ilmila / J2EEScan

J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
GNU General Public License v2.0

Refactoring on the "passive" rules #3

Closed h3xstream closed 9 years ago

h3xstream commented 9 years ago

I wanted to add a passive rule. Prior to integrating the new rule, I wanted to suggest a modular way to organize the different types of analysis. All the passive analyses were placed in the HTTPMatcher utility class.

h3xstream commented 9 years ago

A small clarification regarding how the creation of the string respBody was changed.

The response content used to be converted to a string and then substringed. bodyOffset refers to a byte offset. A string contains chars instead of bytes. (A char can contain multiple bytes.)

For this reason, if the headers contain extended Unicode characters*, the substring operation would skip some of the first bytes of the body. Also, there is a potential OutOfBoundException for an empty response body.

* In theory, only ASCII (ISO/IEC 8859-1) characters should be used. But there could be a confusion during the String creation that forms a Unicode character. Also, the body could be using a different encoding.
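Added illustration of the byte-offset versus char-offset problem described in the comment above; this is not code from this PR or from J2EEScan. The sample response and the bodyOffset() helper are constructed stand-ins for what Burp's analyzeResponse().getBodyOffset() would report, and the Set-Cookie header deliberately carries a 2-byte UTF-8 character:

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class BodyOffsetDemo {
    // Constructed sample response: "é" in the cookie is 1 char but 2 bytes in UTF-8,
    // so the decoded String is one char shorter than the byte array.
    static final byte[] RESPONSE = (
        "HTTP/1.1 200 OK\r\n" +
        "Set-Cookie: name=caf\u00e9\r\n" +
        "Content-Type: text/html\r\n" +
        "\r\n" +
        "<html>body</html>").getBytes(StandardCharsets.UTF_8);

    // Byte index of the first body byte (hypothetical stand-in for Burp's getBodyOffset()).
    static int bodyOffset(byte[] response) {
        for (int i = 0; i + 3 < response.length; i++) {
            if (response[i] == '\r' && response[i + 1] == '\n'
                    && response[i + 2] == '\r' && response[i + 3] == '\n') {
                return i + 4;
            }
        }
        return response.length; // no blank line: treat the body as empty
    }

    // The pattern the PR replaces: decode everything, then cut at a BYTE offset
    // inside a CHAR string. Every multi-byte char before the body shifts the cut.
    static String bodyBuggy(byte[] response, int offset) {
        return new String(response, StandardCharsets.UTF_8).substring(offset);
    }

    // Cut the bytes first, then decode only the body; an empty body yields "".
    static String bodyFixed(byte[] response, int offset) {
        if (offset >= response.length) return "";
        byte[] body = Arrays.copyOfRange(response, offset, response.length);
        return new String(body, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        int off = bodyOffset(RESPONSE);
        System.out.println("buggy: [" + bodyBuggy(RESPONSE, off) + "]"); // leading '<' is lost
        System.out.println("fixed: [" + bodyFixed(RESPONSE, off) + "]"); // full "<html>body</html>"

        // Same headers, empty body: the decoded String is shorter than the byte
        // offset, so substring(off) throws; the byte-based version returns "".
        byte[] empty = Arrays.copyOfRange(RESPONSE, 0, off);
        try { bodyBuggy(empty, off); }
        catch (StringIndexOutOfBoundsException e) { System.out.println("buggy threw: " + e); }
        System.out.println("fixed: [" + bodyFixed(empty, off) + "]");
    }
}
```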

h3xstream commented 9 years ago

I have pushed the actual rule implementation: 48f98b238101142f246bcccd1b5fcd24273d21e0

Move Pattern instance from local variable to static field

It avoids recompiling the regex on each scan or loop iteration. (Better explanation: http://stackoverflow.com/a/1721778)

Dependency changes

I upgraded JUnit and added Mockito. Feel free to refuse this change. I can do the tests with EasyMock.

Also: sorry for the load of changes all at once.