synopsys-sig / ATOR-Burp


"Error Condition Replacement" cannot support request body #37

Open 1135 opened 1 year ago

1135 commented 1 year ago

In the step:

3. Error Condition Replacement: Mark the trigger condition and also mark the place on the request where the replacement needs to be taken (map the extraction)

In fact, I could not choose a position in the HTTP request body at all! So sad.

I could choose a position in the HTTP request headers only.

Is this by design?

Will you support this function as soon as possible?

Thanks.

aditi-sharma27 commented 1 year ago

@1135 Hi, ATOR can perform replacement in both the header and body of requests. If you encounter any issues with selection and replacement in the body of a request, please share a sample request and we'll be happy to assist.

1135 commented 1 year ago

POST /api/access/save HTTP/1.1
Host: 10.1.1.1:8181
Content-Length: 4402
originalUrl: http://10.1.1.1:8181
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: userId=2;
Connection: close

{"product_id":"token"}

The position of "token" could not be selected using "From selecting"

tlh2857 commented 1 year ago

I'm having the exact same problem

tlh2857 commented 1 year ago

@aditi-synopsys - do you have any suggestions as to how to fix this or help troubleshoot? Much appreciated!

aditi-sharma27 commented 1 year ago

@tlh2857 Thanks for raising this. We are working on it. Allow us some time; we will let you know once we roll out this fix.

56754765875876 commented 11 months ago

I am having this problem as well. Under the Error Condition Replacement tab I am not able to select a position within the JSON request body. Attempting to do so shows no visible changes, and this error message is logged in the extension output: Exception in FROM SELECTION Cannot invoke "String.indexOf(String)" because "repextheader[0]" is null. Looks like this is the problem area: https://github.com/synopsys-sig/ATOR-Burp/blob/master/src/main/java/burp/MenuAllListener.java#L180

repextheader = ExtStringCreator.extractheader(repextselected, headers, bodyText);
bounds[0] = repextheader[0].indexOf(repextselected);
bounds[1] = bounds[0] + repextselected.length();

@aditi-synopsys Earlier in this issue you stated ATOR can perform replacement in both the header and body of requests. I read through the source code (albeit briefly) to find where the error is happening, and I noticed this: https://github.com/synopsys-sig/ATOR-Burp/blob/master/src/main/java/burp/ExtStringCreator.java#L136

public static String[] extractheader(String selectedText, String headers, String bodyText) {
    String[] ret = new String[2];
    ret[0] = ret[1] = null;
    boolean selectionTag = false;
    try {
        String[] headersList = headers.split("\\n");
        if (selectedText.equals("") || selectedText == null) {
            return null;
        }
        for(int i = 0; i < headersList.length; i++)
        {
            boolean matchedText = headersList[i].contains(selectedText); 
            if(matchedText) {
                selectionTag = true; // set true if selected text present in headers
                String[] matchedLine =headersList[i].split(" ");
                ret[0] = headersList[i];
                ret[1] = matchedLine[0];
                }
        }
        //bodyText = Extraction.removeNewLine(bodyText);
        if ((!selectionTag) && (isAlphaAndEquals(bodyText))){
            // to do if body format is like- csrftoken=jndjndienifh
            // currently handled in else part
        }
        if ((!selectionTag) && (isJSONValid(bodyText))){
            // to do- json body
        }
        else {

            Map<String, String> query_pairs = splitQuery(bodyText);
            String decodedSelectedText = URLDecoder.decode(selectedText, "UTF-8").strip();

            for (Map.Entry<String, String> query : query_pairs.entrySet()) {
               // Printing all elements of a Map
                if (query.getKey().equals(decodedSelectedText)) {
                    // to do
                }
                else if (query.getValue().equals(decodedSelectedText)) {
                    ret[0] = URLEncoder.encode(query.getKey(), "UTF-8").strip()+"="+URLEncoder.encode(query.getValue(), "UTF-8").strip();
                    ret[1] = query.getKey(); //key
                }   
           }
        }
    }
    catch(Exception e) {
        BurpExtender.callbacks.printOutput("Exception in header finding "+ e.getMessage());
    }
    return ret;

}

It looks like replacing text inside the body of JSON requests is not implemented. Specifically, this snippet:

if ((!selectionTag) && (isJSONValid(bodyText))){
    // to do- json body
}

For now, it seems this plugin does not support JSON request bodies. This is still an awesome BurpSuite plugin, it's proven very helpful and I've recommended this to everyone. It's frustrating, though, when even BurpSuite support recommends ATOR for this exact problem: https://forum.portswigger.net/thread/use-macros-and-session-handling-with-parameters-in-json-3353c2d2

Workaround

Downgrading to ATOR V2.1 solves the problem and works like a charm. I'm not totally sure why the latest version does extra-fancy request parsing, there's likely a use case the maintainers wish to support. Silently dropping support for JSON request bodies broke a big use case for this plugin, though.

EDIT: Turns out the older version only allows replacing static bodies.
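
A minimal sketch of what the empty JSON branch discussed above would need to return, as an added example that is not ATOR's code or the maintainers' fix. `JsonBodyLocator`, `locate` and `bounds` are hypothetical names, the sample body is the one from the request posted earlier in this thread, and only string-valued members are handled.

```java
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of ATOR: finds the JSON member whose string
// value equals the selected text and returns {matched segment, key}.
public class JsonBodyLocator {
    // Matches "key":"value" members with string values (escaped quotes allowed).
    private static final Pattern MEMBER = Pattern.compile(
        "\"((?:[^\"\\\\]|\\\\.)*)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    static String[] locate(String selectedText, String bodyText) {
        // Null check comes first, so a missing selection cannot throw.
        if (selectedText == null || selectedText.isEmpty() || bodyText == null) {
            return null;
        }
        Matcher m = MEMBER.matcher(bodyText);
        while (m.find()) {
            if (m.group(2).equals(selectedText)) {
                return new String[] { m.group(0), m.group(1) };
            }
        }
        return null; // no match: return null, not an array holding nulls
    }

    // Caller-side guard: compute bounds only when a segment was found.
    static int[] bounds(String selectedText, String bodyText) {
        String[] found = locate(selectedText, bodyText);
        if (found == null) {
            return null; // caller reports "not found" instead of hitting an NPE
        }
        // The value sits just before the segment's closing quote. indexOf()
        // is avoided because the key may contain the same text as the value.
        int start = found[0].length() - 1 - selectedText.length();
        return new int[] { start, start + selectedText.length() };
    }

    public static void main(String[] args) {
        String body = "{\"product_id\":\"token\"}"; // body from the sample request
        System.out.println(Arrays.toString(locate("token", body)));
        System.out.println(Arrays.toString(bounds("token", body)));
        System.out.println(Arrays.toString(bounds("absent", body)));
    }
}
```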