A Breath of Fresh Burp

Transcript

1. A BREATH OF FRESH BURP: EXTENDING BURP THE PYTHON WAY

   Marcin Wielgoszewski

2. Introduction ¨  Marcin Wielgoszewski ¤  Adjunct lecturer NYU Poly –

   Web Hacking ¨  https://github.com/mwielgoszewski 2

3. How many people have used Burp during an engagement? Burp

   Suite 3

4. What is Burp? ¨  A desktop application and HTTP intercepting

   proxy ¨  Built-in functionality specific to pentesting ¤  Proxy ¤  Spider ¤  Scanner (professional version) ¤  Intruder ¤  Repeater ¤  Sequencer ¤  Decoders, etc 4

5. How many found Burp to do everything you needed to

   do? Quick Survey 5

6. Nothing is ever one-size fits all ¨  And neither are

   your tools! ¨  Often find ourselves writing one-off scripts ¤  The same scripts over and over again ¨  Burp Extender ¤  Allows developers to extend Burp Suite functionality 6

7. Who here has actually written a Burp plugin before??? Second

   Survey 7

8. Extending Burp ¨  Enables ability to add to Burp Suite’s

   functionality ¨  Implement the IBurpExtender interface, among others ¨  Problems: ¤  One implementation per JVM instance ¤  if/then/else and switches galore ¤  JAVA! 8

9. Cool kids hack in Ruby and Python ¨  Buby ¤ 

   A JRuby implementation of IBurpExtender interface ¤  Eric Monti / Timur Duehr ¤  Acts as a method proxy between Java and Ruby ¤  https://github.com/tduehr/buby ¨  Example Usage: ¤  http://carnal0wnage.attackresearch.com/2011/05/ buby-script-basics-part-1.html 9

10. Cool kids hack in Ruby and Python ¨  Jython-Burp-API ¤ 

    A Jython implementation of the IBurpExtender interface ¤  https://github.com/mwielgoszewski/jython-burp-api ¨  Example Usage: ¤  http://webstersprodigy.net/2012/07/06/some- practical-arp-poison-attacks-with-scapy-iptables-and- burp/ 10

11. The Python Way Extending Burp 11

12. Introduction to Jython-Burp-API 12 ¨  Finally, a Pythonic way to

    write Burp plugins ¤  Pythonic interface to HTTP request objects ¨  Process requests/responses in filterchain like fashion ¤  On a tool-by-tool basis ¨  Watchdog like monitoring for code reloading ¤  No more having to reload JVM each time ¨  Cuts out a lot of the boilerplate ¤  Less code we have to write

13. The API 13 ¨  Based on Trac’s plugin component architecture

    ¤  Component implements an interface ¤  Components are “activated” on first import ¤  Component methods are called automatically

14. The PluginDispatcher 14 ¨  A component that declares extension points

    for Components to “plug in” to ¨  An extension point specifies the contract that extenders must conform to via an Interface subclass ¨  To hook one of these extension points, implement the Interface and enable the plugin in burp.ini

15. The PluginDispatcher 15 ¨  Responsible for calling plugins when required

    ¨  For example, if a plugin implements: ¤  IProxyRequestHandler, IIntruderResponseHandler ¤  processRequest() called on requests sent via Proxy ¤  processResponse() called on responses received via Intruder ¨  Allows for customized hooking and request/ response manipulation on a tool-by-tool basis

16. Extending a Plugin’s Configuration 16 ¨  Plugins can define their

    own configuration options ¤  Option, BoolOption, IntOption, ListOption, etc class  MyPlugin(Component):      keywords  =  ListOption("myplugin",  "keywords")     burp.ini:     …snip…   [myplugin]   keywords  =  error,  syntax,  exception  

17. KeywordHighlighter XsrfTokenAnalyzer Example Plugins 17

18. Functionality just a right-click away Extending Burp w/Context Menus 18

19. Menu Item’s made easy 19 ¨  Menu items subclass the

    MenuItem interface ¤  Implement the menuItemClicked method ¤  Set a CAPTION class  MyMenuItem(MenuItem):      CAPTION  =  "My  Menu  Item"        def  menuItemClicked(self,  caption,  messages):          for  message  in  messages:              req  =  HttpRequest(message)              print  "From  Menu  -­‐>",  req.url.geturl()     burp.ini:      [menus]      examplepackage.MyMenuItem  =  enabled    

20. Interactive Demo 20

21. Miscellaneous 21

22. INewScanIssueHandler 22 ¨  Called when Burp Scanner comes across a

    new issue ¤  Automatically log issues to a central bug tracker? class  IssueLogger(Component):      implements(INewScanIssueHandler)        jira_host  =  Option("scanner",  "jira_host")        def  newScanIssue(self,  issue):          #  POST  https://{jira_host}/rest/api/2/issue/  

23. Conclusion 23

24. Jython-Burp-API 24 ¨  A Pythonic interface and API for Burp

    plugins ¤  Run plugins simultaneously ¤  Interactive console ¤  Filterchain like processing of requests/responses ¤  Simplified configuration and logging ¤  Automatic code-reloading ¤  Less boilerplate

25. How to get it 25 ¨  https://github.com/mwielgoszewski/jython-burp-api ¨  https://github.com/mwielgoszewski/jython-burp- extensions

    ¨  Ruby: ¤  https://github.com/tduehr/buby ¨  Others: ¤  https://github.com/zynga/hiccup ¤  https://github.com/droogie/burp_extended

26. Questions? 26 ¨  Marcin Wielgoszewski ¤  [email protected] ¤  @marcinw https://github.com/mwielgoszewski