buby 1.1.7-java → 1.2.0-java

data/.gitignore

@@ -0,0 +1,7 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg
+*.gem
+*.class

data/README.rdoc

@@ -44,8 +44,7 @@ You should be able to get up and running with just the gem and a copy of Burp.
 I've packaged up a pre-built buby.jar file containing the required classes 
 minus ofcourse, Burp itself. 
 
-  jruby -S gem sources -a http://gems.github.com # only have to do this once
-  jruby -S gem install emonti-buby
+  (sudo)? jruby -S gem install buby --source=http://gemcutter.org
 
 * IMPORTANT: The buby gem doesn't include a copy of Burp!  See manual step #5 
   below. For best results, you'll still want to make your burp.jar available 

data/Rakefile

@@ -8,15 +8,16 @@ begin
     gem.name = "buby"
     gem.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger}
     gem.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger.  Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API.  This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.}
-    gem.email = "emonti@matasano.com"
+    gem.email = "emonti@matasano.com, td@matasano.com"
     gem.homepage = "http://emonti.github.com/buby"
-    gem.authors = ["Eric Monti - Matasano Security"]
+    gem.authors = ["Eric Monti, tduehr"]
     gem.platform = "java"
     gem.test_files = ["test/buby_test.rb"]
     gem.require_paths << 'java'
     gem.rdoc_options = ["--main", "README.rdoc"]
     gem.extra_rdoc_files = ["History.txt", "README.rdoc", "bin/buby"]
   end
+  Jeweler::GemcutterTasks.new
 rescue LoadError
   puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
 end

data/VERSION

@@ -1 +1 @@
-1.1.7
+1.2.0

data/buby.gemspec

@@ -1,19 +1,19 @@
 # Generated by jeweler
-# DO NOT EDIT THIS FILE
-# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{buby}
-  s.version = "1.1.7"
+  s.version = "1.2.0"
   s.platform = %q{java}
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Eric Monti - Matasano Security"]
-  s.date = %q{2009-12-29}
+  s.authors = ["Eric Monti, tduehr"]
+  s.date = %q{2010-08-29}
   s.default_executable = %q{buby}
   s.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger.  Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API.  This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.}
-  s.email = %q{emonti@matasano.com}
+  s.email = %q{emonti@matasano.com, td@matasano.com}
   s.executables = ["buby"]
   s.extra_rdoc_files = [
     "History.txt",
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
      "bin/buby"
   ]
   s.files = [
-    ".bnsignore",
+    ".gitignore",
      "History.txt",
      "README.rdoc",
      "Rakefile",
@@ -33,6 +33,7 @@ Gem::Specification.new do |s|
      "java/src/burp/IBurpExtender.java",
      "java/src/burp/IBurpExtenderCallbacks.java",
      "java/src/burp/IHttpRequestResponse.java",
+     "java/src/burp/IMenuItemHandler.java",
      "java/src/burp/IScanIssue.java",
      "java/src/burp/IScanQueueItem.java",
      "lib/buby.rb",
@@ -43,6 +44,7 @@ Gem::Specification.new do |s|
      "samples/drb_buby.rb",
      "samples/drb_sample_cli.rb",
      "samples/mechanize_burp.rb",
+     "samples/menu_copy_req.rb",
      "samples/poc_generator.rb",
      "samples/verb_tamperer.rb",
      "samples/watch_scan.rb",
@@ -50,8 +52,8 @@ Gem::Specification.new do |s|
   ]
   s.homepage = %q{http://emonti.github.com/buby}
   s.rdoc_options = ["--main", "README.rdoc"]
-  s.require_paths = ["lib", "java"]
-  s.rubygems_version = %q{1.3.5}
+  s.require_paths = ["lib", "java", "java"]
+  s.rubygems_version = %q{1.3.6}
   s.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger}
   s.test_files = [
     "test/buby_test.rb"
@@ -67,3 +69,4 @@ Gem::Specification.new do |s|
   else
   end
 end
+

data/java/src/BurpExtender.java

@@ -291,5 +291,22 @@ public class BurpExtender implements IBurpExtender {
      */
     public final static int ACTION_DROP = 3;    
 
+    /**
+     * Causes Burp Proxy to follow the current interception rules to determine
+     * the appropriate action to take for the message, and then make a second
+     * call to processProxyMessage.
+     */
+    public final static int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10;
+    /**
+     * Causes Burp Proxy to present the message to the user for manual
+     * review or modification, and then make a second call to
+     * processProxyMessage.
+     */
+    public final static int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11;
+    /**
+     * Causes Burp Proxy to skip user interception, and then make a second call
+     * to processProxyMessage.
+     */
+    public final static int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12;
 }
 

data/java/src/burp/IBurpExtender.java

@@ -3,8 +3,11 @@ package burp;
 /*
  * @(#)IBurpExtender.java
  *
- * Copyright 2008 PortSwigger Ltd. All rights reserved.
- * Use is subject to license terms - see http://portswigger.net/
+ * Copyright PortSwigger Ltd. All rights reserved.
+ * 
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the 
+ * license terms for those products. 
  */
 
 /**
@@ -27,9 +30,10 @@ package burp;
  * class burp.BurpExtender, use the following command to launch Burp Suite and 
  * load the IBurpExtender implementation:<p>
  *
- * <PRE>
- *    java -classpath burp.jar;BurpProxyExtender.jar burp.StartBurp
- * </PRE>
+ * <PRE>    java -classpath burp.jar;BurpProxyExtender.jar burp.StartBurp</PRE>
+ * 
+ * (On Linux-based platforms, use a colon character instead of the semi-colon 
+ * as the classpath separator.)
  */
 
 public interface IBurpExtender
@@ -44,7 +48,6 @@ public interface IBurpExtender
      */
     public void setCommandLineArgs(String[] args);
     
-    
     /**
      * This method is invoked by Burp Proxy whenever a client request or server
      * response is received. It allows implementations to perform logging 
@@ -108,10 +111,25 @@ public interface IBurpExtender
     /** 
      * Causes Burp Proxy to drop the message and close the client connection.
      */
-    public final static int ACTION_DROP = 3;    
-    
-    
-    
+    public final static int ACTION_DROP = 3;
+    /**
+     * Causes Burp Proxy to follow the current interception rules to determine
+     * the appropriate action to take for the message, and then make a second
+     * call to processProxyMessage.
+     */
+    public final static int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10;
+    /**
+     * Causes Burp Proxy to present the message to the user for manual
+     * review or modification, and then make a second call to
+     * processProxyMessage.
+     */
+    public final static int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11;
+    /**
+     * Causes Burp Proxy to skip user interception, and then make a second call
+     * to processProxyMessage.
+     */
+    public final static int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12;
+
     /**
      * This method is invoked on startup. It registers an instance of the 
      * <code>IBurpExtenderCallbacks</code> interface, providing methods that 
@@ -125,12 +143,38 @@ public interface IBurpExtender
      */
     public void registerExtenderCallbacks(burp.IBurpExtenderCallbacks callbacks);
     
-    
-    
     /**
      * This method is invoked immediately before Burp Suite exits. 
      * It allows implementations to carry out any clean-up actions necessary
      * (e.g. flushing log files or closing database resources).
      */
     public void applicationClosing();
+    
+    /**
+     * This method is invoked whenever any of Burp's tools makes an HTTP request 
+     * or receives a response. It allows extensions to intercept and modify the 
+     * HTTP traffic of all Burp tools. For each request, the method is invoked 
+     * after the request has been fully processed by the invoking tool and is 
+     * about to be made on the network. For each response, the method is invoked
+     * after the response has been received from the network and before any 
+     * processing is performed by the invoking tool.
+     * 
+     * @param toolName The name of the Burp tool which is making the request.
+     * @param messageIsRequest Indicates whether the message is a request or 
+     * response.
+     * @param messageInfo Details of the HTTP message.
+     */
+    public void processHttpMessage(
+            String toolName, 
+            boolean messageIsRequest, 
+            IHttpRequestResponse messageInfo);
+    
+    /** 
+     * This method is invoked whenever Burp Scanner discovers a new, unique 
+     * issue, and can be used to perform customised reporting or logging of issues. 
+     * 
+     * @param issue Details of the new scan issue.
+     */
+    public void newScanIssue(IScanIssue issue);
+    
 }

data/java/src/burp/IBurpExtenderCallbacks.java

@@ -3,8 +3,11 @@ package burp;
 /*
  * @(#)IBurpExtenderCallbacks.java
  *
- * Copyright 2008 PortSwigger Ltd. All rights reserved.
- * Use is subject to license terms - see http://portswigger.net/
+ * Copyright PortSwigger Ltd. All rights reserved.
+ * 
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the 
+ * license terms for those products. 
  */
 
 /**
@@ -31,6 +34,7 @@ public interface IBurpExtenderCallbacks
      * @param useHttps Flags whether the protocol is HTTPS or HTTP.
      * @param request The full HTTP request.
      * @return The full response retrieved from the remote server.
+     * @throws java.lang.Exception
      */
     public byte[] makeHttpRequest(
             String host,
@@ -50,6 +54,7 @@ public interface IBurpExtenderCallbacks
      * @param tabCaption An optional caption which will appear on the Repeater 
      * tab containing the request. If this value is <code>null</code> then a 
      * default tab index will be displayed.
+     * @throws java.lang.Exception
      */
     public void sendToRepeater(
             String host,
@@ -68,6 +73,7 @@ public interface IBurpExtenderCallbacks
      * @param port The port of the remote HTTP server.
      * @param useHttps Flags whether the protocol is HTTPS or HTTP.
      * @param request The full HTTP request.
+     * @throws java.lang.Exception
      */
     public void sendToIntruder(
             String host,
@@ -83,6 +89,7 @@ public interface IBurpExtenderCallbacks
      * Spider will process the application's response in the normal way.
      * 
      * @param url The new seed URL to begin spidering from.
+     * @throws java.lang.Exception
      */
     public void sendToSpider(
             java.net.URL url) throws Exception;
@@ -97,8 +104,10 @@ public interface IBurpExtenderCallbacks
      * @param port The port of the remote HTTP server.
      * @param useHttps Flags whether the protocol is HTTPS or HTTP.
      * @param request The full HTTP request.
+     * @return The resulting scan queue item.
+     * @throws java.lang.Exception
      */
-    public void doActiveScan(
+    public IScanQueueItem doActiveScan(
             String host,
             int port,
             boolean useHttps,
@@ -113,6 +122,7 @@ public interface IBurpExtenderCallbacks
      * @param useHttps Flags whether the protocol is HTTPS or HTTP.
      * @param request The full HTTP request.
      * @param response The full HTTP response.
+     * @throws java.lang.Exception
      */
     public void doPassiveScan(
             String host,
@@ -128,6 +138,7 @@ public interface IBurpExtenderCallbacks
      * @param url The URL to query.
      * @return Returns <code>true</code> if the URL is within the current 
      * Suite-wide scope.
+     * @throws java.lang.Exception
      */
     boolean isInScope(java.net.URL url) throws Exception;
     
@@ -136,6 +147,7 @@ public interface IBurpExtenderCallbacks
      * scope.
      * 
      * @param url The URL to include in the Suite-wide scope.
+     * @throws java.lang.Exception
      */
     void includeInScope(java.net.URL url) throws Exception;
     
@@ -144,6 +156,7 @@ public interface IBurpExtenderCallbacks
      * scope.
      * 
      * @param url The URL to exclude from the Suite-wide scope.
+     * @throws java.lang.Exception
      */
     void excludeFromScope(java.net.URL url) throws Exception;
 
@@ -154,58 +167,102 @@ public interface IBurpExtenderCallbacks
      * @param message The alert message to display.
      */
     public void issueAlert(String message);
-
-    /**
-     * New stuff added as of v1.2.11.
-     * The new IBurpExtenderCallbacks interface adds several new methods 
-     * which you can invoke to query and update Burp's state, and to parse raw 
-     * HTTP messages for parameters and headers.
-     */
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method returns details of all items in the proxy history.
+     * 
+     * @return The contents of the proxy history.
      */
     public IHttpRequestResponse[] getProxyHistory();
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method returns details of items in the site map.
+     * 
+     * @param urlPrefix This parameter can be used to specify a URL prefix, in 
+     * order to extract a specific subset of the site map. The method performs 
+     * a simple case-sensitive text match, returning all site 
+     * map items whose URL begins with the specified prefix. If this parameter 
+     * is null, the entire site map is returned.
+     * @return Details of items in the site map.
      */
     public IHttpRequestResponse[] getSiteMap(String urlPrefix);
-
-    /** 
-     * This method returns all of the current scan issues for URLs matching 
-     * the specified literal prefix. 
-     * The prefix can be null to match all issues.
-     *
-     * Added in v1.2.15.
-     */
-    public IScanIssue[] getScanIssues(String urlPrefix);
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method can be used to restore Burp's state from a specified 
+     * saved state file. This method blocks until the restore operation is 
+     * completed, and must not be called from the event thread.
+     * 
+     * @param file The file containing Burp's saved state.
+     * @throws java.lang.Exception
      */
     public void restoreState(java.io.File file) throws Exception;
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method can be used to save Burp's state to a specified file. 
+     * This method blocks until the save operation is completed, and must not be 
+     * called from the event thread.
+     * 
+     * @param file The file to save Burp's state in.
+     * @throws java.lang.Exception
      */
     public void saveState(java.io.File file) throws Exception;
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method parses the specified request and returns details of each
+     * request parameter.
+     * 
+     * @param request The request to be parsed.
+     * @return An array of:
+     * <code>String[] { name, value, type }</code> 
+     * containing details of the parameters contained within the request.
+     * @throws java.lang.Exception
      */
     public String[][] getParameters(byte[] request) throws Exception;
-
+    
     /**
-     * no javadoc yet from PortSwigger
+     * This method parses the specified request and returns details of each
+     * HTTP header.
+     * 
+     * @param message The request to be parsed.
+     * @return An array of HTTP headers.
+     * @throws java.lang.Exception
      */
     public String[] getHeaders(byte[] message) throws Exception;
+    
+    /**
+     * This method returns all of the current scan issues for URLs matching the 
+     * specified literal prefix. 
+     * 
+     * @param urlPrefix This parameter can be used to specify a URL prefix, in 
+     * order to extract a specific subset of scan issues. The method performs 
+     * a simple case-sensitive text match, returning all scan issues whose URL 
+     * begins with the specified prefix. If this parameter is null, all issues 
+     * are returned.
+     * @return Details of the scan issues.
+     */
+    public IScanIssue[] getScanIssues(String urlPrefix);
+    
+    /**
+     * 
+     * This method can be used to register a new menu item which will appear 
+     * on the various context menus that are used throughout Burp Suite to 
+     * handle user-driven actions.
+     * 
+     * @param menuItemCaption The caption to be displayed on the menu item.
+     * @param menuItemHandler The handler to be invoked when the user clicks
+     * on the menu item.
+     */
+    public void registerMenuItem(
+            String menuItemCaption,
+            IMenuItemHandler menuItemHandler);
 
     /**
-     * Shuts down burp programatically. If the method returns, the user
-     * cancelled the shutdown prompt.
-     *
-     * Available in v1.2.17+.
+     * This method can be used to shut down Burp programmatically, with an 
+     * optional prompt to the user. If the method returns, the user cancelled 
+     * the shutdown prompt.
+     * 
+     * @param promptUser Indicates whether to prompt the user to confirm the 
+     * shutdown.
      */
-    public void exitSuite(boolean promptUser); 
+    public void exitSuite(boolean promptUser);
 }

data/java/src/burp/IHttpRequestResponse.java

@@ -1,32 +1,125 @@
 package burp;
 
-import java.net.URL;
+/*
+ * @(#)IHttpRequestResponse.java
+ *
+ * Copyright PortSwigger Ltd. All rights reserved.
+ * 
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the 
+ * license terms for those products. 
+ */
+
+/**
+ * This interface is used to allow extensions to access details of HTTP messages
+ * that are processed within Burp.
+ * 
+ * Note that the setter methods generally can only be used before the message 
+ * has been forwarded to the application (e.g. using 
+ * IBurpExtender.processHttpMessage()) and not in read-only contexts (e.g. using 
+ * IBurpExtender.getProxyHistory()). Conversely, the getter methods relating to 
+ * response details can only be used after the message has been forwarded to the
+ * application.
+ */
 
 public interface IHttpRequestResponse
 {
-
-  public String getHost();
-
-  public int getPort();
-
-  public String getProtocol();
-
-  public void setHost(String host) throws Exception;
-
-  public void setPort(int port) throws Exception;
-
-  public void setProtocol(String protocol) throws Exception;
-
-  public byte[] getRequest() throws Exception;
-
-  public java.net.URL getUrl() throws Exception;
-
-  public void setRequest(byte[] message) throws Exception;
-
-  public byte[] getResponse() throws Exception;
-
-  public void setResponse(byte[] message) throws Exception;
-
-  public short getStatusCode() throws Exception;
-
+    /**
+     * Returns the name of the application host.
+     * 
+     * @return The name of the application host.
+     */
+    String getHost();
+    
+    /**
+     * Returns the port number used by the application.
+     * 
+     * @return The port number used by the application.
+     */
+    int getPort();
+    
+    /**
+     * Returns the protocol used by the application.
+     * 
+     * @return The protocol used by the application.
+     */
+    String getProtocol();
+    
+    /**
+     * Sets the name of the application host to which the request should 
+     * be sent.
+     * 
+     * @param host The name of the application host to which the request should 
+     * be sent.
+     * @throws java.lang.Exception
+     */
+    void setHost(String host) throws Exception;
+    
+    /**
+     * Sets the port number to which the request should be sent.
+     * 
+     * @param port The port number to which the request should be sent.
+     * @throws java.lang.Exception
+     */
+    void setPort(int port) throws Exception;
+    
+    /**
+     * Sets the protocol which should be used by the request.
+     * 
+     * @param protocol The protocol which should be used by the request. Valid 
+     * values are "http" and "https".
+     * @throws java.lang.Exception
+     */
+    void setProtocol(String protocol) throws Exception;
+    
+    /**
+     * Returns the full request contents.
+     * 
+     * @return The full request contents.
+     * @throws java.lang.Exception
+     */
+    byte[] getRequest() throws Exception;
+    
+    /**
+     * Returns the URL within the request.
+     * 
+     * @return The URL within the request.
+     * @throws java.lang.Exception
+     */
+    java.net.URL getUrl() throws Exception;
+    
+    /**
+     * Sets the request contents which should be sent to the application.
+     * 
+     * @param message The request contents which should be sent to the 
+     * application.
+     * @throws java.lang.Exception
+     */
+    void setRequest(byte[] message) throws Exception; 
+    
+    /**
+     * Returns the full response contents.
+     * 
+     * @return The full response contents.
+     * @throws java.lang.Exception
+     */
+    byte[] getResponse() throws Exception; 
+    
+    /**
+     * Sets the response contents which should be processed by the 
+     * invoking Burp tool.
+     * 
+     * @param message The response contents which should be processed by the 
+     * invoking Burp tool.
+     * @throws java.lang.Exception
+     */
+    void setResponse(byte[] message) throws Exception;
+    
+    /**
+     * Returns the HTTP status code contained within the response.
+     * 
+     * @return The HTTP status code contained within the response.
+     * @throws java.lang.Exception
+     */
+    short getStatusCode() throws Exception;
 }

data/java/src/burp/IMenuItemHandler.java

@@ -0,0 +1,40 @@
+package burp;
+
+/*
+ * @(#)IMenuItemHandler.java
+ *
+ * Copyright PortSwigger Ltd. All rights reserved.
+ *
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the
+ * license terms for those products.
+ */
+
+/**
+ * This interface is used by implementations of the <code>IBurpExtender</code>
+ * interface to provide to Burp Suite a handler for one or more custom menu
+ * items, which appear on the various context menus that are used throughout
+ * Burp Suite to handle user-driven actions.
+ *
+ * Extensions which need to add custom menu items to Burp should provide an
+ * implementation of this interface, and use the <code>registerMenuItem</code>
+ * method of <code>IBurpExtenderCallbacks</code> to register each custom menu
+ * item.
+ */
+
+public interface IMenuItemHandler
+{
+    /**
+     * This method is invoked by Burp Suite when the user clicks on a custom
+     * menu item which the extension has registered with Burp.
+     *
+     * @param menuItemCaption The caption of the menu item which was clicked.
+     * This parameter enables extensions to provide a single implementation
+     * which handles multiple different menu items.
+     * @param messageInfo Details of the HTTP message(s) for which the context
+     * menu was displayed.
+     */
+    public void menuItemClicked(
+            String menuItemCaption,
+            IHttpRequestResponse[] messageInfo);
+}

data/java/src/burp/IScanIssue.java

@@ -1,32 +1,106 @@
 package burp;
 
-import java.net.URL;
+/*
+ * @(#)IScanIssue.java
+ *
+ * Copyright PortSwigger Ltd. All rights reserved.
+ * 
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the 
+ * license terms for those products. 
+ */
+
+/**
+ * This interface is used to allow extensions to access details of issues 
+ * generated by Burp Scanner.
+ */
 
 public interface IScanIssue
 {
-
-  public String getHost();
-
-  public int getPort();
-
-  public String getProtocol();
-
-  public java.net.URL getUrl();
-
-  public String getIssueName();
-
-  public String getSeverity();
-
-  public String getConfidence();
-
-  public String getIssueBackground();
-
-  public String getRemediationBackground();
-
-  public String getIssueDetail();
-
-  public String getRemediationDetail();
-
-  public IHttpRequestResponse[] getHttpMessages();
-
+    /**
+     * Returns the name of the application host.
+     * 
+     * @return The name of the application host.
+     */
+    String getHost();
+    
+    /**
+     * Returns the port number used by the application.
+     * 
+     * @return The port number used by the application.
+     */
+    int getPort();
+    
+    /**
+     * Returns the protocol used by the application.
+     * 
+     * @return The protocol used by the application.
+     */
+    String getProtocol();
+    
+    /**
+     * Returns the URL for which the issue was generated.
+     * 
+     * @return The URL for which the issue was generated.
+     */
+    java.net.URL getUrl();
+    
+    /**
+     * Returns a descriptive name of the issue type.
+     * 
+     * @return A descriptive name of the issue type (e.g. "SQL injection").
+     */
+    String getIssueName();
+    
+    /**
+     * Returns a descriptive name of the issue severity level.
+     * 
+     * @return A descriptive name of the issue severity level (e.g. "High").
+     */
+    String getSeverity();
+    
+    /**
+     * Returns a descriptive name of the issue confidence level.
+     * 
+     * @return A descriptive name of the issue confidence level (e.g. "Certain").
+     */
+    String getConfidence();
+    
+    /**
+     * Returns a general description of this type of issue.
+     * 
+     * @return A general description of this type of issue.
+     */
+    String getIssueBackground();
+    
+    /**
+     * Returns a general description of the remediation for this type of issue.
+     * 
+     * @return A general description of the remediation for this type of issue.
+     */
+    String getRemediationBackground();
+    
+    /**
+     * Returns detailed information about the specific instance of the issue.
+     * 
+     * @return If available, detailed information about the specific instance of 
+     * the issue.
+     */
+    String getIssueDetail();
+    
+    /**
+     * Returns detailed information about the remediation for the specific 
+     * instance of the issue.
+     * 
+     * @return If available, detailed information about the remediation for the 
+     * specific instance of the issue.
+     */
+    String getRemediationDetail();
+    
+    /**
+     * Returns the HTTP messages on the basis of which the issue was generated.
+     * 
+     * @return The HTTP messages on the basis of which the issue was generated.
+     */
+    IHttpRequestResponse[] getHttpMessages();
 }

data/java/src/burp/IScanQueueItem.java

@@ -1,20 +1,76 @@
 package burp;
 
-public interface IScanQueueItem
-{
-
-  public String getStatus();
-
-  public byte getPercentageComplete();
-
-  public int getNumRequests();
+/*
+ * @(#)IScanQueueItem.java
+ *
+ * Copyright PortSwigger Ltd. All rights reserved.
+ * 
+ * This code may be used to extend the functionality of Burp Suite and Burp
+ * Suite Professional, provided that this usage does not violate the 
+ * license terms for those products. 
+ */
 
-  public int getNumErrors();
-
-  public int getNumInsertionPoints();
-
-  public void cancel();
-
-  public IScanIssue[] getIssues();
+/**
+ * This interface is used to allow extensions to access details of items in the 
+ * Burp Scanner active scan queue.
+ */
 
+public interface IScanQueueItem
+{
+    /**
+     * Returns a description of the status of the scan queue item.
+     * 
+     * @return A description of the status of the scan queue item.
+     */
+    String getStatus();
+    
+    /**
+     * Returns an indication of the percentage completed for the scan queue item.
+     * 
+     * @return An indication of the percentage completed for the scan queue item.
+     */
+    byte getPercentageComplete();
+    
+    /**
+     * Returns the number of requests that have been made for the scan queue item.
+     * 
+     * @return The number of requests that have been made for the scan queue item.
+     */
+    int getNumRequests();
+    
+    /**
+     * Returns the number of network errors that have occurred for the scan 
+     * queue item.
+     * 
+     * @return The number of network errors that have occurred for the scan 
+     * queue item.
+     */
+    int getNumErrors();
+    
+    /**
+     * Returns the number of attack insertion points being used for the scan 
+     * queue item.
+     * 
+     * @return The number of attack insertion points being used for the scan 
+     * queue item.
+     */
+    int getNumInsertionPoints();
+    
+    /**
+     * This method allows the scan queue item to be cancelled.
+     */
+    void cancel();
+    
+    /**
+     * This method returns details of the issues generated for the scan queue item.
+     * 
+     * Note that different items within the scan queue may contain duplicated 
+     * versions of the same issues - for example, if the same request has been 
+     * scanned multiple times. Duplicated issues are consolidated in the main view 
+     * of scan results. You can implementIBurpExtender.newScanIssue to get details 
+     * only of unique, newly discovered scan issues post-consolidation.
+     * 
+     * @return Details of the issues generated for the scan queue item.
+     */
+    IScanIssue[] getIssues();
 }

data/lib/buby.rb

@@ -334,6 +334,19 @@ class Buby
   alias exit_suite exitSuite
   alias close exitSuite
 
+  # This method can be used to register a new menu item which will appear 
+  # on the various context menus that are used throughout Burp Suite to 
+  # handle user-driven actions.
+  # 
+  # @param menuItemCaption The caption to be displayed on the menu item.
+  # @param menuItemHandler The handler to be invoked when the user clicks
+  # on the menu item.
+  # 
+  def registerMenuItem(menuItemCaption, menuItemHandler)
+    _check_and_callback(:registerMenuItem, menuItemCaption, menuItemHandler)
+    issueAlert("Handler #{menuItemHandler} registered for \"#{menuItemCaption}\"")
+  end
+
   ### Event Handlers ###
 
   # This method is called by the BurpExtender java implementation upon 
@@ -371,15 +384,21 @@ class Buby
     pp([:got_callbacks, cb]) if $DEBUG
   end
 
-  ACTION_FOLLOW_RULES   = BurpExtender::ACTION_FOLLOW_RULES
-  ACTION_DO_INTERCEPT   = BurpExtender::ACTION_DO_INTERCEPT
-  ACTION_DONT_INTERCEPT = BurpExtender::ACTION_DONT_INTERCEPT
-  ACTION_DROP           = BurpExtender::ACTION_DROP
+  ACTION_FOLLOW_RULES              = BurpExtender::ACTION_FOLLOW_RULES
+  ACTION_DO_INTERCEPT              = BurpExtender::ACTION_DO_INTERCEPT
+  ACTION_DONT_INTERCEPT            = BurpExtender::ACTION_DONT_INTERCEPT
+  ACTION_DROP                      = BurpExtender::ACTION_DROP
+  ACTION_FOLLOW_RULES_AND_REHOOK   = BurpExtender::ACTION_FOLLOW_RULES_AND_REHOOK
+  ACTION_DO_INTERCEPT_AND_REHOOK   = BurpExtender::ACTION_DO_INTERCEPT_AND_REHOOK
+  ACTION_DONT_INTERCEPT_AND_REHOOK = BurpExtender::ACTION_DONT_INTERCEPT_AND_REHOOK
 
-  # seems we need to specifically render our 'message' to a string here in
-  # java. Otherwise there's flakiness when converting certain binary non-ascii
+  # Seems we need to specifically render our 'message' to a string here in
+  # ruby. Otherwise there's flakiness when converting certain binary non-ascii
   # sequences. As long as we do it here, it should be fine.
   #
+  # Note: This method maps to the 'processProxyMessage' method in the java 
+  # implementation of BurpExtender.
+  #
   # This method just handles the conversion to and from evt_proxy_message
   # which expects a message string 
   def evt_proxy_message_raw msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, message, action
@@ -401,6 +420,9 @@ class Buby
   #
   # Note: This method maps to the 'processProxyMessage' method in the java 
   # implementation of BurpExtender.
+  # 
+  # See also, evt_proxy_message_raw which is actually called before this
+  # in the BurpExtender processProxyMessage handler.
   #
   # Below are the parameters descriptions based on the IBurpExtender 
   # javadoc. Where applicable, decriptions have been modified for 

data/samples/menu_copy_req.rb

@@ -0,0 +1,44 @@
+module CopyRequest
+  def copyRequest(req)
+    req = case
+    when req.is_a?(Numeric)
+      # offset to match UI
+      self.proxy_history[req-1].req_str
+    when req.kind_of?(String)
+      req
+    when (req.respond_to?(:java_class) and req.java_class.to_s == "[B")
+      String.from_java_bytes(req)
+    when req.respond_to?(:req_str)
+      req.req_str
+    else
+      warn "unknown request type... ducking"
+      req
+    end
+    
+    java.awt.Toolkit.getDefaultToolkit.getSystemClipboard.setContents(java.awt.datatransfer.StringSelection.new(req), nil)
+    req
+  end
+  alias copy_request copyRequest
+  
+  def init_CopyRequest
+    CopyRequestHandler.init_handler("Copy request(s)", self)
+  end
+end
+
+module CopyRequestHandler
+  class << self
+    attr_accessor :_burp
+    attr_reader :menuItemCaption
+  end
+  
+  def self.init_handler(menuItemCaption, _burp = $burp)
+    @menuItemCaption = menuItemCaption
+    @_burp = _burp
+    @_burp.registerMenuItem(menuItemCaption, self)
+  end
+  
+  def self.menuItemClicked(menuItemCaption, messageInfo)
+    messageInfo = Buby::HttpRequestResponseList.new(messageInfo).map{|x| x.req_str}.join("\r\n\r\n#{'='*50}\r\n\r\n")
+    java.awt.Toolkit.getDefaultToolkit.getSystemClipboard.setContents(java.awt.datatransfer.StringSelection.new(messageInfo), nil)
+  end
+end

metadata

@@ -1,84 +1,94 @@
 --- !ruby/object:Gem::Specification 
 name: buby
 version: !ruby/object:Gem::Version 
-  version: 1.1.7
+  prerelease: false
+  segments: 
+    - 1
+    - 2
+    - 0
+  version: 1.2.0
 platform: java
 authors: 
-- Eric Monti - Matasano Security
+  - Eric Monti, tduehr
 autorequire: 
 bindir: bin
 cert_chain: []
 
-date: 2009-12-29 00:00:00 -06:00
+date: 2010-08-29 00:00:00 -05:00
 default_executable: buby
 dependencies: []
 
 description: Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger.  Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API.  This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.
-email: emonti@matasano.com
+email: emonti@matasano.com, td@matasano.com
 executables: 
-- buby
+  - buby
 extensions: []
 
 extra_rdoc_files: 
-- History.txt
-- README.rdoc
-- bin/buby
+  - History.txt
+  - README.rdoc
+  - bin/buby
 files: 
-- .bnsignore
-- History.txt
-- README.rdoc
-- Rakefile
-- VERSION
-- bin/buby
-- buby.gemspec
-- java/buby.jar
-- java/src/BurpExtender.java
-- java/src/burp/IBurpExtender.java
-- java/src/burp/IBurpExtenderCallbacks.java
-- java/src/burp/IHttpRequestResponse.java
-- java/src/burp/IScanIssue.java
-- java/src/burp/IScanQueueItem.java
-- lib/buby.rb
-- lib/buby/extends.rb
-- lib/buby/extends/buby_array_wrapper.rb
-- lib/buby/extends/http_request_response.rb
-- lib/buby/extends/scan_issue.rb
-- samples/drb_buby.rb
-- samples/drb_sample_cli.rb
-- samples/mechanize_burp.rb
-- samples/poc_generator.rb
-- samples/verb_tamperer.rb
-- samples/watch_scan.rb
-- test/buby_test.rb
+  - .gitignore
+  - History.txt
+  - README.rdoc
+  - Rakefile
+  - VERSION
+  - bin/buby
+  - buby.gemspec
+  - java/buby.jar
+  - java/src/BurpExtender.java
+  - java/src/burp/IBurpExtender.java
+  - java/src/burp/IBurpExtenderCallbacks.java
+  - java/src/burp/IHttpRequestResponse.java
+  - java/src/burp/IMenuItemHandler.java
+  - java/src/burp/IScanIssue.java
+  - java/src/burp/IScanQueueItem.java
+  - lib/buby.rb
+  - lib/buby/extends.rb
+  - lib/buby/extends/buby_array_wrapper.rb
+  - lib/buby/extends/http_request_response.rb
+  - lib/buby/extends/scan_issue.rb
+  - samples/drb_buby.rb
+  - samples/drb_sample_cli.rb
+  - samples/mechanize_burp.rb
+  - samples/menu_copy_req.rb
+  - samples/poc_generator.rb
+  - samples/verb_tamperer.rb
+  - samples/watch_scan.rb
+  - test/buby_test.rb
 has_rdoc: true
 homepage: http://emonti.github.com/buby
 licenses: []
 
 post_install_message: 
 rdoc_options: 
-- --main
-- README.rdoc
+  - --main
+  - README.rdoc
 require_paths: 
-- lib
-- java
+  - lib
+  - java
+  - java
 required_ruby_version: !ruby/object:Gem::Requirement 
   requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-  version: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+          - 0
+        version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-  version: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+          - 0
+        version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.5
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger
 test_files: 
-- test/buby_test.rb
+  - test/buby_test.rb

data/.bnsignore

@@ -1,27 +0,0 @@
-# The list of files that should be ignored by Mr Bones.
-# Lines that start with '#' are comments.
-#
-# A .gitignore file can be used instead by setting it as the ignore
-# file in your Rakefile:
-#
-#   PROJ.ignore_file = '.gitignore'
-#
-# For a project with a C extension, the following would be a good set of
-# exclude patterns (uncomment them if you want to use them):
-# *.[oa]
-
-.*
-*~
-*.swp
-.*.swp
-announcement.txt
-coverage*/
-doc
-pkg
-experimental
-reference
-lib/burp.jar
-*.class
-*.gem
-.DS_Store 
-