WebSocket and bug fixes

.github/workflows/gradle.yml

@@ -0,0 +1,84 @@
+# This workflow will build a Java project with Gradle
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+name: Java CI with Gradle
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK 19
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'oracle'
+          java-version: '19'
+          cache: 'gradle'
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: Build with Gradle
+        run: ./gradlew build
+      - name: Creating the jar file
+        run: ./gradlew jar
+      - name: Upload artifact
+        uses: actions/upload-artifact@v3
+        with:
+          path: ./releases/*.jar
+          name: Downloadable Extension File
+      - name: Get previous tag for the branch
+        id: get_previous_tag
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            PREFIX="MainBranch_"
+          else
+            PREFIX="NotMainBranch_"
+          fi
+          echo "PREFIX=$PREFIX" >> $GITHUB_ENV
+          PREVIOUS_TAG=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                             https://api.github.com/repos/${{ github.repository }}/git/refs/tags \
+                             | jq -r ".[] | select(.ref | startswith(\"refs/tags/${PREFIX}\")) | .ref" \
+                             | sort -V | tail -n 1 | sed "s|refs/tags/||")
+
+          # Check if we found a tag
+          if [[ -z "$PREVIOUS_TAG" ]]; then
+              echo "No previous tag found for prefix ${PREFIX}."
+              echo "PREVIOUS_TAG=" >> $GITHUB_ENV
+          else
+              echo "PREVIOUS_TAG=$PREVIOUS_TAG" >> $GITHUB_ENV
+          fi
+      - name: Delete the previous tag
+        if: env.PREVIOUS_TAG != ''
+        run: |
+          gh release delete ${{ env.PREVIOUS_TAG }} -y
+          git push origin --delete ${{ env.PREVIOUS_TAG }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract new version
+        id: get_version
+        run: |
+          VERSION=$(grep "^version" build.gradle | awk -F\' '{print $2}' | tr -d \')
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Set release tag based on branch
+        id: vars
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            echo "RELEASE_TAG=${PREFIX}${VERSION}" >> $GITHUB_ENV
+          else
+            echo "RELEASE_TAG=${PREFIX}${VERSION}" >> $GITHUB_ENV
+          fi
+      - name: Create Release using GitHub CLI
+        run: |
+          gh release create ${{ env.RELEASE_TAG }} ./releases/*.jar \
+            --title "Release ${{ env.RELEASE_TAG }}" \
+            --notes "This jar file has been built by GitHub automatically." \
+            --repo ${{ github.repository }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -19,3 +19,8 @@ gradle-app.setting
 
 # Intellij
 .idea
+
+/out/
+gradle-app.setting
+.git
+/releases/*

README.md

@@ -4,16 +4,18 @@ A BurpSuite extension to aid pentesting web applications that use Blazor Server/
 ## Build
 
 ### Prerequisites
-- Install [Java 18](https://www.oracle.com/java/technologies/javase/jdk18-archive-downloads.html) on your building machine.
+- Install [Java 19](https://www.oracle.com/java/technologies/javase/jdk19-archive-downloads.html) on your building machine.
 - Install [Gradle](https://gradle.org/install/) on your building machine.
-- Ensure the `JAVA_HOME` environment variable is set to the JDK 18 path if you have multiple versions of Java installed.
+- Ensure the `JAVA_HOME` environment variable is set to the JDK 19 path if you have multiple versions of Java installed.
     - _NOTE: This project requires Java 17+._
 
 ### Build Steps
 1. Clone the repository with `git clone https://github.com/AonCyberLabs/BlazorTrafficProcessor`
 2. `cd BlazorTrafficProcessor`
 3. `gradle build`
-4. The built JAR file will be located at `BlazorTrafficProcessor/build/libs/BlazorTrafficProcessor-1.0.jar`
+4. The built JAR file will be located at `./build/libs/` or `./releases/`
+
+Note: The latest build should be automatically compiled by GitHub workflows (Actions)
 
 ## Usage
 
@@ -167,4 +169,14 @@ Deserialized:
   }
 ]
 ```
+
+#### Contributors
+
+SignalR header support added by [@R4ML1N](https://github.com/R4ML1N)
+
+WebSocket support has been added by Soroush Dalili [@irsdl](https://github.com/irsdl)
+
+
+#### Copyright
+
 Copyright 2023 Aon plc

build.gradle

@@ -4,33 +4,44 @@ plugins {
 }
 
 group 'com.gdssecurity'
-version '1.0'
-sourceCompatibility = 17
+version '1.1'
+sourceCompatibility = 19
 
 repositories {
     mavenCentral()
 }
 
 dependencies {
-    implementation 'org.msgpack:msgpack-core:0.9.3'
-    implementation 'net.portswigger.burp.extensions:montoya-api:2023.4'
-    implementation 'org.json:json:20220924'
-    implementation 'org.apache.parquet:parquet-common:1.12.3'
+    implementation 'org.msgpack:msgpack-core:0.9.6'
+    implementation 'net.portswigger.burp.extensions:montoya-api:2023.10.4'
+    implementation 'org.json:json:20230227'
+    implementation 'org.apache.parquet:parquet-common:1.13.1'
     implementation 'javax.xml.bind:jaxb-api:2.3.1'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.1'
-    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.1'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
+    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.10.0'
 }
 
 test {
-    useJUnitPlatform()
+    //useJUnitPlatform()
 }
 
-jar {
+jar{
     duplicatesStrategy = DuplicatesStrategy.EXCLUDE
-    manifest {
-        attributes "Main-Class": "com.gdssecurity.BlazorTrafficProcessor"
-    }
+    archivesBaseName = project.name
     from {
-        configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
+        (configurations.runtimeClasspath).collect { it.isDirectory() ? it : zipTree(it) }
+    }{
+        exclude "META-INF/*.SF"
+        exclude "META-INF/*.DSA"
+        exclude "META-INF/*.RSA"
+        exclude "META-INF/*.txt"
     }
 }
+
+tasks.withType(JavaCompile) {
+    options.compilerArgs << "-Xlint:unchecked"
+}
+
+tasks.withType(Jar) {
+    destinationDirectory = file("$rootDir/releases/")
+}

gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,6 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-bin.zip
+networkTimeout=10000
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

gradlew

@@ -55,7 +55,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -80,10 +80,10 @@ do
     esac
 done
 
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-APP_NAME="Gradle"
+# This is normally unused
+# shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
 
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
@@ -143,12 +143,16 @@ fi
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -205,6 +209,12 @@ set -- \
         org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
 # Use "xargs" to parse quoted args.
 #
 # With -n1 it outputs one arg per line, with the quotes and backslashes removed.

gradlew.bat

@@ -14,7 +14,7 @@
 @rem limitations under the License.
 @rem
 
-@if "%DEBUG%" == "" @echo off
+@if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
 @rem
 @rem  Gradle startup script for Windows
@@ -25,7 +25,8 @@
 if "%OS%"=="Windows_NT" setlocal
 
 set DIRNAME=%~dp0
-if "%DIRNAME%" == "" set DIRNAME=.
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto execute
+if %ERRORLEVEL% equ 0 goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 :end
 @rem End local scope for the variables with windows NT shell
-if "%ERRORLEVEL%"=="0" goto mainEnd
+if %ERRORLEVEL% equ 0 goto mainEnd
 
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
-if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
-exit /b 1
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
 
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal

src/main/java/com/gdssecurity/BlazorTrafficProcessor.java

@@ -25,6 +25,7 @@
 import com.gdssecurity.providers.BTPContextMenuItemsProvider;
 import com.gdssecurity.providers.BTPHttpRequestEditorProvider;
 import com.gdssecurity.providers.BTPHttpResponseEditorProvider;
+import com.gdssecurity.providers.BTPWebSocketEditorProvider;
 import com.gdssecurity.views.BTPView;
 
 /**
@@ -48,8 +49,11 @@ public void initialize(MontoyaApi api) {
         // Request/Response Editor Providers
         BTPHttpRequestEditorProvider requestEditorProvider = new BTPHttpRequestEditorProvider(this._montoya);
         BTPHttpResponseEditorProvider responseEditorProvider = new BTPHttpResponseEditorProvider(this._montoya);
+        BTPWebSocketEditorProvider webSocketEditorProvider = new BTPWebSocketEditorProvider(this._montoya);
+
         this._montoya.userInterface().registerHttpRequestEditorProvider(requestEditorProvider);
         this._montoya.userInterface().registerHttpResponseEditorProvider(responseEditorProvider);
+        this._montoya.userInterface().registerWebSocketMessageEditorProvider(webSocketEditorProvider);
 
         // Request/Response Handlers (for Highlighting + Downgrade WS to HTTP)
         BTPHttpResponseHandler downgradeHandler = new BTPHttpResponseHandler(this._montoya);

src/main/java/com/gdssecurity/MessageModel/DisplayErrorMessage.java

@@ -0,0 +1,31 @@
+package com.gdssecurity.MessageModel;
+
+import burp.api.montoya.MontoyaApi;
+import com.gdssecurity.helpers.BTPConstants;
+import org.json.JSONObject;
+
+import java.io.IOException;
+
+public class DisplayErrorMessage extends GenericMessage {
+    public DisplayErrorMessage(String msg, MontoyaApi api) {
+        super(new JSONObject().put(BTPConstants.EXTENSION_NAME + " Error", msg), api);
+    }
+    public DisplayErrorMessage(JSONObject msg, MontoyaApi api) {
+        super(msg, api);
+    }
+
+    @Override
+    boolean validateJson(JSONObject msg) {
+        return true;
+    }
+
+    @Override
+    void initBlazorFromJson() throws IOException {
+
+    }
+
+    @Override
+    void initJsonFromMessage() throws IOException {
+
+    }
+}

src/main/java/com/gdssecurity/MessageModel/GenericMessage.java

@@ -106,7 +106,10 @@ public String toJsonString() {
      * @return - a byte array containing the raw BlazorPack bytes
      */
     public byte[] toBlazorBytes() {
-        return this.blazorMessage.toByteArray();
+        if(this.blazorMessage != null)
+            return this.blazorMessage.toByteArray();
+        else
+            return new byte[]{};
     }
 
 }