Web_Hacking/LoggerPlusPlus.md

# Logger++ (BurpSuite Extension)
[Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81) is a multithreaded logging extension for Burp Suite. This extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter.

Special thanks to [Borna Nematzadeh](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters)

-----
**Detect API Endpoints**
* REST/RPC
  * `Request.Path CONTAINS "api" or Request.Host CONTAINS "api"`
    * Example: /api/v1/users, api.target.com/v1/users
  * `Request.Path CONTAINS "v1"`: Change the "v" based on logged requests
* GraphQL
  * `Request.Path CONTAINS "graphql"`
    * Example: /api/graphql

-----
**API Operations**
* REST
  * Read (Example: GET /api/users)
    * `Request.Method == "GET"`
  * Create (Example: POST /api/users)
    * `Request.Method == "POST"`
  * Update (Example: PUT /api/users/1)
    * `Request.Method == "PUT"`
  * Delete (Example: DELETE api/users/1)
    * `Request.Method == "DELETE"`
  * Create, Update, Delete
    * `Request.Method IN ["POST","PUT","DELETE"]`
  * API Endpoint + Different API Operations (Example: GET /v1/users)
    * Filter GET Requests in this API: `Request.Method == "GET" AND Request.Path CONTAINS "v1"`
 
* GraphQL
  * Read (Query)
    * `!(Request.Body CONTAINS "mutation" or Request.Body CONTAINS "subscription")`
  * Create, Update, Delete (Mutation)
    * `Request.Body CONTAINS "mutation"`

-----
**Cheat Sheet for finding API vulnerability by logger++ filters**

* **SSRF**
  * `(Request.Query MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*" OR Request.Body MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*")`

* **Open Redirect**
  * `(Request.Query MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*" OR Request.Body MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*") AND Response.Status IN [301,302]`

* **API Key Disclosure**
  *  `Response.Body CONTAINS "apiKey" AND Response.Headers CONTAINS "application/javascript"`
 
* **Broken Authentication (Token-Based Authentication)**
  * `Request.Headers CONTAINS "Authorization"`
 
* **CORS**
  * `!(Request.Headers CONTAINS "Authorization: JWT") AND (Response.Headers CONTAINS "Access-Control-Allow-Credentials" OR Response.Headers CONTAINS "Access-Control-Allow-Origin")`

* **Excessive Data Exposure**
  * `Request.Method == "GET" AND Response.Body CONTAINS "FIELD"`
 
* **XSS**
  * **Check for reflected parameters**
    * `Response.Reflections > 0`
   
* **Lack of Resources and Rate Limiting**
  * DOS
    * REST: `Request.HasGetParam == true AND Request.Query CONTAINS "limit"`
    * GraphQL: `Request.Body CONTAINS "limit"`

* **Mass Assignment**
  * The API takes data that client provides and stores it without proper filtering for whitelisted properties
    * a. Find the API objects
      * Example:
        * /api/users: User Object
        * /api/products: Product Object
        * /api/items: Item Object
    * b. Find the object properties from GET Requests. Use the following filter to do this:
      * `Request.Method == "GET" AND Request.Path CONTAINS "ResourceName"`
        * Example: `Request.Method == "GET" AND Request.Path CONTAINS "user"`
    * c. Add object properties from the previous step to related POST/PUT requests. Use the following filter:
      * `Request.Method IN ["POST","PUT"]`

* **Injection and Broken Object Level**
  * REST/RPC
    * Path Parameters
       * Example: /api/posts/1
    * Query String Parameters
      * `Request.HasGetParam == true`
    * POST/PUT Request Parameters
      * `Request.Method IN ["POST","PUT"]`
  * GraphQL
      * `Request.Body MATCHES ".*variables\":{.*"`
Create LoggerPlusPlus.md 2023-08-28 08:04:13 +03:00			`# Logger++ (BurpSuite Extension)`
Update LoggerPlusPlus.md 2023-10-05 09:12:26 +03:00			`[Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81) is a multithreaded logging extension for Burp Suite. This extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter.`
Create LoggerPlusPlus.md 2023-08-28 08:04:13 +03:00
Update LoggerPlusPlus.md 2023-09-07 10:27:16 +03:00			`Special thanks to [Borna Nematzadeh](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters)`

Create LoggerPlusPlus.md 2023-08-28 08:04:13 +03:00			`-----`
			`Detect API Endpoints`
			`* REST/RPC`
			* `Request.Path CONTAINS "api" or Request.Host CONTAINS "api"`
			`* Example: /api/v1/users, api.target.com/v1/users`
			* `Request.Path CONTAINS "v1"`: Change the "v" based on logged requests
			`* GraphQL`
			* `Request.Path CONTAINS "graphql"`
			`* Example: /api/graphql`

			`-----`
			`API Operations`
			`* REST`
			`* Read (Example: GET /api/users)`
			* `Request.Method == "GET"`
			`* Create (Example: POST /api/users)`
			* `Request.Method == "POST"`
			`* Update (Example: PUT /api/users/1)`
			* `Request.Method == "PUT"`
			`* Delete (Example: DELETE api/users/1)`
			* `Request.Method == "DELETE"`
			`* Create, Update, Delete`
			* `Request.Method IN ["POST","PUT","DELETE"]`
			`* API Endpoint + Different API Operations (Example: GET /v1/users)`
			* Filter GET Requests in this API: `Request.Method == "GET" AND Request.Path CONTAINS "v1"`

			`* GraphQL`
			`* Read (Query)`
			* `!(Request.Body CONTAINS "mutation" or Request.Body CONTAINS "subscription")`
			`* Create, Update, Delete (Mutation)`
			* `Request.Body CONTAINS "mutation"`

			`-----`
			`Cheat Sheet for finding API vulnerability by logger++ filters`

			`* SSRF`
			* `(Request.Query MATCHES ".(http%3A%2F%2F\|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}." OR Request.Body MATCHES ".(http%3A%2F%2F\|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}.")`

			`* Open Redirect`
			* `(Request.Query MATCHES ".(http%3A%2F%2F\|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}." OR Request.Body MATCHES ".(http%3A%2F%2F\|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}.") AND Response.Status IN [301,302]`

			`* API Key Disclosure`
			* `Response.Body CONTAINS "apiKey" AND Response.Headers CONTAINS "application/javascript"`

			`* Broken Authentication (Token-Based Authentication)`
			* `Request.Headers CONTAINS "Authorization"`

			`* CORS`
			* `!(Request.Headers CONTAINS "Authorization: JWT") AND (Response.Headers CONTAINS "Access-Control-Allow-Credentials" OR Response.Headers CONTAINS "Access-Control-Allow-Origin")`

			`* Excessive Data Exposure`
			* `Request.Method == "GET" AND Response.Body CONTAINS "FIELD"`

			`* XSS`
			`* Check for reflected parameters`
			* `Response.Reflections > 0`

			`* Lack of Resources and Rate Limiting`
			`* DOS`
			* REST: `Request.HasGetParam == true AND Request.Query CONTAINS "limit"`
			* GraphQL: `Request.Body CONTAINS "limit"`

			`* Mass Assignment`
			`* The API takes data that client provides and stores it without proper filtering for whitelisted properties`
			`* a. Find the API objects`
			`* Example:`
			`* /api/users: User Object`
			`* /api/products: Product Object`
			`* /api/items: Item Object`
			`* b. Find the object properties from GET Requests. Use the following filter to do this:`
			* `Request.Method == "GET" AND Request.Path CONTAINS "ResourceName"`
			* Example: `Request.Method == "GET" AND Request.Path CONTAINS "user"`
			`* c. Add object properties from the previous step to related POST/PUT requests. Use the following filter:`
			* `Request.Method IN ["POST","PUT"]`

			`* Injection and Broken Object Level`
			`* REST/RPC`
			`* Path Parameters`
			`* Example: /api/posts/1`
			`* Query String Parameters`
			* `Request.HasGetParam == true`
			`* POST/PUT Request Parameters`
			* `Request.Method IN ["POST","PUT"]`
			`* GraphQL`
			* `Request.Body MATCHES ".variables\":{."`