+require 'buby/implants/text_editor'

data/lib/buby/intruder_payload_generator.rb

@@ -0,0 +1,60 @@
+class Buby
+  # This interface is used for custom Intruder payload generators. Extensions
+  # that have registered an +IIntruderPayloadGeneratorFactory+ must return a new
+  # instance of this interface when required as part of a new Intruder attack.
+  #
+  class IntruderPayloadGenerator
+    include Java::Burp::IIntruderPayloadGenerator
+    include Java::Burp::IIntruderPayloadGeneratorFactory
+
+    # (see Buby::IntruderPayloadGeneratorFactory#getGeneratorName)
+    def self.getGeneratorName; self.name.to_java_string; end
+
+    # {include:Buby::IntruderPayloadGeneratorFactory#createNewInstance}
+    # @param (see Buby::IntruderPayloadGeneratorFactory#createNewInstance)
+    # @return (see #initialize)
+    def self.createNewInstance(attack)
+      Buby::Implants::IntruderAttack.implant(attack)
+      self.new(attack)
+    end
+
+    # @param (see Buby::IntruderPayloadGeneratorFactory#createNewInstance)
+    def initialize(attack)
+      @attack = attack
+    end
+
+    # This method is used by Burp to determine whether the payload generator is
+    # able to provide any further payloads.
+    #
+    # @return [Boolean] Extensions should return +false+ when all the available
+    #   payloads have been used up, otherwise +true+.
+    #
+    # @abstract
+    def hasMorePayloads; end
+    # (see #hasMorePayloads)
+    def more_payloads?; hasMorePayloads; end
+
+    # This method is used by Burp to obtain the value of the next payload.
+    #
+    # @param [Array<byte>] baseValue The base value of the current payload
+    #   position. This value may be +nil+ if the concept of a base value is not
+    #   applicable (e.g. in a battering ram attack).
+    # @return [Array<byte>] The next payload to use in the attack.
+    #
+    # @abstract Call super to get +baseValue+ as a +String+. Implementation's
+    #   responsibility to return byte array.
+    def getNextPayload(baseValue)
+      ret = baseValue
+      baseValue = String.from_java_bytes(baseValue) if baseValue
+      ret
+    end
+
+    # This method is used by Burp to reset the state of the payload generator so
+    # that the next call to {#getNextPayload} returns the first payload again.
+    # This method will be invoked when an attack uses the same payload generator
+    # for more than one payload position, for example in a sniper attack.
+    #
+    # @abstract
+    def reset; end
+  end
+end

data/lib/buby/intruder_payload_generator_factory.rb

@@ -0,0 +1,32 @@
+class Buby
+
+  # Extensions can implement this interface and then call
+  # {Buby#registerIntruderPayloadGeneratorFactory} to register a factory for
+  # custom Intruder payloads.
+  #
+  # @see IntruderPayloadGenerator
+  class IntruderPayloadGeneratorFactory
+    include Java::Burp::IIntruderPayloadGeneratorFactory
+
+    # This method is used by Burp to obtain the name of the payload generator.
+    # This will be displayed as an option within the Intruder UI when the user
+    # selects to use extension-generated payloads.
+    #
+    # @return [String] The name of the payload generator.
+    #
+    def getGeneratorName; self.class.name.to_java_string; end
+
+    # This method is used by Burp when the user starts an Intruder attack that
+    # uses this payload generator.
+    #
+    # @param [IIntruderAttack] attack object that can be queried to obtain
+    #   details about the attack in which the payload generator will be used.
+    # @return [IIntruderPayloadGenerator] A new payload generator for the
+    #   attack.
+    #
+    # @abstract
+    def createNewInstance(attack)
+      Buby::Implants::IntruderAttack.implant(attack)
+    end
+  end
+end

data/lib/buby/intruder_payload_processor.rb

@@ -0,0 +1,38 @@
+class Buby
+  # Extensions can implement this interface and then call
+  # {Buby#registerIntruderPayloadProcessor} to register a custom Intruder
+  # payload processor.
+  #
+  # @todo voodoo function wrapping?
+  class IntruderPayloadProcessor
+    include Java::Burp::IIntruderPayloadProcessor
+
+    # This method is used by Burp to obtain the name of the payload processor.
+    # This will be displayed as an option within the Intruder UI when the user
+    # selects to use an extension-provided payload processor.
+    #
+    # @return [String] The name of the payload processor.
+    #
+    def getProcessorName; self.class.name; end
+
+    # This method is invoked by Burp each time the processor should be applied
+    # to an Intruder payload.
+    #
+    # @param [Array[byte]] currentPayload The value of the payload to be
+    #   processed.
+    # @param [Array[byte]] originalPayload The value of the original payload
+    #   prior to processing by any already-applied processing rules.
+    # @param [Array[byte]] baseValue The base value of the payload position,
+    #   which will be replaced with the current payload.
+    # @return The value of the processed payload. This may be +nil+ to
+    #   indicate that the current payload should be skipped, and the attack
+    #   will move directly to the next payload.
+    #
+    def processPayload(currentPayload, originalPayload, baseValue)
+      currentPayload = String.from_java_bytes currentPayload
+      originalPayload = String.from_java_bytes originalPayload
+      baseValue = String.from_java_bytes baseValue
+      nil
+    end
+  end
+end