Class: Buby::ScannerInsertionPoint Abstract

Inherits:
Object
Includes:
Java::Burp::IScannerInsertionPoint
Defined in:
lib/buby/scanner_insertion_point.rb

Overview

This class is abstract.

Subclass for specific insertion point flavors used.

This interface is used to define an insertion point for use by active Scanner checks. Extensions can obtain instances of this interface by registering an IScannerCheck, or can create instances for use by Burp’s own scan checks by registering an IScannerInsertionPointProvider.

Constant Summary

INS_PARAM_URL = 0x00
INS_PARAM_BODY = 0x01
0x02
INS_PARAM_XML = 0x03
INS_PARAM_XML_ATTR = 0x04
INS_PARAM_MULTIPART_ATTR = 0x05
INS_PARAM_JSON = 0x06
INS_PARAM_AMF = 0x07
INS_HEADER = 0x20
INS_URL_REST = 0x21
INS_PARAM_NAME_URL = 0x22
INS_PARAM_NAME_BODY = 0x23
INS_USER_PROVIDED = 0x40
INS_EXTENSION_PROVIDED = 0x41
INS_UNKNOWN = 0x7f

Instance Method Summary

Constructor Details

#initialize(name = nil, type = INS_UNKNOWN, base_value = nil, offsets = nil) ⇒ ScannerInsertionPoint
#initialize(hash) ⇒ ScannerInsertionPoint

This method is abstract.

Subclass and override for the specific insertion point flavors used by the implementation.

Returns a new instance of ScannerInsertionPoint.

Overloads:

  • #initialize(name = nil, type = INS_UNKNOWN, base_value = nil, offsets = nil) ⇒ ScannerInsertionPoint

    Parameters:

    • name (String) (defaults to: nil)
    • type (Fixnum) (defaults to: INS_UNKNOWN)
    • base_value (String) (defaults to: nil)
    • offsets (Array<Fixnum>) (defaults to: nil)
  • #initialize(hash) ⇒ ScannerInsertionPoint

    Parameters:

    • hash (Hash)

      Hash containing instance information

# File 'lib/buby/scanner_insertion_point.rb', line 38

def initialize(*args)
  if args.first.kind_of? Hash
    # Hash form: read every attribute, accepting symbol or string keys
    hsh = args.first
    @name       = hsh[:name]       || hsh['name']
    @type       = hsh[:type]       || hsh['type']
    @base_value = hsh[:base_value] || hsh['base_value']
    @offsets    = hsh[:offsets]    || hsh['offsets']
  else
    # Positional form: name, type, base_value, offsets
    @name, @type, @base_value, @offsets = args
  end
end

Instance Method Details

#buildRequest(payload) ⇒ Array<byte>

This method is abstract.
TODO:

figure out wrapping these calls (method_missing magic?)

Note:

Burp’s built-in scan checks do not apply any payload encoding (such as URL-encoding) when dealing with an extension-provided insertion point. Custom insertion points are responsible for performing any data encoding that is necessary given the nature and location of the insertion point.

This method is used to build a request with the specified payload placed into the insertion point. Any necessary adjustments to the Content-Length header will be made by the Scanner itself when the request is issued, and there is no requirement for the insertion point to do this.

Parameters:

  • payload (Array<byte>)

    The payload that should be placed into the insertion point.

Returns:

  • (Array<byte>)

    The resulting request.

# File 'lib/buby/scanner_insertion_point.rb', line 86

def buildRequest(payload)
  # ...
end

#getBaseValue ⇒ String

This method is abstract.

This method returns the base value for this insertion point.

Returns:

  • (String)

    the base value that appears in this insertion point in the base request being scanned, or nil if there is no value in the base request that corresponds to this insertion point.

# File 'lib/buby/scanner_insertion_point.rb', line 63

def getBaseValue
  @base_value
end

#getInsertionPointName ⇒ String

This method returns the name of the insertion point.

Returns:

  • (String)

    The name of the insertion point (for example, a description of a particular request parameter).

# File 'lib/buby/scanner_insertion_point.rb', line 52

def getInsertionPointName
  @name || self.class.name
end

#getInsertionPointType ⇒ Fixnum

This method returns the type of the insertion point.

Returns:

  • (Fixnum)

    The type of the insertion point, one of the INS_* constants (INS_UNKNOWN if none was set).

# File 'lib/buby/scanner_insertion_point.rb', line 114

def getInsertionPointType
  @type || INS_UNKNOWN
end

#getPayloadOffsets(payload) ⇒ Array<Fixnum>

This method is abstract.
TODO:

figure out wrapping these calls (method_missing magic?)

This method is used to determine the offsets of the payload value within the request, when it is placed into the insertion point. Scan checks may invoke this method when reporting issues, so as to highlight the relevant part of the request within the UI.

Parameters:

  • payload (Array<byte>)

    The payload that should be placed into the insertion point.

Returns:

  • (Array<Fixnum>)

    An int array containing the start and end offsets of the payload within the request, or nil if this is not applicable (for example, where the insertion point places a payload into a serialized data structure, the raw payload may not literally appear anywhere within the resulting request).

# File 'lib/buby/scanner_insertion_point.rb', line 105

def getPayloadOffsets(payload)
  @offsets
end
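A concrete insertion point that covers the points made in the overview, #buildRequest and #getPayloadOffsets above: the subclass must do its own payload encoding (Burp applies none for extension-provided insertion points), must not touch Content-Length, and should report where the encoded payload lands so scan checks can highlight it. This is an added example, not code from the buby project. Because buby needs JRuby and Burp, the example uses a hypothetical `ScannerInsertionPointBase` that mirrors the documented constructor and method names in plain Ruby; `UrlParamInsertionPoint`, the sample request and `ERB::Util.url_encode` as the encoder are all assumptions of this example.

```ruby
require 'erb'   # ERB::Util.url_encode, used to encode the payload for a URL context

# Constants mirrored from Buby::ScannerInsertionPoint (only the two this example needs).
INS_PARAM_URL = 0x00
INS_UNKNOWN   = 0x7f

# Hypothetical stand-in for Buby::ScannerInsertionPoint so the example runs in plain
# Ruby without JRuby/Burp: same constructor and method names as the documented class.
class ScannerInsertionPointBase
  def initialize(name = nil, type = INS_UNKNOWN, base_value = nil, offsets = nil)
    @name, @type, @base_value, @offsets = name, type, base_value, offsets
  end

  def getInsertionPointName; @name || self.class.name; end
  def getInsertionPointType; @type || INS_UNKNOWN; end
  def getBaseValue;          @base_value;            end
  def getPayloadOffsets(_payload); @offsets; end

  def buildRequest(_payload)
    raise NotImplementedError, "#{self.class} must implement buildRequest"
  end

  private

  # Burp hands payloads over as byte arrays; accept Array<Integer> or String.
  def bytes_to_string(payload)
    payload.is_a?(String) ? payload.b : payload.pack('C*')
  end
end

# Insertion point for one query-string parameter in the request line.
# Burp does no encoding for extension-provided insertion points, so this class
# URL-encodes the payload itself and reports byte offsets of the encoded form.
class UrlParamInsertionPoint < ScannerInsertionPointBase
  def initialize(base_request, param_name)
    @base_request = base_request.b          # binary string: char index == byte offset
    request_line  = @base_request.lines.first.to_s
    m = request_line.match(/[?&]#{Regexp.escape(param_name)}=([^&\s]*)/)
    raise ArgumentError, "parameter #{param_name} not found in request line" unless m
    @value_start = m.begin(1)               # where the existing value starts
    @value_end   = m.end(1)                 # ...and ends (exclusive)
    super("URL parameter #{param_name}", INS_PARAM_URL, m[1], [@value_start, @value_end])
  end

  # The payload as it will appear in the request (URL-encoded).
  def encode(payload)
    ERB::Util.url_encode(bytes_to_string(payload))
  end

  # Replace the base value with the encoded payload. Content-Length is left alone:
  # the Scanner adjusts it when the request is issued.
  def buildRequest(payload)
    req = @base_request.dup
    req[@value_start...@value_end] = encode(payload)
    req.bytes
  end

  # Start/end byte offsets of the payload in the built request, so a scan check
  # can highlight the relevant part of the request in the UI.
  def getPayloadOffsets(payload)
    [@value_start, @value_start + encode(payload).bytesize]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request (not captured traffic).
  base  = "GET /search?q=shoes&page=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
  ip    = UrlParamInsertionPoint.new(base, 'q')
  built = ip.buildRequest("a b'c".bytes).pack('C*')
  s, e  = ip.getPayloadOffsets("a b'c".bytes)
  puts built.lines.first
  puts "payload at bytes #{s}...#{e}: #{built[s...e]}"
end
```

Two design points carry over to a real buby subclass: work on a binary copy of the request so the reported offsets are byte offsets rather than character indices, and compute the offsets from the encoded payload, since that is what actually appears in the request. Where the encoded form cannot be located as one contiguous run (a serialized structure, for instance), getPayloadOffsets should return nil instead, as the documentation above allows.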