Light

dnet / burp-oauth Goto Github PK

View Code? Open in Web Editor NEW

42.0 6.0 7.0 57 KB

OAuth plugin for Burp Suite Extender

Home Page: https://techblog.vsza.hu/posts/Testing_OAuth_APIs_with_Burp_Suite.html

License: MIT License

Java 100.00%

burp-oauth's Introduction

OAuth plugin for Burp Suite

Building

Install the dependencies, in case of libraries, put the JARs into lib
Copy OAuthConfig.sample.java to src/burp/OAuthConfig.java and modify it to your needs
Execute ant, and you'll have the plugin ready in burp-oauth.jar

Dependencies

JDK 1.6+ (tested on OpenJDK 6 and Oracle JDK 7 + 8, recommended Debian/Ubuntu package: openjdk-8-jdk)
Apache ANT (Debian/Ubuntu package: ant)
oauth-signpost https://github.com/mttkay/signpost
Apache Commons Codecs: http://commons.apache.org/codec/
JUnit 4+ (only required for testing)

License

The whole project is available under MIT license, see LICENSE.txt.

Known limitations

Configuration has to be done at compile time using OAuthConfig.java

burp-oauth's People

Contributors

Stargazers

Watchers

Forkers

silentsignal redcentriccyber zhangqin 00derp vdbaan nirvana-msu

burp-oauth's Issues

Authorization header is missing

When using this extension and send a request to scanner, the OAuth header is missing from some of the requests but it is in some... it is very strange behaviour. you can monitor it via Logger++ or by using another burp suite in front of it.
Also, it did not add itself to the following request:

POST /oauth1/somethinghere HTTP/1.1
User-Agent: Java/1.8.0_66
Host: 192.168.200.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

name=test

However, by converting the above POST request to GET, it was adding the appropriate header.

Feature request: update only

I need to use this extension only to update the requests that already have OAuth header. That would be great if we could have an option in a config file to enable or disable this.

Feature request: integration with UI

This has already been done here: https://github.com/JGillam/burp-oauther
It would be great to merge them and add additional UI features as necessary to it.
Alternatively, a config.xml (or properties file) can be used to keep the current configuration. So the extension reads it during load time.

Feature request: custom scope

It would be great if we could enable this extension for the current scope or a special regular expression in the URL (for example when "oauth" is in the URL).

Additional invalid request

This extension sends an invalid additional request per each valid request. This can be monitored using Logger++ or other extensions in front of Burp.
Problems in the additional request are as follows:

it adds the OAuth header twice
it adds the header before the HTTP verb

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.