A Breath of Fresh Burp

An introduction to the Jython Burp API.

Marcin Wielgoszewski

November 14, 2012

Transcript

  1. A BREATH OF FRESH BURP: EXTENDING BURP THE PYTHON WAY

    Marcin Wielgoszewski
  2. Introduction
    - Marcin Wielgoszewski
        - Adjunct lecturer NYU Poly – Web Hacking
    - https://github.com/mwielgoszewski
  3. Burp Suite
    How many people have used Burp during an engagement?
  4. What is Burp?
    - A desktop application and HTTP intercepting proxy
    - Built-in functionality specific to pentesting
        - Proxy
        - Spider
        - Scanner (professional version)
        - Intruder
        - Repeater
        - Sequencer
        - Decoders, etc
  5. Quick Survey
    How many found Burp to do everything you needed to do?
  6. Nothing is ever one-size fits all
    - And neither are your tools!
    - Often find ourselves writing one-off scripts
        - The same scripts over and over again
    - Burp Extender
        - Allows developers to extend Burp Suite functionality
  7. Second Survey
    Who here has actually written a Burp plugin before???
  8. Extending Burp
    - Enables ability to add to Burp Suite’s functionality
    - Implement the IBurpExtender interface, among others
    - Problems:
        - One implementation per JVM instance
        - if/then/else and switches galore
        - JAVA!
  9. Cool kids hack in Ruby and Python
    - Buby
        - A JRuby implementation of IBurpExtender interface
        - Eric Monti / Timur Duehr
        - Acts as a method proxy between Java and Ruby
        - https://github.com/tduehr/buby
    - Example Usage:
        - http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html
  10. Cool kids hack in Ruby and Python
    - Jython-Burp-API
        - A Jython implementation of the IBurpExtender interface
        - https://github.com/mwielgoszewski/jython-burp-api
    - Example Usage:
        - http://webstersprodigy.net/2012/07/06/some-practical-arp-poison-attacks-with-scapy-iptables-and-burp/
  11. Extending Burp
    The Python Way

  12. Introduction to Jython-Burp-API
    - Finally, a Pythonic way to write Burp plugins
        - Pythonic interface to HTTP request objects
    - Process requests/responses in filterchain like fashion
        - On a tool-by-tool basis
    - Watchdog like monitoring for code reloading
        - No more having to reload JVM each time
    - Cuts out a lot of the boilerplate
        - Less code we have to write
  13. The API
    - Based on Trac’s plugin component architecture
        - Component implements an interface
        - Components are “activated” on first import
        - Component methods are called automatically
  14. The PluginDispatcher
    - A component that declares extension points for Components to “plug in” to
    - An extension point specifies the contract that extenders must conform to via an Interface subclass
    - To hook one of these extension points, implement the Interface and enable the plugin in burp.ini
  15. The PluginDispatcher
    - Responsible for calling plugins when required
    - For example, if a plugin implements:
        - IProxyRequestHandler, IIntruderResponseHandler
        - processRequest() called on requests sent via Proxy
        - processResponse() called on responses received via Intruder
    - Allows for customized hooking and request/response manipulation on a tool-by-tool basis
  16. Extending a Plugin’s Configuration
    - Plugins can define their own configuration options
        - Option, BoolOption, IntOption, ListOption, etc

        class MyPlugin(Component):
            keywords = ListOption("myplugin", "keywords")

    burp.ini:

        …snip…
        [myplugin]
        keywords = error, syntax, exception
  17. Example Plugins
    - KeywordHighlighter
    - XsrfTokenAnalyzer

  18. Extending Burp w/Context Menus
    Functionality just a right-click away

  19. Menu Items made easy
    - Menu items subclass the MenuItem interface
        - Implement the menuItemClicked method
        - Set a CAPTION

        class MyMenuItem(MenuItem):
            CAPTION = "My Menu Item"

            def menuItemClicked(self, caption, messages):
                for message in messages:
                    req = HttpRequest(message)
                    print "From Menu ->", req.url.geturl()

    burp.ini:

        [menus]
        examplepackage.MyMenuItem = enabled
  20. Interactive Demo

  21. Miscellaneous

  22. INewScanIssueHandler
    - Called when Burp Scanner comes across a new issue
        - Automatically log issues to a central bug tracker?

        class IssueLogger(Component):
            implements(INewScanIssueHandler)

            jira_host = Option("scanner", "jira_host")

            def newScanIssue(self, issue):
                # POST https://{jira_host}/rest/api/2/issue/
                pass
  23. Conclusion

  24. Jython-Burp-API
    - A Pythonic interface and API for Burp plugins
        - Run plugins simultaneously
        - Interactive console
        - Filterchain like processing of requests/responses
        - Simplified configuration and logging
        - Automatic code-reloading
        - Less boilerplate
  25. How to get it
    - https://github.com/mwielgoszewski/jython-burp-api
    - https://github.com/mwielgoszewski/jython-burp-extensions
    - Ruby:
        - https://github.com/tduehr/buby
    - Others:
        - https://github.com/zynga/hiccup
        - https://github.com/droogie/burp_extended
  26. Questions?
    - Marcin Wielgoszewski
        - marcin.wielgoszewski@gmail.com
        - @marcinw
    - https://github.com/mwielgoszewski
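
The extension-point dispatch described in slides 13 to 16, as an added stand-alone Python 3 model; it is not code from the talk or from Jython-Burp-API and does not run inside Burp. The interface, option and `KeywordHighlighter` names come from the slides; the `tool`/`method` attributes, the plugin bodies, `ScopeTagger`, the `dispatch()` signature and the `[components]` section name are assumptions made for illustration.

```python
import configparser
# Constructed burp.ini-style sample; the [components] section name is assumed.
SAMPLE_INI = """
[components]
KeywordHighlighter = enabled
ScopeTagger = enabled
[myplugin]
keywords = error, syntax, exception
"""

class IProxyRequestHandler(object):      # extension-point contract (modelled)
    tool, method = "proxy", "processRequest"
class IIntruderResponseHandler(object):  # extension-point contract (modelled)
    tool, method = "intruder", "processResponse"

class Component(object):
    implements = ()                      # interfaces this component hooks
    def __init__(self, config):
        self.config = config

class KeywordHighlighter(Component):     # hypothetical body, name from slide 17
    implements = (IIntruderResponseHandler,)
    def processResponse(self, response):
        raw = self.config.get("myplugin", "keywords")
        words = [w.strip() for w in raw.split(",") if w.strip()]
        hits = [w for w in words if w in response["body"].lower()]
        return dict(response, highlight=hits) if hits else response

class ScopeTagger(Component):            # hypothetical: one class, two tools
    implements = (IProxyRequestHandler, IIntruderResponseHandler)
    def processRequest(self, request):
        return dict(request, seen_by="proxy")
    def processResponse(self, response):
        return dict(response, length=len(response["body"]))

class PluginDispatcher(object):
    def __init__(self, ini_text, available):
        self.config = configparser.ConfigParser()
        self.config.optionxform = str    # keep class-name case in option keys
        self.config.read_string(ini_text)
        self.plugins = [c(self.config) for c in available if self.config.get(
            "components", c.__name__, fallback="") == "enabled"]

    def dispatch(self, tool, method, message):
        # Filterchain: each matching plugin gets the previous one's output.
        for plugin in self.plugins:
            if (tool, method) in [(i.tool, i.method) for i in plugin.implements]:
                message = getattr(plugin, method)(message)
        return message
```

A message from a tool that no enabled component hooks passes through unchanged, which is the tool-by-tool behaviour slide 15 describes.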