Class: Buby::ScannerInsertionPoint Abstract

Inherits:

Object

• Object
• Buby::ScannerInsertionPoint

Includes:

Java::Burb::IScannerInsertionPoint

Defined in:

lib/buby/scanner_insertion_point.rb

Overview

This class is abstract.

Subclass for specific insertion point flavors used.

This interface is used to define an insertion point for use by active Scanner checks. Extensions can obtain instances of this interface by registering an IScannerCheck, or can create instances for use by Burp’s own scan checks by registering an IScannerInsertionPointProvider.

Constant Summary

INS_PARAM_URL =

0x00

INS_PARAM_BODY =

0x01

INS_PARAM_COOKIE =

0x02

INS_PARAM_XML =

0x03

INS_PARAM_XML_ATTR =

0x04

INS_PARAM_MULTIPART_ATTR =

0x05

INS_PARAM_JSON =

0x06

INS_PARAM_AMF =

0x07

INS_HEADER =

0x20

INS_URL_REST =

0x21

INS_PARAM_NAME_URL =

0x22

INS_PARAM_NAME_BODY =

0x23

INS_USER_PROVIDED =

0x40

INS_EXTENSION_PROVIDED =

0x41

INS_UNKNOWN =

0x7f

Instance Method Summary

• #buildRequest(payload) ⇒ Array<byte> abstract

  This method is used to build a request with the specified payload placed into the insertion point.

• #getBaseValue ⇒ String abstract

  This method returns the base value for this insertion point.

• #getInsertionPointName ⇒ String

  This method returns the name of the insertion point.

• #getInsertionPointType ⇒ Fixnum

  This method returns the type of the insertion point.

• #getPayloadOffsets(payload) ⇒ Array<Fixnum> abstract

  This method is used to determine the offsets of the payload value within the request, when it is placed into the insertion point.

• #initialize(*args) ⇒ ScannerInsertionPoint constructor abstract

  A new instance of ScannerInsertionPoint.

Constructor Details

#initialize(name = nil, type = INS_UNKNOWN, base_value = nil, offsets = nil) ⇒ ScannerInsertionPoint #initialize(hash) ⇒ ScannerInsertionPoint

This method is abstract.

Subclass and override for the specific insertion point flavors used by the implementation.

Returns a new instance of ScannerInsertionPoint.

Overloads:

• #initialize(name = nil, type = INS_UNKNOWN, base_value = nil, offsets = nil) ⇒ ScannerInsertionPoint

  Parameters:

  • name (String) (defaults to: nil)
  • type (Fixnum) (defaults to: INS_UNKNOWN)
  • base_value (String) (defaults to: nil)
  • offsets (Array<Fixnum>) (defaults to: nil)
• #initialize(hash) ⇒ ScannerInsertionPoint

  Parameters:

  • hash (Hash) —

    Hash containing instance information

# File 'lib/buby/scanner_insertion_point.rb', line 38

def initialize(*args)
  if args.first.kind_of? Hash
    hsh = args.first
    @type = hsh[:type] || hsh['type']
  else
    @name, @type, @base_vlaue, @offsets = args
  end
end

Instance Method Details

#buildRequest(payload) ⇒ Array<byte>

This method is abstract.

TODO:

figure out wrapping these calls (method_missing magic?)

Note:

Burp’s built-in scan checks do not apply any payload encoding (such as URL-encoding) when dealing with an extension-provided insertion point. Custom insertion points are responsible for performing any data encoding that is necessary given the nature and location of the insertion point.

This method is used to build a request with the specified payload placed into the insertion point. Any necessary adjustments to the Content-Length header will be made by the Scanner itself when the request is issued, and there is no requirement for the insertion point to do this.

Parameters:

• payload (Array<byte>) —

  The payload that should be placed into the insertion point.

Returns:

• (Array<byte>) —

  The resulting request.

# File 'lib/buby/scanner_insertion_point.rb', line 86

def buildRequest(payload)
  # ...
end

#getBaseValue ⇒ String

This method is abstract.

This method returns the base value for this insertion point.

Returns:

• (String) —

  the base value that appears in this insertion point in the base request being scanned, or nil if there is no value in the base request that corresponds to this insertion point.

# File 'lib/buby/scanner_insertion_point.rb', line 63

def getBaseValue
  @base_value
end

#getInsertionPointName ⇒ String

This method returns the name of the insertion point.

Returns:

• (String) —

  The name of the insertion point (for example, a description of a particular request parameter).

# File 'lib/buby/scanner_insertion_point.rb', line 52

def getInsertionPointName
  @name || self.class.name
end

#getInsertionPointType ⇒ Fixnum

This method returns the type of the insertion point.

Returns:

• (Fixnum) —

  The type of the insertion point. Available types are defined in Buby::ScannerInsertionPoint.

# File 'lib/buby/scanner_insertion_point.rb', line 114

def getInsertionPointType
  @type || INS_UNKNOWN
end

#getPayloadOffsets(payload) ⇒ Array<Fixnum>

This method is abstract.

TODO:

figure out wrapping these calls (method_missing magic?)

This method is used to determine the offsets of the payload value within the request, when it is placed into the insertion point. Scan checks may invoke this method when reporting issues, so as to highlight the relevant part of the request within the UI.

Parameters:

• payload (Array<byte>) —

  The payload that should be placed into the insertion point.

Returns:

• (Array<Fixnum>) —

  An int array containing the start and end offsets of the payload within the request, or nil if this is not applicable (for example, where the insertion point places a payload into a serialized data structure, the raw payload may not literally appear anywhere within the resulting request).

# File 'lib/buby/scanner_insertion_point.rb', line 105

def getPayloadOffsets(payload)
  @offsets
end