@@ -26,6 +26,8 @@ public class BurpAnalyzedRequest {
2626
2727 private IHttpRequestResponse requestResponse ;
2828
29+ private YamlReader yamlReader ;
30+
2931 private Tags tags ;
3032
3133 public BurpAnalyzedRequest (IBurpExtenderCallbacks callbacks , Tags tags , IHttpRequestResponse requestResponse ) {
@@ -37,6 +39,8 @@ public BurpAnalyzedRequest(IBurpExtenderCallbacks callbacks, Tags tags, IHttpReq
3739 this .customBurpHelpers = new CustomBurpHelpers (callbacks );
3840 this .requestResponse = requestResponse ;
3941 this .customBurpUrl = new CustomBurpUrl (this .callbacks , requestResponse );
42+ // 配置文件
43+ this .yamlReader = YamlReader .getInstance (callbacks );
4044
4145 initParameters ();
4246 initJsonXmlFileParameters ();
@@ -288,7 +292,7 @@ public IHttpRequestResponse makeHttpRequest(String payload, String dnsLogUrl) {
288292 */
289293 public Integer isJSONOrXML (String str ) {
290294 try {
291- JSON .parse (str .replaceAll ("(\\ [(.*?)])" ,"\" test\" " ));
295+ JSON .parse (str .replaceAll ("(\\ [(.*?)])" ,"\" test\" " ). trim () );
292296 return 1 ;
293297 } catch (Exception e ) {
294298 }
@@ -351,18 +355,33 @@ private List<String> getHeaders(String payload, String dnsLog) {
351355 List <String > headers = this .analyzeRequest ().getHeaders ();
352356 int paramNumber = 1 ;
353357
354- for (int i =1 ; i <headers .size ();i ++){
355- if (headers .get (i ).contains ("User-Agent:" ) || headers .get (i ).contains ("token:" ) ||
356- headers .get (i ).contains ("Token:" ) || headers .get (i ).contains ("Bearer Token:" ) ||
357- headers .get (i ).contains ("X-Forwarded-For:" ) || headers .get (i ).contains ("Content-Type:" ) ||
358- headers .get (i ).contains ("Referer:" ) || headers .get (i ).contains ("referer:" ) ||
359- headers .get (i ).contains ("Origin:" )){
360- headers .set (i ,headers .get (i ) + payload .replace ("dns-url" ,(paramNumber ++)+ "." +"header" +"." +dnsLog ));
358+ List <String > headersNameBlacklist = this .yamlReader .getStringList ("scan.headersName.blacklist" );
359+ for (int i =2 ; i <headers .size ();i ++){
360+ boolean isBlackHeader = false ;
361+ for (String headerNameBlacklist : headersNameBlacklist ){
362+ if (headers .get (i ).startsWith (headerNameBlacklist )){
363+ isBlackHeader = true ;
364+ break ;
365+ }
361366 }
362- if (headers .get (i ).contains ("Accept-Language:" ) || headers .get (i ).contains ("Accept:" ) ||
363- headers .get (i ).contains ("Accept-Encoding:" )){
364- headers .set (i , headers .get (i ) + "," + payload .replace ("dns-url" ,(paramNumber ++) + "." +"header" + "." + dnsLog ));
367+ if (!isBlackHeader ){
368+ if (headers .get (i ).contains ("," )){
369+ headers .set (i , headers .get (i ) + "," + payload .replace ("dns-url" ,(paramNumber ++) + "." +"header" + "." + dnsLog ));
370+ } else {
371+ headers .set (i , headers .get (i ) + payload .replace ("dns-url" , (paramNumber ++) + "." + "header" + "." + dnsLog ));
372+ }
365373 }
374+ // if(headers.get(i).contains("User-Agent:") || headers.get(i).contains("token:") ||
375+ // headers.get(i).contains("Token:") || headers.get(i).contains("Bearer Token:") ||
376+ // headers.get(i).contains("X-Forwarded-For:") || headers.get(i).contains("Content-Type:") ||
377+ // headers.get(i).contains("Referer:") || headers.get(i).contains("referer:") ||
378+ // headers.get(i).contains("Origin:")){
379+ // headers.set(i,headers.get(i) + payload.replace("dns-url",(paramNumber++)+ "." +"header" +"."+dnsLog));
380+ // }
381+ // if(headers.get(i).contains("Accept-Language:") || headers.get(i).contains("Accept:") ||
382+ // headers.get(i).contains("Accept-Encoding:")){
383+ // headers.set(i, headers.get(i) + "," + payload.replace("dns-url",(paramNumber++) + "." +"header" + "."+ dnsLog));
384+ // }
366385 }
367386 return headers ;
368387 }
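Review bot: The blacklist test in the inner loop of getHeaders is case-sensitive (`startsWith`), while HTTP header names are case-insensitive — the removed code had to list both `Referer:` and `referer:` for exactly this reason — so a configured entry such as `Content-Type:` will not suppress a lowercase `content-type:` header and the payload is appended to it anyway. Compare ignoring case, e.g. `if (headers.get(i).regionMatches(true, 0, headerNameBlacklist, 0, headerNameBlacklist.length())) {`. The loop now starts at `i = 2` rather than 1 with no comment saying which header is being skipped and why; either add `// index 0 is the request line, index 1 is skipped on purpose: <reason>` or express that exclusion through the configured blacklist instead of a magic index. If `getStringList` can return null when `scan.headersName.blacklist` is absent from the YAML (I cannot see its implementation), the enhanced for loop throws NullPointerException — falling back to an empty list is cheap. The commented-out former implementation kept at the end of the loop body should be deleted rather than left in place, since version control already preserves it.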