buby 1.2.0-java → 1.3.0-java

data/History.txt

@@ -1,3 +1,10 @@
+== 1.2.1 / 2011-01-27
+  * Fixed burp -v to print version... somewhat
+
+== 1.2.0 / 2010-08-29
+  * added menu item support from 1.3
+  * added some additional processing constants from 1.3
+
 == 1.1.7 / 2009-12-29
   * fix evt_proxy_message_raw bridge to modify proxy messages (broken in 1.1.6)
   * switched from bones to jeweler for project mgmt

data/README.rdoc

@@ -1,6 +1,6 @@
 buby
-  by Eric Monti
-  http://emonti.github.com/buby
+  by Eric Monti, Timur Duehr
+  http://tduehr.github.com/buby
 
 == DESCRIPTION:
 
@@ -55,7 +55,7 @@ minus ofcourse, Burp itself.
 Here are manual instructions if you want or need to build things yourself:
 
 ==== Step 1. Download buby from github
-  git clone git://github.com/emonti/buby.git
+  git clone git://github.com/tduehr/buby.git
 
 ==== Step 2. Compile BurpExtender.java. Include jruby.jar in the classpath:
 
@@ -253,14 +253,15 @@ And, assuming 'www.example.com' checks for valid request verbs, you should see s
 
 == CREDIT:
 * Burp and Burp Suite are trademarks of PortSwigger(ltd) 
-  Copyright 2008 PortSwigger Ltd. All rights reserved.
+  Copyright 2011 PortSwigger Ltd. All rights reserved.
   See http://portswigger.net for license terms.
 
-* This ruby library and the accompanying BurpExtender.java implementation are 
-  written by Eric Monti @ Matasano Security. Matasano Security claims no 
+* This ruby library and the accompanying BurpExtender.java implementation was 
+  originally written by Eric Monti @ Matasano Security. This ruby library is 
+  currently maintained by Timur Duehr @ Matasano Security.Matasano Security claims no 
   professional or legal affiliation with PortSwigger LTD.
 
-  However, the author would like to express his personal and professional 
+  However, the authors would like to express their personal and professional 
   respect and admiration to Burp's authors and appreciation to PortSwigger for 
   the availability of the IBurpExtender extension API.
 
@@ -270,7 +271,7 @@ And, assuming 'www.example.com' checks for valid request verbs, you should see s
 == LICENSE:
 
 * Burp and Burp Suite are trademarks of PortSwigger Ltd.
-  Copyright 2008 PortSwigger Ltd. All rights reserved.
+  Copyright 2011 PortSwigger Ltd. All rights reserved.
   See http://portswigger.net for license terms.
 
 * The Buby Ruby library and its accompanying BurpExtender implementation are
@@ -279,6 +280,7 @@ And, assuming 'www.example.com' checks for valid request verbs, you should see s
 (The MIT License)
 
 Copyright (C) 2009 Eric Monti, Matasano Security
+Copyright (C) 2010-2011 Timur Duehr, Matasano Security
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

data/Rakefile

@@ -9,7 +9,7 @@ begin
     gem.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger}
     gem.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger.  Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API.  This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.}
     gem.email = "emonti@matasano.com, td@matasano.com"
-    gem.homepage = "http://emonti.github.com/buby"
+    gem.homepage = "http://tduehr.github.com/buby"
     gem.authors = ["Eric Monti, tduehr"]
     gem.platform = "java"
     gem.test_files = ["test/buby_test.rb"]

data/VERSION

@@ -1 +1 @@
-1.2.0
+1.3.0

data/buby.gemspec

@@ -1,69 +1,65 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{buby}
-  s.version = "1.2.0"
+  s.version = "1.3.0"
   s.platform = %q{java}
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Eric Monti, tduehr"]
-  s.date = %q{2010-08-29}
+  s.date = %q{2011-06-14}
   s.default_executable = %q{buby}
   s.description = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger.  Burp is driven from and tied to JRuby with a Java extension using the BurpExtender API.  This extension aims to add Ruby scriptability to Burp Suite with an interface comparable to the Burp's pure Java extension interface.}
   s.email = %q{emonti@matasano.com, td@matasano.com}
   s.executables = ["buby"]
   s.extra_rdoc_files = [
     "History.txt",
-     "README.rdoc",
-     "bin/buby"
+    "README.rdoc",
+    "bin/buby"
   ]
   s.files = [
-    ".gitignore",
-     "History.txt",
-     "README.rdoc",
-     "Rakefile",
-     "VERSION",
-     "bin/buby",
-     "buby.gemspec",
-     "java/buby.jar",
-     "java/src/BurpExtender.java",
-     "java/src/burp/IBurpExtender.java",
-     "java/src/burp/IBurpExtenderCallbacks.java",
-     "java/src/burp/IHttpRequestResponse.java",
-     "java/src/burp/IMenuItemHandler.java",
-     "java/src/burp/IScanIssue.java",
-     "java/src/burp/IScanQueueItem.java",
-     "lib/buby.rb",
-     "lib/buby/extends.rb",
-     "lib/buby/extends/buby_array_wrapper.rb",
-     "lib/buby/extends/http_request_response.rb",
-     "lib/buby/extends/scan_issue.rb",
-     "samples/drb_buby.rb",
-     "samples/drb_sample_cli.rb",
-     "samples/mechanize_burp.rb",
-     "samples/menu_copy_req.rb",
-     "samples/poc_generator.rb",
-     "samples/verb_tamperer.rb",
-     "samples/watch_scan.rb",
-     "test/buby_test.rb"
+    "History.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "bin/buby",
+    "buby.gemspec",
+    "java/buby.jar",
+    "java/src/BurpExtender.java",
+    "java/src/burp/IBurpExtender.java",
+    "java/src/burp/IBurpExtenderCallbacks.java",
+    "java/src/burp/IHttpRequestResponse.java",
+    "java/src/burp/IMenuItemHandler.java",
+    "java/src/burp/IScanIssue.java",
+    "java/src/burp/IScanQueueItem.java",
+    "lib/buby.rb",
+    "lib/buby/extends.rb",
+    "lib/buby/extends/buby_array_wrapper.rb",
+    "lib/buby/extends/http_request_response.rb",
+    "lib/buby/extends/scan_issue.rb",
+    "samples/drb_buby.rb",
+    "samples/drb_sample_cli.rb",
+    "samples/mechanize_burp.rb",
+    "samples/menu_copy_req.rb",
+    "samples/poc_generator.rb",
+    "samples/verb_tamperer.rb",
+    "samples/watch_scan.rb",
+    "test/buby_test.rb"
   ]
-  s.homepage = %q{http://emonti.github.com/buby}
+  s.homepage = %q{http://tduehr.github.com/buby}
   s.rdoc_options = ["--main", "README.rdoc"]
   s.require_paths = ["lib", "java", "java"]
-  s.rubygems_version = %q{1.3.6}
+  s.rubygems_version = %q{1.5.1}
   s.summary = %q{Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger}
-  s.test_files = [
-    "test/buby_test.rb"
-  ]
+  s.test_files = ["test/buby_test.rb"]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
     else
     end
   else

data/java/src/BurpExtender.java

@@ -15,7 +15,7 @@ import org.jruby.runtime.builtin.IRubyObject;
  * for Burp Suite which provides glue between a Ruby runtime and Burp.
  *
  * This is a complete implementation of the Burp Extender interfaces available
- * as of Burp Suite 1.2/1.2.05
+ * as of Burp Suite 1.4
  */
 public class BurpExtender implements IBurpExtender { 
     public final static String INIT_METH =      "evt_extender_init";
@@ -185,11 +185,11 @@ public class BurpExtender implements IBurpExtender {
         };
 
         // slurp back in the action value in-case it's been changed
-        action[0] = ((int[]) JavaUtil.convertRubyToJava(r_action))[0];
+        action[0] = ((int[])r_action.toJava(int[].class))[0];
 
         IRubyObject ret = r_obj.callMethod(ctx(r_obj), PROXYMSG_METH, pxy_msg);
         if(ret != r_msg) {
-          return (byte[]) JavaUtil.convertRubyToJava(ret);
+          return (byte []) ret.toJava(byte[].class);
         }
       }
 

data/java/src/burp/IBurpExtenderCallbacks.java

@@ -1,5 +1,8 @@
 package burp;
 
+import java.util.List;
+import java.util.Map;
+
 /*
  * @(#)IBurpExtenderCallbacks.java
  *
@@ -95,9 +98,9 @@ public interface IBurpExtenderCallbacks
             java.net.URL url) throws Exception;
 
     /**
-     * This method can be used to send an HTTP request to the Burp Scanner 
-     * tool to perform an active vulnerability scan. If the request is not 
-     * within the current active scanning scope, the user will be asked if 
+     * This method can be used to send an HTTP request to the Burp Scanner
+     * tool to perform an active vulnerability scan. If the request is not
+     * within the current active scanning scope, the user will be asked if
      * they wish to proceed with the scan.
      *
      * @param host The hostname of the remote HTTP server.
@@ -112,7 +115,32 @@ public interface IBurpExtenderCallbacks
             int port,
             boolean useHttps,
             byte[] request) throws Exception;
-    
+
+    /**
+     * This method can be used to send an HTTP request to the Burp Scanner
+     * tool to perform an active vulnerability scan, based on a custom list
+     * of insertion points that are to be scanned. If the request is not
+     * within the current active scanning scope, the user will be asked if
+     * they wish to proceed with the scan.
+     *
+     * @param host The hostname of the remote HTTP server.
+     * @param port The port of the remote HTTP server.
+     * @param useHttps Flags whether the protocol is HTTPS or HTTP.
+     * @param request The full HTTP request.
+     * @param insertionPointOffsets A list of index pairs representing the
+     * positions of the insertion points that should be scanned. Each item in
+     * the list must be an int[2] array containing the start and end offsets
+     * for the insertion point.
+     * @return The resulting scan queue item.
+     * @throws java.lang.Exception
+     */
+    public IScanQueueItem doActiveScan(
+            String host,
+            int port,
+            boolean useHttps,
+            byte[] request,
+            List<int[]> insertionPointOffsets) throws Exception;
+
     /**
      * This method can be used to send an HTTP request to the Burp Scanner 
      * tool to perform a passive vulnerability scan.
@@ -186,7 +214,17 @@ public interface IBurpExtenderCallbacks
      * @return Details of items in the site map.
      */
     public IHttpRequestResponse[] getSiteMap(String urlPrefix);
-    
+
+
+    /**
+     * This method can be used to add an item to Burp's site map with the
+     * specified request/response details. This will overwrite the details
+     * of any existing matching item in the site map.
+     *
+     * @param item Details of the item to be added to the site map
+     */
+    public void addToSiteMap(IHttpRequestResponse item);
+
     /**
      * This method can be used to restore Burp's state from a specified 
      * saved state file. This method blocks until the restore operation is 
@@ -256,6 +294,42 @@ public interface IBurpExtenderCallbacks
             String menuItemCaption,
             IMenuItemHandler menuItemHandler);
 
+    /**
+     *
+     * This method causes Burp to save all of its current configuration as a
+     * Map of name/value Strings.
+     *
+     * @return A Map of name/value Strings reflecting Burp's current
+     * configuration.
+     */
+    public Map saveConfig();
+
+    /**
+     *
+     * This method causes Burp to load a new configuration from the Map of
+     * name/value Strings provided. Any settings not specified in the Map will
+     * be restored to their default values. To selectively update only some
+     * settings and leave the rest unchanged, you should first call
+     * <code>saveConfig</code> to obtain Burp's current configuration, modify
+     * the relevant items in the Map, and then call <code>loadConfig</code>
+     * with the same Map.
+     *
+     * @param config A map of name/value Strings to use as Burp's new
+     * configuration.
+     */
+    public void loadConfig(Map config);
+
+
+    /**
+     * 
+     * This method sets the interception mode for Burp Proxy.
+     * 
+     * @param enabled Indicates whether interception of proxy messages should 
+     * be enabled.
+     */
+    public void setProxyInterceptionEnabled(boolean enabled);
+
+
     /**
      * This method can be used to shut down Burp programmatically, with an 
      * optional prompt to the user. If the method returns, the user cancelled 
@@ -265,4 +339,12 @@ public interface IBurpExtenderCallbacks
      * shutdown.
      */
     public void exitSuite(boolean promptUser);
+    
+    /**
+     *  This method can be used to determine the version of the loaded burp at runtime.
+     *  This is included in the Javadoc for the extension interfaces but not the supplied interface files.
+     *  @return String array containing the product name, major version, and minor version.
+     */
+     public String[] getBurpVersion();
+
 }

data/java/src/burp/IHttpRequestResponse.java

@@ -122,4 +122,20 @@ public interface IHttpRequestResponse
      * @throws java.lang.Exception
      */
     short getStatusCode() throws Exception;
+
+    /**
+     * Returns the user-annotated comment for this item, if applicable.
+     *
+     * @return The user-annotated comment for this item, or null if none is set.
+     */
+    String getComment() throws Exception;
+
+    /**
+     * Sets the user-annotated comment for this item.
+     *
+     * @param comment The comment to be associated with this item.
+     * @throws Exception
+     */
+    void setComment(String comment) throws Exception;
+
 }

data/lib/buby.rb

@@ -61,7 +61,7 @@ include_class 'BurpExtender'
 #
 # Credit:
 # * Burp and Burp Suite are trade-marks of PortSwigger Ltd.
-#     Copyright 2008 PortSwigger Ltd. All rights reserved.
+#     Copyright 2011 PortSwigger Ltd. All rights reserved.
 #     See http://portswigger.net for license terms.
 #
 # * This ruby library and the accompanying BurpExtender.java implementation 
@@ -81,6 +81,11 @@ include_class 'BurpExtender'
 #
 class Buby
 
+  VERSION = 
+    if File.file?(f=::File.expand_path(File.join(::File.dirname(__FILE__), "../VERSION")))
+      File.read(f).chomp
+    end
+
   # :stopdoc:
   LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
   PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
@@ -122,9 +127,14 @@ class Buby
   #  * port = The port of the remote HTTP server.
   #  * https = Flags whether the protocol is HTTPS or HTTP.
   #  * req  = The full HTTP request. (String or Java bytes[])
-  def doActiveScan(host, port, https, req)
+  #  * insertionPointOffsets = A list of index pairs representing the
+  #  * positions of the insertion points that should be scanned. Each item in
+  #  * the list must be an int[2] array containing the start and end offsets
+  #  * for the insertion point. *1.4+* only
+  
+  def doActiveScan(host, port, https, req, ip_off)
     req = req.to_java_bytes if req.is_a? String
-    _check_cb.doActiveScan(host, port, https, req)
+    getBurpVersion ? _check_cb.doActiveScan(host, port, https, req, ip_off) : _check_cb.doActiveScan(host, port, https, req)
   end
   alias do_active_scan doActiveScan
   alias active_scan doActiveScan
@@ -224,7 +234,7 @@ class Buby
   #  * url = The new seed URL to begin spidering from.
   def sendToSpider(url)
     url = java.net.URL.new(url) if url.is_a? String
-    _check_cb.includeInScope(url)
+    _check_cb.sendToSpider(url)
   end
   alias send_to_spider sendToSpider
   alias spider sendToSpider
@@ -342,10 +352,81 @@ class Buby
   # @param menuItemHandler The handler to be invoked when the user clicks
   # on the menu item.
   # 
+  # This method is only available with Burp 1.3.07 and higher.
   def registerMenuItem(menuItemCaption, menuItemHandler)
     _check_and_callback(:registerMenuItem, menuItemCaption, menuItemHandler)
     issueAlert("Handler #{menuItemHandler} registered for \"#{menuItemCaption}\"")
   end
+  alias register_menu_item registerMenuItem
+
+  ### 1.3.09 methods ###
+
+  # This method can be used to add an item to Burp's site map with the
+  # specified request/response details. This will overwrite the details
+  # of any existing matching item in the site map.
+  # 
+  # @param item Details of the item to be added to the site map
+  #
+  # This method is only available with Burp 1.3.09+
+  def addToSiteMap(item)
+    _check_and_callback(:addToSiteMap, item)
+  end
+  alias add_to_site_map addToSiteMap
+
+  # This method causes Burp to save all of its current configuration as a
+  # Map of name/value Strings.
+  #
+  # @return A Map of name/value Strings reflecting Burp's current
+  # configuration.
+  #
+  # This method is only available with Burp 1.3.09+
+  def saveConfig
+    _check_and_callback(:saveConfig).to_hash
+  end
+  alias save_config saveConfig
+  alias config saveConfig
+
+  # This method causes Burp to load a new configuration from the Map of
+  # name/value Strings provided. Any settings not specified in the Map will
+  # be restored to their default values. To selectively update only some
+  # settings and leave the rest unchanged, you should first call
+  # <code>saveConfig</code> to obtain Burp's current configuration, modify
+  # the relevant items in the Map, and then call <code>loadConfig</code>
+  # with the same Map.
+  #
+  # @param config A map of name/value Strings to use as Burp's new
+  # configuration.
+  #
+  # This method is only available with Burp 1.3.09+
+  def loadConfig(conf)
+    _check_and_callback(:loadConfig, conf)
+  end
+  alias load_config loadConfig
+  alias config= loadConfig
+
+  ## 1.4 methods ##
+
+  # This method sets the interception mode for Burp Proxy.
+  # 
+  # @param enabled Indicates whether interception of proxy messages should 
+  # be enabled.
+  # 
+  def setProxyInterceptionEnabled(enabled)
+    _check_and_callback(:setProxyInterceptionEnabled, enabled)
+  end
+  alias proxy_interception_enabled setProxyInterceptionEnabled
+
+  # This method can be used to determine the version of the loaded burp at runtime.
+  # This is included in the Javadoc for the extension interfaces but not the supplied interface files.
+  # @return String array containing the product name, major version, and minor version.
+  def getBurpVersion
+    begin
+      _check_and_callback(:getBurpVersion)
+    rescue
+      nil
+    end
+  end
+  alias burp_version getBurpVersion
 
   ### Event Handlers ###
 

metadata

@@ -1,12 +1,8 @@
 --- !ruby/object:Gem::Specification 
 name: buby
 version: !ruby/object:Gem::Version 
-  prerelease: false
-  segments: 
-    - 1
-    - 2
-    - 0
-  version: 1.2.0
+  prerelease: 
+  version: 1.3.0
 platform: java
 authors: 
   - Eric Monti, tduehr
@@ -14,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-29 00:00:00 -05:00
+date: 2011-06-14 00:00:00 -05:00
 default_executable: buby
 dependencies: []
 
@@ -29,7 +25,6 @@ extra_rdoc_files:
   - README.rdoc
   - bin/buby
 files: 
-  - .gitignore
   - History.txt
   - README.rdoc
   - Rakefile
@@ -58,7 +53,7 @@ files:
   - samples/watch_scan.rb
   - test/buby_test.rb
 has_rdoc: true
-homepage: http://emonti.github.com/buby
+homepage: http://tduehr.github.com/buby
 licenses: []
 
 post_install_message: 
@@ -70,23 +65,21 @@ require_paths:
   - java
   - java
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        segments: 
-          - 0
         version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        segments: 
-          - 0
         version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.5.1
 signing_key: 
 specification_version: 3
 summary: Buby is a mashup of JRuby with the popular commercial web security testing tool Burp Suite from PortSwigger

data/.gitignore

@@ -1,7 +0,0 @@
-*.sw?
-.DS_Store
-coverage
-rdoc
-pkg
-*.gem
-*.class