kacperszurek/burp_wp

Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy. WPScan like plugin for Burp.

Burp WP a.k.a. WordPress Scanner

Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy.

TL;DR: WPScan like plugin for Burp by Kacper Szurek.

Usage

Install extension. Browse WordPress sites through Burp proxy. Vulnerable plugins and themes will appear on the issue list.

If you have Burp Pro, issues will also appear inside Scanner tab. Interesting things will be highlighted.

Table of contents

• Usage
• Installation
• Issue type
• Options
• Offline database
• Intruder payload generator
• Detect plugins using wp-ajax.php
• License
• Changelog

Installation

WordPress Scanner is available inside BApp Store.

1. Inside Burp go to Extender->BApp Store
2. Choose WordPress Scanner

3. Click Install button

You can also install Burp WP manually:

1. Download Jython standalone JAR, for example version 2.7
2. Go to Extender->Options. Set path inside Location of Jython standalone JAR file

3. Download newest Burp WP
4. Go to Extender->Extensions. Click Add. Set Extension type to Python. Set path inside Extension file.

5. Burp WP should appear inside Burp Extensions list. Also you will see new tab.

Issue type

There are 3 types:

1. Default type (always enabled)

{issue_type} inside {(plugin|theme)} {plugin_name} version {detected_version}

It has High severity. If version is detected using readme.txt, Certain confidence is set. Otherwise we use Firm confidence.

2. Plugin vulnerabilities regarding detected version (option 4 enabled)

Potential {issue_type} inside {(plugin|theme)} {plugin_name} fixed in {version_number}

It has Information severity and Certain confidence.

3. Print info about discovered plugins (option 5 enabled)

Found {(plugin|theme)} {plugin_name}

or if plugin version is detected:

Found {(plugin|theme)} {plugin_name} version {detected_version}

It has Information severity and Certain confidence if is detected. Otherwise Firm confidence is used.

Options

1. Update button

List of vulnerable plugins and themes is downloaded from WPscan. Before downloading, sha512 of files is being checked to see if there is a new version available.

This button also checks if new Burp WP version exist and allows simple auto update mechanism.

2. Use readme.txt for detecting plugins version

Sometimes it's possible to detect plugin version through its resource because some of them have ?ver= string.

For example:

http://www.example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.9.2

Version can be checked using simple regular expression:

re.compile("ver=([0-9\.]+)", re.IGNORECASE)

But this approach is very buggy. Instead more advanced heuristics are used.

Most plugins contains readme.txt file:

=== Plugin Name ===
Donate link: http://example.com/
Stable tag: 4.3

Here is a short description of the plugin.

== Changelog ==

= 1.0 =
* A change since the previous version.

So current plugin version can be obtained from Stable tag or Changelog.

This idea is from WPScan versionable.rb.

3. Scan full response body

By default only request URL is used for finding plugins and themes.

This works just fine but in some cases you may want to parse full response body. Use with caution as this might be slow.

4. Print all plugin vulnerabilities regarding detected version

By default issue is only added when vulnerable plugin version is detected plugin_version < fixed_version.

If you want to print all known vulnerabilities for detected plugin regarding its version - use this option.

5. Print info about discovered plugins even if they don't have known vulnerabilities

Normally plugins/themes which are not vulnerable are ignored.

If you want to have information about installed plugins on given website, even if they are not vulnerable - use this option.

6. Enable auto update

Auto update database once per 24 h.

It also checks if new Burp WP version exists.

7. Enable debug mode

For development purpose.

You can see output inside: Extender->Extensions->Burp WP->Output tab

8. What detect

Decide if you want to search for vulnerable plugins, themes or both.

9. Custom wp-content

Detection mechanism is based on wp-content string.

But it can be changed by website owner. Here you can customize this option.

10. Clear issues list button

This button will remove all issues from issues list inside extension tab.

11. Force update button

Similar to Update button but it downloads new database even if newest one is already installed.

12. Reset settings to default

Restore extension state to factory defaults.

13. Discover plugins using wp-ajax.php See Detect plugins using wp-ajax.php.

Offline database

All vulnerabilities are provided by WPscan - see Vulnerability Database.

Burp WP supports offline mode.

If you operate from high-security network without Internet access you can easily copy database file from normal Burp WP instance to your offline one.

Then use Choose file option.

If it's valid Burp WP database it will be imported automatically.

Intruder payload generator

Because proxy requests and responses are used it's not possible to discover all plugins and themes installed on a specific website.

You can try to get more information manually using intruder payload generator.

Right click on URL inside Proxy->HTTP history and choose Send to Burp WP Intruder.

This will replace request method to GET, remove all parameters and set payload position marker.

Now go to Intruder->Tab X->Positions. Correct URL so it points to WordPress homepage.

Inside Payloads tab uncheck Payload encoding so / won't be converted to %2f.

Then set Payload type to Extension generated. Now click Select generator:

There are 3 generators:

1. WordPress Plugins
2. WordPress Themes
3. WordPress Plugins and themes

Detect plugins using wp-ajax.php

This is new technique available since Burp WP 0.2.

It discovers plugins based on calls to wp-admin/admin-ajax.php endpoint.

Custom action database is used for this.

Basically when plugin send request to /admin-ajax.php?action=akismet_recheck_queue Burp WP makes reverse lookup in action database.

License

MIT License

Copyright (c) 2018 Kacper Szurek

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The WPScan data is licensed separately. Please find the WPScan license here.

Changelog

• 0.2 - Add discovery plugins using wp-ajax.php?action
• 0.1.1 - Updates are downloaded through Burp proxy, fix clear list issues button, implement doPassiveScan function
• 0.1 - Beta version