GAP-Burp-Extension: find more potential parameters and potential links

GAP

This is an evolution of the original getAllParams extension for Burp. Not only does it find more potential parameters for you to investigate, but it also finds potential links to try these parameters on and produces a target-specific wordlist to use for fuzzing.

GAP Mode

There are 3 different modes for GAP, Parameters, Links, and Words. They can either be run separately, or together, depending on what you select. What each mode does will be explained below, but if you don’t need all enabled then unselecting them can use less memory and get results back quicker.

Parameters Mode

When the GAP Mode of Parameters is selected then GAP will try to find as many potential parameters based the following options:

• Include URL path words? – The words in the response URL path are included as potential parameters if the URL is in scope.
• Report “sus” parameters? – If a “sus” parameter is identified, a Burp custom Issue will be raised (unavailable in Burp Community Edition). There will be no markers in the Request/Response of the Issue showing where the named parameter can be found because including this functionality seriously increases the time GAP can take to run, so this is not a feature at the moment. For Burp Community Edition, the details of the parameter will be written to the extension output.

Request Parameters

These are mainly parameters that Burp itself identifies from HTTP requests and are part of the Burp Extender API IParameter interface

• Query string params – PARAM_URL; a parameter within the URL query string
• Message body params – PARAM_BODY; a parameter within the message body
• Param attribute in multi-part message body – PARAM_MULTIPART_ATTR; the value of a parameter attribute within a multi-part message body (such as the name of an uploaded file)
• JSON params – PARAM_JSON; an item of data within a JSON structure
• Cookie names – PARAM_COOKIE; an HTTP cookie name
• Items of data in XML structure – PARAM_XML
• Value of tag attribute in XML structure – PARAM_XML_ATTR

Additionally, GAP will also report any parameters in the Request where the Burp API doesn’t always successfully detect them:

• JSON format
• GraphQL request (COMING SOON)
• XML request (COMING SOON)

Response Parameters

These are potential parameters that can be found in the HTTP responses. These are identified by GAP itself rather than through the Burp Extender API.

• JSON params – if the response has a MIME type of JSON then the Key names will be retrieved
• Value of tag attributes in XML structure – if the response has a MIME type of XML then the XML attributes are retrieved
• Name and Id attributes of HTML input fields – if the response has a MIME type of HTML then the value of the NAME and ID attributes of any INPUT tags are retrieved
• Javascript variables and constants – javascript variables set with var, let or const are retrieved. NOTE: Improvements are needed to retrieve more variables as there are many ways that these can be declared and difficult to retrieve all from regex.
• Params from links found – THIS OPTION IS ONLY ENABLED IF LINKS MODE IS ALSO USED. Any URL query string parameters in potential Links found will be retrieved, only if they are clearly in scope, or there is just a path and no way of determining if it is in scope.

Links Mode

When the GAP Mode of Links is selected then GAP will try to find possible links based on the following. Also, only requests of a certain Content-Type are checked for potential links. This is determined by the constant CONTENTTYPE_EXCLUSIONS in the code (these are types such as images, video, audio, fonts, etc.)

• Prefix with selected target(s) – If checked, the root of each target selected in the Site Map will be prefixed to any links found that do not have a domain, e.g. /api/user/1
• Prefix with link(s) – If checked, the value(s) in the text field will be prefixed to any links found that do not have a domain, e.g. /api/user/1. Multiple domains can be provided, separated by a semicolon, e.g. http://example.com;https://sub.example.com
• Also include un-prefixed links – If the Prefix with selected target(s) or Prefix with link(s) option is checked then this option can be checked to include the original un-prefixed link in addition to the prefixed link.
• Include site map endpoints? – This will include endpoints from the Burp Site map (what was selected) in the potential Link list, if they are in scope.
• Include relative links? – If checked, links found that start with `./` or `../` will be included in the results.
• Link exclusions – If the option is selected it will be applied when run. The text field contains a comma separated list of values. If any of these values exists in a potential link found, then it will be excluded from the final list. There is a initial default list determined by the DEFAULT_EXCLUSIONS constant, but you can change this and save your settings. If the option is not selected, all links will be returned.

Words Mode

When the GAP Mode of Words is selected then GAP will produce a target specific wordlist from the responses searched.

• Create lowercase words? – Any word found that contains an uppercase letter will also be added as an all lowercase word.
• Create singular/plural word? – If checked, then for each word found, a suitable singular or plural version will also be added to the output.
• Include HTML comments? – If checked, all words within HTML comments will be considered.
• Include IMG ALT attribute? -If checked, all words with the ALT attribute of IMG tags will be considered.
• Include words with digits? – If un-checked, then any words with numeric digits will be excluded from output.
• Include URL path words? – Any path words in selected links will be added as words.
• Include potential params – This option is only shown if the Parameters Mode is enabled. If selected, all potential params will also be added to the word list.
• Maximum length of words – The maximum length of words that will be output (this excludes plurals of minimum length words). This can be a minimum of 3.
• Stop words – The term stop words comes from Natural Language Processing where they are common words that will be excluded from content. If a word exists in this list before running, then it will be excluded from output.

In addition to the options above, words will be taken from all responses with certain conditions:

• Only responses with content types are searched. The defaults are text/html,application/xml,application/json,text/plain,application/xhtml+xml,application/ld+json,text/xml
• Words from <meta> tag content where:
  • Property is og:title, og:description, title, og:site_name or fb:admins
  • Name is description, keywords, twitter:title, twitter:descriptionapplication-name, author, subject, copyright, abstract, topic, summary, owner, directory, category, og:title, og:type, og:site_name, og:description, csrf-param, apple-mobile-web-app-title, twitter:label1, twitter:data1, twitter:label2, twitter:data2 or twitter:title
• Words from <link> tag title where:
  • Rel is alternate, index, start, prev, next or search
• Words from the rest of the inner HTML of the page, excluding tags <style>, <script> and <link>

Install & Use