Burp WP a.k.a. WordPress Scanner
Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy.
TL;DR: WPScan like plugin for Burp by Kacper Szurek.
Usage
Install extension. Browse WordPress sites through Burp proxy. Vulnerable plugins and themes will appear on the issue list.
If you have Burp Pro, issues will also appear inside Scanner tab. Interesting things will be highlighted.
Table of contents
- Usage
- Installation
- Issue type
- Options
- Offline database
- Intruder payload generator
- Detect plugins using wp-ajax.php
- License
- Changelog
Installation
WordPress Scanner is available inside BApp Store.
- Inside Burp go to Extender->BApp Store
- Choose WordPress Scanner
- Click Install button
You can also install Burp WP manually:
- Download Jython standalone JAR, for example version 2.7
- Go to Extender->Options. Set path inside
Location of Jython standalone JAR file
- Download newest Burp WP
- Go to Extender->Extensions. Click Add. Set
Extension type
toPython
. Set path insideExtension file
.
- Burp WP should appear inside
Burp Extensions list
. Also you will see new tab.
Issue type
There are 3 types:
- Default type (always enabled)
{issue_type} inside {(plugin|theme)} {plugin_name} version {detected_version}
It has High severity
. If version is detected using readme.txt
, Certain confidence
is set. Otherwise we use Firm confidence
.
- Plugin vulnerabilities regarding detected version (option 4 enabled)
Potential {issue_type} inside {(plugin|theme)} {plugin_name} fixed in {version_number}
It has Information severity
and Certain confidence
.
- Print info about discovered plugins (option 5 enabled)
Found {(plugin|theme)} {plugin_name}
or if plugin version is detected:
Found {(plugin|theme)} {plugin_name} version {detected_version}
It has Information severity
and Certain confidence
if is detected. Otherwise Firm confidence
is used.
Options
- Update button
List of vulnerable plugins and themes is downloaded from WPscan. Before downloading, sha512
of files is being checked to see if there is a new version available.
This button also checks if new Burp WP version exist and allows simple auto update mechanism.
- Use readme.txt for detecting plugins version
Sometimes it's possible to detect plugin version through its resource because some of them have ?ver=
string.
For example:
http://www.example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.9.2
Version can be checked using simple regular expression:
re.compile("ver=([0-9\.]+)", re.IGNORECASE)
But this approach is very buggy. Instead more advanced heuristics are used.
Most plugins contains readme.txt
file:
=== Plugin Name ===
Donate link: http://example.com/
Stable tag: 4.3
Here is a short description of the plugin.
== Changelog ==
= 1.0 =
* A change since the previous version.
So current plugin version can be obtained from Stable tag
or Changelog
.
This idea is from WPScan versionable.rb.
- Scan full response body
By default only request URL is used for finding plugins and themes.
This works just fine but in some cases you may want to parse full response body. Use with caution as this might be slow.
- Print all plugin vulnerabilities regarding detected version
By default issue is only added when vulnerable plugin version is detected plugin_version < fixed_version
.
If you want to print all known vulnerabilities for detected plugin regarding its version - use this option.
- Print info about discovered plugins even if they don't have known vulnerabilities
Normally plugins/themes which are not vulnerable are ignored.
If you want to have information about installed plugins on given website, even if they are not vulnerable - use this option.
- Enable auto update
Auto update database once per 24 h.
It also checks if new Burp WP version exists.
- Enable debug mode
For development purpose.
You can see output inside: Extender->Extensions->Burp WP->Output tab
- What detect
Decide if you want to search for vulnerable plugins, themes or both.
- Custom wp-content
Detection mechanism is based on wp-content
string.
But it can be changed by website owner. Here you can customize this option.
- Clear issues list button
This button will remove all issues from issues list inside extension tab.
- Force update button
Similar to Update button
but it downloads new database even if newest one is already installed.
- Reset settings to default
Restore extension state to factory defaults.
- Discover plugins using wp-ajax.php See Detect plugins using wp-ajax.php.
Offline database
All vulnerabilities are provided by WPscan - see Vulnerability Database.
Burp WP supports offline mode.
If you operate from high-security network without Internet access you can easily copy database file from normal Burp WP instance to your offline one.
Then use Choose file
option.
If it's valid Burp WP database it will be imported automatically.
Intruder payload generator
Because proxy requests and responses are used it's not possible to discover all plugins and themes installed on a specific website.
You can try to get more information manually using intruder payload generator.
Right click on URL inside Proxy->HTTP history and choose Send to Burp WP Intruder.
This will replace request method to GET, remove all parameters and set payload position marker.
Now go to Intruder->Tab X->Positions. Correct URL so it points to WordPress homepage.
Inside Payloads tab uncheck Payload encoding so /
won't be converted to %2f
.
Then set Payload type to Extension generated. Now click Select generator:
There are 3 generators:
- WordPress Plugins
- WordPress Themes
- WordPress Plugins and themes
Detect plugins using wp-ajax.php
This is new technique available since Burp WP 0.2.
It discovers plugins based on calls to wp-admin/admin-ajax.php
endpoint.
Custom action database is used for this.
Basically when plugin send request to /admin-ajax.php?action=akismet_recheck_queue
Burp WP makes reverse lookup in action database.
License
MIT License
Copyright (c) 2018 Kacper Szurek
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The WPScan data is licensed separately. Please find the WPScan license here.
Changelog
- 0.2 - Add discovery plugins using
wp-ajax.php?action
- 0.1.1 - Updates are downloaded through Burp proxy, fix clear list issues button, implement doPassiveScan function
- 0.1 - Beta version