This is an evolution of the original getAllParams extension for Burp Suite. Not only does it find more potential parameters for you to investigate, but it also finds potential links to try these parameters on. This is to be used instead of the original getAllParams extension if you want to make use of the additional link functionality. This code is far from perfect, but any constructive criticism is very much welcome! I hope this tool helps you.
Respect and thanks go to @HolyBugx for help with ideas, testing and patience!
A shout out to Gerben Javado and his amazing tool Link Finder, whose regular expression (regex) provided the starting point for the Link mode in GAP.
- Get `GAP.py` (https://github.com/xnl-h4ck3r/burp-extensions/blob/main/GAP.py)
- Point Burp Suite to the Jython .jar file in Extender > Options > Python Environment
- On the Extensions tab, click Add
- Set Extension type to Python and select the `GAP.py` file
- Click Next and you're good to go 🤘
When the GAP Mode of Parameters is selected, GAP will try to find as many potential parameters as it can, based on the following options.

These are parameters that Burp itself identifies from HTTP requests and are part of the Burp Extender API IParameter interface:
- Query string params - `PARAM_URL`; a parameter within the URL query string
- Message body params - `PARAM_BODY`; a parameter within the message body
- Param attribute within a multi-part message body - `PARAM_MULTIPART_ATTR`; the value of a parameter attribute within a multi-part message body (such as the name of an uploaded file)
- JSON params - `PARAM_JSON`; an item of data within a JSON structure
- Cookie names - `PARAM_COOKIE`; an HTTP cookie name
- Items of data within an XML structure - `PARAM_XML`
- Value of tag attribute within XML structure - `PARAM_XML_ATTR`
These are potential parameters that can be found in the HTTP responses. They are identified by GAP itself rather than through the Burp Extender API:
- JSON params - if the response has a MIME type of JSON then the key names will be retrieved
- Value of tag attributes within XML structure - if the response has a MIME type of XML then the XML attribute names are retrieved
- Name and Id attributes of HTML input fields - if the response has a MIME type of HTML then the value of the NAME and ID attributes of any INPUT tags are retrieved
- Javascript variables and constants - javascript variables declared with `var`, `let` or `const` are retrieved. NOTE: Improvements are needed to retrieve more variables, as there are many ways these can be declared and it is difficult to catch them all with a regex.
- Name attribute of Meta tags - if the response has a MIME type of HTML then the NAME attribute of any META tags is retrieved
- Params from links found - THIS OPTION IS ONLY ENABLED IF LINKS MODE IS ALSO USED. Any URL query string parameters in the potential links found will be retrieved, but only if the link is clearly in scope, or if it is just a path with no way of determining whether it is in scope.
- Include the list of common params in list (e.g. used for redirects)? - Common parameter names are often used across targets, mainly for redirects. These can be included in the potential parameter list by checking this option. The list is stored in the constant `COMMON_PARAMS`. NOTE: Some values appear more than once with different case, because parameter names are treated as case sensitive.
- Build concatenated query string with param value - If checked, the potential parameters found will be built into a query string, each with the value given in the text box (defaults to XNLV) followed by a unique number.
- Include URL path words in parameter list? - The words in the response URL path are included as potential parameters if the URL is in scope.
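The following is an added example, not code from GAP.py itself, showing the response-side harvesting described above and the concatenated query string it feeds: key names from a JSON body, attribute names from XML, name/id of INPUT tags and name of META tags from HTML, and var/let/const names from javascript, then `param=XNLV<n>` numbering so that a reflected marker can be mapped back to its parameter. The regex for javascript declarations is a simplified stand-in for the extension's own, the `script` MIME label and the sample bodies are constructed for the example, and parameters are sorted before numbering purely to make the numbering reproducible.

```python
"""Added example, not GAP.py's own code: harvest potential parameter names
from response bodies by MIME type, build the XNLV<n> query string and map
reflected markers back to parameter names."""
import json
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlencode

PARAM_VALUE = "XNLV"  # GAP's default marker value

# Simplified stand-in for GAP's regex (assumption): plain declaration forms only.
JS_DECL_RE = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)")


def json_keys(body):
    """Every key name at any depth of a JSON document."""
    keys = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                keys.add(k)
                walk(v)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(body))
    return keys


def xml_attr_names(body):
    """Attribute names of every element in an XML document."""
    return {name for el in ET.fromstring(body).iter() for name in el.attrib}


class _HtmlNames(HTMLParser):
    """Collects name/id of <input> tags and name of <meta> tags."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            self.names.update(v for k, v in attrs.items() if k in ("name", "id") and v)
        elif tag == "meta" and attrs.get("name"):
            self.names.add(attrs["name"])


def extract_params(mime, body):
    """Potential parameter names for one response, keyed by its MIME type."""
    if mime == "json":
        return json_keys(body)
    if mime == "xml":
        return xml_attr_names(body)
    if mime == "html":
        parser = _HtmlNames()
        parser.feed(body)
        return parser.names
    if mime == "script":
        return set(JS_DECL_RE.findall(body))
    return set()


def build_query_string(params, value=PARAM_VALUE):
    """Sorted params become p1=XNLV1&p2=XNLV2...; returns the query string
    and the ordered list that defines the numbering."""
    ordered = sorted(params)
    qs = urlencode([(p, f"{value}{i}") for i, p in enumerate(ordered, 1)])
    return qs, ordered


def reflected_params(response_body, ordered, value=PARAM_VALUE):
    """Map every XNLV<n> marker found in a response back to its parameter."""
    found = {}
    for m in re.finditer(re.escape(value) + r"(\d+)", response_body):
        n = int(m.group(1))
        if 1 <= n <= len(ordered):
            found[ordered[n - 1]] = n
    return found


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("json", '{"user": {"id": 7, "email": "a@b"}, "items": [{"sku": "x"}]}'),
    ("html", '<form><input name="q" id="search"><meta name="csrf-token" content="t"></form>'),
    ("script", 'var apiKey = "k"; let page = 1; const DEBUG = false;'),
    ("xml", '<root><item id="1" type="a"/><item id="2"/></root>'),
]


def demo():
    params = set()
    for mime, body in SAMPLES:
        params |= extract_params(mime, body)
    qs, ordered = build_query_string(params)
    # Constructed response that reflects two of the injected marker values.
    reply = "<p>Results for XNLV5</p><script>var d = XNLV2;</script>"
    return params, qs, reflected_params(reply, ordered)


if __name__ == "__main__":
    found, query, hits = demo()
    print(len(found), "params:", query)
    print("reflected:", hits)
```

Because the marker digits are matched greedily, `XNLV12` is never mistaken for `XNLV1`; the one thing to watch in practice is the URL length once hundreds of parameters are concatenated, which is why GAP keeps the generated string in its own panel rather than sending it for you.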
When the GAP Mode of Links is selected, GAP will try to find possible links based on the following options. Also, not every response is checked for potential links: any Content-Type listed in the `CONTENTTYPE_EXCLUSIONS` constant in the code (types such as images, video, audio, fonts, etc.) is skipped.
- Include site map endpoints in link list? - This will include endpoints from the Burp Site map in the potential Link list, if they are in scope.
- Link exclusions - The field contains a comma separated list of values. If any of these values exists in a potential link found, then it will be excluded from the final list. There is an initial default list determined by the `DEFAULT_EXCLUSIONS` constant, but you can change this and save your settings.
- Potential parameters found - This text area will show all unique potential parameters, one per line.
- The latest generated query string of all parameters - This is a generated URL query string combining all potential parameters found, all with the value specified in the Output option Build concatenated query string with param value, followed by a sequential number. This can be added to an endpoint and the response searched for the param value (e.g. XNLV by default) and if reflected the number will indicate which parameter was reflected.
- Potential links found - This text area will show potential links found. Without any of the other options described below selected, all unique endpoints found are displayed, one per line.
- Show origin endpoint - If this feature is ticked, the potential link will be followed by the HTTP request endpoint (in square brackets) that the link was found in. A link could have been found in more than one request, so this view can show duplicate links, one per origin endpoint.
- In scope only - If this feature is ticked, and the potential links contain a host, then this link will be checked against the Burp Target Scope. If it is not in scope then the link will be removed from the output. NOTE: This does not take any Burp Exclude from scope entries into account. Also, if it is not possible to determine the scope (e.g. it may just be a path without a host) then it will be included as in scope to avoid omitting anything potentially useful.
- Link filter - any value entered in the Filter input field followed by ENTER or pressing Apply filter will determine which links will be displayed. This can depend on the values of the following two options:
- Negative match - If selected, any link containing the Filter text will NOT be displayed. If unselected, then only links containing the filter will be displayed.
- Case sensitive - If selected, the value in the Filter input field will be treated as case sensitive when determining which links to display.
For example, entering `.js` will only show the links to javascript files. As soon as you clear the filter, the original results are redisplayed.

An additional feature of GAP is to automatically include links to valid `.js.map` (javascript source map) files. These are identified by responses that contain a `//# sourceMappingURL` line, or that have an HTTP header of `SourceMap` or `X-SourceMap`.
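As an added example (not GAP's own code), this is the source map discovery just described: take the `SourceMap` or `X-SourceMap` header if present, otherwise the `//# sourceMappingURL` directive, and resolve it against the script's URL so that a relative map name becomes a fetchable link. The script URLs, headers and bodies are constructed for the example; accepting the legacy `//@` spelling, preferring the header over the comment, and ignoring inline `data:` maps are choices made here, not something the README states.

```python
"""Added example, not GAP's code: find the javascript source map link for a
script response from a SourceMap / X-SourceMap header or a
//# sourceMappingURL comment, resolved against the script's own URL."""
import re
from urllib.parse import urljoin

# //@ is the legacy spelling of the directive; both are accepted here (assumption).
SOURCEMAP_COMMENT_RE = re.compile(r"//[#@]\s*sourceMappingURL\s*=\s*(\S+)")


def find_source_map(script_url, headers, body):
    """Absolute .map URL for one script response, or None if there is none.

    headers: dict of response headers, matched case-insensitively.  A header
    wins over the comment; when several comments exist the last one is used.
    Inline maps (data: URIs) are not separate links, so they yield None.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    target = lowered.get("sourcemap") or lowered.get("x-sourcemap")
    if not target:
        comments = SOURCEMAP_COMMENT_RE.findall(body)
        target = comments[-1] if comments else None
    if not target or target.lower().startswith("data:"):
        return None
    return urljoin(script_url, target)


def source_map_links(responses):
    """Collect the unique map links from (url, headers, body) triples."""
    links = set()
    for url, headers, body in responses:
        link = find_source_map(url, headers, body)
        if link:
            links.add(link)
    return links


# Constructed sample responses (not captured traffic).
SAMPLES = [
    # Relative comment directive, resolved against the script directory.
    ("https://example.com/static/js/app.min.js", {},
     "!function(){console.log('hi')}();\n//# sourceMappingURL=app.min.js.map\n"),
    # Header takes precedence over the comment in the body.
    ("https://example.com/static/js/vendor.js",
     {"X-SourceMap": "/maps/vendor.js.map"},
     "//# sourceMappingURL=ignored.map\n"),
    # Inline map: nothing to fetch.
    ("https://example.com/static/js/inline.js", {},
     "//# sourceMappingURL=data:application/json;base64,e30=\n"),
    # No directive at all.
    ("https://example.com/static/js/plain.js",
     {"Content-Type": "application/javascript"}, "var x = 1;\n"),
]

if __name__ == "__main__":
    for link in sorted(source_map_links(SAMPLES)):
        print(link)
```

A map link found this way is still only a candidate until the file is actually requested; a build pipeline often emits the directive and then strips the `.map` from the deployed bundle, which is why GAP talks about "valid" source map files.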
To find links, a complex regex is used to look for different formats and contexts for potential links and files. This regex was initially based on the one used in Link Finder by Gerben Javado, but has been evolved to try and identify more with minimal false positives.

The results of GAP can be written to files as well as being displayed in the tool.
- Auto save output to directory - If this option is checked then when GAP completes a run, a file will be created with the potential parameters (if Parameters mode is selected) and with the potential links (if Links mode is selected). These files will be created in the specified directory. If the directory is invalid then the user's home directory will be used.
- Choose... - this button can be used to select the required directory to store output files.

The output files are named `[host]_GAP_params.txt` and `[host]_GAP_links.txt`, where `[host]` is the first selected host name in the site map that GAP was run against.
When GAP is first started, it will start with default settings.
Any changes made to the configuration settings of GAP can be saved for future use by clicking the Save options button.
If for any reason you want to revert to the default configuration options, you can click the Restore defaults button.
If you have any problems with GAP, you can report an issue on GitHub. Before you report an issue, please look at the Extender -> Extensions tab in Burp, click on the GAP extension in the list, and include details of any output displayed on the Errors tab with your issue. If you know of a parameter or link that you believe GAP should or shouldn't have identified, then please provide as much info as possible, e.g. the options you had selected, the relevant endpoint, etc. Thank you for trying out GAP!
Good luck and good hunting! If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)
@xnl-h4ck3r 🤘