自动收集burpsuite scanenr模块扫描后的结果

0x00需求

在QA进行功能测试时，同时也进行安全测试，减少产品安全测试所花费的时间，将工具可以发现的安全问题，尽可能早的提出来。

0x01思路

找一台windows服务器，在该服务器上安装bp，bp的代理ip：本服务器ip，端口：8080
QA测试时浏览器挂上代理（代理ip：windows服务器的ip，端口：8080）
编写burpsuite插件，将burpsuite scanner模块发现的漏洞存储到sqlite数据库
QA在测试前，需要将测试的url添加到bp的scope中
QA测试完，可以访问响应页面，查看安全测试结果
0x02burpsuite 插件

插件需要继承IScannerListener，使用其newScanIssue函数获取所有的扫描结果

package burp;

@(#)IScanIssue.java
Copyright PortSwigger Ltd. All rights reserved.
This code may be used to extend the functionality of Burp Suite Community Edition
and Burp Suite Professional, provided that this usage does not violate the
license terms for those products.
/
/
This interface is used to retrieve details of Scanner issues. Extensions can
obtain details of issues by registering an <code>IScannerListener</code> or
by calling <code>IBurpExtenderCallbacks.getScanIssues()</code>. Extensions
can also add custom Scanner issues by registering an
<code>IScannerCheck</code> or calling
<code>IBurpExtenderCallbacks.addScanIssue()</code>, and providing their own
implementations of this interface. Note that issue descriptions and other
text generated by extensions are subject to an HTML whitelist that allows
only formatting tags and simple hyperlinks.
*/
public interface IScanIssue
{

/**
- This method returns the URL for which the issue was generated.
- @return The URL for which the issue was generated.
  */
  java.net.URL getUrl();
/**
- This method returns the name of the issue type.
- @return The name of the issue type (e.g. "SQL injection").
  */
  String getIssueName();
/**
- This method returns a numeric identifier of the issue type. See the Burp
- Scanner help documentation for a listing of all the issue types.
- @return A numeric identifier of the issue type.
  */
  int getIssueType();
/**
- This method returns the issue severity level.
- @return The issue severity level. Expected values are "High", "Medium",
- "Low", "Information" or "False positive".
- */
  String getSeverity();
/**
- This method returns the issue confidence level.
- @return The issue confidence level. Expected values are "Certain", "Firm"
- or "Tentative".
  */
  String getConfidence();
/**
- This method returns a background description for this type of issue.
- @return A background description for this type of issue, or
- <code>null</code> if none applies. A limited set of HTML tags may be
- used.
  */
  String getIssueBackground();
/**
- This method returns a background description of the remediation for this
- type of issue.
- @return A background description of the remediation for this type of
- issue, or <code>null</code> if none applies. A limited set of HTML tags
- may be used.
  */
  String getRemediationBackground();
/**
- This method returns detailed information about this specific instance of
- the issue.
- @return Detailed information about this specific instance of the issue,
- or <code>null</code> if none applies. A limited set of HTML tags may be
- used.
  */
  String getIssueDetail();
/**
- This method returns detailed information about the remediation for this
- specific instance of the issue.
- @return Detailed information about the remediation for this specific
- instance of the issue, or <code>null</code> if none applies. A limited
- set of HTML tags may be used.
  */
  String getRemediationDetail();
/*
- This method returns the HTTP messages on the basis of which the issue was
- generated.
- @return The HTTP messages on the basis of which the issue was generated.
- <b>Note:</b> The items in this array should be instances of
- <code>IHttpRequestResponseWithMarkers</code> if applicable, so that
- details of the relevant portions of the request and response messages are
- available.
  */
  IHttpRequestResponse[] getHttpMessages();
/*
- This method returns the HTTP service for which the issue was generated.
- @return The HTTP service for which the issue was generated.
  */
  IHttpService getHttpService();

}

**如上newScanIssue可以获取到扫描的所有结果,比如：
1.java.net.URL getUrl(); 扫描的url
2.String getIssueName(); 问题类型：如SQL injection（sql注入）
3.getSeverity(); 漏洞等级 "High", "Medium", "Low", "Information" or "False positive"
4.String getConfidence(); 确定程度 "Certain", "Firm" or "Tentative".

String getIssueBackground(); 漏洞背景
String getIssueDetail(); 漏洞详情
IHttpRequestResponse[] getHttpMessages(); 漏洞证明的请求、响应包
将以上信息获取后保存到数据库中即可
完整代码：

from burp import IBurpExtender
from burp import IScannerListener
from java.io import PrintWriter
from threading import Thread
from java.lang import Class
from java.sql import DriverManager, SQLException
import time
class BurpExtender(IBurpExtender, IScannerListener):

def registerExtenderCallbacks(self, callbacks):
    # keep a reference to our callbacks object
    self._callbacks = callbacks

    # set our extension name
    callbacks.setExtensionName("scann_test")

    # obtain our output stream
    self._stdout = PrintWriter(callbacks.getStdout(), True)

    self._helpers = callbacks.getHelpers()

    # register ourselves as an
    callbacks.registerScannerListener(self)

def newScanIssue(self,issue):

    #self._stdout.println(issue.getConfidence())  Certain", "Firm" * or "Tentative"
    #CREATE TABLE `scanner` (`id` INTEGER PRIMARY KEY,`time` varchar(100),ip varchar(50),`url` varchar(30) ,`degree` varchar(30) ,`level` varchar(100) ,`detail` text ,`issueType` varchar(200) ,`issueBackground` text,`remediationBackground` text,`remediationDetail` text,`requests` text,`response` text ,issueName varcahr(50))
    if(issue.getConfidence()):

        Class.forName("org.sqlite.JDBC").newInstance()
        JDBC_URL = "jdbc:sqlite:%s" % ("d:/scanner.db")
        dbConn = DriverManager.getConnection(JDBC_URL)
        sql="insert into `scanner` (time,ip,url,degree,level,detail,issueType,issueBackground,remediationBackground,remediationDetail,requests,response,issueName) values(?,?,?,?,?,?,?,?,?,?,?,?,?);"
        preStmt=dbConn.prepareStatement(sql)
        current_time=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())

        requests=""
        response=""
        for message in issue.getHttpMessages():

            for i in range(len(message.getRequest())):
                if(message.getRequest()[i]<255 and message.getRequest()[i]>0):
                    requests=requests+chr(message.getRequest()[i])
            requests+="\n--------------------------\n" 
            if(len(message.getResponse())!=0):
                for i in range(len(message.getResponse())):
                    if(message.getResponse()[i]<255 and message.getResponse()[i]>0):
                        response=response+chr(message.getResponse()[i])
            response+="\n--------------------------\n"
        ip=issue.getHttpService().getHost()

        if(issue.getIssueDetail()):
            detail=issue.getIssueDetail()
        else:
            detail="none"

        if(issue.getIssueBackground()):
            issueBackground=issue.getIssueBackground()
        else:
            issueBackground="none"

        if(issue.getRemediationBackground()):
            remediationBackground=issue.getRemediationBackground()
        else:
            remediationBackground="none"

        if(issue.getRemediationDetail()):
            remediationDetail=issue.getRemediationDetail()
        else:
            remediationDetail="none"

        preStmt.setString(1, str(current_time))
        preStmt.setString(2, str(ip))
        preStmt.setString(3, str(issue.getUrl()))
        preStmt.setString(4,str(issue.getConfidence()))
        preStmt.setString(5,str(issue.getSeverity()))
        preStmt.setString(6,str(detail))
        preStmt.setString(7,str(issue.getIssueType()))
        preStmt.setString(8,str(issueBackground))
        preStmt.setString(9,str(remediationBackground))
        preStmt.setString(10,str(remediationDetail))
        preStmt.setString(11,str(requests))
        preStmt.setString(12,str(response))
        preStmt.setString(13,str(issue.getIssueName()))

        preStmt.addBatch()
        dbConn.setAutoCommit(False)
        preStmt.executeBatch()
        dbConn.setAutoCommit(True)
        dbConn.close()

        self._stdout.println("time:")
        self._stdout.println(current_time)

        self._stdout.print("ip")
        self._stdout.println(ip)

        self._stdout.println("qudingchengdu:"+issue.getConfidence())

        self._stdout.print("url:")
        self._stdout.println(issue.getUrl())

        self._stdout.println(issue.getIssueName())

        self._stdout.println("level:"+issue.getSeverity())

        self._stdout.print("detail:")
        if(issue.getIssueDetail()):
            self._stdout.println(issue.getIssueDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("getIssueType():")
        self._stdout.println(issue.getIssueType())

        self._stdout.print("getIssueBackground")
        if(issue.getIssueBackground()):
            self._stdout.println(issue.getIssueBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationBackground():")
        if(issue.getRemediationBackground()):
            self._stdout.println(issue.getRemediationBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationDetail():")
        if(issue.getRemediationDetail()):
            self._stdout.println(issue.getRemediationDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("---------------------------")

0x03 burpsuite 扫描结果（在数据库中展示）

自动收集burpsuite scanenr模块扫描后的结果

0x04 待存问题

scanner 扫描过程中过滤js，jpg等文件
将需要测试的url自动添加到scope中