A Breath of Fresh Burp

Transcript

1. 1.

   A BREATH OF FRESH BURP: EXTENDING BURP THE PYTHON WAY

   Marcin Wielgoszewski
2. 2.

   Introduction ¨  Marcin Wielgoszewski ¤  Adjunct lecturer NYU Poly –

   Web Hacking ¨  https://github.com/mwielgoszewski 2
3. 3.

   How many people have used Burp during an engagement? Burp

   Suite 3
4. 4.

   What is Burp? ¨  A desktop application and HTTP intercepting

   proxy ¨  Built-in functionality specific to pentesting ¤  Proxy ¤  Spider ¤  Scanner (professional version) ¤  Intruder ¤  Repeater ¤  Sequencer ¤  Decoders, etc 4
5. 5.

   How many found Burp to do everything you needed to

   do? Quick Survey 5
6. 6.

   Nothing is ever one-size fits all ¨  And neither are

   your tools! ¨  Often find ourselves writing one-off scripts ¤  The same scripts over and over again ¨  Burp Extender ¤  Allows developers to extend Burp Suite functionality 6
7. 7.

   Who here has actually written a Burp plugin before??? Second

   Survey 7
8. 8.

   Extending Burp ¨  Enables ability to add to Burp Suite’s

   functionality ¨  Implement the IBurpExtender interface, among others ¨  Problems: ¤  One implementation per JVM instance ¤  if/then/else and switches galore ¤  JAVA! 8
9. 9.

   Cool kids hack in Ruby and Python ¨  Buby ¤ 

   A JRuby implementation of IBurpExtender interface ¤  Eric Monti / Timur Duehr ¤  Acts as a method proxy between Java and Ruby ¤  https://github.com/tduehr/buby ¨  Example Usage: ¤  http://carnal0wnage.attackresearch.com/2011/05/ buby-script-basics-part-1.html 9
10. 10.

    Cool kids hack in Ruby and Python ¨  Jython-Burp-API ¤ 

    A Jython implementation of the IBurpExtender interface ¤  https://github.com/mwielgoszewski/jython-burp-api ¨  Example Usage: ¤  http://webstersprodigy.net/2012/07/06/some- practical-arp-poison-attacks-with-scapy-iptables-and- burp/ 10
11. 11.

    The Python Way Extending Burp 11

12. 12.

    Introduction to Jython-Burp-API 12 ¨  Finally, a Pythonic way to

    write Burp plugins ¤  Pythonic interface to HTTP request objects ¨  Process requests/responses in filterchain like fashion ¤  On a tool-by-tool basis ¨  Watchdog like monitoring for code reloading ¤  No more having to reload JVM each time ¨  Cuts out a lot of the boilerplate ¤  Less code we have to write
13. 13.

    The API 13 ¨  Based on Trac’s plugin component architecture

    ¤  Component implements an interface ¤  Components are “activated” on first import ¤  Component methods are called automatically
14. 14.

    The PluginDispatcher 14 ¨  A component that declares extension points

    for Components to “plug in” to ¨  An extension point specifies the contract that extenders must conform to via an Interface subclass ¨  To hook one of these extension points, implement the Interface and enable the plugin in burp.ini
15. 15.

    The PluginDispatcher 15 ¨  Responsible for calling plugins when required

    ¨  For example, if a plugin implements: ¤  IProxyRequestHandler, IIntruderResponseHandler ¤  processRequest() called on requests sent via Proxy ¤  processResponse() called on responses received via Intruder ¨  Allows for customized hooking and request/ response manipulation on a tool-by-tool basis
16. 16.

    Extending a Plugin’s Configuration 16 ¨  Plugins can define their

    own configuration options ¤  Option, BoolOption, IntOption, ListOption, etc class  MyPlugin(Component):      keywords  =  ListOption("myplugin",  "keywords")     burp.ini:     …snip…   [myplugin]   keywords  =  error,  syntax,  exception  
17. 17.

    KeywordHighlighter XsrfTokenAnalyzer Example Plugins 17

18. 18.

    Functionality just a right-click away Extending Burp w/Context Menus 18

19. 19.

    Menu Item’s made easy 19 ¨  Menu items subclass the

    MenuItem interface ¤  Implement the menuItemClicked method ¤  Set a CAPTION class  MyMenuItem(MenuItem):      CAPTION  =  "My  Menu  Item"        def  menuItemClicked(self,  caption,  messages):          for  message  in  messages:              req  =  HttpRequest(message)              print  "From  Menu  -­‐>",  req.url.geturl()     burp.ini:      [menus]      examplepackage.MyMenuItem  =  enabled    
20. 20.

    Interactive Demo 20

21. 21.

    Miscellaneous 21

22. 22.

    INewScanIssueHandler 22 ¨  Called when Burp Scanner comes across a

    new issue ¤  Automatically log issues to a central bug tracker? class  IssueLogger(Component):      implements(INewScanIssueHandler)        jira_host  =  Option("scanner",  "jira_host")        def  newScanIssue(self,  issue):          #  POST  https://{jira_host}/rest/api/2/issue/  
23. 23.

    Conclusion 23

24. 24.

    Jython-Burp-API 24 ¨  A Pythonic interface and API for Burp

    plugins ¤  Run plugins simultaneously ¤  Interactive console ¤  Filterchain like processing of requests/responses ¤  Simplified configuration and logging ¤  Automatic code-reloading ¤  Less boilerplate
25. 25.

    How to get it 25 ¨  https://github.com/mwielgoszewski/jython-burp-api ¨  https://github.com/mwielgoszewski/jython-burp- extensions

    ¨  Ruby: ¤  https://github.com/tduehr/buby ¨  Others: ¤  https://github.com/zynga/hiccup ¤  https://github.com/droogie/burp_extended
26. 26.

    Questions? 26 ¨  Marcin Wielgoszewski ¤  marcin.wielgoszewski@gmail.com ¤  @marcinw https://github.com/mwielgoszewski