FlowMate: BurpSuite extension that brings taint analysis to web applications
FlowMate
Have you ever wondered how to consider all input-to-output correlations of a web application during a pentest? With FlowMate, you no longer have to. FlowMate is our BurpSuite extension designed to introduce taint analysis to web applications. It achieves this by monitoring all parameters sent to a target application and identifying their appearances in the corresponding responses.
This tool operates from either a black-box or grey-box perspective, eliminating the need for any modifications to the underlying infrastructure or the application itself. Moreover, it generates a visual graph that encompasses all parameters in the background. Whenever you require more intricate insights into a specific parameter, value, or URL, you can effortlessly refer to the integrated Neo4J browser to access the graph. This can be accomplished either through a single query in the Neo4J browser or by using the provided built-in query view.
Key Features
Some key features of FlowMate are:
- Track parameter values of all applications added to the BurpSuite project scope.
- Store all data points in a local and file-based Neo4J instance.
- Integrates the Neo4J Browser directly to visualize and browse the resulting graph. No installation needed.
- Enables you to define Sessions within the plugin to ease tracking cross-session parameters.
- Performs automatic audit steps on the created graph to generate Findings with points of interest.
How to Use
FlowMate is best used during the reconnaissance phase of a security assessment. The following steps explain how to get started:
- Load FlowMate into your BurpSuite with a project for your current assessment already created
- After loading has finished, add the target application to the BurpSuite internal Scope. Only in-scope targets are tracked by FlowMate
- Activate the detection by checking both boxes on the Getting Started tab of FlowMate
- Browse the application following the General best practices below
- Stop the detection before starting manual analysis. This prevents payloads and duplicate values from polluting the graph.
- Profit from the data flow graph created for you!
What can you get from the graph?
- You can look up the locations in which a specific parameter you are testing reappears in the application, including the text surrounding each match, which gives a first impression of which payloads might be useful for exploitation
- You can more easily identify occurrences of a parameter in places that are not directly visible, such as hidden input fields, or where a value is used in resources such as stylesheets or scripts
- In conjunction with the session tracking feature you can track cross-session parameter occurrences. For attack vectors like Cross-Site Scripting (XSS) this may lead to attacks on higher-privileged accounts (privilege escalation, account takeover)
- If your target application consists of multiple domains, for example APIs and the actual web frontend, the graph helps to detect cross-domain occurrences of parameter matches
- You can identify unsafe behavior of the application directly from the graph. Some examples are:
  - A user password is included in the application's sources in cleartext
  - Security mechanisms such as CSRF tokens are not changed in a secure manner
General best practices
- Enter unique values that are long enough (generally more than 6 characters) when browsing an application with FlowMate enabled
- Do not enter payloads during this phase
- Browse all user roles and functionality available
Install
Copyright (C) 2023 usdAG