A Breath of Fresh Burp

An introduction to the Jython Burp API.

Marcin Wielgoszewski

November 14, 2012

Transcript

  1. Introduction
     - Marcin Wielgoszewski
       - Adjunct lecturer NYU Poly – Web Hacking
     - https://github.com/mwielgoszewski
  2. What is Burp?
     - A desktop application and HTTP intercepting proxy
     - Built-in functionality specific to pentesting
       - Proxy
       - Spider
       - Scanner (professional version)
       - Intruder
       - Repeater
       - Sequencer
       - Decoders, etc.
  3. Nothing is ever one-size-fits-all
     - And neither are your tools!
     - Often find ourselves writing one-off scripts
       - The same scripts over and over again
     - Burp Extender
       - Allows developers to extend Burp Suite functionality
  4. Extending Burp
     - Enables ability to add to Burp Suite's functionality
     - Implement the IBurpExtender interface, among others
     - Problems:
       - One implementation per JVM instance
       - if/then/else and switches galore
       - JAVA!
  5. Cool kids hack in Ruby and Python
     - Buby
       - A JRuby implementation of IBurpExtender interface
       - Eric Monti / Timur Duehr
       - Acts as a method proxy between Java and Ruby
       - https://github.com/tduehr/buby
     - Example Usage:
       - http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html
  6. Cool kids hack in Ruby and Python
     - Jython-Burp-API
       - A Jython implementation of the IBurpExtender interface
       - https://github.com/mwielgoszewski/jython-burp-api
     - Example Usage:
       - http://webstersprodigy.net/2012/07/06/some-practical-arp-poison-attacks-with-scapy-iptables-and-burp/
  7. Introduction to Jython-Burp-API
     - Finally, a Pythonic way to write Burp plugins
       - Pythonic interface to HTTP request objects
     - Process requests/responses in filterchain-like fashion
       - On a tool-by-tool basis
     - Watchdog-like monitoring for code reloading
       - No more having to reload JVM each time
     - Cuts out a lot of the boilerplate
       - Less code we have to write
  8. The API
     - Based on Trac's plugin component architecture
       - Component implements an interface
       - Components are "activated" on first import
       - Component methods are called automatically
  9. The PluginDispatcher
     - A component that declares extension points for Components to "plug in" to
     - An extension point specifies the contract that extenders must conform to via an Interface subclass
     - To hook one of these extension points, implement the Interface and enable the plugin in burp.ini
  10. The PluginDispatcher
      - Responsible for calling plugins when required
      - For example, if a plugin implements:
        - IProxyRequestHandler, IIntruderResponseHandler
        - processRequest() called on requests sent via Proxy
        - processResponse() called on responses received via Intruder
      - Allows for customized hooking and request/response manipulation on a tool-by-tool basis
  11. Extending a Plugin's Configuration
      - Plugins can define their own configuration options
        - Option, BoolOption, IntOption, ListOption, etc.

      ```python
      class MyPlugin(Component):
          keywords = ListOption("myplugin", "keywords")
      ```

      burp.ini:

      ```ini
      …snip…
      [myplugin]
      keywords = error, syntax, exception
      ```
  12. Menu items made easy
      - Menu items subclass the MenuItem interface
        - Implement the menuItemClicked method
        - Set a CAPTION

      ```python
      class MyMenuItem(MenuItem):
          CAPTION = "My Menu Item"

          def menuItemClicked(self, caption, messages):
              # messages: the items selected when the menu entry was clicked
              for message in messages:
                  req = HttpRequest(message)
                  print "From Menu ->", req.url.geturl()
      ```

      burp.ini:

      ```ini
      [menus]
      examplepackage.MyMenuItem = enabled
      ```
  13. INewScanIssueHandler
      - Called when Burp Scanner comes across a new issue
        - Automatically log issues to a central bug tracker?

      ```python
      class IssueLogger(Component):
          implements(INewScanIssueHandler)

          jira_host = Option("scanner", "jira_host")

          def newScanIssue(self, issue):
              # POST https://{jira_host}/rest/api/2/issue/
              pass  # body left unimplemented on the slide
      ```
  14. Jython-Burp-API
      - A Pythonic interface and API for Burp plugins
        - Run plugins simultaneously
        - Interactive console
        - Filterchain-like processing of requests/responses
        - Simplified configuration and logging
        - Automatic code-reloading
        - Less boilerplate
  15. How to get it
      - https://github.com/mwielgoszewski/jython-burp-api
      - https://github.com/mwielgoszewski/jython-burp-extensions
      - Ruby:
        - https://github.com/tduehr/buby
      - Others:
        - https://github.com/zynga/hiccup
        - https://github.com/droogie/burp_extended
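
The dispatch behaviour described on the two PluginDispatcher slides can be modelled in plain Python, without Burp or Jython. This is an added example, not code from Jython-Burp-API: `PluginDispatcherModel`, `HOOKS`, the dict-shaped messages, both sample plugins and the `implements` tuple (a simplification of the `implements(...)` call shown on the slides) are assumptions made for illustration.

```python
# Added model of the dispatch pattern on the PluginDispatcher slides.
# Not Jython-Burp-API source: PluginDispatcherModel, HOOKS, the dict-shaped
# messages and both sample plugins are assumptions made for this example.

class Interface(object):
    """Each subclass names one extension point (the contract)."""

class IProxyRequestHandler(Interface):
    pass

class IIntruderResponseHandler(Interface):
    pass

class Component(object):
    implements = ()  # interfaces this plugin declares

class PluginDispatcherModel(object):
    # (tool, direction) -> (interface, method the dispatcher calls)
    HOOKS = {
        ("proxy", "request"): (IProxyRequestHandler, "processRequest"),
        ("intruder", "response"): (IIntruderResponseHandler, "processResponse"),
    }

    def __init__(self, enabled):
        # 'enabled' stands in for the plugin entries switched on in burp.ini
        self.plugins = [cls() for cls in Component.__subclasses__()
                        if cls.__name__ in enabled]

    def dispatch(self, tool, direction, message):
        interface, method = self.HOOKS.get((tool, direction), (None, None))
        for plugin in self.plugins:
            if interface in plugin.implements:
                # filterchain: each plugin receives the previous one's output
                message = getattr(plugin, method)(message)
        return message

class TagProxyTraffic(Component):
    implements = (IProxyRequestHandler,)

    def processRequest(self, request):
        request["headers"]["X-Pentest-Id"] = "constructed-example"
        return request

class KeywordFlagger(Component):
    implements = (IIntruderResponseHandler,)
    keywords = ["error", "syntax", "exception"]  # values from the burp.ini slide

    def processResponse(self, response):
        body = response["body"].lower()
        response["flags"] = [k for k in self.keywords if k in body]
        return response
```

A request dispatched for a tool with no matching hook (for example Repeater) comes back unchanged, which is the tool-by-tool scoping the slides describe.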