Burp Suite User Forum

Sending an unmodified and a modified HTTP request

Bill | Last updated: Jun 24, 2019 05:20PM UTC

I am trying to write an extension that when the user makes a request the extension will send two requests, an unmodified request so that the browser will load normally and one where a parameter is added at the end of the URL to test the website's response. I have been able to either make the website load but the parameter not being added consistently (sometimes added correctly, sometimes not added at all, and sometimes added multiple times) or the parameter is added properly and the website will not load. This is the basics of what I have now (which is the inconsistent adding but websites are loading):

    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if (!messageIsRequest) {
            executor.submit(() -> modifyAndProcessHttpMessage(toolFlag, messageInfo, this));
        }
    }

    public static void modifyAndProcessHttpMessage(int toolFlag, IHttpRequestResponse messageInfo, BurpExtender burp) {
        // stringbuilder to create new request with size of the request plus a little for variable
        StringBuilder modifiedRequest = new StringBuilder(burp.helpers.bytesToString(messageInfo.getRequest()).length() + 32);
        // create copy of response
        IHttpRequestResponse newRequest = cloneIHttpRequestResponse(messageInfo);
        // split at new line
        String[] allLines = burp.helpers.bytesToString(newRequest.getRequest()).split("\\r?\\n");
        // split first line
        String[] firstLine = allLines[0].split(" ");
        // temp to hold first line
        StringBuilder tempFirst = new StringBuilder(allLines[0].length() + 16);
        // check the first char
        if (burp.helpers.bytesToString(newRequest.getRequest()).charAt(0) == 'G') {
            // check if there are variables in the path to determine concat
            if (firstLine[1].contains("?")) {
                firstLine[1] = firstLine[1].concat("&asdf=1234");
            } else {
                firstLine[1] = firstLine[1].concat("?asdf=1234");
            }
            // temp to hold first line
            StringBuilder temp = new StringBuilder(allLines[0].length() + 16);
            // recreate first line
            for (int i = 0; i < firstLine.length; i++) {
                temp.append(firstLine[i] + " ");
            }
            // set the first line in all lines to the first line
            allLines[0] = temp.toString();
            // recreate request
            for (int i = 0; i < allLines.length; i++) {
                modifiedRequest.append(allLines[i] + "\n");
            }
            // the final request in string form
            String finalRequestString = modifiedRequest.toString();
            // change from string to bytes and set request
            newRequest.setRequest(burp.helpers.stringToBytes(finalRequestString));
        } else if (burp.helpers.bytesToString(newRequest.getRequest()).charAt(0) == 'P') {
            // make sure it is post and not put
            if (burp.helpers.bytesToString(newRequest.getRequest()).charAt(1) == 'O') {
                // check if there are variables in the path to determine concat
                if (firstLine[1].contains("?")) {
                    firstLine[1] = firstLine[1].concat("&qwer=5678");
                } else {
                    firstLine[1] = firstLine[1].concat("?qwer=5678");
                }
                // recreate first line
                for (int i = 0; i < firstLine.length; i++) {
                    tempFirst.append(firstLine[i] + " ");
                }
                // set the first line in all lines to the first line
                allLines[0] = tempFirst.toString();
                // recreate request
                for (int i = 0; i < allLines.length; i++) {
                    modifiedRequest.append(allLines[i] + "\n");
                }
                // the final request in string form
                String finalRequestString = modifiedRequest.toString();
                // change from string to bytes and set request
                newRequest.setRequest(burp.helpers.stringToBytes(finalRequestString));
            } else {
                // don't need to do anything if it is not post or get
            }
        } else {
            // don't need to do anything if it is not post or get
        }
        // make request that will test the page
        IHttpRequestResponse modifiedRequestResponse = burp.callbacks.makeHttpRequest(newRequest.getHttpService(), newRequest.getRequest());
        if (modifiedRequestResponse.getResponse() == null) {
            modifiedRequestResponse.setResponse(new byte[0]);
        }
    }

There's been a lot of different versions of this and a lot of different tests tried so this code might have some janky parts from previous attempts. Any help and/or advice would be greatly appreciated! Thanks!

PortSwigger Agent | Last updated: Jun 25, 2019 10:33AM UTC

Hi Bill,

This is an interesting extension. One thing you need to consider is how to display output to the user. If the browser makes one request, you can only return one response to the user. You'll need to work out what to do with the other response. One idea: compare the two responses. If they are different, create an issue, something like "Server response varies when ?qwer parameter present".

I think the code you've sent will cause an infinite loop. When you call makeHttpRequest, this will trigger a new callback to processHttpMessage, resulting in uncontrolled recursion. You can avoid this by checking toolFlag and exiting if it equals TOOL_EXTENDER.

Also, can I encourage you to look at IExtensionHelpers.addParameter - this is usually a better way to add a parameter. Your code using tempFirst looks quite prone to bugs.

You may want to look at the Auto Repeater extension which has some similarities.
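The reply's three suggestions combined into one listener, as an added example that is not part of the original thread and is not PortSwigger's or the poster's code. The extension name, the single worker thread, and the status-code/length comparison (a crude stand-in for raising a scanner issue) are assumptions made for illustration.

```java
package burp;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class BurpExtender implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private final ExecutorService executor = Executors.newSingleThreadExecutor();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Parameter probe (example)"); // assumed name
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        // Requests sent through makeHttpRequest come back here flagged
        // TOOL_EXTENDER; skipping them stops the probe from probing itself.
        if (messageIsRequest || toolFlag == IBurpExtenderCallbacks.TOOL_EXTENDER) {
            return;
        }
        String method = helpers.analyzeRequest(messageInfo).getMethod();
        if (!method.equals("GET") && !method.equals("POST")) {
            return;
        }
        boolean get = method.equals("GET");
        executor.submit(() -> probe(messageInfo, get ? "asdf" : "qwer", get ? "1234" : "5678"));
    }

    private void probe(IHttpRequestResponse original, String name, String value) {
        // addParameter returns a new byte array, so the browser's request is untouched.
        IParameter extra = helpers.buildParameter(name, value, IParameter.PARAM_URL);
        byte[] probeRequest = helpers.addParameter(original.getRequest(), extra);
        IHttpRequestResponse probed = callbacks.makeHttpRequest(original.getHttpService(), probeRequest);
        byte[] a = original.getResponse();
        byte[] b = probed.getResponse();
        if (a == null || b == null) return; // one side has no response to compare
        short statusA = helpers.analyzeResponse(a).getStatusCode();
        short statusB = helpers.analyzeResponse(b).getStatusCode();
        // Crude comparison (assumption): dynamic pages can differ in length on their own.
        if (statusA != statusB || a.length != b.length) {
            callbacks.printOutput("Server response varies when ?" + name + " parameter present: "
                    + helpers.analyzeRequest(original).getUrl());
        }
    }
}
```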
