-
Requirements
- BurpSuite >= 1.7
- JVM Runtime >= 1.8
-
Installation from GitHub
- Download the latest release from github https://github.com/BitTheByte/BitTraversal/releases
- Using burpsuite navigate to
Extender > Add
- Select the downloaded
.jar
file
A Mutator will run against every request seen from burpsuite e.g(proxy, repeater, scanner) generating a number of potential urls each appended with a payload to be passed to Executor and Detector classes to detect if one of the detection techniques was successful
This plugin uses two main techniques to identify directory traversal vulnerabilities
- Detection Methods
- Static Detection
- Dynamic Detection
i) Using predefined payloads specified at payloads.list which will be fetched at runtime from GitHub and matched against regex.list
ii) Still in development. the aim to detect same response requests like /static/css/main.css/
and /static/../static/css/main.css
with minimal false postives and also apply similar techniques like the ones found in CVE-2020-5902
, CVE-2020-15506