diff --git a/LoggerPlusPlus.md b/LoggerPlusPlus.md new file mode 100644 index 0000000..fe849e5 --- /dev/null +++ b/LoggerPlusPlus.md 
@@ -0,0 +1,88 @@ +# Logger++ (BurpSuite Extension) +Logger++ is a multithreaded logging extension for Burp Suite. This extension allows advanced filters to be defined to highlight interesting entries or filter logs to only those which match the filter. + +----- +**Detect API Endpoints** +* REST/RPC + * `Request.Path CONTAINS "api" or Request.Host CONTAINS "api"` + * Example: /api/v1/users, api.target.com/v1/users + * `Request.Path CONTAINS "v1"`: Change the "v" based on logged requests +* GraphQL + * `Request.Path CONTAINS "graphql"` + * Example: /api/graphql + +----- +**API Operations** +* REST + * Read (Example: GET /api/users) + * `Request.Method == "GET"` + * Create (Example: POST /api/users) + * `Request.Method == "POST"` + * Update (Example: PUT /api/users/1) + * `Request.Method == "PUT"` + * Delete (Example: DELETE api/users/1) + * `Request.Method == "DELETE"` + * Create, Update, Delete + * `Request.Method IN ["POST","PUT","DELETE"]` + * API Endpoint + Different API Operations (Example: GET /v1/users) + * Filter GET Requests in this API: `Request.Method == "GET" AND Request.Path CONTAINS "v1"` + +* GraphQL + * Read (Query) + * `!(Request.Body CONTAINS "mutation" or Request.Body CONTAINS "subscription")` + * Create, Update, Delete (Mutation) + * `Request.Body CONTAINS "mutation"` + +----- +**Cheat Sheet for finding API vulnerability by logger++ filters** + +* **SSRF** + * `(Request.Query MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*" OR Request.Body MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*")` + +* **Open Redirect** + * `(Request.Query MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*" OR Request.Body MATCHES ".*(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}.*") AND Response.Status IN [301,302]` + +* **API Key Disclosure** + * `Response.Body CONTAINS "apiKey" AND Response.Headers 
CONTAINS "application/javascript"` + +* **Broken Authentication (Token-Based Authentication)** + * `Request.Headers CONTAINS "Authorization"` + +* **CORS** + * `!(Request.Headers CONTAINS "Authorization: JWT") AND (Response.Headers CONTAINS "Access-Control-Allow-Credentials" OR Response.Headers CONTAINS "Access-Control-Allow-Origin")` + +* **Excessive Data Exposure** + * `Request.Method == "GET" AND Response.Body CONTAINS "FIELD"` + +* **XSS** + * **Check for reflected parameters** + * `Response.Reflections > 0` + +* **Lack of Resources and Rate Limiting** + * DOS + * REST: `Request.HasGetParam == true AND Request.Query CONTAINS "limit"` + * GraphQL: `Request.Body CONTAINS "limit"` + +* **Mass Assignment** + * The API takes data that client provides and stores it without proper filtering for whitelisted properties + * a. Find the API objects + * Example: + * /api/users: User Object + * /api/products: Product Object + * /api/items: Item Object + * b. Find the object properties from GET Requests. Use the following filter to do this: + * `Request.Method == "GET" AND Request.Path CONTAINS "ResourceName"` + * Example: `Request.Method == "GET" AND Request.Path CONTAINS "user"` + * c. Add object properties from the previous step to related POST/PUT requests. Use the following filter: + * `Request.Method IN ["POST","PUT"]` + +* **Injection and Broken Object Level** + * REST/RPC + * Path Parameters + * Example: /api/posts/1 + * Query String Parameters + * `Request.HasGetParam == true` + * POST/PUT Request Parameters + * `Request.Method IN ["POST","PUT"]` + * GraphQL + * `Request.Body MATCHES ".*variables\":{.*"`
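Review bot: The SSRF and Open Redirect regex in the "Cheat Sheet" section makes the scheme group optional, so `(http%3A%2F%2F|https%3A%2F%2F)?(www.)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}` is satisfied by any dotted token such as `main.js`, `1.0` or `example.com`, which will flag most of the log rather than requests carrying a URL; the `www.` dot is also unescaped and only the percent-encoded `://` is recognised, so a literal `http://` in a JSON body is never matched on the scheme. Consider making the scheme mandatory and accepting both forms, e.g. `(https?://|https?%3A%2F%2F)`. In the same block, `Response.Status IN [301,302]` misses 303, 307 and 308, which are just as useful for open-redirect triage. The GraphQL "Read (Query)" filter `!(Request.Body CONTAINS "mutation" or Request.Body CONTAINS "subscription")` has no endpoint restriction, so every non-GraphQL request passes it; AND it with `Request.Path CONTAINS "graphql"`. Under "Broken Authentication", `Request.Headers CONTAINS "Authorization"` only lists requests that do carry a token; the condition the reader actually wants to hunt for is the complementary one, a 200 on the same paths without the header, so a second filter such as `!(Request.Headers CONTAINS "Authorization") AND Response.Status == 200` would be worth adding. Small fixes: `DELETE api/users/1` is missing its leading slash, "Broken Object Level" should read "Broken Object Level Authorization", the heading should be "Cheat Sheet for finding API vulnerabilities with Logger++ filters", and the boolean keywords should be written consistently (`OR`/`AND` in most filters, lowercase `or` in two of them).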