Slide 1

Slide 1 text

Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements

Slide 2

Slide 2 text

/me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..

Slide 3

Slide 3 text

I am a Java n00b

Slide 4

Slide 4 text

If you already know Java
You’re either:
• In the wrong room
• About to be really offended!

Slide 5

Slide 5 text

Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination

Slide 6

Slide 6 text

Oh…..and there’ll be cats

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender

Slide 9

Slide 9 text

The problem

Slide 10

Slide 10 text

I wrote a plugin
Coding by Google FTW!

Slide 11

Slide 11 text

How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/

Slide 12

Slide 12 text

Burp Extender
• Achieves this via 6 interfaces:
  • IBurpExtender
  • IBurpExtenderCallbacks
  • IHttpRequestResponse
  • IScanIssue
  • IScanQueueItem
  • IMenuItemHandler

Slide 13

Slide 13 text

Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK

Slide 14

Slide 14 text

Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;

Slide 15

Slide 15 text

Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes method can be called from code in other classes or outside class hierarchy

Slide 16

Slide 16 text

Java 101 continued…
• class hierarchy defined by directory structure:
  • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially ZIP file of classes/directories

Slide 17

Slide 17 text

Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)

Slide 18

Slide 18 text

Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp:
  • java -jar burpsuite_pro_v1.4.12.jar

Slide 19

Slide 19 text

Enough 101

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Let’s write some codez

Slide 22

Slide 22 text

First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
  • JetBrains IntelliJ (my personal favourite)
  • NetBeans (never used)
  • JCreator (again, never used)
  • Terminal/vim/javac < MOAR L33T

Slide 23

Slide 23 text

Download Eclipse Classic
Or install from your USB drive

Slide 24

Slide 24 text

Eclipse 4.2 Classic
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d
• eclipse-SDK-4.2-win32-x86_64.zip
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
• 68b1eb33596dddaac9ac71473cd1b35f51af8df7
• eclipse-SDK-4.2-win32.zip

Slide 25

Slide 25 text

Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
  • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5

Slide 26

Slide 26 text

Welcome to Eclipse

Slide 27

Slide 27 text

Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish

Slide 30

Slide 30 text

Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish

Slide 31

Slide 31 text

Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

We’re ready to type

Slide 34

Slide 34 text

Loading external classes
• We need to tell Java about external classes
• Ruby has require
• PHP has include or require
• Perl has require
• C has include
• Java uses import

Slide 35

Slide 35 text

Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
• import burp.*;

Slide 36

Slide 36 text

IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”

Slide 37

Slide 37 text

In other words

    public class BurpExtender
    {
    }

• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java

Slide 38

Slide 38 text

Add this

    package burp;

    import burp.*;

    public class BurpExtender
    {
        // Burp calls this for every HTTP request and response its tools handle
        public void processHttpMessage(
                String toolName,
                boolean messageIsRequest,
                IHttpRequestResponse messageInfo) throws Exception
        {
            System.out.println("Hello World!");
        }
    }

Slide 39

Slide 39 text

Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application

Slide 40

Slide 40 text

Select Java Application
• Under Matching items select StartBurp – burp
• Click OK

Slide 41

Slide 41 text

Burp runs
• Check Alerts tab
• View registration of BurpExtender class

Slide 42

Slide 42 text

Console output
• The console window shows output from the application
• Note the “Hello World!”s

Slide 43

Slide 43 text

Congratulations

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”

Slide 46

Slide 46 text

Burp Suite Flow

Slide 47

Slide 47 text

processProxyMessage
RepeatAfterMeClient.exe
processHttpMessage
http://wc•ox/RepeaterService.svc
Burp Suite

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

We’ve got to do a few things
• Split the HTTP Headers from FI body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

• Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow

Slide 52

Slide 52 text

Decoding the Fastinfoset to console

Slide 53

Slide 53 text

First: we get it wrong
• Burp returns message body as byte[]
• Hmm, bytes are hard, let’s convert to String
• Split on \r\n\r\n

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

Then we do it right
• Fastinfoset is a binary encoding
• Don’t try and convert it to a String
• Now things work
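
Added example (not code from the original slides): the difference between the "wrong" split on slide 53 and the byte-level split on slide 55, plus the "append to headers" step from slide 49. The class and method names, the sample request and the Content-Length rewrite are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class FiMessageSplit {

    // Offset of the first body byte (just past CRLF CRLF), or -1 if there is none.
    static int bodyOffset(byte[] msg) {
        for (int i = 0; i + 3 < msg.length; i++) {
            if (msg[i] == '\r' && msg[i + 1] == '\n' && msg[i + 2] == '\r' && msg[i + 3] == '\n') {
                return i + 4;
            }
        }
        return -1;
    }

    // Slide 53 approach: decode the whole message as text, split, re-encode.
    static byte[] bodyViaString(byte[] msg) {
        String[] parts = new String(msg, StandardCharsets.UTF_8).split("\r\n\r\n", 2);
        return parts.length < 2 ? new byte[0] : parts[1].getBytes(StandardCharsets.UTF_8);
    }

    // Slide 55 approach: slice the body out of the byte[] without decoding it.
    static byte[] bodyAsBytes(byte[] msg) {
        int off = bodyOffset(msg);
        return off < 0 ? new byte[0] : Arrays.copyOfRange(msg, off, msg.length);
    }

    // "Append to headers": only the header block is handled as text, and
    // Content-Length is rewritten to match the new body (an assumption here).
    static byte[] rebuild(byte[] msg, byte[] newBody) {
        int off = bodyOffset(msg);
        if (off < 0) throw new IllegalArgumentException("no header/body boundary");
        byte[] head = new String(msg, 0, off, StandardCharsets.ISO_8859_1)
                .replaceAll("(?im)^Content-Length:.*$", "Content-Length: " + newBody.length)
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] out = Arrays.copyOf(head, head.length + newBody.length);
        System.arraycopy(newBody, 0, out, head.length, newBody.length);
        return out;
    }

    public static void main(String[] args) {
        // Constructed request: ASCII headers plus a binary body (not a real capture).
        byte[] body = {(byte) 0xE0, 0x00, 0x00, 0x01, 0x0D, 0x0A, 0x0D, 0x0A, (byte) 0xFF};
        byte[] msg = rebuild("POST /RepeaterService.svc HTTP/1.1\r\nContent-Length: 0\r\n\r\n"
                .getBytes(StandardCharsets.US_ASCII), body);
        System.out.println("byte slice intact:   " + Arrays.equals(body, bodyAsBytes(msg)));
        System.out.println("String split intact: " + Arrays.equals(body, bodyViaString(msg)));
        System.out.println(new String(msg, 0, bodyOffset(msg), StandardCharsets.US_ASCII).trim());
    }
}
```

The String round trip replaces every byte sequence that is not valid UTF-8, so the body it returns no longer matches what was sent, while the byte slice does.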

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

Decoding Fastinfoset through Proxy

Slide 58

Slide 58 text

No content

Slide 59

Slide 59 text

We’re nearly there……

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
  • java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp

Slide 62

Slide 62 text

Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• Solution: chain two Burp instances together

Slide 63

Slide 63 text

Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….

Slide 64

Slide 64 text

Questions?
