0x00需求

在QA進行功能測試時，同時也進行安全測試，減少產品安全測試所花費的時間，將工具可以發現的安全問題，盡可能早的提出來。

0x01思路

1. 找一臺windows服務器，在該服務器上安裝bp，bp的代理ip：本服務器ip，端口：8080
2. QA測試時瀏覽器掛上代理（代理ip：windows服務器的ip，端口：8080）
3. 編寫burpsuite插件，將burpsuite scanner模塊發現的漏洞存儲到sqlite數據庫
4. QA在測試前，需要將測試的url添加到bp的scope中
5. QA測試完，可以訪問響應頁面，查看安全測試結果

   0x02burpsuite 插件

   插件需要繼承IScannerListener，使用其newScanIssue函數獲取所有的掃描結果
   

package burp;

/*

• @(#)IScanIssue.java
• Copyright PortSwigger Ltd. All rights reserved.
• This code may be used to extend the functionality of Burp Suite Community Edition
• and Burp Suite Professional, provided that this usage does not violate the
• license terms for those products.
  
  /
  /
• This interface is used to retrieve details of Scanner issues. Extensions can
• obtain details of issues by registering an <code>IScannerListener</code> or
• by calling <code>IBurpExtenderCallbacks.getScanIssues()</code>. Extensions
• can also add custom Scanner issues by registering an
• <code>IScannerCheck</code> or calling
• <code>IBurpExtenderCallbacks.addScanIssue()</code>, and providing their own
• implementations of this interface. Note that issue descriptions and other
• text generated by extensions are subject to an HTML whitelist that allows

• only formatting tags and simple hyperlinks.
  */
  public interface IScanIssue
  {

  /**

  • This method returns the URL for which the issue was generated.
  • @return The URL for which the issue was generated.
    */
    java.net.URL getUrl();

  /**

  • This method returns the name of the issue type.
  • @return The name of the issue type (e.g. "SQL injection").
    */
    String getIssueName();

  /**

  • This method returns a numeric identifier of the issue type. See the Burp
  • Scanner help documentation for a listing of all the issue types.
  • @return A numeric identifier of the issue type.
    */
    int getIssueType();

  /**

  • This method returns the issue severity level.
  • @return The issue severity level. Expected values are "High", "Medium",
  • "Low", "Information" or "False positive".

  • */
    String getSeverity();

  /**

  • This method returns the issue confidence level.
  • @return The issue confidence level. Expected values are "Certain", "Firm"
  • or "Tentative".
    */
    String getConfidence();

  /**

  • This method returns a background description for this type of issue.
  • @return A background description for this type of issue, or
  • <code>null</code> if none applies. A limited set of HTML tags may be
  • used.
    */
    String getIssueBackground();

  /**

  • This method returns a background description of the remediation for this
  • type of issue.
  • @return A background description of the remediation for this type of
  • issue, or <code>null</code> if none applies. A limited set of HTML tags
  • may be used.
    */
    String getRemediationBackground();

  /**

  • This method returns detailed information about this specific instance of
  • the issue.
  • @return Detailed information about this specific instance of the issue,
  • or <code>null</code> if none applies. A limited set of HTML tags may be
  • used.
    */
    String getIssueDetail();

  /**

  • This method returns detailed information about the remediation for this
  • specific instance of the issue.
  • @return Detailed information about the remediation for this specific
  • instance of the issue, or <code>null</code> if none applies. A limited
  • set of HTML tags may be used.
    */
    String getRemediationDetail();

  /*

  • This method returns the HTTP messages on the basis of which the issue was
  • generated.
  • @return The HTTP messages on the basis of which the issue was generated.
  • <b>Note:</b> The items in this array should be instances of
  • <code>IHttpRequestResponseWithMarkers</code> if applicable, so that
  • details of the relevant portions of the request and response messages are
  • available.
    */
    IHttpRequestResponse[] getHttpMessages();

  /*

  • This method returns the HTTP service for which the issue was generated.
  • @return The HTTP service for which the issue was generated.
    */
    IHttpService getHttpService();

}

**如上newScanIssue可以獲取到掃描的所有結果,比如：
1.java.net.URL getUrl(); 掃描的url
2.String getIssueName(); 問題類型： 如SQL injection（sql註入）
3.getSeverity(); 漏洞等級 "High", "Medium", "Low", "Information" or "False positive"
4.String getConfidence(); 確定程度 "Certain", "Firm" or "Tentative".

5. String getIssueBackground(); 漏洞背景
6. String getIssueDetail(); 漏洞詳情
7. IHttpRequestResponse[] getHttpMessages(); 漏洞證明的請求、響應包
   將以上信息獲取後保存到數據庫中即可
   完整代碼：

from burp import IBurpExtender
from burp import IScannerListener
from java.io import PrintWriter
from threading import Thread
from java.lang import Class
from java.sql import DriverManager, SQLException
import time
class BurpExtender(IBurpExtender, IScannerListener):

def registerExtenderCallbacks(self, callbacks):
    # keep a reference to our callbacks object
    self._callbacks = callbacks

    # set our extension name
    callbacks.setExtensionName("scann_test")

    # obtain our output stream
    self._stdout = PrintWriter(callbacks.getStdout(), True)

    self._helpers = callbacks.getHelpers()

    # register ourselves as an
    callbacks.registerScannerListener(self)

def newScanIssue(self,issue):

    #self._stdout.println(issue.getConfidence())  Certain", "Firm" * or "Tentative"
    #CREATE TABLE `scanner` (`id` INTEGER PRIMARY KEY,`time` varchar(100),ip varchar(50),`url` varchar(30) ,`degree` varchar(30) ,`level` varchar(100) ,`detail` text ,`issueType` varchar(200) ,`issueBackground` text,`remediationBackground` text,`remediationDetail` text,`requests` text,`response` text ,issueName varcahr(50))
    if(issue.getConfidence()):

        Class.forName("org.sqlite.JDBC").newInstance()
        JDBC_URL = "jdbc:sqlite:%s" % ("d:/scanner.db")
        dbConn = DriverManager.getConnection(JDBC_URL)
        sql="insert into `scanner` (time,ip,url,degree,level,detail,issueType,issueBackground,remediationBackground,remediationDetail,requests,response,issueName) values(?,?,?,?,?,?,?,?,?,?,?,?,?);"
        preStmt=dbConn.prepareStatement(sql)
        current_time=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())

        requests=""
        response=""
        for message in issue.getHttpMessages():

            for i in range(len(message.getRequest())):
                if(message.getRequest()[i]<255 and message.getRequest()[i]>0):
                    requests=requests+chr(message.getRequest()[i])
            requests+="\n--------------------------\n" 
            if(len(message.getResponse())!=0):
                for i in range(len(message.getResponse())):
                    if(message.getResponse()[i]<255 and message.getResponse()[i]>0):
                        response=response+chr(message.getResponse()[i])
            response+="\n--------------------------\n"
        ip=issue.getHttpService().getHost()

        if(issue.getIssueDetail()):
            detail=issue.getIssueDetail()
        else:
            detail="none"

        if(issue.getIssueBackground()):
            issueBackground=issue.getIssueBackground()
        else:
            issueBackground="none"

        if(issue.getRemediationBackground()):
            remediationBackground=issue.getRemediationBackground()
        else:
            remediationBackground="none"

        if(issue.getRemediationDetail()):
            remediationDetail=issue.getRemediationDetail()
        else:
            remediationDetail="none"

        preStmt.setString(1, str(current_time))
        preStmt.setString(2, str(ip))
        preStmt.setString(3, str(issue.getUrl()))
        preStmt.setString(4,str(issue.getConfidence()))
        preStmt.setString(5,str(issue.getSeverity()))
        preStmt.setString(6,str(detail))
        preStmt.setString(7,str(issue.getIssueType()))
        preStmt.setString(8,str(issueBackground))
        preStmt.setString(9,str(remediationBackground))
        preStmt.setString(10,str(remediationDetail))
        preStmt.setString(11,str(requests))
        preStmt.setString(12,str(response))
        preStmt.setString(13,str(issue.getIssueName()))

        preStmt.addBatch()
        dbConn.setAutoCommit(False)
        preStmt.executeBatch()
        dbConn.setAutoCommit(True)
        dbConn.close()

        self._stdout.println("time:")
        self._stdout.println(current_time)

        self._stdout.print("ip")
        self._stdout.println(ip)

        self._stdout.println("qudingchengdu:"+issue.getConfidence())

        self._stdout.print("url:")
        self._stdout.println(issue.getUrl())

        self._stdout.println(issue.getIssueName())

        self._stdout.println("level:"+issue.getSeverity())

        self._stdout.print("detail:")
        if(issue.getIssueDetail()):
            self._stdout.println(issue.getIssueDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("getIssueType():")
        self._stdout.println(issue.getIssueType())

        self._stdout.print("getIssueBackground")
        if(issue.getIssueBackground()):
            self._stdout.println(issue.getIssueBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationBackground():")
        if(issue.getRemediationBackground()):
            self._stdout.println(issue.getRemediationBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationDetail():")
        if(issue.getRemediationDetail()):
            self._stdout.println(issue.getRemediationDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("---------------------------")

0x03 burpsuite 掃描結果（在數據庫中展示）

0x04 待存問題

scanner 掃描過程中過濾js，jpg等文件
將需要測試的url自動添加到scope中

自動收集burpsuite scanenr模塊掃描後的結果