CSPT - Burp Extension for Client-Site Path Traversal Exploitation

:rocket: Introduction

Welcome to the CSPT Burp Suite extension, a tool that provides advanced capabilities and automation for finding and exploiting Client-Side Path Traversal.

This extension is a Burp Suite Passive Scanner. It reads your proxy history and looks for query parameters reflected inside the path of any other query. Please note that it will not find any DOM-based or stored CSPT until you use the canary token feature.

We appreciate your trust in this extension. Happy testing!

:star2: Features

The CSPT user interface is equipped with two primary components: the CSPT Tab and the False Positive List.

:mag_right: CSPT

This tab is the core of the extension.

:mag_right: How to use it

Browse your target application
Go to the CSPT tab
Verify that the source and sink scopes are correct
Check the sink HTTP methods you want to search
Click on Scan

:crossed_swords: Understanding the scan results

The reflected values are on the left. Click one to see the associated sources and the potential sinks.
To confirm it is not a false positive, you can right-click on a source and use the "Copy URL With Canary" feature. Then copy this URL inside your browser. If this URL triggers a request with the canary token inside the path, it means that a CSPT is present and an issue will be created.
Instead of testing all the sources one-by-one, you can use the "Export Sources With Canary". It will copy all potential sources with canaries. Then you just need to open all the links with your browser (some browser extensions are able to do that).
You can also modify or regenerate a new canary token.
In case some results are false positives, you can discard them. They will not be displayed in the next scan.

:crossed_swords: Finding sinks

If you have identified a CSPT, you will want to find exploitable sinks. The extension can help you to do it by right-clicking on a sink to "Send sinks(host/method) To Organizer".

Note: Now that Bambdas are implemented in Burp Proxy, this may be a more convenient way to find sinks.

:memo: False Positives List

To discard false positives, you just need to right-click on a source and set either the Parameter or URL as a false positive.
The "False Positive List" summarizes all defined rules and can be modified.

:arrow_down: Installation

To successfully install the CSPT extension, ensure you meet the following requirements:

Burp:

Most recent version of "Professional" or "Community" (older versions not supported).

Java:

The Montoya API needs Java 17 or later.

:computer: Building the CSPT extension from git

Install Java 17+. For example, in Debian-based distros:

$ sudo apt install -y openjdk-17-jdk
$ java --version
openjdk 17.0.6 2023-01-17

Clone the repo:

$ git clone https://github.com/doyensec/CSPTBurpExtension
$ cd CSPTBurpExtension

Build the CSPT extension:

$ ./gradlew build

Load the file build/CSPTBurpExtension.jar into Burp as a Java extension.

:scroll: Developing

The CSPT Burp Extension uses IntelliJ Forms for its UI. The .form files contain the actual UI layouts, while the associated .java files are partially auto-generated and the UI methods should not be modified directly, as all modifications are lost at compile time.

While developing, to make sure IntelliJ IDEA generates updated .java files, set it as follows:

Go to Settings > Build, Execution, Deployment > Build Tools > Gradle and set Buiild and run using: to IntelliJ IDEA
Go to Settings > Editor > GUI Designer and set Generate GUI into: to Java source code

After editing a form, if the Java file is not generated automatically, click on Build > Recompile <file>.form while in form editor.

:handshake: Contributing

CSPT Burp Extension thrives on community contributions. Whether you're a developer, researcher, designer, or bug hunter, your expertise is invaluable to us. We welcome bug reports, feedback, and pull requests. Your participation helps us continue to improve the extension, making it a stronger tool for the community.

Interactions are best carried out through the GitHub issue tracker, but you can also reach us on social media (@Doyensec). We look forward to hearing from you!

:busts_in_silhouette: Contributors

A special thanks to our contributors. Your dedication and commitment have been instrumental in making this extension what it is today.

Current:

Maintainer: Maxence Schmitt @maxenceschmitt (Twitter)
Contributor: Savio Sisco @lokiuox (Github)

This project was made with support of Doyensec.

Doyensec Research

doyensec / CSPTBurpExtension

readme