search

CoreyD97 / Stepper

A natural evolution of Burp Suite's Repeater tool
GNU Affero General Public License v3.0
194 stars 38 forks source link

Stepper Sequence fails - Variable values with "\" are considered as regex and not parsed as values properly #49

Closed iamyuthan closed 3 years ago

iamyuthan commented 3 years ago

Dear @CoreyD97, I take this moment to first thank you for developing this extender and logger++. And, thank you for making these open-source. Thank you very much for extending your innovations to help others.

Now let me elaborate the bug to you. While grepping the value for a variable from a response, if the value has a backslash "\" (e.g., rsdj4\xdehe\0gfgd), the variable is not parsed by stepper anywhere as the exact value; instead, it considers it as regex function escape value and removes it from the result.

Example:

Response:

{"token":"jfdf7\fdf_435fd\b-fgr8"}

Stepper assigning the variable value properly as below:

(Variable) token - jfdf7\fdf_435fd\b-fgr8

While using it inside stepper sequence or anywhere outside the stepper extender, it results like below:

Inside Stepper (Sequence):

Input: $VAR:token$

Output: jfdf7fdf_435fdb-fgr8

Outside Stepper (Anywhere out side stepper like Repeater, Proxy, other extenders, etc.):

Input: $VAR:Sequence:token$

Output: jfdf7fdf_435fdb-fgr8

Because of this constantly the sequence of requests fails where the values have backslashes.

CoreyD97 commented 3 years ago

First up, thanks for the kind words, folks like you are why I develop my apps :)

As for the issue, this seems to be caused by the Matcher.replaceAll method treating backslashes as escape characters rather than literals.

Since my last commit to try to fix #38, I replaced the use of the pattern matcher with a byte-based matcher which should also fix this issue. If you want to give it a try in the meantime, that release is linked in that ticket.

Thanks

iamyuthan commented 3 years ago

First up, thanks for the kind words, folks like you are why I develop my apps :)

As for the issue, this seems to be caused by the Matcher.replaceAll method treating backslashes as escape characters rather than literals.

Since my last commit to try to fix #38, I replaced the use of the pattern matcher with a byte-based matcher which should also fix this issue. If you want to give it a try in the meantime, that release is linked in that ticket.

Thanks

Hey @CoreyD97, I appreciate your prompt attention to my request.

I am not from a development background; can you please help me to understand it better?

I am using the Stepper available in BappStore. I tried downloading the latest version by cloning the git in my windows, but the installation failed while building it with Gradle. The following error is thrown.

image

Also, I have checked issue #38, but I couldn’t find the solution for my issue. I tried downloading the package provided under issue #38, and it throws an error as follows.

image image

Kindly guide me on how to install the latest version manually to the Burp.

iamyuthan commented 3 years ago

@CoreyD97, please provide the instructions for me to install the bundle manually in windows.