
Https fix #1

Merged
merged 8 commits into from Feb 14, 2017


aapomm commented Feb 2, 2017

Trello

  • Replaced ruby's Net::HTTP with Burp API
dormi commented Feb 3, 2017

We may bump the version to 0.0.3.

dormi reviewed burp-dradis.rb (outdated) on Feb 3, 2017, at the line "# Build the initial request":

I reimagined this part like this:

```ruby
# Build initial request: let Burp build a GET for the URL, then toggle it to POST
req_as_bytes  = @helpers.toggleRequestMethod(@helpers.build_http_request(url))
req_as_string = String.from_java_bytes(req_as_bytes)

# Edit the request headers (header lines end in CRLF, and Content-Length
# must count bytes rather than characters)
req_as_string.sub! "Content-Length: 0", "Content-Length: #{payload.bytesize}"
req_as_string.sub! "Content-Type: application/x-www-form-urlencoded", "Content-Type: application/json"
req_as_string.sub! "application/json", "application/json\r\n#{auth_headers}" #FIXME: this seems unclear to me

# Add body
req_as_string << payload

# Send request
response = @callbacks.make_http_request(host, port, use_ssl, req_as_string.to_java_bytes)
```

I was trying to:

aapomm (Contributor) commented Feb 6, 2017

Using build_http_message as opposed to build_http_request gives me the ability to do the header adding, but the initial HTTP method, URL, and host are omitted from the HTTP message. This means I'll have to do the ugly concatenation regardless.

dormi commented Feb 6, 2017

Tested your changes @aapomm, work great.

One more question:

In Burp Suite, we are giving the option to use Dradis CE. But I'm not sure if token authentication would work in CE. I guess not.
Should we remove the radio from Burp, or add basic HTTP authentication?
[screenshot 2017-02-06 at 12:23:52]

aapomm (Contributor) commented Feb 6, 2017

@dormi It should work for Dradis CE if you use the shared password as the API Token.

dormi commented Feb 6, 2017

Indeed it works!
I was using port 3000, and the port is hardcoded to 80.

I think that making ports configurable should be a separate feature.

Commit: Build the HTTP request from scratch

Instead of using Burp's API to build it and then replace substrings of the result.
etdsoft (Member) commented Feb 13, 2017

I think we're going down a slippery slope here by using Burp to build a request and then calling gsub to replace the bits and pieces that we don't want to use.

I implemented an alternative approach in which we just build the HTTP request message from scratch here:

#2

I've also broken down the main method into two: 1) build the request; 2) send the request.

Let me know what you think.
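The from-scratch approach etdsoft describes, as an added example that is not burp-dradis code: one function builds the request line, headers and body with proper CRLF framing and a byte-accurate Content-Length (the defects the gsub approach above risks), a second function sends it through a pluggable transport, and the port is a parameter rather than hardcoded to 80. The Dradis API path and the Authorization/Dradis-Project-Id header format are assumptions.

```ruby
# Added example, not burp-dradis code: build the Dradis API request message
# from scratch (request line + headers + body) and send it through a
# pluggable transport, instead of patching a Burp-generated request.
CRLF = "\r\n".freeze

# Returns the full HTTP/1.1 request as one String. Headers are joined with
# CRLF and Content-Length counts bytes, so non-ASCII JSON is framed correctly.
# The Authorization/Dradis-Project-Id header format is an assumption here.
def build_request(host:, port:, path:, payload:, token:, project_id: nil)
  host_header = [80, 443].include?(port) ? host : "#{host}:#{port}"
  headers = {
    'Host'           => host_header,
    'Content-Type'   => 'application/json',
    'Content-Length' => payload.bytesize.to_s,
    'Authorization'  => %(Token token="#{token}")
  }
  headers['Dradis-Project-Id'] = project_id.to_s if project_id
  header_block = headers.map { |k, v| "#{k}: #{v}" }.join(CRLF)
  ["POST #{path} HTTP/1.1", header_block, '', payload].join(CRLF)
end

# Sanity check before sending: the message must contain the CRLF CRLF
# separator and the body must be exactly Content-Length bytes long.
def well_framed?(request)
  head, body = request.split("#{CRLF}#{CRLF}", 2)
  return false if body.nil?
  declared = head[/^Content-Length: (\d+)/, 1]
  !declared.nil? && body.bytesize == declared.to_i
end

# transport is any callable (host, port, use_ssl, bytes) -> response.
# Inside a Burp extension it would wrap the real callback, e.g.
#   ->(h, p, s, b) { @callbacks.make_http_request(h, p, s, b.to_java_bytes) }
def send_request(request, host:, port:, use_ssl:, transport:)
  raise ArgumentError, 'malformed HTTP request' unless well_framed?(request)
  transport.call(host, port, use_ssl, request.b)
end

# Constructed sample: a Dradis CE instance on port 3000 (as in the thread),
# a placeholder token, and a JSON body containing a non-ASCII character.
def demo
  payload = '{"label":"Note","text":"résumé"}'
  req = build_request(host: 'dradis.local', port: 3000, path: '/pro/api/nodes',
                      payload: payload, token: 'EXAMPLE_TOKEN')
  sent = nil
  send_request(req, host: 'dradis.local', port: 3000, use_ssl: false,
               transport: ->(_h, _p, _s, bytes) { sent = bytes; 'HTTP/1.1 201 Created' })
  sent
end
```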

@etdsoft etdsoft merged commit ce34587 into master Feb 14, 2017
