A Breath of Fresh Burp

An introduction to the Jython Burp API.

Marcin Wielgoszewski

November 14, 2012

Transcript

  1. Introduction
     - Marcin Wielgoszewski
       - Adjunct lecturer NYU Poly – Web Hacking
     - https://github.com/mwielgoszewski
  2. What is Burp?
     - A desktop application and HTTP intercepting proxy
     - Built-in functionality specific to pentesting
       - Proxy
       - Spider
       - Scanner (professional version)
       - Intruder
       - Repeater
       - Sequencer
       - Decoders, etc.
  3. Nothing is ever one-size-fits-all
     - And neither are your tools!
     - Often find ourselves writing one-off scripts
       - The same scripts over and over again
     - Burp Extender
       - Allows developers to extend Burp Suite functionality
  4. Extending Burp
     - Adds the ability to extend Burp Suite’s functionality
     - Implement the IBurpExtender interface, among others
     - Problems:
       - One implementation per JVM instance
       - if/then/else and switches galore
       - JAVA!
  5. Cool kids hack in Ruby and Python
     - Buby
       - A JRuby implementation of IBurpExtender interface
       - Eric Monti / Timur Duehr
       - Acts as a method proxy between Java and Ruby
       - https://github.com/tduehr/buby
     - Example Usage:
       - http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html
  6. Cool kids hack in Ruby and Python
     - Jython-Burp-API
       - A Jython implementation of the IBurpExtender interface
       - https://github.com/mwielgoszewski/jython-burp-api
     - Example Usage:
       - http://webstersprodigy.net/2012/07/06/some-practical-arp-poison-attacks-with-scapy-iptables-and-burp/
  7. Introduction to Jython-Burp-API
     - Finally, a Pythonic way to write Burp plugins
       - Pythonic interface to HTTP request objects
     - Process requests/responses in filterchain-like fashion
       - On a tool-by-tool basis
     - Watchdog-like monitoring for code reloading
       - No more having to reload the JVM each time
     - Cuts out a lot of the boilerplate
       - Less code we have to write
  8. The API
     - Based on Trac’s plugin component architecture
       - Component implements an interface
       - Components are “activated” on first import
       - Component methods are called automatically
  9. The PluginDispatcher
     - A component that declares extension points for Components to “plug in” to
     - An extension point specifies the contract that extenders must conform to via an Interface subclass
     - To hook one of these extension points, implement the Interface and enable the plugin in burp.ini
  10. The PluginDispatcher
      - Responsible for calling plugins when required
      - For example, if a plugin implements:
        - IProxyRequestHandler, IIntruderResponseHandler
        - processRequest() called on requests sent via Proxy
        - processResponse() called on responses received via Intruder
      - Allows for customized hooking and request/response manipulation on a tool-by-tool basis
  11. Extending a Plugin’s Configuration
      - Plugins can define their own configuration options
        - Option, BoolOption, IntOption, ListOption, etc.

          class MyPlugin(Component):
              keywords = ListOption("myplugin", "keywords")

      burp.ini:

          …snip…
          [myplugin]
          keywords = error, syntax, exception
  12. Menu items made easy
      - Menu items subclass the MenuItem interface
        - Implement the menuItemClicked method
        - Set a CAPTION

          class MyMenuItem(MenuItem):
              CAPTION = "My Menu Item"

              def menuItemClicked(self, caption, messages):
                  for message in messages:
                      req = HttpRequest(message)
                      print "From Menu ->", req.url.geturl()

      burp.ini:

          [menus]
          examplepackage.MyMenuItem = enabled
  13. INewScanIssueHandler
      - Called when Burp Scanner comes across a new issue
        - Automatically log issues to a central bug tracker?

          class IssueLogger(Component):
              implements(INewScanIssueHandler)

              jira_host = Option("scanner", "jira_host")

              def newScanIssue(self, issue):
                  # POST https://{jira_host}/rest/api/2/issue/
                  pass
  14. Jython-Burp-API
      - A Pythonic interface and API for Burp plugins
        - Run plugins simultaneously
        - Interactive console
        - Filterchain-like processing of requests/responses
        - Simplified configuration and logging
        - Automatic code-reloading
        - Less boilerplate
  15. How to get it
      - https://github.com/mwielgoszewski/jython-burp-api
      - https://github.com/mwielgoszewski/jython-burp-extensions
      - Ruby:
        - https://github.com/tduehr/buby
      - Others:
        - https://github.com/zynga/hiccup
        - https://github.com/droogie/burp_extended
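
The issue-logging idea from slide 13, as an added example that is not from the deck or the Jython-Burp-API project: plain Python that turns a scan issue into the JSON body for the `POST /rest/api/2/issue/` call the slide mentions, and skips findings already filed. The getter names follow Burp's `IScanIssue` interface; `FakeIssue`, the `SEC` project key, the `Bug` issue type, the priority mapping and the labels are assumptions, and the sample finding is constructed.

```python
import hashlib
import json

# Assumed mapping from Burp severity strings to tracker priority names.
PRIORITY = {"High": "Critical", "Medium": "Major",
            "Low": "Minor", "Information": "Trivial"}

def fingerprint(issue):
    """Stable ID per (issue name, URL without query) so re-scans do not re-file."""
    url = str(issue.getUrl()).split("?", 1)[0]
    raw = "%s|%s" % (issue.getIssueName(), url)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]

def jira_payload(issue, project_key):
    """Build the body for POST /rest/api/2/issue/ from a scan issue."""
    # Scanner detail embeds content taken from responses: strip the closing
    # marker and wrap it in {noformat} so the tracker shows it as plain text.
    detail = (issue.getIssueDetail() or "(no detail)").replace("{noformat}", "")
    description = "\n".join([
        "URL: %s" % issue.getUrl(),
        "Severity: %s (confidence: %s)" % (issue.getSeverity(), issue.getConfidence()),
        "{noformat}", detail, "{noformat}"])
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},                       # assumed issue type
        "summary": ("[Burp] %s" % issue.getIssueName())[:255],
        "description": description,
        "priority": {"name": PRIORITY.get(issue.getSeverity(), "Minor")},
        "labels": ["burp-scanner", "burp-" + fingerprint(issue)]}}

def prepare_ticket(issue, seen, project_key="SEC"):
    """Return the JSON request body, or None if this finding was already filed."""
    fp = fingerprint(issue)
    if fp in seen:
        return None
    seen.add(fp)
    return json.dumps(jira_payload(issue, project_key), sort_keys=True)

class FakeIssue(object):
    """Constructed stand-in exposing the IScanIssue getters used above."""
    def __init__(self, name, url, severity, confidence, detail):
        self._v = (name, url, severity, confidence, detail)
    def getIssueName(self): return self._v[0]
    def getUrl(self): return self._v[1]
    def getSeverity(self): return self._v[2]
    def getConfidence(self): return self._v[3]
    def getIssueDetail(self): return self._v[4]

# Constructed sample finding; "SEC" above is a placeholder project key.
SAMPLE = FakeIssue("SQL injection", "https://app.example.test/search?q=1",
                   "High", "Firm", "The <b>q</b> parameter appears vulnerable.")
```

Inside a plugin, `newScanIssue` would call `prepare_ticket(issue, seen)` and send the returned body to the configured `jira_host` only when it is not `None`.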