See changelog for 0.6

	modified:   CHANGELOG.md
	modified:   DetectDynamicJS.py
	modified:   README.md

Author: luh2

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+<a name="0.6"></a>
+## v0.6 (Marsellus Wallace)
+	- issue a third request to reduce false positives
+	- report authentication-based findings as (Medium, Firm)
+	- report generic dynamic as (Information, Certain), might be removed in future version
+	
 <a name="0.5"></a>
 ## v0.5 (Jules Winnfield)
 	- Bug fix

DetectDynamicJS.py

@@ -25,12 +25,13 @@
     from burp import IHttpRequestResponse
     from burp import IScanIssue
     from array import array
+    from time import sleep
     import difflib
 except ImportError:
     print "Failed to load dependencies. This issue maybe caused by using an unstable Jython version."
 
-VERSION = '0.5'
-VERSIONNAME = 'Jules Winnfield'
+VERSION = '0.6'
+VERSIONNAME = 'Marsellus Wallace'
 
 
 class BurpExtender(IBurpExtender, IScannerCheck, IExtensionStateListener, IHttpRequestResponse):
@@ -57,11 +58,12 @@ def extensionUnloaded(self):
     def doActiveScan(self, baseRequestResponse, insertionPoint):
         return []
 
-    # Burp Scanner invokes this method for each base request/response that is
-    # passively scanned
     def doPassiveScan(self, baseRequestResponse):
         # WARNING: NOT REALLY A PASSIVE SCAN!
-        # doPassiveScan issues always one request per request scanned
+        # doPassiveScan issues always at least one, if not two requests,
+        # per request scanned
+        # This is, because the insertionPoint idea doesn't work well
+        # for this test. 
         scan_issues = []
         possibleFileEndings = ["js", "jsp", "json"]
         possibleContentTypes = ["javascript", "ecmascript", "jscript", "json"]
@@ -107,16 +109,55 @@ def doPassiveScan(self, baseRequestResponse):
                 requestHeaders = request.tostring()[:requestBodyOffset].split('\r\n')
                 requestBody = request.tostring()[requestBodyOffset:]
                 modified_headers = "\n".join(header for header in requestHeaders if "Cookie" not in header)
-                newResponse = self._callbacks.makeHttpRequest(self._requestResponse.getHttpService(), self._helpers.stringToBytes(modified_headers+body))
+                newResponse = self._callbacks.makeHttpRequest(self._requestResponse.getHttpService(), self._helpers.stringToBytes(modified_headers+requestBody))
                 issue = self.compareResponses(newResponse, self._requestResponse)
                 if issue:
+                    # If response is script, check if script is dynamic
+                    if self.isScript(newResponse):
+                        # sleep, in case this is a generically time stamped script
+                        sleep(1)
+                        secondResponse = self._callbacks.makeHttpRequest(self._requestResponse.getHttpService(), self._helpers.stringToBytes(modified_headers+requestBody))
+                        isDynamic = self.compareResponses(secondResponse, newResponse)
+                        if isDynamic:
+                            issue = self.reportDynamicOnly(newResponse, self._requestResponse, secondResponse)
                     scan_issues.append(issue)
-            
         if len(scan_issues) > 0:
             return scan_issues
         else:
             return None
-
+    
+ 
+    def isScript(self, requestResponse):
+        """Determine if the response is a script"""
+        possibleContentTypes = ["javascript", "ecmascript", "jscript", "json"]
+        self._helpers = self._callbacks.getHelpers()
+        
+        url = self._helpers.analyzeRequest(requestResponse).getUrl()
+        url = str(url).split("?")[0]
+        
+        response = requestResponse.getResponse()
+        responseInfo = self._helpers.analyzeResponse(response)
+        mimeType = responseInfo.getStatedMimeType().split(';')[0]
+        inferredMimeType = responseInfo.getInferredMimeType().split(';')[0]
+        bodyOffset = responseInfo.getBodyOffset()
+        headers = response.tostring()[:bodyOffset].split('\r\n')
+        
+        contentLengthL = [x for x in headers if "content-length:" in x.lower()]
+        if len(contentLengthL) >= 1:
+            contentLength = int(contentLengthL[0].split(':')[1].strip())
+        else:
+            contentLength = 0
+        
+        if contentLength > 0:
+            contentType = ""
+            contentTypeL = [x for x in headers if "content-type:" in x.lower()]
+            if len(contentTypeL) == 1:
+                contentType = contentTypeL[0].lower()
+            statusCode = responseInfo.getStatusCode()
+            if (any(content in contentType for content in possibleContentTypes) or "script" in inferredMimeType or "script" in mimeType) and (int(statusCode) < 300 or int(statusCode) > 399):
+                return True
+        return False
+        
 
     def compareResponses(self, newResponse, oldResponse):
         """Compare two responses in respect to their body contents"""
@@ -133,25 +174,58 @@ def compareResponses(self, newResponse, oldResponse):
         result = None
         if str(nBody) != str(oBody):
             issuename = "Dynamic JavaScript Code Detected"
-            issuelevel = "Information"
+            issuelevel = "Medium"
             issuedetail = "These two files contain differing contents. Check the contents of the files to ensure that they don't contain sensitive information."
             issuebackground = "Dynamically generated JavaScript might contain session or user relevant information. Contrary to regular content that is protected by Same-Origin Policy, scripts can be included by third parties. This can lead to leakage of user/session relevant information."
             issueremediation = "Applications should not store user/session relevant data in JavaScript files with known URLs. If strict separation of data and code is not possible, CSRF tokens should be used."
-           
+            issueconfidence = "Firm"
             oOffsets = self.calculateHighlights(nBody, oBody, oBodyOffset)
             nOffsets = self.calculateHighlights(oBody, nBody, nBodyOffset)
             result = ScanIssue(self._requestResponse.getHttpService(),
                                self._helpers.analyzeRequest(self._requestResponse).getUrl(),
-                               issuename, issuelevel, issuedetail, issuebackground, issueremediation,
+                               issuename, issuelevel, issuedetail, issuebackground, issueremediation, issueconfidence,
                                [self._callbacks.applyMarkers(oldResponse, None, oOffsets), self._callbacks.applyMarkers(newResponse, None, nOffsets)])
         else:
             url = self._helpers.analyzeRequest(newResponse).getUrl()
             url = str(url)
-            print "File "+url+" is the same with and without cookies"
 
         return result
 
+    def reportDynamicOnly(self, firstResponse, originalResponse, secondResponse):
+        """Report Situation as Dynamic Only"""
+        issuename = "Dynamic JavaScript Code Detected"
+        issuelevel = "Information"
+        issueconfidence = "Certain"
+        issuedetail = "These files contain differing contents. Check the contents of the files to ensure that they don't contain sensitive information."
+        issuebackground = "Dynamically generated JavaScript might contain session or user relevant information. Contrary to regular content that is protected by Same-Origin Policy, scripts can be included by third parties. This can lead to leakage of user/session relevant information."
+        issueremediation = "Applications should not store user/session relevant data in JavaScript files with known URLs. If strict separation of data and code is not possible, CSRF tokens should be used."
 
+        nResponse = firstResponse.getResponse()
+        nResponseInfo = self._helpers.analyzeResponse(nResponse)
+        nBodyOffset = nResponseInfo.getBodyOffset()
+        nBody = nResponse.tostring()[nBodyOffset:]
+        
+        oResponse = originalResponse.getResponse()
+        oResponseInfo = self._helpers.analyzeResponse(oResponse)
+        oBodyOffset = oResponseInfo.getBodyOffset()
+        oBody = oResponse.tostring()[oBodyOffset:]
+
+        sResponse = secondResponse.getResponse()
+        sResponseInfo = self._helpers.analyzeResponse(sResponse)
+        sBodyOffset = sResponseInfo.getBodyOffset()
+        sBody = sResponse.tostring()[sBodyOffset:]
+        
+        oOffsets = self.calculateHighlights(nBody, oBody, oBodyOffset)
+        nOffsets = self.calculateHighlights(oBody, nBody, nBodyOffset)
+        sOffsets = self.calculateHighlights(oBody, sBody, sBodyOffset)
+        result = ScanIssue(self._requestResponse.getHttpService(),
+                           self._helpers.analyzeRequest(self._requestResponse).getUrl(),
+                           issuename, issuelevel, issuedetail, issuebackground, issueremediation, issueconfidence,
+                           [self._callbacks.applyMarkers(originalResponse, None, oOffsets),
+                            self._callbacks.applyMarkers(firstResponse, None, nOffsets),
+                            self._callbacks.applyMarkers(secondResponse, None, sOffsets)])
+        return result
+        
     def calculateHighlights(self, newBody, oldBody, bodyOffset):
         """find the exact points for highlighting the responses"""
         s = difflib.SequenceMatcher(None, oldBody, newBody)
@@ -186,14 +260,14 @@ def consolidateDuplicateIssues(self, existingIssue, newIssue):
             nResponseInfo = self._helpers.analyzeResponse(nResponse)
             nBodyOffset = nResponseInfo.getBodyOffset()
             nBody = nResponse.tostring()[nBodyOffset:]
-            newIssueResponses.append(nBody)
+#            newIssueResponses.append(nBody)
 
         for oldResponse in existingIssue.getHttpMessages():
             oResponse = oldResponse.getResponse()
             oResponseInfo = self._helpers.analyzeResponse(oResponse)
             oBodyOffset = oResponseInfo.getBodyOffset()
             oBody = oResponse.tostring()[oBodyOffset:]
-            existingIssueResponses.append(oBody)
+#            existingIssueResponses.append(oBody)
 
         for newIssueResp in newIssueResponses:
             for existingIssueResp in existingIssueResponses:
@@ -206,14 +280,15 @@ def consolidateDuplicateIssues(self, existingIssue, newIssue):
             return 0
 
 class ScanIssue(IScanIssue):
-    def __init__(self, httpservice, url, name, severity, detailmsg, background, remediation, requests):
+    def __init__(self, httpservice, url, name, severity, detailmsg, background, remediation, confidence, requests):
         self._url = url
         self._httpservice = httpservice
         self._name = name
         self._severity = severity
         self._detailmsg = detailmsg
         self._issuebackground = background
         self._issueremediation = remediation
+        self._confidence = confidence
         self._httpmsgs = requests
 
     def getUrl(self):
@@ -247,4 +322,4 @@ def getSeverity(self):
         return self._severity
 
     def getConfidence(self):
-        return "Certain"
+        return self._confidence

README.md

@@ -2,7 +2,10 @@
 
 The DetectDynamicJS Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
 
-Dynamically Generated JavaScript occasionally contains *data* in addition to code. Since, by default, scripts need to be able to be included by third parties, this can lead to leakage. The whole process of how to exploit this behavior is detailed in the paper [The Unexpected Dangers of Dynamic JavaScript](https://www.kittenpics.org/wp-content/uploads/2015/05/script-leakage.pdf) by Sebastian Lekies, Ben Stock, Martin Wentzel and Martin Johns. The paper inspired this extension. I hope this extension will ease the hunt for vulnerabilities described in the aforementioned paper. Release statement with additional information about the extension can be found on the official website [http://www.scip.ch/en/?labs.20151215](http://www.scip.ch/en/?labs.20151215).
+Dynamically Generated JavaScript occasionally contains *data* in addition to code. Since, by default, scripts need to be able to be included by third parties, this can lead to leakage. For more information about the reasons, the ways to find or how to exploit this issue, see [Cross-Site Script Inclusion](http://www.scip.ch/en/?labs.20160414).
+
+## Note on Release 0.6 (Marsellus Wallace)
+If necessary, the extension will now issue two requests to reduce false positives. Also, depending on how the issue was discovered, it might be rated as Information and not as Medium.
 
 ## Note on Release 0.3 (Mia Wallace)
 We decided to improve the usability by not requiring the user to request both the non-authenticated version and the authenticated version of the script. Instead, when calling a passive scan of the authenticated version of the script, the extension requests the non-authenticated version by itself. This has proven to be more comfortable. It should be noted that the extension is still a passive scanner module, despite the fact that it issues a request per scanned file.
@@ -16,13 +19,14 @@ Some default installations of Python might not install difflib. In that case you
 ![Screenshot of Issue](https://github.com/luh2/DetectDynamicJS/blob/master/screenshots/generic.png)
 ![Marked Difference in compared JS](https://github.com/luh2/DetectDynamicJS/blob/master/screenshots/secret.png)
 
+## Contributions
+If you want to improve the extension, please send me a pull request or open an issue. To ease accepting pull requests, if you send a pull request, please make sure it addresses only one change and not multiple ones at the same time.
+
 ## Various
 The extension has been tested with Kali Linux, Burp version 1.6.32 and newer, Jython installation (not stand-alone) 2.7rc1.
 
 If you test under Windows or use a different Burp version, please share if you experience problems.
 
-If you want to improve the extension, please send me a pull request or leave a comment.
-
 If you identify XSSI because of this extension, feel free to share!
 
 ## License