Nothing is ever one-size-fits-all
- And neither are your tools!
- We often find ourselves writing one-off scripts
  - The same scripts over and over again
- Burp Extender
  - Allows developers to extend Burp Suite functionality

Extending Burp
- Enables the ability to add to Burp Suite’s functionality
- Implement the IBurpExtender interface, among others
- Problems:
  - One implementation per JVM instance
  - if/then/else and switches galore
  - JAVA!

Cool kids hack in Ruby and Python
- Buby
  - A JRuby implementation of the IBurpExtender interface
  - Eric Monti / Timur Duehr
  - Acts as a method proxy between Java and Ruby
  - https://github.com/tduehr/buby
- Example Usage:
  - http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html

Cool kids hack in Ruby and Python
- Jython-Burp-API
  - A Jython implementation of the IBurpExtender interface
  - https://github.com/mwielgoszewski/jython-burp-api
- Example Usage:
  - http://webstersprodigy.net/2012/07/06/some-practical-arp-poison-attacks-with-scapy-iptables-and-burp/

Introduction to Jython-Burp-API
- Finally, a Pythonic way to write Burp plugins
  - Pythonic interface to HTTP request objects
- Process requests/responses in a filterchain-like fashion
  - On a tool-by-tool basis
- Watchdog-like monitoring for code reloading
  - No more having to reload the JVM each time
- Cuts out a lot of the boilerplate
  - Less code we have to write

The API
- Based on Trac’s plugin component architecture
  - Component implements an interface
  - Components are “activated” on first import
  - Component methods are called automatically

The PluginDispatcher
- A component that declares extension points for Components to “plug in” to
- An extension point specifies the contract that extenders must conform to via an Interface subclass
- To hook one of these extension points, implement the Interface and enable the plugin in burp.ini

The PluginDispatcher
- Responsible for calling plugins when required
- For example, if a plugin implements:
  - IProxyRequestHandler, IIntruderResponseHandler
  - processRequest() called on requests sent via Proxy
  - processResponse() called on responses received via Intruder
- Allows for customized hooking and request/response manipulation on a tool-by-tool basis
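
The dispatch pattern described on the two PluginDispatcher slides, as an added example that is not from the slides and is not jython-burp-api's own code. Only the interface and method names come from the slide; the class bodies, the `implements` tuple (a simplification of the `implements(...)` call), the `enabled` list standing in for burp.ini, the header name and the sample messages are assumptions constructed for illustration.

```python
class Interface(object): pass  # a contract that a plugin declares it fulfils
class IProxyRequestHandler(Interface): pass
class IIntruderResponseHandler(Interface): pass

class Component(object):
    implements = ()  # interfaces this plugin hooks

class PluginDispatcher(object):
    # Extension points: (tool, direction) -> (interface, method to call)
    POINTS = {
        ("proxy", "request"): (IProxyRequestHandler, "processRequest"),
        ("intruder", "response"): (IIntruderResponseHandler, "processResponse"),
    }

    def __init__(self, available, enabled):
        # `enabled` stands in for burp.ini: only the plugins it names are activated.
        self.plugins = [cls() for cls in available if cls.__name__ in enabled]
    def dispatch(self, tool, direction, message):
        interface, method = self.POINTS.get((tool, direction), (None, None))
        for plugin in self.plugins:
            if interface in plugin.implements:
                # Each handler receives the previous handler's output (filterchain).
                message = getattr(plugin, method)(message)
        return message

class TagTraffic(Component):  # marks proxied requests so they can be attributed
    implements = (IProxyRequestHandler,)
    def processRequest(self, request):
        headers = dict(request["headers"], **{"X-Assessment-Id": "constructed-1234"})
        return dict(request, headers=headers)

class FlagServerErrors(Component):
    implements = (IIntruderResponseHandler,)
    def processResponse(self, response):
        return dict(response, flagged=response["status"] >= 500)

class NotEnabled(Component):  # implements the hook but is never activated
    implements = (IProxyRequestHandler,)
    def processRequest(self, request):
        return dict(request, touched=True)

def demo():
    d = PluginDispatcher([TagTraffic, FlagServerErrors, NotEnabled],
                         enabled=["TagTraffic", "FlagServerErrors"])
    req = {"url": "http://example.test/", "headers": {}}  # constructed sample
    resp = {"status": 500, "body": "error"}  # constructed sample
    return [d.dispatch("proxy", "request", req),
            d.dispatch("intruder", "response", resp),
            d.dispatch("proxy", "response", resp)]  # no extension point: unchanged
```

Calling `demo()` returns the tagged proxy request, the flagged Intruder response, and an untouched proxy response, showing that a handler only fires for the tool and direction its interface covers.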

Extending a Plugin’s Configuration
- Plugins can define their own configuration options
  - Option, BoolOption, IntOption, ListOption, etc.

    class MyPlugin(Component):
        keywords = ListOption("myplugin", "keywords")

Menu items made easy
- Menu items subclass the MenuItem interface
  - Implement the menuItemClicked method
  - Set a CAPTION

    class MyMenuItem(MenuItem):
        CAPTION = "My Menu Item"

        def menuItemClicked(self, caption, messages):
            # Wrap each selected message and print its URL (Jython / Python 2 print)
            for message in messages:
                req = HttpRequest(message)
                print "From Menu ->", req.url.geturl()

INewScanIssueHandler
- Called when Burp Scanner comes across a new issue
  - Automatically log issues to a central bug tracker?

    class IssueLogger(Component):
        implements(INewScanIssueHandler)

        jira_host = Option("scanner", "jira_host")

        def newScanIssue(self, issue):
            # POST https://{jira_host}/rest/api/2/issue/
            pass

Jython-Burp-API
- A Pythonic interface and API for Burp plugins
  - Run plugins simultaneously
  - Interactive console
  - Filterchain-like processing of requests/responses
  - Simplified configuration and logging
  - Automatic code-reloading
  - Less boilerplate

How to get it
- https://github.com/mwielgoszewski/jython-burp-api
- https://github.com/mwielgoszewski/jython-burp-extensions
- Ruby:
  - https://github.com/tduehr/buby
- Others:
  - https://github.com/zynga/hiccup
  - https://github.com/droogie/burp_extended