SRePlay v2.0 ....
d3vilbug committed Apr 23, 2021
1 parent 333be2e commit a8e315a
Showing 5 changed files with 198 additions and 79 deletions.
28 changes: 21 additions & 7 deletions README.md
Expand Up @@ -5,7 +5,9 @@

**Burpsuite Plugin to bypass strict RePlay protection**

<img src="https://i.imgur.com/TQmGDqD.png" />
<img src="https://i.imgur.com/dY17I6A.png" />



### Requirements
- Burpsuite
Expand All @@ -18,13 +20,26 @@ It is design for a scenario where we can't replay requests more than once as the

- It will extract the value of token from the last response and automatically update the request with the new token on the fly

### Usage Guide

The detailed usage guide can be found <a href="">SRePlay - Bypass Strict Replay Protection</a>.

### How it works
- Provide the Host URL (e.g https://abc.com)
- Provide token parameter name to capture and replace token
- One initial value for parameter
- Click on *`Start SRePlay`*
- Provide `Host URL`
- Provide `Response parameter name`
- Provide `Request parameter name`
- Provide `Parameter Initial Value`
- Press `Start SRePlay`

<img src="https://i.imgur.com/IfmjO7r.png">



### SRePlay in Action

<img src="https://i.imgur.com/69W1CL8.gif">


<img src="https://i.imgur.com/bbaOXmH.png" />

### Limitation
- Will only work with single thread on Scanner and Intruder
Expand All @@ -36,4 +51,3 @@ It is design for a scenario where we can't replay requests more than once as the

### Improvements
- Multi-session / threading support
- Repeater / Intruder / Scanner UI customization
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -3,7 +3,7 @@ plugins {
}

group 'com.bugzy.burp.SReplay'
version '1.0'
version '2.0'

repositories {
mavenCentral()
54 changes: 35 additions & 19 deletions src/main/java/burp/BurpExtender.java
Expand Up @@ -11,7 +11,7 @@
*/
public class BurpExtender implements IBurpExtender, IHttpListener, ITab{

public String ExtensionName = "Strict Replay (SRePlay)";
public String ExtensionName = "SRePlay";
public String TabName = "SRePlay";
public String myHeader = "SRePlay: Bypass";

Expand All @@ -30,7 +30,8 @@ public class BurpExtender implements IBurpExtender, IHttpListener, ITab{

public SRePlay _SRePlay;
public String _host;
public String _parameter;
public String _req_parameter;
public String _res_parameter;
public String _value;


Expand All @@ -42,7 +43,9 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
this.stderr = new PrintWriter(callbacks.getStderr(), true);
this.callbacks.setExtensionName(this.ExtensionName);
this._SRePlay = new SRePlay(this);




this.callbacks.addSuiteTab(this);
this.stdout.println("SRePlay - Installed !!!");
}
Expand All @@ -67,7 +70,6 @@ public void stop_SRePlay(){
this.callbacks.removeHttpListener(this);
}


public String get_host(String _url){
try{
URL abc = new URL(_url);
Expand All @@ -77,14 +79,12 @@ public String get_host(String _url){
return _url;
}
}



@Override
public String getTabCaption() {
return this.TabName;
}


@Override
public Component getUiComponent() {
return this._SRePlay;
Expand All @@ -102,8 +102,7 @@ private String update_req_json(byte[] _req, String _param, String _value){
if(_fi < 0) { return messageBody; }

_fi = _fi + _param.length() + 3;
int _si = messageBody.indexOf("\",", _fi);

int _si = messageBody.indexOf("\"", _fi);

messageBody = messageBody.substring(0, _fi) + _value + messageBody.substring(_si, messageBody.length());
return messageBody;
Expand All @@ -112,25 +111,31 @@ private String update_req_json(byte[] _req, String _param, String _value){

@Override
public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
if(this._repeater && (toolFlag == IBurpExtenderCallbacks.TOOL_REPEATER)) {}
else if(this._intruder && (toolFlag == IBurpExtenderCallbacks.TOOL_INTRUDER)) {}
else if(this._scanner && (toolFlag == IBurpExtenderCallbacks.TOOL_SCANNER)) {}
else { return; }


if(messageIsRequest){
IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
String URL = new String(reqInfo.getUrl().toString());
List headers = reqInfo.getHeaders();

if(IBurpExtenderCallbacks.TOOL_REPEATER != toolFlag && IBurpExtenderCallbacks.TOOL_INTRUDER != toolFlag && IBurpExtenderCallbacks.TOOL_SCANNER != toolFlag){ return; }


if(this._host.contains(get_host(URL))){
print_output("PHTM-Req :: Host URL Detected", URL);

byte[] _request = messageInfo.getRequest();

if(reqInfo.getContentType() == 4){
String messageBody = update_req_json(_request, _parameter, _value);
String messageBody = update_req_json(_request, _req_parameter, _value);
headers.add(this.myHeader);
_request = this.helpers.buildHttpMessage(headers, messageBody.getBytes());
}
else {
IParameter _p = this.helpers.getRequestParameter(_request, _parameter);
IParameter _p = this.helpers.getRequestParameter(_request, _req_parameter);
if (_p == null || _p.getName().toString().length() == 0){ return; }
IParameter _newP = this.helpers.buildParameter(_parameter, _value, _p.getType());
IParameter _newP = this.helpers.buildParameter(_req_parameter, _value, _p.getType());
_request = this.helpers.removeParameter(_request, _p);
_request = this.helpers.addParameter(_request, _newP);
headers.add(this.myHeader);
Expand All @@ -139,8 +144,11 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
String tmpreq = new String(_request);
String messageBody = new String(tmpreq.substring(reqInfo2.getBodyOffset())).trim();
_request = this.helpers.buildHttpMessage(headers, messageBody.getBytes());

}


print_output("PHTM-Req :: Final Encrypted Request", new String(_request));

messageInfo.setRequest(_request);
}

Expand All @@ -150,18 +158,26 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
String URL = new String(reqInfo.getUrl().toString());
List headers = reqInfo.getHeaders();

if(IBurpExtenderCallbacks.TOOL_REPEATER != toolFlag && IBurpExtenderCallbacks.TOOL_INTRUDER != toolFlag && IBurpExtenderCallbacks.TOOL_SCANNER != toolFlag){ return; }

if(!headers.contains(this.myHeader)){
return;
}


if(this._host.contains(get_host(URL))){
print_output("PHTM-Res :: Host URL Detected", URL);

byte[] _response = messageInfo.getResponse();
IParameter _p = this.helpers.getRequestParameter(_response, _parameter);
IParameter _p = this.helpers.getRequestParameter(_response, _res_parameter);
if (_p == null || _p.getName().toString().length() == 0){ return; }
this._value = _p.getValue().toString();

print_output("PHTM-Res :: new parameter value", _p.getValue().toString());
}

}
}




}
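Review bot: In `update_req_json`, the closing-quote search `int _si = messageBody.indexOf("\"", _fi);` is used without a check, so when no `"` follows the parameter `_si` is -1 and `messageBody.substring(_si, messageBody.length())` throws instead of leaving the request untouched. Guard it the same way the hunk already guards `_fi`: `if(_si < 0) { return messageBody; }`. Stopping at the first `"` also cuts the old value short when it contains an escaped quote, and `_value` is spliced in without JSON escaping, so a token captured from a response can alter the structure of the rebuilt body; a one-line comment stating that only flat, quote-free string values are supported would make that limit visible. The function begins above this hunk, so how `_fi` is first computed is not visible here.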
85 changes: 61 additions & 24 deletions src/main/java/burp/SRePlay.form
Expand Up @@ -11,7 +11,7 @@
<AuxValue name="FormSettings_listenerGenerationStyle" type="java.lang.Integer" value="0"/>
<AuxValue name="FormSettings_variablesLocal" type="java.lang.Boolean" value="false"/>
<AuxValue name="FormSettings_variablesModifier" type="java.lang.Integer" value="2"/>
<AuxValue name="designerSize" type="java.awt.Dimension" value="-84,-19,0,5,115,114,0,18,106,97,118,97,46,97,119,116,46,68,105,109,101,110,115,105,111,110,65,-114,-39,-41,-84,95,68,20,2,0,2,73,0,6,104,101,105,103,104,116,73,0,5,119,105,100,116,104,120,112,0,0,1,44,0,0,3,-100"/>
<AuxValue name="designerSize" type="java.awt.Dimension" value="-84,-19,0,5,115,114,0,18,106,97,118,97,46,97,119,116,46,68,105,109,101,110,115,105,111,110,65,-114,-39,-41,-84,95,68,20,2,0,2,73,0,6,104,101,105,103,104,116,73,0,5,119,105,100,116,104,120,112,0,0,1,-115,0,0,3,-52"/>
</AuxValues>

<Layout class="org.netbeans.modules.form.compat2.layouts.DesignBoxLayout"/>
Expand Down Expand Up @@ -43,13 +43,22 @@
<EmptySpace min="-2" pref="31" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Component id="jLabel2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jLabel1" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jTextField2" alignment="0" pref="307" max="32767" attributes="0"/>
<Component id="jTextField1" alignment="0" max="32767" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jLabel2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jLabel1" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jTextField1" alignment="0" min="-2" pref="251" max="-2" attributes="0"/>
</Group>
<EmptySpace pref="113" max="32767" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jTextField4" alignment="1" min="-2" pref="249" max="-2" attributes="0"/>
<Component id="jLabel5" alignment="1" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<Component id="jTextField2" max="32767" attributes="0"/>
</Group>
<EmptySpace pref="276" max="32767" attributes="0"/>
<EmptySpace min="-2" pref="18" max="-2" attributes="0"/>
<Component id="jPanel3" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="39" max="-2" attributes="0"/>
</Group>
Expand All @@ -73,28 +82,39 @@
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="22" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jPanel3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Group type="102" attributes="0">
<Component id="jLabel1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="jTextField2" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="jLabel2" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="16" max="-2" attributes="0"/>
<Component id="jTextField1" min="-2" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jLabel2" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jLabel5" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<EmptySpace min="-2" pref="16" max="-2" attributes="0"/>
<Component id="jTextField4" min="-2" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="jTextField1" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
</Group>
<Component id="jPanel3" max="32767" attributes="0"/>
</Group>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="jLabel3" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="jTextField3" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="37" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jButton1" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jButton2" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace pref="7" max="32767" attributes="0"/>
<EmptySpace pref="86" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
Expand All @@ -109,7 +129,7 @@
</Component>
<Component class="javax.swing.JLabel" name="jLabel2">
<Properties>
<Property name="text" type="java.lang.String" value="Parameter to capture and replace"/>
<Property name="text" type="java.lang.String" value="Response Parameter to capture"/>
</Properties>
</Component>
<Component class="javax.swing.JTextField" name="jTextField1">
Expand All @@ -120,7 +140,6 @@
<Component class="javax.swing.JButton" name="jButton1">
<Properties>
<Property name="text" type="java.lang.String" value="Start SRePlay"/>
<Property name="actionCommand" type="java.lang.String" value="Start SRePlay"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="jButton1ActionPerformed"/>
Expand Down Expand Up @@ -156,15 +175,19 @@
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Component id="jCheckBox3" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jCheckBox1" min="-2" max="-2" attributes="0"/>
<EmptySpace pref="46" max="32767" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="jCheckBox2" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="31" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="21" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jCheckBox3" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="jLabel4" min="-2" max="-2" attributes="0"/>
<EmptySpace min="0" pref="9" max="32767" attributes="0"/>
</Group>
</Group>
</Group>
Expand All @@ -173,14 +196,16 @@
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<EmptySpace pref="7" max="32767" attributes="0"/>
<Component id="jLabel4" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jCheckBox1" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox2" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="jCheckBox3" min="-2" max="-2" attributes="0"/>
<EmptySpace pref="28" max="32767" attributes="0"/>
<EmptySpace min="-2" pref="16" max="-2" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
Expand All @@ -201,8 +226,20 @@
<Property name="text" type="java.lang.String" value="Scanner"/>
</Properties>
</Component>
<Component class="javax.swing.JLabel" name="jLabel4">
<Properties>
<Property name="text" type="java.lang.String" value="Select where to override the token"/>
</Properties>
</Component>
</SubComponents>
</Container>
<Component class="javax.swing.JLabel" name="jLabel5">
<Properties>
<Property name="text" type="java.lang.String" value="Request Parameter to replace with"/>
</Properties>
</Component>
<Component class="javax.swing.JTextField" name="jTextField4">
</Component>
</SubComponents>
</Container>
</SubComponents>