Open tristanlatr opened 3 years ago
Hi @tristanlatr, can we use the 'recorded-login-script' command in Burpa? If so, how do we use it? Please share an example of how to use this.
Hi @ganesh2183, this feature is not implemented yet.
Any contributions would be appreciated.
Please have a look at the active_scan method there: https://github.com/tristanlatr/burpa/blob/main/burpa/_burp_commander.py#L78. It's a good starting point to implement this feature.
@tristanlatr I have tried to add the recorded login API to the burpa command. When I pass the recorded script in the command, I get "json.decoder.JSONDecodeError: Invalid \escape: line 10 column 77 (char 560)".
Any idea why I am getting this error and how to fix it?
This error means you are constructing an invalid JSON string in the data variable.
@tristanlatr I tried again; now I'm getting '400 Client Error: Bad Request...' Response: {"type":"ClientError","error":"could not parse recorded login sequence to JSON"}
Any idea what to do and how to fix this?
Can I share the code with my changes?
Yes please open a pull request such that I can see your changes. Thanks.
> This error means you are constructing an invalid JSON string in the data variable.

As you said, there is an issue with constructing the JSON string: the recorded script provided in the command prompt/PowerShell as input for the recorded_login_script argument cannot be parsed as the JSON string expected by the Burp tool. It is accepted if I replace the double quotes (") in the recorded script with triple-backslash double quotes so that the JSON parses. For example: `[{\\"name\\": \\"Burp Suite Navigation Recorder\\", \\"url\\": \\"https://example.com/login/index.html#/home\\", \\"isIframe\\": false}]`
Also, I tried using json.dumps() in the code; it is still not working.
Can you help to fix the issue?
Hello @ganesh2183,
Please read up on contributing with git to open one pull request with your changes, so I can test it and give a better review, and eventually, merge your work into this project.
Also, by looking at the code you proposed, it looks like you replaced the username/password authentication with the recorded login system. If you want to contribute, the changes should be compatible, so both options should be supported. Regarding the JSON parsing, maybe the script should be read from a file; that would be simpler for parsing the JSON?
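Added example (not part of the thread and not burpa's own code): one way to accept the recorded login script as either a file path or literal JSON text, validate it before sending, and let `json.dumps` handle the escaping when the script is nested as a string in the request body. The function names and the `urls`, `application_logins`, `RecordedLogin`, `label` and `script` field names are assumptions; they are not confirmed anywhere on this page.

```python
import json
import os
import tempfile

def load_recorded_login_script(value):
    """Return the recorded login script as compact JSON text.

    `value` is either a path to a file holding the recorded script or the
    JSON text itself. Raises ValueError if it is not a JSON array.
    """
    if os.path.isfile(value):
        with open(value, encoding="utf-8") as fh:
            value = fh.read()
    try:
        steps = json.loads(value)
    except json.JSONDecodeError as exc:
        # Shell-mangled input such as [{\"name\": ...}] ends up here,
        # before any request is sent.
        raise ValueError(f"recorded login script is not valid JSON: {exc}") from exc
    if not isinstance(steps, list):
        raise ValueError("recorded login script must be a JSON array of steps")
    return json.dumps(steps, separators=(",", ":"))

def build_scan_body(url, label, script_value):
    """Build the scan request body; json.dumps escapes the nested script."""
    # Field names below are assumed for illustration (not from the thread).
    body = {
        "urls": [url],
        "application_logins": [{
            "type": "RecordedLogin",
            "label": label,
            "script": load_recorded_login_script(script_value),
        }],
    }
    return json.dumps(body)

# Constructed sample, modelled on the snippet quoted in the thread.
SAMPLE = ('[{"name": "Burp Suite Navigation Recorder", '
          '"url": "https://example.com/login/index.html#/home", "isIframe": false}]')

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        tmp.write(SAMPLE)
    print(build_scan_body("https://example.com", "login", tmp.name))
    os.unlink(tmp.name)
```

Reading the script from a file keeps the double quotes away from cmd/PowerShell quoting rules, so no manual backslashes are needed on the command line.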
@tristanlatr Do you want me to do the pull request again? I will add both authentication methods.
I'm very new to Python coding. Also, can you help me with how to add a script that reads the JSON script file and parses the JSON? Is it possible to connect?
@tristanlatr I have opened one pull request with both authentication methods. Please have a look and let me know.
I need your help to add a script that reads the JSON script file and parses the JSON.
@tristanlatr Any update on this?
It would be quite simple to add `--recorded-login-label <string>` and `--recorded-login-script <string or path>` that fill the following active scan params: