AppSec USA 2015: Customizing Burp Suite
TRANSCRIPT
![Page 1: AppSec USA 2015: Customizing Burp Suite](https://reader038.vdocuments.mx/reader038/viewer/2022102617/58ae93151a28abdf068b60bf/html5/thumbnails/1.jpg)
Customizing Burp Suite
Getting the Most out of Burp Extensions
August Detlefsen
• Senior Application Security Consultant
• Author
[email protected] @codemagi http://www.codemagi.com/blog
Monika Morrow
• Senior Application Security Consultant @ AppSec Consulting
[email protected] @fortytwowho
Agenda/Overview
• Extensions
• Using the BApp Store
• Building Your First Extension
• Adding GUI to extensions
• Building Scanners
• Utilities
Burp Suite
• What is Burp?
• What are extensions?
  – What can I do with them? (use cases)
What Can I Do With Extensions?
• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder
• Create new payload types
• Automate Authentication
• Much, Much More
BApp Store
• What is it?
• How do I use it?
• A look at some useful extensions
  – Logger++
  – WSDL Wizard
BApp Store
Burp Extension Tab
Logger++
List of Active/Inactive Burp Extensions
Logger++ Options
Logger++ View Logs
Logger++ Item Details
Jython Extensions
Burp Extensions Settings
One Click Install Jython Extensions
WSDL Wizard Installed
Installed Burp Extensions
WSDL Wizard Usage
WSDL Wizard Results
Limited Examples
• Proprietary code
• One-Offs
• No process for updating BApp Store extensions
Loading a Custom Extension
• Java, Python, and Ruby extensions are loaded and managed through a single interface within the Extension tab
Building Custom Extensions
• Burp Suite Pro v 1.6.x
• Current NetBeans IDE (8.0.2)
• JDK 8
Starting with a Template
• Find a starter project
• Some example projects at https://portswigger.net/burp/extender/
• Today we'll start with my NetbeansGUI project found at https://github.com/monikamorrow/Burp-Suite-Extension-Examples
  – Which depends on https://github.com/augustd/burp-suite-utils
Starting with a Template
• Clone Burp-Suite-Extension-Examples and burp-suite-utils into your working directory
• Open the Burp-Suite-Extension-Examples NetBeans project and expand folders and resolve issues along the way
• Compile the project to resolve remaining issues
Open the NetBeans Project
Problems already! No problem.
Resolve Project Problems
Find the Cloned Project
…and Repeat. Resolved.
Now what!?
Invalid Java Version?
Select Java Version
Resolved!
More Problems?
Compile to Fix!

```text
Building jar: C:\Users\mmorrow\Documents\GitHub\Burp-Suite-Extension-Examples\Example4NetBeansGUI\BurpExtender\dist\BurpExtender-combined.jar
jar:
BUILD SUCCESSFUL (total time: 1 second)
```
Edit build.xml

```xml
<target name="-post-jar">
    <jar jarfile="dist/BurpExtender-combined.jar">
        <zipfileset src="${dist.jar}" />
        <zipgroupfileset dir="dist/lib" includes="*.jar" excludes="META-INF/*"/>
    </jar>
</target>
```

The -post-jar target runs after NetBeans has built the project jar and merges every jar in dist/lib into a single BurpExtender-combined.jar, which is the file you load into Burp. META-INF/* is excluded so the dependencies' manifests and signature files do not collide with the extension's own.
Test!
Let's Write Some Code
• Start new class BurpExtender
• Import BurpGUIExtender
• Implement BurpGUIExtender's abstract functions
  – init()
  – processSelectedMessage()
BurpExtender

```java
package burp;

import com.monikamorrow.burp.BurpGUIExtender;

public class BurpExtender extends BurpGUIExtender {

    public void init() {
        mPluginName = "MYPROJECT";
        mUsageStatement = "Usage statement for " + mPluginName;
    }

    protected IHttpRequestResponse processSelectedMessage(
            IHttpRequestResponse messageInfo, boolean isRequest) {
        if (isRequest) {
            mStdOut.println("processSelectedMessage triggered for request");
            messageInfo.setComment("Request processed");
        } else {
            mStdOut.println("processSelectedMessage triggered for response");
            messageInfo.setComment(messageInfo.getComment() + "/Response processed");
        }
        return messageInfo;
    }
}
```
What's Available?
• Mix and match
  – BurpGUIExtender
  – BurpSuiteTab
    • ToolsScopeComponent
    • UrlScopeComponent
  – BaseExtender
  – PassiveScan
  – …and more
GUI Components
• Configuration of options
• Enable only what you want
• Autosave
How to Add?

```java
mTab = new BurpSuiteTab(mPluginName, mCallbacks);
mTab.add(toolsScope);
mTab.add(urlScope);
mTab.add(myJPanel);
mCallbacks.customizeUiComponent(mTab);
mCallbacks.addSuiteTab(mTab);
```
How to Get Settings?

```java
urlScope.processAllRequests();
toolsScope.isToolSelected(toolFlag);
```
Building a Passive Scanner

Passive Scanning
• Search responses for problematic values
• Built-in passive scans
  – Credit card numbers
  – Known passwords
  – Missing headers
Passive Scanning – Room for Improvement
• Error Messages
• Software Version Numbers
Implement the IScannerCheck interface

```java
public class PassiveScan implements IScannerCheck {

    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) { … }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
            IScannerInsertionPoint insertionPoint) { … }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { … }
}
```
Register the extension as a custom scanner

```java
@Override
protected void initialize() {
    callbacks.registerScannerCheck(this);
}
```
IScannerCheck.doPassiveScan()

```java
for (MatchRule rule : rules) {
    Matcher matcher = rule.getPattern().matcher(response);
    while (matcher.find()) {
        // group holds the text matched for this rule (taken from the matcher, not shown)
        matches.add(new ScannerMatch(matcher.start(), matcher.end(), group, rule));
    }
}

if (!matches.isEmpty()) {
    Collections.sort(matches);
    List<int[]> startStop = new ArrayList<int[]>(1);
    for (ScannerMatch match : matches) {
        startStop.add(new int[]{match.getStart(), match.getEnd()});
    }

    return new ScanIssue(
            baseRequestResponse.getHttpService(),
            helpers.analyzeRequest(baseRequestResponse).getUrl(),
            new IHttpRequestResponse[]{callbacks.applyMarkers(baseRequestResponse, null, startStop)},
            issueName, issueDetail, ScanIssueSeverity.MEDIUM, ScanIssueConfidence.FIRM);
}
```
IScannerCheck.consolidateDuplicateIssues()

```java
@Override
public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
    if (existingIssue.getIssueDetail().equals(newIssue.getIssueDetail())) {
        return -1; // It is a duplicate: keep only the existing issue
    } else {
        return 0;  // This is a new issue: report both
    }
}
```
Extending from PassiveScan

```java
@Override
protected void initPassiveScan() {
    // set the extension name
    extensionName = "Error Message Checks";

    // create match rules
    addMatchRule(new MatchRule(PHP_ON_LINE, 0, "PHP"));
    addMatchRule(new MatchRule(PHP_HTML_ON_LINE, 0, "PHP"));
    …
}
```
Extending from PassiveScan

```java
@Override
protected ScanIssue getScanIssue(IHttpRequestResponse baseRequestResponse,
        List<ScannerMatch> matches, List<int[]> startStop) {
    return new ScanIssue(baseRequestResponse, helpers, callbacks, startStop,
            getIssueName(), getIssueDetail(matches),
            ScanIssueSeverity.MEDIUM.getName(), ScanIssueConfidence.FIRM.getName());
}
```
Building an Active Scanner

Active Scanning
• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
  – XSS
  – SQL Injection
  – Path Traversal
  – etc
IScannerCheck.doActiveScan()

```java
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
        IScannerInsertionPoint insertionPoint) {
    for (MatchRule rule : rules) {
        // compile a request containing our injection test in the insertion point
        byte[] testBytes = rule.getTest();
        byte[] checkRequest = insertionPoint.buildRequest(testBytes);

        // issue the request
        IHttpRequestResponse checkRequestResponse =
                callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), checkRequest);

        // get the response
        String response = helpers.bytesToString(checkRequestResponse.getResponse());

        // get the offsets of the payload within the request, for in-UI highlighting
        List<int[]> requestHighlights = new ArrayList<int[]>(1);
        requestHighlights.add(insertionPoint.getPayloadOffsets(testBytes));
        …
    }
    …
}
```
Extending from ActiveScan

```java
@Override
protected void initActiveScan() {
    // set the extension name
    extensionName = "Server Side Javascript Injection checks";

    // create match rules
    addMatchRule(new MatchRule("response.end('success')", SUCCESS, 0, "response.end"));
    addMatchRule(new MatchRule("1995';return(true);var%20foo='bar", TRUE, 0, "string"));
}
```
Insertion Points
• Locations of parameters in request
• Contain data the server will act upon
Defining Insertion Points
• Implement IScannerInsertionPointProvider
  – getInsertionPoints()
• Register as an insertion point provider:

```java
callbacks.registerScannerInsertionPointProvider(this);
```
BurpExtender.getInsertionPoints()

```java
@Override
public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse baseRR) {
    byte[] request = baseRR.getRequest();
    String requestAsString = new String(request);

    GWTParser parser = new GWTParser();
    parser.parse(requestAsString);
    // the parser yields insertionPointOffsets and bodyStart (not shown)
    …
    List<IScannerInsertionPoint> insertionPoints = new ArrayList<IScannerInsertionPoint>();
    for (int[] offset : insertionPointOffsets) {
        IScannerInsertionPoint point = helpers.makeScannerInsertionPoint(
                "GWT", request, offset[0] - bodyStart, offset[1] - bodyStart);
        insertionPoints.add(point);
    }
    return insertionPoints;
}
```
Viewing Insertion Points
• Add menu option to send request to Intruder
• Implement IContextMenuFactory
  – createMenuItems()
• Register as a menu factory

```java
callbacks.registerContextMenuFactory(this);
```
BurpExtender.createMenuItems()

```java
@Override
public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
    // get selected requests from the invocation
    IHttpRequestResponse[] ihrrs = invocation.getSelectedMessages();

    // create clickable menu item
    JMenuItem item = new JMenuItem("Send GWT request(s) to Intruder");
    item.addActionListener(new MenuItemListener(ihrrs));

    // return a Collection of menu items
    List<JMenuItem> menuItems = new ArrayList<JMenuItem>();
    menuItems.add(item);
    return menuItems;
}
```
MenuItemListener

```java
class MenuItemListener implements ActionListener {
    private IHttpRequestResponse[] ihrrs;

    public MenuItemListener(IHttpRequestResponse[] ihrrs) {
        this.ihrrs = ihrrs;
    }

    public void actionPerformed(ActionEvent ae) {
        sendGWTToIntruder(ihrrs);
    }
}
```
BurpExtender.sendGWTToIntruder()

```java
public void sendGWTToIntruder(IHttpRequestResponse[] ihrrs) {
    for (IHttpRequestResponse baseRR : ihrrs) {
        IHttpService service = baseRR.getHttpService();

        // parse the request (not shown)

        if (isGWTRequest) {
            // Send GWT request to Intruder
            callbacks.sendToIntruder(
                    service.getHost(), service.getPort(),
                    service.getProtocol().equals("https"),
                    request, insertionPointOffsets);

            baseRR.setComment("GWT: " + parser.getServiceMethod() + " " + baseRR.getComment());
        }
    }
}
```
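The GWT slides show the provider and the context menu as separate fragments that share a parser which is not on the slides. The following is an added example, not code from the talk or from burp-suite-gwt-scan, that covers both the "Defining Insertion Points" and the "Viewing Insertion Points" steps in one extension: the same offset computation feeds makeScannerInsertionPoint for the Scanner and sendToIntruder for Intruder, so both tools attack exactly the same positions. It is deliberately not a GWT-RPC parser; it assumes a POST body sent as text/x-gwt-rpc and simply treats every non-empty '|'-separated field as a target, and the menu label and insertion point names are invented for the example.

```java
package burp;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.util.ArrayList;
import java.util.List;
import javax.swing.JMenuItem;

public class BurpExtender implements IBurpExtender,
        IScannerInsertionPointProvider, IContextMenuFactory {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Pipe-delimited body insertion points (example)");
        callbacks.registerScannerInsertionPointProvider(this);
        callbacks.registerContextMenuFactory(this);
    }

    /** Assumption: only POST bodies sent as text/x-gwt-rpc are of interest. */
    private boolean isPipeDelimited(byte[] request) {
        IRequestInfo info = helpers.analyzeRequest(request);
        if (!"POST".equals(info.getMethod())) return false;
        for (String header : info.getHeaders()) {
            if (header.regionMatches(true, 0, "Content-Type:", 0, 13)
                    && header.toLowerCase().contains("text/x-gwt-rpc")) return true;
        }
        return false;
    }

    /**
     * Simplified field split (not a real GWT-RPC parser): every non-empty '|'-separated
     * field in the body becomes a {start, end} pair. Offsets are into the whole request,
     * which is what both makeScannerInsertionPoint and sendToIntruder expect.
     */
    static List<int[]> fieldOffsets(byte[] request, int bodyStart) {
        List<int[]> offsets = new ArrayList<>();
        int fieldStart = bodyStart;
        for (int i = bodyStart; i <= request.length; i++) {
            if (i == request.length || request[i] == '|') {
                if (i > fieldStart) offsets.add(new int[]{fieldStart, i});
                fieldStart = i + 1;
            }
        }
        return offsets;
    }

    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse baseRR) {
        byte[] request = baseRR.getRequest();
        if (!isPipeDelimited(request)) return null;
        int bodyStart = helpers.analyzeRequest(request).getBodyOffset();
        List<IScannerInsertionPoint> points = new ArrayList<>();
        int n = 0;
        for (int[] off : fieldOffsets(request, bodyStart)) {
            points.add(helpers.makeScannerInsertionPoint("GWT field " + n++, request, off[0], off[1]));
        }
        return points;
    }

    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        final IHttpRequestResponse[] selected = invocation.getSelectedMessages();
        if (selected == null || selected.length == 0) return null;
        JMenuItem item = new JMenuItem("Send pipe-delimited request(s) to Intruder");
        item.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) { sendToIntruder(selected); }
        });
        List<JMenuItem> items = new ArrayList<>();
        items.add(item);
        return items;
    }

    private void sendToIntruder(IHttpRequestResponse[] messages) {
        for (IHttpRequestResponse rr : messages) {
            byte[] request = rr.getRequest();
            if (!isPipeDelimited(request)) continue;
            int bodyStart = helpers.analyzeRequest(request).getBodyOffset();
            List<int[]> offsets = fieldOffsets(request, bodyStart);
            IHttpService svc = rr.getHttpService();
            // The same pairs become Intruder payload positions, so Scanner and Intruder agree on targets
            callbacks.sendToIntruder(svc.getHost(), svc.getPort(),
                    "https".equalsIgnoreCase(svc.getProtocol()), request, offsets);
            rr.setComment("pipe-delimited body, " + offsets.size() + " fields");
        }
    }
}
```

Returning null from getInsertionPoints for requests that do not match is the cheap path; Burp calls the provider for every request it scans, so the content-type check should run before any body parsing.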
Modifying Requests
• Add custom headers
• Add signatures
• CSRF tokens
Modifying Requests
• Implement IHttpListener
  – processHttpMessage()
• Register as an HTTP Listener

```java
callbacks.registerHttpListener(this);
```
Modifying a Request

BurpExtender.processHttpMessage()

```java
@Override
public void processHttpMessage(int toolFlag, boolean messageIsRequest,
        IHttpRequestResponse messageInfo) {
    if (messageIsRequest && callbacks.TOOL_SCANNER == toolFlag) {
        // see if the request contains a CSRF_TOKEN
        byte[] scannerRequest = messageInfo.getRequest();
        String requestString = helpers.bytesToString(scannerRequest);
        Matcher matcher = TOKEN_PATTERN.matcher(requestString);
        if (matcher.find()) {
            String token = getFreshToken();
            if (token != null) {
                // quoteReplacement keeps a '$' or '\' inside the token from being read as a group reference
                requestString = matcher.replaceAll(
                        "name=\"CSRF_TOKEN\" value=\"" + Matcher.quoteReplacement(token));
            }
            messageInfo.setRequest(requestString.getBytes());
        }
    }
}
```

getFreshToken()

```java
private String getFreshToken() {
    byte[] request = helpers.buildHttpRequest(FORM_URL);

    // issue the request and get the response
    byte[] response = callbacks.makeHttpRequest(DOMAIN_NAME, 443, true, request);
    String responseString = helpers.bytesToString(response);

    Matcher matcher = TOKEN_INPUT_PATTERN.matcher(responseString);
    if (matcher.find()) return matcher.group(1);
    return null;
}
```
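The slides above swap the token in with a regular expression over the whole request string. As an added example that is not the talk's code, the listener below does the same job with the Extender helpers: getRequestParameter finds the stale token, updateParameter rewrites it and fixes Content-Length, and the fresh token is fetched with the session cookie of the request being rewritten so it is valid for that session. It also prints any exception as a full stack trace to the extension's error stream, which is the technique the later Debugging slides describe. The parameter name CSRF_TOKEN, the form path /account/form and the hidden-input layout (name before value) are assumptions for the example.

```java
package burp;

import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, IHttpListener {
    // Assumed names: the anti-CSRF body parameter and the page whose hidden input carries a fresh one
    private static final String TOKEN_PARAM = "CSRF_TOKEN";
    private static final String FORM_PATH = "/account/form";
    private static final Pattern TOKEN_INPUT = Pattern.compile(
            "name=\"" + TOKEN_PARAM + "\"\\s+value=\"([^\"]+)\"");

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stderr;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stderr = new PrintWriter(callbacks.getStderr(), true);
        callbacks.setExtensionName("CSRF token refresher (example)");
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
            IHttpRequestResponse messageInfo) {
        // Rewrite only outgoing Scanner/Intruder/Repeater requests. TOOL_EXTENDER is deliberately
        // excluded: the token fetch below goes through makeHttpRequest, and matching it would recurse.
        boolean automated = toolFlag == IBurpExtenderCallbacks.TOOL_SCANNER
                || toolFlag == IBurpExtenderCallbacks.TOOL_INTRUDER
                || toolFlag == IBurpExtenderCallbacks.TOOL_REPEATER;
        if (!messageIsRequest || !automated) return;
        try {
            byte[] request = messageInfo.getRequest();
            IParameter stale = helpers.getRequestParameter(request, TOKEN_PARAM);
            if (stale == null || stale.getType() != IParameter.PARAM_BODY) return;
            String token = fetchFreshToken(messageInfo.getHttpService(), request);
            if (token == null) {
                stderr.println("no fresh " + TOKEN_PARAM + " obtained; request sent unchanged");
                return;
            }
            // updateParameter swaps the value in place and corrects Content-Length;
            // the value is URL-encoded because it lands in a form body
            IParameter fresh = helpers.buildParameter(TOKEN_PARAM, helpers.urlEncode(token), IParameter.PARAM_BODY);
            messageInfo.setRequest(helpers.updateParameter(request, fresh));
        } catch (Exception e) {
            // Debugging: full stack trace to the extension's error stream (Extender > Errors)
            e.printStackTrace(stderr);
        }
    }

    /** GET the form that embeds the token, reusing the Cookie header so the token belongs to the same session. */
    private String fetchFreshToken(IHttpService service, byte[] originalRequest) {
        List<String> headers = new ArrayList<>();
        headers.add("GET " + FORM_PATH + " HTTP/1.1");
        headers.add("Host: " + service.getHost());
        for (String h : helpers.analyzeRequest(originalRequest).getHeaders()) {
            if (h.regionMatches(true, 0, "Cookie:", 0, 7)) headers.add(h);
        }
        IHttpRequestResponse rr = callbacks.makeHttpRequest(service, helpers.buildHttpMessage(headers, null));
        if (rr.getResponse() == null) return null;
        Matcher m = TOKEN_INPUT.matcher(helpers.bytesToString(rr.getResponse()));
        return m.find() ? m.group(1) : null;
    }
}
```

Every rewritten request costs one extra round trip to the form page, which is visible in the target's logs and doubles Scanner traffic; if the application issues one token per session rather than per form, cache the value and refresh it only when a response rejects it.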
Utilities

Debugging
• callbacks.printOutput(String)
• callbacks.printError(String)
Debugging – Stack Traces
• Exception.printStackTrace()
• Get the error OutputStream
• Print a stack trace to the stream
Bringing it all Together
• BApp Store Challenges
• Base Classes
• Passive Scanning
• GUI Building
Using Base Classes
• com.codemagi.burp.BaseExtender
  – com.codemagi.burp.PassiveScan
• com.monikamorrow.burp.BurpSuiteTab
GUI Building
Passive Scanning

```java
@Override
protected void initPassiveScan() {
    // set the extension name
    extensionName = "Software Version Checks";

    // create a component
    rulesTable = new RuleTableComponent(this, callbacks);

    // add component to Burp GUI
    mTab = new BurpSuiteTab(extensionName, callbacks);
    mTab.addComponent(rulesTable);
}
```
Solving BApp Store Challenges
Get the Code
• Burp Suite Utils:
  – https://github.com/augustd/burp-suite-utils
• Burp Suite Extension Examples:
  – https://github.com/monikamorrow/Burp-Suite-Extension-Examples
• Software Version Checks
  – https://github.com/augustd/burp-suite-software-version-checks
• GWT Scan
  – https://github.com/augustd/burp-suite-gwt-scan
Get the Extensions
• Software Version Checks
• GWT Scan
Also See:
• Error Message Checks
• Session Timeout Test
Available in the BApp Store
Thank You!
August Detlefsen
[email protected] @codemagi
Monika Morrow
mmorrow@appsecconsulting.com @fortytwowho