Have you ever wondered how to consider all input-to-output correlations of a web application during a pentest? With FlowMate, you no longer have to. FlowMate is our BurpSuite extension designed to introduce taint analysis to web applications. It achieves this by monitoring all parameters sent to a target application and identifying their appearances in the corresponding responses.
This tool operates from either a black-box or grey-box perspective, eliminating the need for any modifications to the underlying infrastructure or the application itself. Moreover, it generates a visual graph that encompasses all parameters in the background. Whenever you require more intricate insights into a specific parameter, value, or URL, you can effortlessly refer to the integrated Neo4J browser to access the graph. This can be accomplished either through a single query in the Neo4J browser or by using the provided built-in query view.
Some key features of FlowMate are:
- Track parameter values of all applications added to the BurpSuite project scope.
- Matching of parameters can be performed live while browsing, or deferred in order to reduce load times while manually browsing the application.
- Store all data points in a local and file-based Neo4J instance.
- Integrates the Neo4J Browser directly to visualize and browse the resulting graph. No installation needed.
- Enables you to define Sessions within the plugin to ease tracking cross-session parameters.
- Performs automatic audit steps on the created graph to generate Findings with points of interest.
- Has the capability to define filters for parameters in order to reduce noise in the resulting data flow graph.
A video demonstrating the end-to-end use of FlowMate is available on our YouTube channel.
FlowMate is used best during the reconnaissance phase in a security assessment. The following steps explain on how to get started:
- Load FlowMate into your BurpSuite with a project for your current assessment already created
- After loading finished add the target application to the BurpSuite internal Scope. Only in-scope targets are tracked by FlowMate
- Activate the detection by checking both boxes on the Getting Started tab of FlowMate. You can choose Live or Deferred matching. Deferred is recommended for bigger applications as Live matching might slow down the browsing experience if hundreds of parameters are matched against every response.
- Browse the application following the General best practices below
- Stop the detection before starting manual analysis. This prevents payloads and duplicate values from polluting the graph
- Profit from the data flow graph created for you!
- Enter unique and long enough values (generally more than 6 characters) when browsing an application with FlowMate enabled
- Do not enter payloads during this phase
- Browse all user roles and functionality available
- You can lookup in which locations an specific parameter you are testing reappers in the application including the near surrounding of the match giving a first impression on which payloads might be useful for exploitation
- You can more easily identify occurrences of a parameter in not directly visible places, such as in hidden input fields or when a value is used in resources like stylesheets or scripts for example
- In conjunction with the session tracking feature you can track cross-session parameter occurrences. In case of attack vectors like Cross-Site Scripting (XSS) this may lead to attacks on higher privileged accounts (privilege escalation, account takeover)
- If your target application consists of multiple domains, for example APIs and the actual web frontend, the graph helps to detect cross-domain occurrences of parameter matches
- You can directly identify unsafe behavior of the application from the graph. Some examples include:
- A user password is included in the applications sources in cleartext
- Security enhancements such as CSRF tokens are not changed in a secure manner
- Download the latest pre-built jar file from the Release page
- Follow the steps to install an extension from JAR file here: Installing an extension from a file
- Clone the repository, switch into it and run
mvn package. Thetargetfolder then contains a built version of FlowMate - Follow the steps to install an extension from JAR file here: Installing an extension from a file
If you encounter issues with FlowMate please report to us via a GitHub Issue. Error Logs are written to the logfile in ~/.flowmate folder on your system running the plugin as well as the error log console in the BurpSuite Extension tab ("Extension" Tab > "Installed" Tab > Select "FlowMate" > "Errors" Tab).
Supplying us with this information as well as a short description of when the error occurs helps us to troubleshoot and fix the issue. Furthermore, keeping the BurpState might help if we have questions back to you.