Add FlowMate codebase

pom.xml

@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>de.usd</groupId>
+    <artifactId>flowmate</artifactId>
+    <version>1.0</version>
+
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>3.2.0</version>
+                <configuration>
+                    <descriptors>
+                        <descriptor>src/assembly/jar-descriptor.xml</descriptor>
+                    </descriptors>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>jar-with-dependencies</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <!-- https://mvnrepository.com/artifact/org.json/json -->
+        <dependency>
+            <groupId>net.portswigger.burp.extensions</groupId>
+            <artifactId>montoya-api</artifactId>
+            <version>2023.3</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.neo4j/neo4j-bolt -->
+        <dependency>
+            <groupId>org.neo4j</groupId>
+            <artifactId>neo4j-bolt</artifactId>
+            <version>5.5.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.neo4j/neo4j -->
+        <dependency>
+            <groupId>org.neo4j</groupId>
+            <artifactId>neo4j</artifactId>
+            <version>5.5.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.neo4j</groupId>
+            <artifactId>neo4j-ogm-core</artifactId>
+            <version>4.0.3</version>
+        </dependency>
+        <dependency>
+            <groupId>org.neo4j</groupId>
+            <artifactId>neo4j-ogm-bolt-driver</artifactId>
+            <version>4.0.3</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.neo4j.client/neo4j-browser -->
+        <dependency>
+            <groupId>org.neo4j.client</groupId>
+            <artifactId>neo4j-browser</artifactId>
+            <version>5.4.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.neo4j.app</groupId>
+            <artifactId>neo4j-server</artifactId>
+            <version>5.5.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.neo4j/neo4j-native -->
+        <dependency>
+            <groupId>org.neo4j</groupId>
+            <artifactId>neo4j-native</artifactId>
+            <version>5.5.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.jsoup/jsoup -->
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.15.3</version>
+        </dependency>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+            <version>20220320</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.10</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.miglayout</groupId>
+            <artifactId>miglayout</artifactId>
+            <version>3.7.4</version>
+        </dependency>
+        <dependency>
+            <groupId>com.opencsv</groupId>
+            <artifactId>opencsv</artifactId>
+            <version>5.2</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.26</version>
+            <scope>provided</scope>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.openjfx/javafx-controls -->
+        <dependency>
+            <groupId>org.openjfx</groupId>
+            <artifactId>javafx-controls</artifactId>
+            <version>19.0.2.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.commonmark</groupId>
+            <artifactId>commonmark</artifactId>
+            <version>0.20.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/com.github.wnameless.json/json-flattener -->
+        <dependency>
+            <groupId>com.github.wnameless.json</groupId>
+            <artifactId>json-flattener</artifactId>
+            <version>0.16.4</version>
+        </dependency>
+    </dependencies>
+</project>

src/assembly/jar-descriptor.xml

@@ -0,0 +1,25 @@
+<!-- Based on jar-with-dependencies, one of the defaults available in Maven -->
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/3.2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/3.2.0 https://maven.apache.org/xsd/assembly-3.2.0.xsd">
+    <id>jar-with-dependencies</id>
+    <formats>
+        <format>jar</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/</outputDirectory>
+            <useProjectArtifact>true</useProjectArtifact>
+            <unpack>true</unpack>
+            <scope>runtime</scope>
+        </dependencySet>
+    </dependencySets>
+
+    <!-- This element added to make sure files in META-INF/services are merged from all packages. -->
+    <containerDescriptorHandlers>
+        <containerDescriptorHandler>
+            <handlerName>metaInf-services</handlerName>
+        </containerDescriptorHandler>
+    </containerDescriptorHandlers>
+</assembly>

src/main/java/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Main-Class: BurpExtender
+

src/main/java/audit/AuditFinding.java

@@ -0,0 +1,27 @@
+package audit;
+
+public abstract class AuditFinding {
+
+    public String name; 
+    public FindingSeverity severity;
+
+
+    public AuditFinding(String name, FindingSeverity severity){
+        this.name = name;
+        this.severity = severity;
+    }
+
+    public abstract String getShortDescription();
+    public abstract String getLongDescription();
+
+    public String getLabelRepresentation(){
+        return String.format("Name: <b>%s</b><br>Severity: <b>%s</b><br>Description: %s", this.name, this.severity, this.getShortDescription());
+    }
+
+    public enum FindingSeverity{
+        INFORMATIONAL,
+        LOW,
+        MIDDLE,
+        HIGH
+    }
+}

src/main/java/audit/CrossSessionAudit.java

@@ -0,0 +1,61 @@
+package audit;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Vector;
+
+import audit.AuditFinding.FindingSeverity;
+import db.MatchHelperClass;
+import db.entities.ParameterMatch;
+import gui.AuditFindingView;
+
+public class CrossSessionAudit {
+
+    private AuditFindingView auditFindingView;
+
+    public CrossSessionAudit(AuditFindingView auditFindingView){
+        this.auditFindingView = auditFindingView;
+    }
+
+    public void performAudit(ParameterMatch match, String sessionName, MatchHelperClass matchHelper){
+        var inputValueSession = match.getInputValue().getSession();
+
+        if(sessionName == null || sessionName.equals("not set")
+           || inputValueSession == null || inputValueSession.equals("not set")
+           || inputValueSession.equals(sessionName) ){
+            return;
+        }
+
+        AuditFinding finding = buildAuditFinding(matchHelper.getInputParameterObj().getName(), inputValueSession, sessionName);
+        this.auditFindingView.addFinding(finding);
+    }
+
+    public void identifyAudits(String paramName, String sessionEntered, String sessionMatched) {
+        AuditFinding finding = buildAuditFinding(paramName, sessionEntered, sessionMatched);
+        this.auditFindingView.addFinding(finding);
+    }
+
+    private AuditFinding buildAuditFinding(String paramName, String sessionEntered, String sessionMatched){
+        return new CrossSessionAuditFinding(paramName, sessionEntered, sessionMatched);
+    }
+
+    public void sessionRename(String oldName, String newName){
+        var allFindings = this.auditFindingView.getAuditFindings();
+        var newFindings = new Vector<AuditFinding>();
+        for(var finding : allFindings){
+            if(!finding.getClass().getName().equals(CrossSessionAuditFinding.class.getName())){
+                //No rename if not CrossSessionAuditFinding
+                newFindings.add(finding);
+                continue;
+            }
+            var crossSessionFinding = (CrossSessionAuditFinding)finding;
+            crossSessionFinding.renameSession(oldName, newName);
+            newFindings.add(crossSessionFinding);
+        }
+        this.auditFindingView.setAuditFindings(newFindings);
+    }
+    public void renderFindings() {
+        this.auditFindingView.renderFindings();
+    }
+
+}

src/main/java/audit/CrossSessionAuditFinding.java

@@ -0,0 +1,71 @@
+package audit;
+
+public class CrossSessionAuditFinding extends AuditFinding {
+
+    public String parameterName;
+    public String sessionEntered;
+    public String sessionFound;
+
+    private static final String name = "Cross-Session Parameter Match";
+
+
+
+    public CrossSessionAuditFinding(String parameterName, String sessionEntered, String sessionFound) {
+        super(name, FindingSeverity.MIDDLE);
+        this.parameterName = parameterName;
+        this.sessionEntered = sessionEntered;
+        this.sessionFound = sessionFound;
+
+    }
+
+
+    public void renameSession(String oldName, String newName){
+        if(sessionEntered.equals(oldName)){
+            this.sessionEntered = newName;
+        }
+        else if(sessionFound.equals(oldName)){
+            this.sessionFound = newName;
+        }
+    }
+
+    @Override
+    public String getShortDescription() {
+        return String.format("The parameter %s was entered in session %s and found in session %s", this.parameterName, this.sessionEntered, this.sessionFound);
+    }
+
+    @Override
+    public String getLongDescription() {
+        String htmlTemplate = """
+        <h1>Description</h1>
+
+        FlowMate identified a <b>data flow that crosses session-boundaries</b>. When the parameter is injectable for Cross-Site Scripting, this may allow vertical or horizontal privilege escalation within the application.
+        
+        This is particularily interesting if the parameter value can be modified by a low-privileged user and is subsequently displayed to a higher-privileged user.
+        
+        As an example, consider the username of an application that can be set by a regular user and is displayed to an administrator in context of user management.
+        
+        Note that this might be a false positive, if there are multiple sessions for the same user created within FlowMate.
+        
+        <h1>Details</h1>
+        
+        The following cross-session data flow has been identified:
+        
+        <ul>
+            <li>Parameter (Value): PARAMETER_NAME</li>
+            <li>Input Location (Session): SESSION_ENTERED</li>
+            <li>Output Location (Session): SESSION_FOUND</li>
+        </ul>
+        
+        <h1>How to Test</h1>
+        
+        <ol>
+            <li>Create a XSS payload based on the output context of the parameter. You can use the match preview or search for the value in the response</li>
+            <li>Inject the payload in the input location of the parameter</li>
+            <li>Check the output location whether the payload triggers or not. Refine your payload</li>
+            <li>If the vulnerability is exploitable, you have likely identified a path for privilege escalation</li>
+        </ol>            
+        """;
+
+        return htmlTemplate.replace("PARAMETER_NAME", this.parameterName).replace("SESSION_ENTERED", this.sessionEntered).replace("SESSION_FOUND", this.sessionFound);
+    }
+}