Tagoletta/AccessContextFuzzer

GitHub: Tagoletta/AccessContextFuzzer

一款 Burp Suite 扩展,用于自动化检测 Web 应用的访问控制绕过、路径穿越和 Web 缓存欺骗漏洞。

Stars: 5 | Forks: 1

Access Context Fuzzer Banner

Access Context Fuzzer

A comprehensive Burp Suite extension for testing access control, path traversal, and Web Cache Deception vulnerabilities — all in one tool.

Developed with 🛡️ by Tagoletta

InstallationFeaturesUsageWeb Cache DeceptionBuildContributing

Burp Extension Java 17+ Montoya API License Download Latest

## 📥 Installation ### Option 1: Download Pre-built JAR (Recommended) 1. Go to **[Releases](https://github.com/Tagoletta/AccessContextFuzzer/releases/latest)** 2. Download the latest `access-context-fuzzer-*-jar-with-dependencies.jar` 3. Open **Burp Suite** → **Extensions** → **Add** 4. Select the downloaded JAR file 5. The **"Access Context"** tab will appear in Burp Suite

Installation

### Option 2: Build from Source See [Building from Source](#-building-from-source) below. ## 🎯 What is Access Context Fuzzer? **Access Context Fuzzer** is a Burp Suite extension designed for security researchers and penetration testers who need to systematically test for **access control bypass** and **Web Cache Deception (WCD)** vulnerabilities. Instead of manually crafting dozens of header and path variations, this extension **automatically generates and tests hundreds of bypass variants** in seconds — then highlights exactly which ones behave differently from the baseline.

Extension Overview

## 🌟 What's New in v2.4.0 **Web Cache Deception — detection that actually confirms** - 🐛 **Critical: Turkish-locale `toUpperCase()`/`toLowerCase()` broke all cache detection.** On a Turkish-locale JVM, `"hit".toUpperCase()` yields `"HİT"` (dotted capital İ, U+0130) — so `xCache.toUpperCase().contains("HIT")` was always `false`, and the same trap silently broke `private` → `prıvate` and `no-store` matching. Every `X-Cache` / `Cache-Control` / `Vary` comparison in `ScanEngine` and `HttpUtils` now uses `Locale.ROOT`. This is why cacheable responses were reported as `MISS` even though every resend was really a `HIT`. - 🎯 **`/` delimiter for path-mapping WCD:** The Delimiter + Extension phase now also tests `/path/abc.js` (the exact vector behind PortSwigger's *"Exploiting path mapping"* lab), not just query/encoded delimiters. - 🔁 **Automatic MISS→HIT confirmation:** When a variant returns a cacheable `200` `X-Cache: MISS` with `max-age`/`s-maxage`, the scanner resends the *same* request a few times inside the cache window. If `X-Cache` flips to `HIT`, the row is flagged **`🎯 WCD CONFIRMED (MISS→HIT)`** and shown as `HIT ✅` — the cache-warming step is now automatic instead of a manual Repeater round-trip. **Verify WCD — warm + no-auth replay** - 🔓 **Rewritten `Verify WCD` (right-click):** The old one-shot no-auth replay produced false negatives (a cold cache returns `302 / MISS` even on a cacheable URL). It now (1) **warms** the cache with your current auth until the entry is `HIT`, then (2) **replays without cookies/auth** and compares bodies. A confirmed leak requires a no-auth `HIT` whose body matches the authenticated response (or contains sensitive data) — cleanly separating `✅ CONFIRMED WCD` from `⚠️ HIT but content differs` and `❌ not cached without auth`. Works on whichever message (request **or** response) is open. **New: 🎯 WCD Findings tab** - 🗂️ A dedicated tab collects every WCD result — both the scanner's automatic MISS→HIT confirmations and manual verifications — with URL, auth/no-auth status, `X-Cache`, verdict, and timestamp. **Double-click a row to open the request/response that proves it.** No more transient popups with no history. **UI & reporting** - 🏷️ **Status moved to a proper label:** The cramped, text-truncated progress bar now shows just the bar; the run summary lives in a clean label — `✅ Done — N sent | M findings | B 🎯 bypass | W 🎯 WCD cacheable | Re-run available`. - 🎯 **Cache HITs count as findings:** Confirmed MISS→HIT results are now included in the bypass tally and surfaced via a dedicated *WCD cacheable* counter (previously always reported `0 bypasses`). - 🔎 **Tightened "interesting":** Only real findings (bypass, WCD confirmed, cache-hit, sensitive data, custom-rule hits) count as *interesting* and pass the *Show Only Interesting* filter — baseline noise (`STATUS_CHANGE` / `WORD_DELTA` / `LEN_DELTA` / `X-Cache:miss`) no longer inflates the count. - 🌐 **English dialogs:** The WCD verification and scan-summary dialogs are now fully English. **Settings** - ⚙️ **OPSEC & Network moved to Settings:** The *Check External IP* / *Delay* panel was removed from the Header, Path, and Selection tabs and consolidated into a single section at the top of **Settings & History**, separated from per-engine payload options. - 💾 **Single, persisted delay:** The three per-engine delays are unified into one `Delay (ms)` that all engines share and that is saved across restarts (key `acf.delay`; a legacy `acf.path.delay` is migrated automatically). ## 🌟 What's New in v2.3.2 **Bug Fixes** - 🐛 **Swing EDT violations in scan startup:** `startFuzzing()` ran on a background thread but read `JTextArea`, `JSpinner`, and `JCheckBox` values directly — a race condition with the EDT. All UI values are now snapshotted via `ScanConfig` on the EDT before the task is submitted. - 🐛 **Swing EDT violations in context-menu handlers:** Payload builders (`HeaderPayloadBuilder`, `PathPayloadBuilder`, `SelectionPayloadBuilder`) were being constructed inside the executor lambda, reading multiple `JCheckBox` components off the EDT. Builders are now called on the EDT before task submission. - 🐛 **`flashTab` Timer created off EDT:** The `javax.swing.Timer` inside `flashTab()` was being constructed and started from the background fuzzing thread. Wrapped in `SwingUtilities.invokeLater()`. Additionally, the `JTabbedPane.indexOfComponent()` and `getTitleAt()` reads that fed `flashTab()` were themselves still on the background thread — moved inside the `invokeLater` lambda so all Swing reads happen on the EDT. - 🐛 **DiffDialog false diff on CRLF responses:** `split("\n")` left trailing `\r` on each element when responses used Windows line endings, causing identical lines to appear as "changed". Changed to `split("\r?\n")`. - 🐛 **Invalid custom rule regex silently discarded:** A bad pattern in the Custom Detection Rules panel was swallowed by `catch (Exception ignored)` with no feedback. Now logged to Burp's output panel. - 🐛 **`btnPreview` useless executor roundtrip:** The Preview Payloads button submitted to the background thread pool only to immediately dispatch back to the EDT via `invokeLater`. Removed the intermediate hop. - 🐛 **Duplicate `buildOpsecPanel` / `createTextAreaPanel` in every tab:** `HeaderEngineTab`, `PathEngineTab`, and `SelectionEngineTab` each declared private copies of methods already defined as `public static` in `ResultsPanel`. All three now delegate to the canonical implementations. - 🐛 **`historyModel.getRowCount()` off EDT in scan history:** `appendScanHistory()` read `DefaultTableModel.getRowCount()` from the background fuzzing thread to compute the next row number, then wrapped only `addRow()` in `invokeLater`. Both the read and the write are now inside the `invokeLater` lambda. - 🐛 **Parallel-mode timeout leaves HTTP request running:** On a `TimeoutException`, the timed-out `Future` was left running — the underlying HTTP connection stayed open until the remote server closed it. `future.cancel(true)` is now called before creating the fallback `FuzzResult`. - 🐛 **`Desktop.getDesktop().browse()` blocking on EDT:** The About tab's hyperlink listener called `Desktop.browse()` directly on the Event Dispatch Thread. This is a blocking OS call that can freeze the entire Burp UI. Moved to a dedicated daemon thread. - 🐛 **Custom path/payload/header `split("\\n")` broken on Windows:** Newlines typed in the Custom Paths (Path engine), Custom Payloads (Selection engine), Custom IPs, and Custom Headers (Header engine) text areas use `\r\n` on Windows. Splitting on `\n` left a trailing `\r` on each entry, producing payloads or header values with literal carriage-return characters. Changed to `split("\\r?\\n")` in all four locations. - 🐛 **Hardcoded `User-Agent: AccessContext/3.0` in OPSEC check:** The IP-verification request to api.ipify.org sent a stale hardcoded version string. Now reads `ExtensionContext.VERSION` so the UA always matches the installed release. **Performance** - ⚡ **Single `bodyToString()` call per response:** `wordCount`, `lineCount`, `getTitle`, `detectSensitiveData`, and `bodyHash` each called `rr.response().bodyToString()` independently — up to 5 redundant body conversions per variant. A `bodyStr()` helper now fetches the body once per response; all analysis methods accept the pre-fetched string via overloaded signatures. - ⚡ **ThreadLocal `MessageDigest` for MD5 hashing:** `MessageDigest.getInstance("MD5")` triggered a security-provider lookup on every call. Replaced with a `ThreadLocal` that is reused (`md.reset()`) across calls on the same thread — zero lookups after warm-up. - ⚡ **`ThemeColors.isDark()` result cached:** Every table cell repaint called `UIManager.getColor("Panel.background")` through `isDark()`. The result is now cached in a `volatile boolean` and refreshed only when the Look & Feel changes via a `UIManager` property listener. ## 🌟 What's New in v2.3.1 **Bug Fixes** - 🐛 **Session drift dialog (EDT fix):** The mid-scan confirmation dialog was being called via `JOptionPane.showConfirmDialog()` directly from the background fuzzing thread. Replaced with `SwingUtilities.invokeAndWait()` — potential deadlock on certain JVM/OS combinations. - 🐛 **Null body crash in `bodyHash()`:** `.body()` returns null on 204/HEAD responses. Was silently swallowed by the catch block but still caused unnecessary exception overhead. Added an explicit null check. - 🐛 **CSV newline escaping:** Multi-flag Notes entries contain embedded `\n` characters. These weren't being escaped before writing, breaking row boundaries in Excel and most CSV parsers. **Performance** - ⚡ **Regex pre-compilation:** Custom detection rules (Settings tab) were calling `Pattern.compile()` on every response — O(variants × rules) compilations per scan. Rules are now compiled once at scan start into a cached `List`. - ⚡ **Allocation-free word/line counting:** `wordCount()` was doing `body.split("\\s+").length` — allocates a full `String[]` just to discard it. Replaced with `StringTokenizer.countTokens()`. `lineCount()` similarly replaced with a single-pass `char` loop. - ⚡ **`getTitle()` static pattern:** `Pattern.compile()` was called on every invocation. Moved to a `private static final` field. ## 🌟 What's New in v2.3.0 - 📊 **Cache Status Column:** Results table now has a dedicated **Cache** column showing `HIT ✅`, `MISS`, `PRIVATE 🚫`, `NO-STORE 🚫`, `HIT/Vary:Cookie`, or the raw `X-Cache` value. WCD triage without reading the Notes column. - 🌐 **CDN Profile Selector:** Pick your target's CDN (Cloudflare, Akamai, Fastly, CloudFront, Nginx, Varnish) in the Path engine. Delimiter payloads are filtered to that CDN's known delimiter set — less noise, more signal. - 🏋️ **Fat GET:** New checkbox in Path engine. Sends the request as a GET with a body. CDNs key the cache on path and ignore the body; some origins behave differently. Surfaces WCD vectors that path-only testing misses. - 🗂️ **Extended Static Extensions:** Delimiter + Extension phase now covers 19 file types (was 6): `.js .css .png .jpg .gif .ico .woff .woff2 .svg .ttf .eot .mp4 .webp .avif .pdf .xml .json .txt .html`. - 🔬 **Normalization Discrepancy Extras:** Four additional Norm Discrepancy payloads: `%252F` (double-encoded slash), BOM + extension, `%00.css` (null byte), `%c0%af` (overlong UTF-8). - 🔑 **Sensitive Data Detection:** Every response body is automatically scanned for JWT tokens, CSRF tokens, email fields, Bearer tokens, and API keys. Matches are flagged as `SENSITIVE_DATA:JWT` (etc.) in Notes and highlighted pink. Confirms WCD exploitation when an unauthenticated cache replay returns sensitive content. - 📋 **WCD Scan Summary:** After a Path engine scan, a popup summarises cache findings — HIT count, private/no-store count, Vary:Cookie count, and which specific variants look exploitable. - 🔓 **Verify WCD (No-Auth):** New right-click context menu item. Replays the URL without cookies or auth headers in a fresh connection. If the cached response still returns authenticated content, it's a confirmed WCD finding — shown in a before/after comparison dialog. - 🏗️ **Internal Refactor (1 file → 17 files):** The monolithic `AccessContextFuzzer.java` (was ~2000 lines) is now a proper multi-package structure: `burp.core`, `burp.util`, `burp.payload`, `burp.ui`. No behaviour changes — the entry point is now 123 lines. Makes contributing significantly more approachable. ## 🌟 What's New in v2.2.0 - 💾 **Settings Persistence (A):** All checkboxes, spinners, delays, and custom rules now auto-save using Burp's native Preferences API and are restored on next load. - ⚡ **Parallel Fuzzing Mode (B):** Toggle `Parallel Mode` in the new **⚙ Settings & History** tab to send multiple requests simultaneously. Configurable thread count (2–20). Ordered collection preserves row numbering. Disables delay and session drift check. - 📊 **Scan Summary (D):** Progress bar updates to a rich summary at end of scan — `Done! ✅ 147 sent | 12 interesting | 3 🎯 bypasses | Re-run available`. - 🔍 **Response Diff Viewer (E):** Right-click any row → **Compare with Baseline** for a side-by-side HTML diff showing which lines changed between the baseline and the variant response. - 📝 **Custom Detection Rules (G):** Define regex patterns in the Settings tab using `regex=LABEL` format. Matches in any response body are highlighted as `CUSTOM:LABEL` in the Notes column. - 🔀 **Expanded Bypass Detection (H):** Now detects redirect-based bypasses (`🔀 REDIRECT BYPASS?` for 403→30x) and same-status body changes on 2xx (`⚠️ BODY_BYPASS?`). - 🛡️ **Configurable WAF Threshold (I):** The WAF block threshold (consecutive connection resets before auto-stop) is now a spinner in Settings — default 5, range 1–50. - 📋 **Scan History Tab (J):** A new **⚙ Settings & History** tab logs every completed scan with engine type, target URL, timestamp, payload count, interesting count, bypass count, and baseline status. - 👁️ **Payload Preview (K):** Click **👁 Preview Payloads** on any engine tab to see a full categorized list of all variants that would be sent — without actually running the scan. ## 🌟 What's New in v2.1.0 - 🔧 **Thread Safety:** Fixed thread leak on extension unload via `taskExecutor.shutdownNow()`. - 🖥️ **Swing EDT Fix:** `flashTab()` converted from raw `Thread.sleep()` to a proper `javax.swing.Timer`. - ♻️ **DRY Refactor:** Eliminated 3× duplicate OPSEC panel code with `buildOpsecPanel()` helper. - 📣 **Error Visibility:** All silently swallowed exceptions now log to `api.logging().logToError()`. - 📂 **CSV Export Fix:** Export failure now shows an error dialog instead of failing silently. ## 🌟 What's New in v2.0 (The "Smart Fuzz" Update) Access Context Fuzzer has been significantly upgraded to tackle modern web applications, aggressive WAFs, and complex API gateways: - 🧠 **MD5 Body Hash Engine & "Interesting" Filter:** Detects hidden state changes (`BODY_DIFF`) even when the status code remains the same. Click **"🔍 Show Only Interesting"** to instantly filter out noise. - 🛡️ **Adaptive Rate Limiting Anti-WAF:** Automatically doubles the delay upon `429 Too Many Requests` or `503`, and halts the scan if the WAF starts dropping connections (`status -1`). - ⏱️ **Real-Time Fuzz Estimation:** The progress bar now dynamically estimates `(~1:45 remaining)` based on rolling RTT averages. - 🔄 **Session Drift Detection:** Re-verifies your baseline every 50 requests. If your session expires (`SESSION_DRIFT`), it pauses the scan and warns you. - 🗂️ **Bulk "Send to Repeater":** Multi-select support! Send all "Interesting" variants to the Repeater with a single click. - 🎯 **Scan Profiles:** 1-click preset buttons (`⚡ Quick Scan`, `🔥 Full Scan`, `🎯 WCD Only`) instantly configure the payloads. - 🧬 **Deep Protocol Injection:** Added WebDAV verbs, case-tampering (`gEt`), HTTP/2 pseudo-header injection (`:authority`), and obscure unicode traversals. ### Why This Tool? | Problem | Without This Tool | With Access Context Fuzzer | |---------|-------------------|---------------------------| | Header bypass testing | Manually add `X-Forwarded-For`, `X-Real-IP`, etc. one by one | **40+ header variants** tested simultaneously | | Path normalization bugs | Guess which encoding tricks work | **Systematic fuzzing** of URL encoding, double encoding, IIS Unicode, dot-segments | | Web Cache Deception | Complex multi-step manual testing | **Automated 4-phase WCD pipeline** with cache header detection | | Result analysis | Compare responses manually | **Smart color-coded diff** — status changes, word deltas, length anomalies highlighted automatically | ## ✨ Features ### 🔹 Three Fuzzing Engines Access Context Fuzzer provides three independent fuzzing engines, each accessible via its own tab:

Three Fuzzing Tabs

### 1️⃣ Header Bypass Tests access control enforcement by injecting **IP spoofing and host manipulation headers**.

Header Bypass Tab

**What it tests:** | Category | Headers | Example | |----------|---------|---------| | **IP Spoofing** | `X-Forwarded-For`, `X-Real-IP`, `X-Client-IP`, `True-Client-IP`, `CF-Connecting-IP`, and 30+ more | `X-Forwarded-For: 127.0.0.1` | | **Host Override** | `X-Forwarded-Host`, `X-Host`, `X-Original-Host` | `X-Host: allowed-origin.com` | | **Custom IPs** | User-defined list | Any IP you specify | | **Custom Headers** | User-defined `Header: Value` pairs | Load from wordlist file | **Use case:** Testing if the application relies on easily spoofable headers for access control decisions (e.g., admin panels restricted by IP). ### 2️⃣ Path / GET Bypass Tests path-level access control by manipulating the **URL path** using various encoding and normalization techniques.

Path Bypass Tab

**What it tests:** | Technique | Checkbox | Example | Purpose | |-----------|----------|---------|--------| | **URL Encoding** | `Path Normalization` | `/%61%64%6d%69%6e` | Bypass path-matching rules | | **Double URL Encoding** | `Path Normalization` | `/%2561%2564%256d%2569%256e` | Exploit double-decode vulnerabilities | | **IIS Unicode Encoding** | `Path Normalization` | IIS short/wide Unicode variants | Target IIS-specific normalization | | **Case Flipping** | `Advanced Encoders` | `/Admin`, `/ADMIN` | Case-sensitive path matching | | **Trailing Slash** | `Advanced Encoders` | `/admin/` | Path normalization differences | | **Dot-Segment Injection** | `Advanced Encoders` | `/path/..;/admin` | Tomcat/Spring path traversal | | **Double Slash Prefix** | `Advanced Encoders` | `//admin` | Proxy path confusion | | **JSON Suffix** | `Advanced Encoders` | `/admin.json` | Content negotiation bypass | | **Semicolon Suffix** | `Advanced Encoders` | `/admin;` | Parameter delimiter abuse | | **X-Rewrite-URL** | `Rewrite Tricks` | Header: `/admin` | Frontend/backend path discrepancy | | **X-Original-URL** | `Rewrite Tricks` | Header: `/admin` | URL override | | **X-Accel-Redirect** | `Rewrite Tricks` | Header: `/admin` | **Nginx / OpenResty** internal redirect bypass | | **Custom Paths** | — | User-defined paths | Load from wordlist file | ### 3️⃣ Selection Fuzz Allows you to **select specific text** within a request and fuzz just that portion with various encodings.

Selection Fuzz Tab

**What it tests:** | Encoder | Description | |---------|-------------| | **URL Encode** | Standard percent-encoding of selected text | | **Double URL Encode** | Double-layer encoding | | **IIS Unicode Encode** | IIS-specific Unicode mapping | | **UTF-8 Fullwidth Slash** | Fullwidth character substitution | | **Custom Payloads** | User-defined replacements from file or manual input | **Use case:** When you've identified a specific parameter or path segment that might be vulnerable, select it and test encoding-specific bypasses. ### 🔹 Web Cache Deception (WCD) Testing A dedicated 4-phase pipeline for discovering and exploiting Web Cache Deception vulnerabilities. Each phase maps directly to a checkbox in the **"Built-in Payloads"** panel:

WCD Settings Panel

#### Phase 1: Delimiter Discovery Identifies which characters the **origin server** treats as path delimiters. /my-account?abc → 200 = '?' is a delimiter /my-account#abc → 200 = '#' is a delimiter /my-account%23abc → 200 = '%23' (encoded #) is a delimiter /my-account%3fabc → 200 = '%3f' (encoded ?) is a delimiter #### Phase 2: Delimiter + Extension Tests if the **cache** treats responses differently when combined with static file extensions. /my-account?abc.js → Check X-Cache header /my-account%23abc.css → Check X-Cache header #### Phase 3: Normalization Discrepancy Tests whether the origin server and cache **handle encoded dot-segments differently**. /aaa/..%2fmy-account → 404 = origin doesn't normalize /aaa/..%2fresources/test → X-Cache:hit = cache DOES normalize! /resources/..%2ftest → No cache = confirms /resources prefix rule #### Phase 4: Cache Deception Exploits Generates **combined exploit payloads** using discovered delimiters + cache normalization. /my-account%23%2f%2e%2e%2fresources → 200 + X-Cache:hit = EXPLOIT! 🎯

WCD Results with X-Cache

### 🔹 Smart Results Table Every fuzzing result is displayed in an intelligent, color-coded table:

Smart Results Table

| Column | Description | |--------|-------------| | **#** | Row index | | **Variant** | Name of the test (e.g., `DELIM: '?'`, `WCD: '%23' + traversal`) | | **Status** | HTTP status code | | **Cache** | Cache status: `HIT ✅`, `MISS`, `PRIVATE 🚫`, `NO-STORE 🚫`, `HIT/Vary:Cookie`, or raw `X-Cache` value | | **Words** | Word count of the response body | | **Lines** | Line count of the response body | | **Length** | Response body length in bytes | | **Title** | Extracted HTML `` tag | | **RTT(ms)** | Round-trip time in milliseconds | | **Notes** | Auto-detected anomalies and sensitive data matches | **Automatic anomaly detection in Notes:** | Tag | Meaning | |-----|---------| | `SENSITIVE_DATA:JWT` | Response body contains a JWT token (also: `CSRF`, `EMAIL`, `BEARER`, `SECRET`) | | `🎯 POTENTIAL BYPASS` | Baseline was a 40x error, but payload returned 2xx — strong bypass signal | | `🔀 REDIRECT BYPASS?` | 401/403 baseline changed to a 30x redirect — possible auth bypass via redirect | | `⚠️ BODY_BYPASS?` | Same 2xx status but body content changed — possible auth bypass with same code | | `🔍 PATH_CONFUSION` | 404 baseline returned a non-404 response — path traversal or confusion | | `CUSTOM:LABEL` | Response body matched a user-defined regex rule from the Settings tab | | `STATUS_CHANGE` | Response status differs from baseline | | `WORD_DELTA` | Word count differs from baseline | | `LEN_DELTA` | Body length differs by >50 bytes | | `BODY_DIFF` | MD5 hash of the response body differs from baseline despite same status | | `RATE_LIMITED(429)` | Target is rate limiting. Delay automatically increased. | | `⚠️ SESSION_DRIFT` | Original session is invalidated mid-scan | | `X-Cache:hit` | Response served from cache | | `X-Cache:miss` | Response not in cache (first request) | | `CC:public,max-age=30` | Cache-Control header value | | `Age:15` | Cache age in seconds | **Color coding:** - 🩷 **Pink rows** — Sensitive data in response body (`SENSITIVE_DATA:*`) - 🟡 **Gold rows** — Potential bypass detected (`🎯 POTENTIAL BYPASS`) - 🔵 **Sky-blue rows** — Redirect bypass hint (`🔀 REDIRECT BYPASS?`) - 🟠 **Orange rows** — Body-based bypass hint (`⚠️ BODY_BYPASS?`) - 🟣 **Lavender rows** — Custom rule match (`CUSTOM:LABEL`) - 🟢 **Green rows** — 2xx Success response - 💙 **Light Blue rows** — 3xx Redirects - 🟡 **Light Yellow rows** — 429 Rate Limited - 🔴 **Red rows** — 5xx Server errors - ⚪ **Grey rows** — -1 Connection Resets (WAF dropping packets) **Dynamic Sorting & Filtering:** Use the **"🔍 Show Only Interesting"** button to hide completely normal baseline-matching responses. Click any column header to instantly sort results by **Status Code**, **Word Count**, **Length**, or **RTT**. No need to scroll through hundreds of rows; **one click reveals your bypass**. ### 🔹 Request / Response Viewer **Double-click** any row to open a dedicated inspection window powered by **Burp Suite's native HTTP editors** (`HttpRequestEditor` / `HttpResponseEditor` from the Montoya API). This is not a plain text viewer — it is the same editor component used in Burp's own Repeater and Proxy tabs. <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/08/082d4c6724beae6a3f0de7a321eae09a7b5bc03bd4e07516e283252558675e15.png" alt="Request/Response Viewer" width="900"/> </p> The viewer opens as a **non-modal split pane** (request on the left, response on the right) with full tab support: | Tab | Description | |-----|-------------| | **Raw** | Full HTTP message exactly as sent/received, including headers and body | | **Pretty** | Syntax-highlighted, auto-formatted view (JSON, HTML, XML) | | **Hex** | Byte-level hexadecimal view for binary analysis | | **Render** | **Live HTML preview** of the response — instantly see if the page contains API keys, tokens, or sensitive data without reading raw HTML | ### 🔹 Re-run Fuzzing Changed your settings? No need to go back to HTTP history — click **▶ Re-run Fuzzing** to re-execute with updated configuration. <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/92/9232fcdf149befa9dc0ebb3e9a6d40211a30f1191fcf90be9a1a1eb1b38030f4.png" alt="Re-run Fuzzing Button" width="600"/> </p> - ✅ Modify checkboxes, add custom payloads, change delay - ✅ Click **▶ Re-run** — uses the same base request with new settings - ✅ Previous results are cleared automatically ### 🔹 Load Wordlists from File Every custom text area includes **📂 Load File** and **✕ Clear** buttons. <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/31/31adacfa6a6b4e3b81cd8817e0df09f10356907ac164ca2922a92faf513c7ce1.png" alt="Load File Feature" width="700"/> </p> - Supports `.txt`, `.lst`, `.csv`, `.list` files - **Appends** to existing content (combine manual + file payloads) - Shows line count feedback after loading - Works with all custom fields: IPs, Headers, Paths, Payloads ### 🔹 OPSEC & Network Safety Each tab includes an **IP verification check** to ensure your traffic is properly anonymized. <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/78/786496ee5c7459dc288a156ef9ada8189363fd23e1b8b1ac82832710625b60aa.png" alt="OPSEC Check" width="600"/> </p> - Click **Check External IP** to verify your public IP - **OPSEC Warning Dialog** — if you haven't verified your IP, the extension **blocks fuzzing** and shows a confirmation dialog to prevent accidental exposure of your real IP - Configurable **delay (ms)** between requests to avoid rate limiting and WAF detection ### 🔹 Export & Integration | Feature | How | |---------|-----| | **Send to Repeater** | Extensively supports Multi-select (`Ctrl`+Click, `Shift`+Click). Right-click to find **"Send All Selected"** or **"Send All Interesting"**. | | **Export CSV** | Click *Export CSV* to save all tabular results | | **Site Map** | All fuzzing requests are natively integrated and added to Burp's Site Map | ## 🏆 Proven: PortSwigger Lab Success Access Context Fuzzer has been tested and **proven effective** against official PortSwigger Web Security Academy labs: <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/5c/5c65183b16cae1a5f4ca5b6e32ed943c9937ed982dd57cc7c0a92a339b591874.png" alt="Lab Success Showcase" width="800"/> </p> | Status | Lab | Technique Used | Extension Feature | |--------|-----|---------------|-------------------| | ✅ Solved | **URL-based access control can be circumvented** | Root-level URL rewrite via `X-Original-URL` header | `Header Bypass` tab — `URL Rewrite Override` checkbox | | ✅ Solved | **Host header authentication bypass** | Host manipulation via `X-Forwarded-Host` | `Header Bypass` tab — IP/Host spoofing | | ✅ Solved | **Authentication bypass via information disclosure** | Custom header `X-Custom-IP-Authorization: 127.0.0.1` | `Header Bypass` tab — Custom Headers | | ✅ Solved | **Exploiting cache server normalization for WCD** | Delimiter + encoded dot-segment + cache prefix | `Cache Deception Combos` checkbox | ## 📦 Installation ### From JAR (Recommended) 1. Download the latest `access-context-fuzzer-*-jar-with-dependencies.jar` from [Releases](../../releases) 2. In Burp Suite, go to **Extensions** → **Installed** → **Add** 3. Set **Extension type** to **Java** 4. Select the downloaded JAR file 5. Click **Next** — the **Access Context** tab appears <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/f3/f3a1b1597c3cfb8aebc8d848e3357d9dcee6bf61499b97fec0e8942cd3bea18e.png" alt="Installation Steps" width="700"/> </p> ### Requirements - Burp Suite Professional or Community Edition **2023.1+** - Java **17** or higher <a id="usage"></a> ## 🚀 Usage ### Quick Start 1. Browse to your target in Burp's built-in browser 2. Find a request in **Proxy → HTTP History** 3. Right-click the request and choose: | Menu Item | When to Use | |-----------|-------------| | **Access Context: Header Fuzz** | Testing header-based access control (IP restrictions, host checks) | | **Access Context: Path Fuzz** | Testing path-based access control (URL normalization, encoding bypass) | | **Access Context: Fuzz Selection** | Testing a specific selected portion of the request | <p align="center"> <img src="https://static.pigsec.cn/wp-content/uploads/repos/cas/a1/a1ceb696a454495c97956361c14cd5276f92b738b331204d311472477d055c7a.png" alt="Context Menu" width="500"/> </p> 4. The extension switches to the appropriate tab and begins fuzzing 5. Watch the progress bar and results table populate in real-time 6. Look for **green highlighted rows** with `STATUS_CHANGE` or `WORD_DELTA` in Notes ### Workflow: Web Cache Deception Lab A step-by-step guide for testing WCD vulnerabilities: Step 1: Enable "Delimiter Fuzzing" checkbox → Find delimiters that return 200 (e.g., ?, #, %23) Step 2: Enable "Delimiter + Extension" checkbox → Check Notes column for X-Cache headers Step 3: Enable "Norm Discrepancy" checkbox → Set Cache Prefix to "/resources" → Find normalization differences between origin and cache Step 4: Enable "Cache Deception Combos" checkbox → Look for rows with Status=200 AND X-Cache:hit → That row's path is your exploit payload! Step 5: Double-click the exploit row → Verify API key / sensitive data in the Render tab → Copy the path for your exploit server <a id="building-from-source"></a> ## 🏗 Building from Source ### Prerequisites - **JDK 17+** (OpenJDK or Oracle JDK) - **Maven 3.6+** ### Maven # Clone the repository git clone https://github.com/Tagoletta/AccessContextFuzzer.git cd AccessContextFuzzer # Compile mvn compile # Build JAR with dependencies mvn package # Output: target/access-context-fuzzer-2.4.0-jar-with-dependencies.jar ### Project Structure AccessContextFuzzer/ ├── src/ │ └── main/ │ └── java/ │ └── burp/ │ ├── AccessContextFuzzer.java # Entry point (123 lines) │ ├── core/ │ │ ├── ExtensionContext.java # Shared state / DI container │ │ ├── ScanEngine.java # Scan orchestration, WCD logic │ │ ├── FuzzerEngine.java # Per-engine UI state │ │ ├── FuzzResult.java # Data class: response + RTT │ │ └── Variant.java # Data class: name + request │ ├── payload/ │ │ ├── HeaderPayloadBuilder.java # Header bypass variants │ │ ├── PathPayloadBuilder.java # Path + WCD variants │ │ └── SelectionPayloadBuilder.java # Selection encoding variants │ ├── ui/ │ │ ├── HeaderEngineTab.java │ │ ├── PathEngineTab.java │ │ ├── SelectionEngineTab.java │ │ ├── ResultsPanel.java │ │ ├── SettingsTab.java │ │ └── DiffDialog.java │ └── util/ │ ├── HttpUtils.java # Static helpers: status, cache, diff │ └── EncoderUtils.java # URL/Unicode encoding helpers ├── img/ # README screenshots ├── .github/ │ └── workflows/ │ └── release.yml # Auto-build & release on tag push ├── pom.xml # Maven build config ├── .gitignore └── README.md ## 🧪 Test Coverage Matrix The following table summarizes all test variants generated by the extension: ### Header Bypass Variants | # | Variant | Header | Value | |---|---------|--------|-------| | 1-8 | IP Spoofing (127.0.0.1) | `X-Forwarded-For`, `X-Real-IP`, `X-Client-IP`, `True-Client-IP`, `CF-Connecting-IP`, `X-Cluster-Client-IP`, `Fastly-Client-IP`, `X-Azure-ClientIP` | `127.0.0.1` | | 9-16 | IP Spoofing (Custom IPs) | Same headers as above | User-defined IPs | | 17-19 | Host Override | `X-Forwarded-Host`, `X-Host`, `X-Original-Host` | User-defined hosts | | 20-30 | WebDAV & Method Swap | `METHOD` | `MKCOL`, `COPY`, `PROPPATCH`, `GET`, `gEt`, `post` | | 31-38 | Content-Type Override | `Content-Type`, `Accept` | `application/xml`, `text/html` | | 39-45 | HTTP/2 & Scheme Injection | `:authority`, `:path`, `X-Forwarded-Scheme`, `Front-End-Https` | `localhost`, `https`, `on` | | 46+ | Custom Headers | User-defined | User-defined | ### Path Bypass Variants | # | Variant | Checkbox | Example | Technique | |---|---------|----------|---------|----------| | 1 | URL Encode | `Path Normalization` | `/%61%64%6d%69%6e` | Single URL encoding | | 2 | Double URL Encode | `Path Normalization` | `/%2561%2564%256d%2569%256e` | Double encoding | | 3 | IIS Unicode | `Path Normalization` | IIS-mapped characters | IIS short filename | | 4 | Case Flip | `Advanced Encoders` | `/Admin`, `/ADMIN` | Case sensitivity | | 5 | Trailing Slash | `Advanced Encoders` | `/admin/` | Path normalization | | 6 | Dot-Segment | `Advanced Encoders` | `/..;/admin` | Tomcat/Spring bypass | | 7 | Overlong UTF-8 & Unicode | `Advanced Encoders` | `..%c0%af`, `%ef%bc%8f`, `..%5c` | Apache/IIS deep bypass | | 8 | Double Slash | `Advanced Encoders` | `//admin` | **Nginx/OpenResty** proxy path confusion — targets misconfigurations in `location` block matching | | 9 | JSON Suffix | `Advanced Encoders` | `/admin.json` | Content negotiation bypass | | 9 | Semicolon | `Advanced Encoders` | `/admin;` | Delimiter abuse | | 10 | X-Rewrite-URL | `Rewrite Tricks` | Header: `/admin` | URL rewrite (IIS/ASP.NET) | | 11 | X-Original-URL | `Rewrite Tricks` | Header: `/admin` | URL override (IIS/ASP.NET) | | 12 | X-Accel-Redirect | `Rewrite Tricks` | Header: `/admin` | **Nginx / OpenResty** internal redirect bypass — targets `X-Accel-Redirect` header handling in Nginx reverse proxy setups | | 13+ | Delimiter Fuzzing | `Delimiter Fuzzing` | `/admin?abc`, `/admin%23abc` | WCD Phase 1 | | 20+ | Delimiter + Extension | `Delimiter + Extension` | `/admin?abc.js` | WCD Phase 2 | | 30+ | Norm Discrepancy | `Normalization Discrepancy` | `/aaa/..%2fadmin` | WCD Phase 3 | | 40+ | Cache Deception Combo | `Cache Deception Combos` | `/admin%23%2f%2e%2e%2fresources` | WCD Phase 4 | ## 📸 Screenshot Guide Place the following screenshots in the `img/` directory: | Filename | What to Capture | |----------|-----------------| | `banner.png` | A branded banner image (1200×300 recommended) | | `overview.png` | Full extension window showing all three tabs | | `three_tabs.png` | Close-up of the tab bar (Header Bypass, Path/GET Bypass, Selection Fuzz) | | `header_bypass_tab.png` | Header Bypass tab with settings and results populated | | `path_bypass_tab.png` | Path/GET Bypass tab showing WCD checkboxes | | `selection_fuzz_tab.png` | Selection Fuzz tab with custom payloads | | `wcd_settings.png` | Close-up of the WCD settings panel (delimiter, extension, norm, combo checkboxes) | | `wcd_results.png` | Results table showing X-Cache headers in Notes column | | `results_table.png` | Color-coded results table with anomalies highlighted | | `request_response_viewer.png` | Double-click dialog showing Burp's native Request/Response editors | | `rerun_button.png` | Control panel showing the ▶ Re-run Fuzzing button | | `load_file.png` | Custom textarea with Load File button and "X lines loaded" feedback | | `opsec_check.png` | OPSEC panel showing verified IP address | | `installation.png` | Burp Extensions tab showing the loaded extension | | `context_menu.png` | Right-click context menu showing the three Access Context options | | `lab_success.png` | Screenshot showing solved PortSwigger labs (green "Solved" banners) | ## 🔒 Responsible Use This tool is designed for **authorized security testing only**. Always ensure you have proper authorization before testing any target. The OPSEC features (IP verification, configurable delays) are provided to help testers operate safely and responsibly. <a id="contributing"></a> ## 🤝 Contributing Contributions are welcome! Here's how to get started: 1. **Fork** the repository 2. Create a **feature branch** (`git checkout -b feature/awesome-feature`) 3. **Commit** your changes (`git commit -m 'Add awesome feature'`) 4. **Push** to the branch (`git push origin feature/awesome-feature`) 5. Open a **Pull Request** ### Ideas for Contribution - [ ] Additional encoding schemes (e.g., Base64, Punycode) - [ ] GraphQL-specific bypass techniques - [ ] Collaborative notes / tagging for results - [ ] Auto-detect interesting responses using ML heuristics - [ ] WCD two-phase verification (automated attacker re-request to confirm cached content) - [ ] Persistent scan history across Burp restarts (serialize to file) ## 📄 License This project is licensed under the **MIT License** — see the [LICENSE](LICENSE) file for details. ## 🙏 Acknowledgments - **PortSwigger** — for Burp Suite and the [Montoya API](https://portswigger.net/burp/documentation/desktop/extensions/creating) - **PortSwigger Web Security Academy** — for the [Web Cache Deception labs](https://portswigger.net/web-security/web-cache-deception) that inspired the WCD module - The security research community for documenting access control bypass techniques ### 📖 Further Reading - [Web Cache Deception & Poisoning](https://tagmachan.com/web-cache-deception-and-poisoning.tagox) — a deep dive into the attack classes this extension automates ## 👤 Author <p align="center"> <strong>Developed with 🛡️ by <a href="https://tagmachan.com">Tagoletta</a></strong> </p> <p align="center"> For detailed write-ups, development stories, and more security tools, visit <a href="https://tagmachan.com"><strong>tagmachan.com</strong></a> </p> <p align="center"> <a href="https://github.com/Tagoletta/AccessContextFuzzer/issues">Report Bug</a> • <a href="https://github.com/Tagoletta/AccessContextFuzzer/issues">Request Feature</a> • <a href="https://tagmachan.com">Blog & Write-ups</a> </p></div><div><strong>标签:</strong>Burp Suite插件, CISA项目, JS文件枚举, Ubuntu, Web安全, 域名枚举, 网络管理, 蓝队分析, 路径遍历</div></article></div> <!-- 人机验证 --> <script> (function () { var base = (document.querySelector('base') && document.querySelector('base').getAttribute('href')) || ''; var path = base.replace(/\/?$/, '') + '/cap-wasm/cap_wasm.min.js'; window.CAP_CUSTOM_WASM_URL = new URL(path, window.location.href).href; })(); </script> </body> </html>