search

RhinoSecurityLabs / IPRotate_Burp_Extension

Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
807 stars 144 forks source link

All requests return 404 error and IProtate shows error yet also says "enabled" #24

Closed sachalachin closed 4 years ago

sachalachin commented 4 years ago

Hi, The project I'm working on has now installed a rate limiter for all http requests which is working nicely. I hence discovered this extension which I intend to use to see if I can bypass this. Unfortunately, every time I try to use, say, burp Intruder, it just throws back 404 error with a "cannot POST" response.

The IP rotate extension seems to be connecting and submitting queries through the API (I can see from aws dashboard) yet it also gives me some errors in the burp suite extender output. I've triple checked that the keys I'm using are correct, and the extension says "enabled" which makes me wonder why it's not working.

I'm running win10, have installed python and boto3, and set up python environment for burp.

image

image

This is what intruder returns: HTTP/1.1 404 Not Found Date: Mon, 01 Jun 2020 11:57:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 144 Connection: close x-amzn-RequestId: xxxxxxxxxxx x-amzn-Remapped-Content-Length: 144 Content-Security-Policy: default-src 'none' x-amzn-Remapped-Connection: keep-alive x-amz-apigw-id: xxxxx= X-Content-Type-Options: nosniff x-amzn-Remapped-Date: Mon, 01 Jun 2020 11:57:10 GMT

<!DOCTYPE html>

Error 
Cannot POST /auth
DaveYesland commented 4 years ago

The errors in the first screenshot seem to be coming from the startAPIGateway function which is called to enable the gateways. That error should mean it was not even able to start the gateways, this typically happens when the keys you are using are invalid or have a trailing space after one of them or something. My guess is these errors and the "cannot POST /auth" error from the application are not related. Maybe these errors are from previous attempts to start the gateways?

Can you remove the extension then re add it, then enable the gateways and check the Burp console output before sending any requests to the application?

sachalachin commented 4 years ago

The errors in the first screenshot seem to be coming from the startAPIGateway function which is called to enable the gateways. That error should mean it was not even able to start the gateways, this typically happens when the keys you are using are invalid or have a trailing space after one of them or something. My guess is these errors and the "cannot POST /auth" error from the application are not related. Maybe these errors are from previous attempts to start the gateways?

Can you remove the extension then re add it, then enable the gateways and check the Burp console output before sending any requests to the application?

Thanks. I removed then re-added the extension, and the output from the UI (running gui) is as follows: Following regions and API IDs started: {'eu-west-3': u'ggcxsi5ypa', 'eu-north-1': u'q4t96qqs3h', 'eu-west-2': u'm3e6zq778e', 'eu-west-1': u'5jpv5k6j6l', 'sa-east-1': u'n71uzq4n0m', 'eu-central-1': u'qactsfqta1', 'us-east-1': u'cxp9oxu335', 'us-east-2': u'mlj4ytputl', 'us-west-1': u'jnck2wtjee', 'us-west-2': u'ur934myzw2'} List of endpoints being used: [u'ggcxsi5ypa.execute-api.eu-west-3.amazonaws.com', u'q4t96qqs3h.execute-api.eu-north-1.amazonaws.com', u'm3e6zq778e.execute-api.eu-west-2.amazonaws.com', u'5jpv5k6j6l.execute-api.eu-west-1.amazonaws.com', u'n71uzq4n0m.execute-api.sa-east-1.amazonaws.com', u'qactsfqta1.execute-api.eu-central-1.amazonaws.com', u'cxp9oxu335.execute-api.us-east-1.amazonaws.com', u'mlj4ytputl.execute-api.us-east-2.amazonaws.com', u'jnck2wtjee.execute-api.us-west-1.amazonaws.com', u'ur934myzw2.execute-api.us-west-2.amazonaws.com']

Now, there's nothing coming out of the error console, which seems to be better. I sent some demo requests, and there's no longer any POST error - success? Well, slightly, you see, the requests are still being rate limited and the response comes back as "error, host actively rate limited". For some reason it seems like it's not sending anything through the gateway and/or changing IPs, as it's an IP based rate limit. It's clear that the extension isn't being used because if I switch IPs with a native OS VPN, the rate limit is bypassed for a few requests before kicking in again on the new IP.

DaveYesland commented 4 years ago

There is an X-Forward-For header which is sent along with API Gateway requests, it contains your real IP, maybe they are using this to rate-limit. There is a recent update to handle this: https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension/commit/d561b5f18d8c64cc02e56d7c830e4126f36a6bab

Give that a shot but either way this seems to be something happening on the application side not an error in the extension.