The Burp Suite extension Highlighter And Extractor (HaE) makes it possible to collect, categorise and highlight requests and/or responses according to their content. This helps detect vulnerable code patterns, errors, reflections and much more in a passive enumeration process.
PimpMyBurp #7: How HaE Burp Suite extension can help you in your daily hunting session
January 18, 2023
Usage
The HaE extension relies on regular expressions (regex); each rule's regex tells HaE which pattern to collect and highlight for us.
To extract patterns from requests and/or responses, we add a new rule containing a regex that indicates a possible vulnerability or an interesting response behaviour. Every request or response in which the pattern is detected is then highlighted and commented accordingly.
Features
The HaE extension offers the following features:
- Review patterns in request/response using regex.
- Highlight and comment on the requests that contain a pattern match.
- If more than one pattern matches, it annotates the request with all discovered patterns and selects a custom marker depending on how many matches it received.
- Supports DFA and NFA regex engines.
Add rules
The tool Regexr is a good companion here: it lets you debug and test a pattern before adding it as a rule in HaE.
The graphical user interface (GUI) is simple to use. Add a rule, name it and enter a regex. The name of the rule becomes the comment that HaE attaches once the pattern is detected in the selected source.
Collect and categorise
These tools are useful when creating your own rule patterns:
I like to keep my patterns grouped by category to get clearer feedback when I analyse my intercepted requests and responses. The HaE extension ships with many patterns by default, but the best results come from creating your own. To get good results without a lot of garbage and false positives, use stricter patterns that have a greater chance of being valid.
Here is an example of how to turn a bad pattern into a good one: the regex below attempts to collect all files that have the .log extension.
The regex [a-zA-Z0-9_-]+\.log (bad) collects all files with the .log extension, but it also collects false positives, such as the console.log() JavaScript function.
To avoid this, you can instead write the pattern as follows: ([a-zA-Z0-9_-]+\.log)([^(\[{]). The second group rejects a match whose next character is an opening bracket, so a function call like console.log( no longer matches. The regex is not bulletproof, but it avoids most false positives.
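To show the difference between the two patterns, here is an added example (not code from the post or from HaE) that applies HaE-style rules to constructed response bodies and builds the comment string the way the post describes, joining the names of all matching rules. The rule names, the PHPError rule and the sample bodies are assumptions for illustration.

```python
import re

# Constructed sample response bodies (not real traffic).
SAMPLES = {
    "debug_page": 'See <a href="/storage/debug-2023.log">debug-2023.log</a> for details.',
    "script_page": '<script>console.log("loaded"); app.init();</script>',
    "php_warning": "Warning: Undefined variable $x in /var/www/html/index.php on line 42",
    "cron_page": "Notice: in /app/cron.php on line 7; output written to cron.log\n",
}

# Hypothetical HaE-style rules: rule name -> regex. The name is what HaE
# would attach as the Burp comment when the regex matches.
BAD_RULES = {
    "LogFile": r"[a-zA-Z0-9_-]+\.log",            # matches console.log( too
}
GOOD_RULES = {
    "LogFile": r"([a-zA-Z0-9_-]+\.log)([^(\[{])",  # next char must not open a call/index
    "PHPError": r"in ([a-zA-Z0-9/_.-]+) on line (\d+)",
}


def scan(body: str, rules: dict) -> list:
    """Return the names of all rules whose regex matches the body, in rule order."""
    return [name for name, pattern in rules.items() if re.search(pattern, body)]


def annotate(body: str, rules: dict) -> str:
    """Build the comment HaE would show: every matched rule name, comma-separated."""
    hits = scan(body, rules)
    return ", ".join(hits) if hits else ""


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:12s} bad={annotate(body, BAD_RULES)!r:14s} good={annotate(body, GOOD_RULES)!r}")
```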
Below you will find some patterns that I have created myself and that I find very useful. These patterns gave me quick information about the target and also allowed me to passively detect code patterns that may be vulnerable.
Recon
(wordpress|wp-([a-zA-Z]+))
(cdn\.shopify\.com|_shopify|shopify_)
(nginx|apache|akamai|cloudflare|iis|varnish|fastly)
(admin|administrator)\.
(mysql|mssql|sqlite|postgresql|)
JavaScript DOM
(createElement\("script"\))
(URLSearchParams|location\.search|(\.split\(("|'|`)(\?|&)))
\.(write|innerHTML)(.*((\+|,)( ?)(element|location|window|document)\.[a-zA-Z])
TraceError
(([A-Z]):\\|(t|T)he server could not|database connection|syntax error, |error, unexpected |PHP (Syntax|Parse) error:|(php|PHP):|in ([a-zA-Z0-9/_.-]+) on line (\d+))
Files & Endpoints
/(admin|administrator)/
(admin|administrator)\.?
(api|rest|soap|v(1|2|3)|wp-json|swagger|)(\.?)(jsp|json|/|)
([a-zA-Z0-9+]\.(php|asp|aspx|py|rb|go|pl|sql|xml|jsp|java))(\]|\}|\)|"|'|`|/|\d|\s)
([a-zA-Z0-9+]\.(bak|log|csv))(\]|\}|\)|"|'|`|/|\d|\s)
(((user|database|sql|db|dashboard|backup|restore|old|saved|storage|internal|access|secret|password)(s?))\.(php|asp|aspx|py|rb|go|pl|sql|xml|jsp|java|doc|docs|xls|xlsx|csv|db|sql|bak|log|csv))(\]|\}|\)|"|'|`|/|\d|\s)
XSS
[^s+-([{\=.?.)](""|''|``|(\\|\\\\)([^\]|"|'|`))
It is important to back up the YAML configuration file, which contains all the patterns. HaE stores it at the following location: /$HOME/.config/HaE/Config.yml. You can copy the YAML file to another directory with the following command: cp /$HOME/.config/HaE/Config.yml /$HOME/Desktop/HaE_bak.yml
Test your patterns
The best way to test the regex patterns you intend to use in HaE is to start a deliberately vulnerable Docker image such as DVWA or OWASP Juice Shop and simply crawl it.
Hunt in the wild
I collected a few different targets myself and quickly tested them out in the wild to see what kind of patterns I could collect just by crawling around on a few domains. It worked great!
It is important to have a mix of targets built with different technologies. This helps you discover more quickly how effective your HaE configuration is: the extension passively extracts the patterns you have added and gives you quick feedback on which patterns need adjusting to avoid false positives and false negatives.
This Burp extension will save you time for discovery and give you more time for exploitation!