A Breath of Fresh Burp

An introduction to the Jython Burp API.

Marcin Wielgoszewski

November 14, 2012

Transcript

  1. A BREATH OF FRESH BURP: EXTENDING BURP THE PYTHON WAY
    Marcin Wielgoszewski

  2. Introduction
    - Marcin Wielgoszewski
      - Adjunct lecturer NYU Poly – Web Hacking
    - https://github.com/mwielgoszewski

  3. How many people have used Burp during an engagement?
    Burp Suite

  4. What is Burp?
    - A desktop application and HTTP intercepting proxy
    - Built-in functionality specific to pentesting
      - Proxy
      - Spider
      - Scanner (professional version)
      - Intruder
      - Repeater
      - Sequencer
      - Decoders, etc.

  5. How many found Burp to do everything you needed to do?
    Quick Survey

  6. Nothing is ever one-size-fits-all
    - And neither are your tools!
    - Often find ourselves writing one-off scripts
      - The same scripts over and over again
    - Burp Extender
      - Allows developers to extend Burp Suite functionality

  7. Who here has actually written a Burp plugin before???
    Second Survey

  8. Extending Burp
    - Enables ability to add to Burp Suite’s functionality
    - Implement the IBurpExtender interface, among others
    - Problems:
      - One implementation per JVM instance
      - if/then/else and switches galore
      - JAVA!

  9. Cool kids hack in Ruby and Python
    - Buby
      - A JRuby implementation of IBurpExtender interface
      - Eric Monti / Timur Duehr
      - Acts as a method proxy between Java and Ruby
      - https://github.com/tduehr/buby
    - Example Usage:
      - http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html

  10. Cool kids hack in Ruby and Python
    - Jython-Burp-API
      - A Jython implementation of the IBurpExtender interface
      - https://github.com/mwielgoszewski/jython-burp-api
    - Example Usage:
      - http://webstersprodigy.net/2012/07/06/some-practical-arp-poison-attacks-with-scapy-iptables-and-burp/

  11. The Python Way
    Extending Burp

  12. Introduction to Jython-Burp-API
    - Finally, a Pythonic way to write Burp plugins
      - Pythonic interface to HTTP request objects
    - Process requests/responses in filterchain-like fashion
      - On a tool-by-tool basis
    - Watchdog-like monitoring for code reloading
      - No more having to reload JVM each time
    - Cuts out a lot of the boilerplate
      - Less code we have to write

  13. The API
    - Based on Trac’s plugin component architecture
      - Component implements an interface
      - Components are “activated” on first import
      - Component methods are called automatically

  14. The PluginDispatcher
    - A component that declares extension points for Components to “plug in” to
    - An extension point specifies the contract that extenders must conform to via an Interface subclass
    - To hook one of these extension points, implement the Interface and enable the plugin in burp.ini

  15. The PluginDispatcher
    - Responsible for calling plugins when required
    - For example, if a plugin implements:
      - IProxyRequestHandler, IIntruderResponseHandler
      - processRequest() called on requests sent via Proxy
      - processResponse() called on responses received via Intruder
    - Allows for customized hooking and request/response manipulation on a tool-by-tool basis

  16. Extending a Plugin’s Configuration
    - Plugins can define their own configuration options
      - Option, BoolOption, IntOption, ListOption, etc.

    class MyPlugin(Component):
        keywords = ListOption("myplugin", "keywords")

    burp.ini:

    …snip…
    [myplugin]
    keywords = error, syntax, exception

  17. KeywordHighlighter
    XsrfTokenAnalyzer
    Example Plugins

  18. Functionality just a right-click away
    Extending Burp w/Context Menus

  19. Menu Items made easy
    - Menu items subclass the MenuItem interface
      - Implement the menuItemClicked method
      - Set a CAPTION

    class MyMenuItem(MenuItem):
        CAPTION = "My Menu Item"

        def menuItemClicked(self, caption, messages):
            # Print the URL of every message selected in the context menu
            for message in messages:
                req = HttpRequest(message)
                print "From Menu ->", req.url.geturl()

    burp.ini:
        [menus]
        examplepackage.MyMenuItem = enabled

  20. Interactive Demo

  21. Miscellaneous

  22. INewScanIssueHandler
    - Called when Burp Scanner comes across a new issue
      - Automatically log issues to a central bug tracker?

    class IssueLogger(Component):
        implements(INewScanIssueHandler)

        jira_host = Option("scanner", "jira_host")

        def newScanIssue(self, issue):
            # POST https://{jira_host}/rest/api/2/issue/
            pass

  23. Conclusion

  24. Jython-Burp-API
    - A Pythonic interface and API for Burp plugins
      - Run plugins simultaneously
      - Interactive console
      - Filterchain-like processing of requests/responses
      - Simplified configuration and logging
      - Automatic code-reloading
      - Less boilerplate

  25. How to get it
    - https://github.com/mwielgoszewski/jython-burp-api
    - https://github.com/mwielgoszewski/jython-burp-extensions
    - Ruby:
      - https://github.com/tduehr/buby
    - Others:
      - https://github.com/zynga/hiccup
      - https://github.com/droogie/burp_extended

  26. Questions?
    - Marcin Wielgoszewski
      - [email protected]
      - @marcinw
    https://github.com/mwielgoszewski
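
The dispatch pattern from slides 13 to 15 (with the keywords option from slide 16), modelled in plain Python as an added example; it is not code from the talk or from jython-burp-api. Dispatcher, ROUTES, TagRequest and FlagErrors are hypothetical names, messages are constructed dicts, and the `enabled` list stands in for burp.ini.

```python
# Added illustration of the dispatch pattern on slides 13-15. It does not
# import or reproduce jython-burp-api; Dispatcher, ROUTES, TagRequest and
# FlagErrors are hypothetical names, and messages are plain dicts.

class Interface(object):
    """Subclass to declare the contract for one extension point."""

class IProxyRequestHandler(Interface):
    """processRequest(message): requests sent via Proxy."""

class IIntruderResponseHandler(Interface):
    """processResponse(message): responses received via Intruder."""

class Component(object):
    implements = ()  # interfaces this plugin hooks

class TagRequest(Component):
    implements = (IProxyRequestHandler,)
    def processRequest(self, message):
        message["headers"]["X-Engagement"] = "constructed-id"

class FlagErrors(Component):
    implements = (IIntruderResponseHandler,)
    keywords = ["error", "syntax", "exception"]  # as in the burp.ini slide
    def processResponse(self, message):
        body = message["body"].lower()
        message["flags"] = [k for k in self.keywords if k in body]

class Dispatcher(object):
    # (tool, direction) -> (extension point, method the contract requires)
    ROUTES = {
        ("proxy", "request"): (IProxyRequestHandler, "processRequest"),
        ("intruder", "response"): (IIntruderResponseHandler, "processResponse"),
    }
    def __init__(self, enabled):
        self.plugins = [cls() for cls in enabled]  # stands in for burp.ini

    def dispatch(self, tool, direction, message):
        iface, method = self.ROUTES.get((tool, direction), (None, None))
        called = []
        for plugin in self.plugins:  # filterchain: each plugin sees the
            if iface in plugin.implements:  # message left by the previous one
                getattr(plugin, method)(message)
                called.append(type(plugin).__name__)
        return called
```

A tool and direction with no registered route, such as a Repeater request here, reaches no plugin and the message passes through untouched.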