Initial release

Author: james-otten

LICENSE

@@ -0,0 +1,7 @@
+Copyright 2020 James Otten, Optiv Security Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,11 @@
+# Azure API Management Tracing Helper
+
+Burp extension to show Azure API Management [tracing](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector) output inside Burp.
+
+## Screenshots
+
+The "Azure API Management Tracing" tab shows pretty-printed tracing data.
+![tab](images/tab.png)
+
+Issues are created when tracing is identified.
+![issue](images/issue.png)

build.gradle

@@ -0,0 +1,23 @@
+plugins {
+    id 'java'
+}
+
+group 'com.optiv.azureapimanagementtracing'
+version '1.0-SNAPSHOT'
+
+sourceCompatibility = 1.8
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    compile 'net.portswigger.burp.extender:burp-extender-api:1.7.13'
+    compile 'com.google.code.gson:gson:2.8.5'
+}
+
+task fatJar(type: Jar) {
+    baseName = project.name + '-all'
+    from { configurations.compile.collect { it.isDirectory() ? it : zipTree(it) } }
+    with jar
+}

images/issue.png

@@ -0,0 +1,2 @@
+rootProject.name = 'azure-api-management-tracing'
+

images/tab.png

@@ -0,0 +1,27 @@
+package burp;
+
+import com.optiv.azureapimanagementtracing.TraceScanner;
+import com.optiv.azureapimanagementtracing.TraceViewTabFactory;
+
+import java.io.PrintWriter;
+
+public class BurpExtender implements IBurpExtender {
+    private static final String name = "Azure API Management Request Tracing Helper";
+
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
+        // Set our extension name
+        callbacks.setExtensionName(name);
+
+        // Register the custom editor tab
+        TraceViewTabFactory tabFactory = new TraceViewTabFactory(callbacks);
+        callbacks.registerMessageEditorTabFactory(tabFactory);
+
+        // Register the scanner
+        TraceScanner scanner = new TraceScanner(callbacks);
+        callbacks.registerScannerCheck(scanner);
+
+        PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
+        stdout.println(name + " started");
+    }
+}

settings.gradle

@@ -0,0 +1,130 @@
+package com.optiv.azureapimanagementtracing;
+
+import burp.*;
+
+import java.net.URL;
+
+class ScanIssue implements IScanIssue {
+    public enum TraceIssueType {
+        RequestHeaderIncorrectValue,
+        ResponseHeader
+    }
+
+    private final IExtensionHelpers helpers;
+    private final IHttpRequestResponseWithMarkers requestResponse;
+    private final IHttpRequestResponseWithMarkers traceRequestResponse;
+    private final String traceUrl;
+    private final TraceIssueType issueType;
+
+    public ScanIssue(IExtensionHelpers helpers, IHttpRequestResponseWithMarkers requestResponse, TraceIssueType issueType) {
+        this.helpers = helpers;
+        this.requestResponse = requestResponse;
+        this.traceRequestResponse = null;
+        this.traceUrl = null;
+        this.issueType = issueType;
+    }
+
+    public ScanIssue(IExtensionHelpers helpers, IHttpRequestResponseWithMarkers requestResponse, IHttpRequestResponseWithMarkers traceInfo, String traceUrl, TraceIssueType issueType) {
+        this.helpers = helpers;
+        this.requestResponse = requestResponse;
+        this.traceRequestResponse = traceInfo;
+        this.traceUrl = traceUrl;
+        this.issueType = issueType;
+    }
+
+    @Override
+    public URL getUrl() {
+        return this.helpers.analyzeRequest(requestResponse.getHttpService(), this.requestResponse.getRequest()).getUrl();
+    }
+
+    @Override
+    public String getIssueName() {
+        switch (this.issueType) {
+            case RequestHeaderIncorrectValue:
+                return "Azure API Management Tracing";
+            case ResponseHeader:
+                return "Azure API Management Tracing Enabled";
+        }
+        return null;
+    }
+
+    @Override
+    public int getIssueType() {
+        return 0;
+    }
+
+    @Override
+    public String getSeverity() {
+        switch (this.issueType) {
+            case RequestHeaderIncorrectValue:
+                return "Information";
+            case ResponseHeader:
+                return "Medium";
+        }
+        return null;
+    }
+
+    @Override
+    public String getConfidence() {
+        switch (this.issueType) {
+            case RequestHeaderIncorrectValue:
+                return "Tentative";
+            case ResponseHeader:
+                return "Certain";
+        }
+        return null;
+    }
+
+    @Override
+    public String getIssueBackground() {
+        return "<p>Azure API Management allows developers to view tracing information when this option is configured by system administrators." +
+                " Trace information often contains technical information and URLs to backend services. Tracing can be enabled for each consumer/subscriber to the API.</p>" +
+                "<ul><li><a href='https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector'>https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector</a></li></ul>";
+    }
+
+    @Override
+    public String getRemediationBackground() {
+        switch (this.issueType) {
+            case RequestHeaderIncorrectValue:
+                return "Ensure that tracing is disabled in the Azure portal.";
+            case ResponseHeader:
+                return "<p>Disable tracing in the Azure portal for the current subscriber.</p>" +
+                        "<b>Vulnerability classifications</b><br/>" +
+                        "<ul><li><a href='https://cwe.mitre.org/data/definitions/200.html'>CWE-200: Information Exposure</a></li></ul>";
+        }
+        return null;
+    }
+
+    @Override
+    public String getIssueDetail() {
+        switch (this.issueType) {
+            case RequestHeaderIncorrectValue:
+                return "The HTTP request header 'Ocp-Apim-Trace' was found to be in use by the application.";
+            case ResponseHeader:
+                return "<p>Tracing was found to be enabled for the current user on the endpoint:</p>" +
+                        "<ul><li>" + this.getUrl().toString() + "</li></ul>" +
+                        "<p>The following temporary URL was returned in the HTTP response header \"Ocp-Apim-Trace-Location\":</p>" +
+                        "<ul><li><a href='" + this.traceUrl + "'>"+ this.traceUrl + "</a></li></ul>";
+        }
+        return null;
+    }
+
+    @Override
+    public String getRemediationDetail() {
+        return null;
+    }
+
+    @Override
+    public IHttpRequestResponseWithMarkers[] getHttpMessages() {
+        if (this.traceRequestResponse == null) {
+            return new IHttpRequestResponseWithMarkers[]{requestResponse};
+        }  else {
+            return new IHttpRequestResponseWithMarkers[]{requestResponse, traceRequestResponse};
+        }
+    }
+
+    @Override
+    public IHttpService getHttpService() {
+        return this.requestResponse.getHttpService();
+    }
+}

src/main/java/burp/BurpExtender.java

@@ -0,0 +1,111 @@
+package com.optiv.azureapimanagementtracing;
+
+import burp.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class TraceScanner implements IScannerCheck {
+    private final IBurpExtenderCallbacks callbacks;
+    private final IExtensionHelpers helpers;
+
+    public TraceScanner(IBurpExtenderCallbacks callbacks) {
+        this.callbacks = callbacks;
+        this.helpers = callbacks.getHelpers();
+    }
+
+    @Override
+    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
+        List<IScanIssue> issues = new ArrayList<>();
+        ArrayList<int[]> reqMarkers = new ArrayList<>();
+        ArrayList<int[]> resMarkers = new ArrayList<>();
+
+        reqMarkers.add(Utils.getRequestHeaderOffsets(baseRequestResponse.getRequest(), this.helpers));
+        resMarkers.add(Utils.getResponseHeaderOffsets(baseRequestResponse.getResponse(), this.helpers));
+        IHttpRequestResponseWithMarkers markedRequestResponse = this.callbacks.applyMarkers(baseRequestResponse, reqMarkers, resMarkers);
+
+        if(resMarkers.get(0) != null) {
+            int start = resMarkers.get(0)[0] + Utils.responseHeaderSearchText.length();
+            int end = resMarkers.get(0)[1];
+            String url = this.helpers.bytesToString(Arrays.copyOfRange(baseRequestResponse.getResponse(), start, end));
+            IHttpRequestResponseWithMarkers traceRequestResponse = this.callbacks.applyMarkers(Utils.sendRequest(url, this.callbacks), null, null);
+            issues.add(new ScanIssue(helpers, markedRequestResponse, traceRequestResponse, url, ScanIssue.TraceIssueType.ResponseHeader));
+        } else {
+            // Only check for the request header if we didn't get the response header
+            byte[] request = baseRequestResponse.getRequest();
+            String requestHeaderValue = Utils.getRequestHeader(baseRequestResponse.getRequest(), this.helpers);
+
+            if(reqMarkers.get(0) != null) {
+                if (!requestHeaderValue.equals("true")) {
+                    // Add an info if the right header was there with the wrong value
+                    issues.add(new ScanIssue(helpers, markedRequestResponse, ScanIssue.TraceIssueType.RequestHeaderIncorrectValue));
+
+                    // The header was set, but not set to true. Try setting it to true
+                    ByteArrayOutputStream modifiedRequest = new ByteArrayOutputStream();
+                    try {
+                        modifiedRequest.write(Arrays.copyOfRange(request, 0, reqMarkers.get(0)[0]));
+                        modifiedRequest.write(this.helpers.stringToBytes("Ocp-Apim-Trace: true"));
+                        modifiedRequest.write(Arrays.copyOfRange(request, reqMarkers.get(0)[1], request.length));
+                    } catch (IOException e) {
+                        return issues;
+                    }
+
+                    issues.addAll(sendActiveRequest(baseRequestResponse, modifiedRequest));
+                    return issues;
+                }
+            } else {
+                //There was no header, try adding it
+                IRequestInfo requestInfo = this.helpers.analyzeRequest(request);
+
+                ByteArrayOutputStream modifiedRequest = new ByteArrayOutputStream();
+                try {
+                    modifiedRequest.write(Arrays.copyOfRange(request, 0, requestInfo.getBodyOffset() - 2));
+                    modifiedRequest.write(this.helpers.stringToBytes("Ocp-Apim-Trace: true\r\n\r\n"));
+                    modifiedRequest.write(Arrays.copyOfRange(request, requestInfo.getBodyOffset(), request.length));
+                } catch (IOException e) {
+                    return issues;
+                }
+
+                return sendActiveRequest(baseRequestResponse, modifiedRequest);
+            }
+        }
+
+        return issues.size() > 0 ? issues : null;
+    }
+
+    private List<IScanIssue> sendActiveRequest(IHttpRequestResponse baseRequestResponse, ByteArrayOutputStream outputStream) {
+        ArrayList<int[]> reqMarkersActive = new ArrayList<>();
+        ArrayList<int[]> resMarkersActive = new ArrayList<>();
+
+        byte[] modifiedRequest = outputStream.toByteArray();
+        IHttpRequestResponse checkRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), modifiedRequest);
+
+        reqMarkersActive.add(Utils.getRequestHeaderOffsets(modifiedRequest, this.helpers));
+        resMarkersActive.add(Utils.getResponseHeaderOffsets(checkRequestResponse.getResponse(), this.helpers));
+        IHttpRequestResponseWithMarkers marked = this.callbacks.applyMarkers(checkRequestResponse, reqMarkersActive, resMarkersActive);
+
+        if (resMarkersActive.get(0) != null) {
+            List<IScanIssue> issues = new ArrayList<>();
+            int start = resMarkersActive.get(0)[0] + Utils.responseHeaderSearchText.length();
+            int end = resMarkersActive.get(0)[1];
+            String url = this.helpers.bytesToString(Arrays.copyOfRange(checkRequestResponse.getResponse(), start, end));
+            IHttpRequestResponseWithMarkers traceRequestResponse = this.callbacks.applyMarkers(Utils.sendRequest(url, this.callbacks), null, null);
+            issues.add(new ScanIssue(helpers, marked, traceRequestResponse, url, ScanIssue.TraceIssueType.ResponseHeader));
+            return issues;
+        }
+        return null;
+    }
+
+    @Override
+    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
+        return null;
+    }
+
+    @Override
+    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
+        return 0;
+    }
+}

src/main/java/com/optiv/azureapimanagementtracing/ScanIssue.java

@@ -0,0 +1,19 @@
+package com.optiv.azureapimanagementtracing;
+
+import burp.IBurpExtenderCallbacks;
+import burp.IMessageEditorController;
+import burp.IMessageEditorTab;
+import burp.IMessageEditorTabFactory;
+
+public class TraceViewTabFactory implements IMessageEditorTabFactory {
+    private final IBurpExtenderCallbacks callbacks;
+
+    public TraceViewTabFactory(IBurpExtenderCallbacks callbacks) {
+        this.callbacks = callbacks;
+    }
+
+    @Override
+    public IMessageEditorTab createNewInstance(IMessageEditorController controller, boolean editable) {
+        return new TraceViewerTab(controller, editable, callbacks);
+    }
+}