xnl-h4ck3r / gap-burp-extension Goto Github PK

Burp Extension to find potential endpoints, parameters, and generate a custom target wordlist

Python 100.00%

gap-burp-extension's Introduction

About - v5.4

This is an evolution of the original getAllParams extension for Burp. Not only does it find more potential parameters for you to investigate, but it also finds potential links to try these parameters on, and produces a target specific wordlist to use for fuzzing. The full Help documentation can be found here or from the Help icon on the GAP tab.

TL;DR

Installation

Visit Jython Offical Site, and download the latest stand alone JAR file, e.g. jython-standalone-2.7.3.jar.
Open Burp, go to Extensions -> Extension Settings -> Python Environment, set the Location of Jython standalone JAR file and Folder for loading modules to the directory where the Jython JAR file was saved.
On a command line, go to the directory where the jar file is and run java -jar jython-standalone-2.7.3.jar -m ensurepip.
Download the GAP.py and requirements.txt from this project and place in the same directory.
Install Jython modules by running java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt.
Go to the Extensions -> Installed and click Add under Burp Extensions.
Select Extension type of Python and select the GAP.py file.

Using

Just select a target in your Burp scope (or multiple targets), or even just one subfolder or endpoint, and choose extension GAP:

Or you can right click a request or response in any other context and select GAP from the Extensions menu.

Then go to the GAP tab to see the results:

IMPORTANT Notes

If you don't need one of the modes, then un-check it as results will be quicker.

If you run GAP for one or more targets from the Site Map view, don't have them expanded when you run GAP... unfortunately this can make it a lot slower. It will be more efficient if you run for one or two target in the Site Map view at a time, as huge projects can have consume a lot of resources.

If you want to run GAP on one of more specific requests, do not select them from the Site Map tree view. It will be a lot quicker to run it from the Site Map Contents view if possible, or from proxy history.

It is hard to design GAP to display all controls for all screen resolutions and font sizes. I have tried to deal with the most common setups, but if you find you cannot see all the controls, you can hold down the Ctrl button and click the GAP logo header image to remove it to make more space.

The Words mode uses the beautifulsoup4 library and this can be quite slow, so be patient!

In Depth Instructions

Below is an in-depth look at the GAP Burp extension, from installing it successfully, to explaining all of the features.

NOTE: This video is from 16th July 2023 and explores v3.X, so any features added after this may not be featured.

TODO

Get potential parameters from the Request that Burp doesn't identify itself, e.g. XML, graphql, etc.
Improve performance of the link finding regular expressions.
Include the Request/Response markers in the raised Sus parameter Issues if I can find a way to not make performance really bad!
Deal with other size displays and font sizes better to make sure all controls are viewable.
If multiple Site Map tree targets are selected, write the files more efficiently. This can take forever in some cases.
Use an alternative to beautifulsoup4 that is faster to parse responses for Words.

Good luck and good hunting! If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)

🤘 /XNL-h4ck3r

gap-burp-extension's People

Contributors

Stargazers

Watchers

Forkers

bbhunter arpeetrathi crackercat santosh143-alt okaayfine subhadipnag affilares madusec seqrity ti0sec polling-repo-continua hugoahosta attacker-codeninja fawadkhanfk afwu cloudsweight cream-sec zxc2007 85411021 bug-tools bbhunty danzajork bugbountydude slooppe pentagramz excloudx6 hack404-007 rickjms1337 0xsojalsec evcuq4hggjd74lhz abdilahrf fostane chh4y w4n95 zzhsec jasonlou vinnyvinoth ayushxtha lostnf gedskikas fahadskt gprime31 ronin-dojo emptysec1 alejandr0ar tinyx3k chanpu9 snowywhite rafay74 atlassion gabrieltetz kiks2627 bughunter0x9 icodein mohamedimthiyaj haka110 anotheronemoretime pt001 j4s0nmo0n fawzy111 flyingmachine123 semimitoz akbruster cihan-ozcan excloudx6 shamrocksu88 dutchcyberguy tamersp25 rlima999 jermainlaforce keyboardancer emadyay lucanmartin 0xnull-ops mrloup neiroline vaampz l34rner darkprof83 jorik041 vishnurajkv ronin-dojo codeanddie la3b0z matitanium r3pairmen bebiksior oakkaya 7shazi empty2081 0xgwyn xiju2003 atomxw peff1235 raytheon0x21 slavos1 s3kler danzee1 rick-vini ksmaheshkumar

gap-burp-extension's Issues

[Feature request] The possibility of using only the host of that file in the prefix, instead of using all the permutations

Hi,

When I select all the hosts from the sitemap and want to extract links (with the prefix with selected targets option) it seems to do all the combinations instead of just using the host from the file it's parsing.

Thank you

Difference between GAP.py and getAllParam.py?

Which one is the actual Burp extension as both seems to contain similar code.

thanks and regards

Parsing Entire Domain no longer works

If a specific .JS file is sent to the GAP extension, it is parsed fine, but if an entire domain (EG: www.something.com) from the target pane is sent to GAP, now it always finds no files to parse. Using latest version of GAP on latest version of Burp. Any ideas?

Java.lang.ExceptionInInitializerError

Hello when I try to add this extension to my burp I am getting below error;

Make the parameters in the "Potential params found" tab with "Show sus" option selected easier to copy

Hey :) fantastic job on this extension, however I have a suggestion that would make using it slightly smoother in certain scenarios.

Currently, if you have the "Show sus" option selected, the "Potential params found" tab looks like this:

However, it's not easy to copy & paste because of the [<VULNERABILITY-CLASS>] text after the parameters. It would be nice if there was an option to either 1) copy the "raw" parameters or 2) toggle the [<VULNERABILITY-CLASS>] text on/off to easily copy the parameters yourself

Thanks!

[Feature request] support for nested objects

Hello,

Would it be possible that nested objects are selected?
For example, if you find an object like {"user":{"address":{"street":"foobar street","number":1337}}} generate the following:

user
address
street
number
user[address]
user[address][street]
user[address][number]
address[street]
address[number]

This would be great for testing mass assignment (among other things)

I call the gap plugin from the sitemap, it doesn't work, but it can be used to call the gap plugin from inside the HTTP history

Request to add timestamp to autosaved files

Hi @xnl-h4ck3r

Thanks for making this extension and more importantly keep it actively maintained. Wanted to see if it would be good to have files saved automatically with a timestamp in the file name to avoid overwriting the previous once.
It helps for a person like me who can use this extension on same over periods of time while testing various different sections of the domains. I have a hacky version of this for my own use. I can make a PR if it sounds good.

Thanks!

Failed to load Python interpreter from Jython JAR file

Hi, I received the following error when installing the GAP extension in Burp Suite community edition.

java.lang.Exception: Failed to load Python interpreter from Jython JAR file
at burp.Zd17.ZX(Unknown Source)
at burp.Zns1.ZV(Unknown Source)
at burp.Zuzc.Zi(Unknown Source)
at burp.Zal.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1589)

ImportError: No module named _winreg

There is issue with ImportError: No module named _winreg when try to install the requirements.txt,

my jython version is the last 2.7.3

java -jar C:/jython/jython.jar -m pip install -r ".\GAP-Burp-Extension\requirements.txt"

Traceback (most recent call last):
  File "C:\jython\Lib\runpy.py", line 161, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\jython\Lib\runpy.py", line 72, in _run_code
    exec code in run_globals
  File "C:\jython\Lib\site-packages\pip\__main__.py", line 23, in <module>
    from pip._internal.cli.main import main as _main  # isort:skip # noqa
  File "C:\jython\Lib\site-packages\pip\_internal\cli\main.py", line 10, in <module>
    from pip._internal.cli.autocompletion import autocomplete
  File "C:\jython\Lib\site-packages\pip\_internal\cli\autocompletion.py", line 9, in <module>
    from pip._internal.cli.main_parser import create_main_parser
  File "C:\jython\Lib\site-packages\pip\_internal\cli\main_parser.py", line 7, in <module>
    from pip._internal.cli import cmdoptions
  File "C:\jython\Lib\site-packages\pip\_internal\cli\cmdoptions.py", line 25, in <module>
    from pip._internal.cli.progress_bars import BAR_TYPES
  File "C:\jython\Lib\site-packages\pip\_internal\cli\progress_bars.py", line 12, in <module>
    from pip._internal.utils.logging import get_indentation
  File "C:\jython\Lib\site-packages\pip\_internal\utils\logging.py", line 18, in <module>
    from pip._internal.utils.misc import ensure_dir
  File "C:\jython\Lib\site-packages\pip\_internal\utils\misc.py", line 34, in <module>
    from pip._internal.locations import get_major_minor_version, site_packages, user_site
  File "C:\jython\Lib\site-packages\pip\_internal\locations.py", line 30, in <module>
    USER_CACHE_DIR = appdirs.user_cache_dir("pip")
  File "C:\jython\Lib\site-packages\pip\_internal\utils\appdirs.py", line 23, in user_cache_dir
    return _appdirs.user_cache_dir(appname, appauthor=False)
  File "C:\jython\Lib\site-packages\pip\_vendor\appdirs.py", line 300, in user_cache_dir
    path = os.path.normpath(_get_win_folder("CSIDL_LOCAL_APPDATA"))
  File "C:\jython\Lib\site-packages\pip\_vendor\appdirs.py", line 474, in _get_win_folder_from_registry
    import _winreg
ImportError: No module named _winreg

There is any help with this error beacuse the winreg module is used py CPython not jython.

UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 32-35: invalid data

I am getting this error while trying to install. I'm using Windows 10.

Traceback (most recent call last):
  File "<string>", line 1, in <module>
UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 32-35: invalid data

	at org.python.core.codecs.strict_errors(codecs.java:204)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.python.core.JavaFunc.__call__(Py.java:2912)
	at org.python.core.PyObject.__call__(PyObject.java:433)
	at org.python.core.codecs.decoding_error(codecs.java:1603)
	at org.python.core.codecs.insertReplacementAndGetResume(codecs.java:1572)
	at org.python.core.codecs.PyUnicode_DecodeUTF8Stateful(codecs.java:1104)
	at org.python.core.codecs.PyUnicode_DecodeUTF8(codecs.java:1021)
	at org.python.core.Py.fileSystemDecode(Py.java:722)
	at org.python.core.Py.fileSystemDecode(Py.java:735)
	at org.python.modules.posix.PosixModule.asPath(PosixModule.java:1306)
	at org.python.modules.posix.PosixModule.absolutePath(PosixModule.java:1317)
	at org.python.modules.posix.PosixModule.chdir(PosixModule.java:300)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:208)
	at org.python.core.PyObject.__call__(PyObject.java:461)
	at org.python.core.PyObject.__call__(PyObject.java:465)
	at org.python.pycode._pyx2.f$0(<string>:1)
	at org.python.pycode._pyx2.call_function(<string>)
	at org.python.core.PyTableCode.call(PyTableCode.java:173)
	at org.python.core.PyCode.call(PyCode.java:18)
	at org.python.core.Py.runCode(Py.java:1703)
	at org.python.core.Py.exec(Py.java:1747)
	at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:268)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at burp.u7m.l(Unknown Source)
	at burp.dp8.I(Unknown Source)
	at burp.bsl.e(Unknown Source)
	at burp.rm2.lambda$panelLoaded$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

Import/Export Option for GAP settings?

It would be good to have Import/Export Option for GAP settings, similar to the save option. Would be useful for different projects and wont have to remember what was there previously.

[Feature request] Add parameters from burp history

Hy can you add a feature to add all parameters from proxy history, So after understanding target I start this externsion and I click on "get all params" and it comes. Like paramalyzer but they has no feature to copy all those parameters

WARNING: Could not import beauttifulsoup4 for word mode: No module named bs4

Extension not showing up in Burpsuite after installing

I have attempted both methods of installing GAP. While the extension successfully installs and loads. it does now show as a tab in Burpsuite, neither does it open when I send a request to it.

Could not import modules

Hi
Thank you for the great extension.
When i install new version 2.2 i got this errors WARNING: Could not import beautifulsoup4 for word mode: No module named bs4 & 10 WARNING: Could not import html5lib for more accurate parsing of words by beatifulsc
But extension works well.

Can't access Other options when display font-size are set to 16

when font-size is set to 15, 16 then other options can't be accessed. Can UI be made scrollable so the font-size doesn't affect it?

AttributeError("'NoneType' object has no attribute 'toString'",)

Hey there,

I love your tool! It has certainly helped me out countless times with my bounty hunting, so thank you!

I recently noticed this error starting to occur, and only on some burp files...see attachment.

Let me know your thoughts!

Question

I saw in the bottom picture of this tool that it has a generated query string of all parameters, is it possible that it also appends in the URL as you browse or at least check for it's reflection?

I'm thinking a way if it is possible to combine with this tool.

I get an error when running.

Hi, @xnl-h4ck3r! Thanks for making such a nice extension.
I'm trying to use it, but I'm getting an error. (use github cloned)

java.lang.NullPointerException: Cannot invoke "java.util.Collection.toArray()" because "c" is null
	at java.base/java.util.ArrayList.<init>(ArrayList.java:181)
	at burp.ziu.provideMenuItems(Unknown Source)
	at jdk.internal.reflect.GeneratedMethodAccessor150.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at burp.kjm.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy56.provideMenuItems(Unknown Source)
	at burp.j0a.g(Unknown Source)
	at burp.t4.Y(Unknown Source)
	at burp.lc.p(Unknown Source)
	at burp.lc.R(Unknown Source)
	at burp.lc.D(Unknown Source)
	at burp.lc.t(Unknown Source)
	at burp.eg4.J(Unknown Source)
	at burp.eg4.S(Unknown Source)
	at burp.jms.j(Unknown Source)
	at burp.wbf.mousePressed(Unknown Source)
	at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:288)
	at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:287)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6623)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
	at java.desktop/java.awt.Component.processEvent(Component.java:6391)
	at java.desktop/java.awt.Container.processEvent(Container.java:2266)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4572)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
java.lang.NullPointerException: Cannot invoke "java.util.Collection.toArray()" because "c" is null
	at java.base/java.util.ArrayList.<init>(ArrayList.java:181)
	at burp.ziu.provideMenuItems(Unknown Source)
	at jdk.internal.reflect.GeneratedMethodAccessor150.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at burp.kjm.invoke(Unknown Source)
	at jdk.proxy2/jdk.proxy2.$Proxy56.provideMenuItems(Unknown Source)
	at burp.j0a.g(Unknown Source)
	at burp.t4.Y(Unknown Source)
	at burp.lc.p(Unknown Source)
	at burp.lc.R(Unknown Source)
	at burp.lc.D(Unknown Source)
	at burp.lc.t(Unknown Source)
	at burp.eg4.J(Unknown Source)
	at burp.eg4.S(Unknown Source)
	at burp.jms.j(Unknown Source)
	at burp.wbf.mousePressed(Unknown Source)
	at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:288)
	at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:287)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6623)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
	at java.desktop/java.awt.Component.processEvent(Component.java:6391)
	at java.desktop/java.awt.Container.processEvent(Container.java:2266)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4572)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Burp versrion is 2023.01, on Aarch64 OS X. Any help is appreciated. Thank you!

AttributeError: 'module' object has no attribute 'version'

Hi, I'm trying to install this extension but it shows me this error:

Any thoughts on this?

Attribute error

Using burp version 2022.12.5 tried previous versions also
This is the error I'm getting

"doEverything 1
AttributeError("'NoneType' object has no attribute 'toString'",)"

After sending target to GAP

Error installing beautifulsoup4

Hello, I'm trying to install the extension with your commands but it fails on the install of beautifulsoup4:

$ java -jar jython.jar -m pip install --trusted-host pypi.python.org --trusted-host  pypi.org -r ./tools/GAP-Burp-Extension/requirements.txt
DEPRECATION: A future version of pip will drop support for Python 2.7.
Collecting beautifulsoup4 (from -r ./tools/GAP-Burp-Extension/requirements.txt (line 1))
  ERROR: Could not find a version that satisfies the requirement beautifulsoup4 (from -r ./tools/GAP-Burp-Extension/requirements.txt (line 1)) (from versions: none)
ERROR: No matching distribution found for beautifulsoup4 (from -r ./tools/GAP-Burp-Extension/requirements.txt (line 1))

I can load the plugin but it trigger an error:

WARNING: Could not import beauttifulsoup4 for word mode: No module named bs4
GAP - Version 2.9
by @xnl_h4ck3r

The full Help documentation can be found at https://github.com/xnl-h4ck3r/GAP-Burp-Extension/blob/main/GAP%20Help.md or from the Help icon on the GAP tab

If you ever see anything in the Errors tab, please raise an issue on Github so I can fix it!
Want to buy me a coffee?! - https://ko-fi.com/B0B3CZKR5

WARNING: Could not import html5lib for more accurate parsing of words by beatifulsoup4 library.

Have you seen this error before ? :)

i got error while running gap in burp

The following error occurred when importing beauttifulsoup4: No module named bs4.
i installed beauttifulsoup4 then try but same error how to solve ?

Sitemap not working

Hi my version burp is 2024.1.1.1
When i right click on target in the sitemap and select the gap , gap play error sound and give no parameters found and no words and ...

Suggestion : Customize sus parameters

Hi,
First i would like to thank you for this big work, i like it because it has many analysis that helps.
My suggestion is what if you let users customize suspected parameters, i mean what if you let me add more regex to customize target more suspected ones.

Actually until now am using old "Hunt" extension to customize my suspected parameters list to get more scenarios.

Update
"i read the code it has list of parameters that can be modified, but some cases i would like regex to check for suspected parameters.
Example : blabla_url=http://..."

My regards.

error

Symptom An error occurs when the java -jar jython-stand 2.7.3.jar -m pip install -r requirements.txt command is executed on windows

Edit features : current version is unable to indentify keys that are not enclosed between ' or "

for example : pageName

        dataLayer.push({
            environment: 'prod',
            industryCategory: '###',
            pageName: '####',
            pageTitle: '#####',
            notifications: {
              bokadirekt: false,
              reviews: false,
            },
        })

to fix this I try adding this code to line 3350 ...
and it worked for me.
there are some false positive but it was ok for me.


  # Find keys without " or ' in json object
  try:
      js_keys = re.finditer(
          r"(?<!;)\s([\w\d]+)(?:\:\s*)(?=\"|\')?[\w\s-]*(?=\"|\')?(?!;)",
          body,
          re.IGNORECASE,
      )
      for key in js_keys:
          if key is not None and key.group() != "":
              self.addParameter(key.group().strip().split(':')[0],responseUrl)
  except Exception as e:
      pass

AssertionError on installing libraries

Output of java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt

DEPRECATION: pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Collecting beautifulsoup4
  Using cached beautifulsoup4-4.9.3-py2-none-any.whl (115 kB)
Collecting html5lib
  Using cached html5lib-1.1-py2.py3-none-any.whl (112 kB)
Collecting urllib3
  Using cached urllib3-1.26.15-py2.py3-none-any.whl (140 kB)
Collecting soupsieve<2.0,>1.2; python_version < "3.0"
  Using cached soupsieve-1.9.6-py2.py3-none-any.whl (33 kB)
Collecting six>=1.9
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting webencodings
  Using cached webencodings-0.5.1-py2.py3-none-any.whl (11 kB)
Requirement already satisfied: backports.functools-lru-cache; python_version < "3" in ./Lib/site-packages (from soupsieve<2.0,>1.2; python_version < "3.0"->beautifulsoup4->-r requirements.txt (line 1)) (1.6.4)
Installing collected packages: soupsieve, beautifulsoup4, six, webencodings, html5lib, urllib3
ERROR: Exception:
Traceback (most recent call last):
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/cli/base_command.py", line 223, in _main
    status = self.run(options, args)
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/cli/req_command.py", line 180, in wrapper
    return func(self, options, args)
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/cli/req_command.py", line 180, in wrapper
    return func(self, options, args)
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/commands/install.py", line 395, in run
    installed = install_given_reqs(
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/commands/install.py", line 395, in run
    installed = install_given_reqs(
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/req/__init__.py", line 82, in install_given_reqs
    requirement.install(
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/req/req_install.py", line 816, in install
    install_wheel(
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/operations/install/wheel.py", line 837, in install_wheel
    _install_wheel(
  File "/home/zyrgo/burp/Lib/site-packages/pip/_internal/operations/install/wheel.py", line 719, in _install_wheel
    assert os.path.exists(pyc_path)
AssertionError

I have followed all the instructions correctly

The following error occurred when importing beauttifulsoup4: 'tuple' object has no attribute 'major'

What can i do to solve the problem

bs4 warring

after installing the extension I got this warning

GAP not showing in Burpsuite

I have tried:

updating burp
reinstalling my python env
updating latest version of GAP
restarting burp / restarting PC

Extension says its installed but is not showing up in burp, other python extensions are working.

Not getting any error messages when installing:

Here we can see when the extension, but there is no tab in Burp to view the results

GAP doesn't collect words properly with "-"

Hello :-)

I've noticed that GAP doesn't collect words properly from URL paths that look like this:
/api/custom-polls/home/pending-draft-polls-count

Right now it collects only the following words:
api,custom,pools,home,pending,draft,polls,count

I think it should collect the following words:
api,custom-pools,custom,pools,home,pending-draft-polls-count,pending,draft,count

For some reason, it ignores words with "-". Is this intentional?

GAP install error

Hello during the installation of GAP I receive the error. Any idea how I can do?

java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
DEPRECATION: A future version of pip will drop support for Python 2.7.
ERROR: Invalid requirement: ""