Re: [W3af-develop] importResults burp logs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Jon,

On Sat, Jul 25, 2009 at 2:16 PM, Andres Riancho<and...@gm...> wrote:
> Steven,
>
> On Sat, Jul 25, 2009 at 12:40 PM, Steven
> Pinkham<ste...@ma...> wrote:
>> Andres Riancho wrote:
>>> Jon,
>>>
>>> On Fri, Jul 24, 2009 at 3:06 PM, jrose<jr...@ow...> wrote:
>>>> Hey,
>>>>
>>>> I've extended the importResult plugin to parse burp logs for input since I
>>>> often use burp when reviewing applications.
>>>
>>> I also use burp frequently and I never saw how to save/export the
>>> proxy logs. After some searching in the burpsuite help I found the the
>>> save state appears in the professional version only. Is that right?
>>
>> Save state and proxy logs are two different things.  Save state is only
>> for the Pro version, but proxy log saving is in all versions. At least
>> it used to be, doubt he has changed it in the latest version. Go to
>> Options tab, look for logging options.
>
> Thanks!
>
>> sqlmap also is able to take those burp logs and test the parameters for
>> SQL injection, which is cool.  Burp is so widely used it's a good idea
>> to be able to integrate with it.
>
> @Jon: You should also take a look at this, maybe the sqlmap guys
> already have a 100% working module for this and we are reinventing the
> wheel. I would have that!

For what I understand from the sqlmap code (Line 195 of options.py):

    if os.path.isfile(conf.list):
        __feedTargetsDict(conf.list, addedTargetUrls)

    elif os.path.isdir(conf.list):
        files = os.listdir(conf.list)
        files.sort()

        for reqFile in files:
            if not re.search("([\d]+)\-request", reqFile):
                continue

            __feedTargetsDict(os.path.join(conf.list, reqFile), addedTargetUrls)

And from the configuration file (Line 7 sqlmap.conf):

    # Parse targets from Burp or WebScarab logs
    # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
    # or WebScarab proxy
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
    # 'conversations/' folder path
    list =

I think that webscarab and burpsuite use the same log format. The only
difference is that webscarab saves the information across multiple
files inside a "conversations" directory, and burp uses only one file.

With all this new information, I patched the original importResults.py
file. It still needs to get improved a little bit, because the parser
is reading all the requests, not only the requests that are from the
w3af target host.

http://w3af.svn.sourceforge.net/viewvc/w3af?view=rev&revision=2995

Please test the code with your log files and let me know if it's
working properly, THANKS!

Cheers,

> Cheeers,
>
>> --
>>  | Steven E. Pinkham                      |
>>  | Security Researcher, Maven Security    |
>>  | http://www.mavensecurity.com           |
>>  | GPG public key ID CD31CAFB             |
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/