burp plugin development for java n00bs - 44con 2012
DESCRIPTION
Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.
TRANSCRIPT
Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me
• Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though…..
I am a Java n00b
If you already know Java
You’re either: • In the wrong room • About to be really offended!
Agenda
• The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem
• Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support • Burp Extender
The problem
I wrote a plugin
Coding by Google FTW!
How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions” • “extend Burp’s user interface”
http://portswigger.net/burp/extender/
Burp Extender
• Achieves this via 6 interfaces: • IBurpExtender • IBurpExtenderCallbacks • IHttpRequestResponse • IScanIssue • IScanQueueItem • IMenuItemHandler
Java 101
• Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued…
• package hierarchy (and so the location of each class) is defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially a ZIP file of classes/directories
Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)
Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp: • java -jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools
• Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: • Jet Brains IntelliJ (my personal favourite) • NetBeans (never used) • Jcreator (again, never used) • Terminal/vim/javac < MOAR L33T
Download Eclipse Classic
Or install from your USB drive
Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
• 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
Java JDK
• Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project
• File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
Java Settings
• Click on Libraries tab • Add External JARs • Select your burpsuite.jar
• Click Finish
Create a new package
• File > New > Package • Enter burp as the name • Click Finish
Create a new file
• Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
We’re ready to type
Loading external classes
• We need to tell Java about external classes • Ruby has require • PHP has include or require • Perl has require • C has include • Java uses import
Where is Burp?
• We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes • import burp.*;
IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words
public class BurpExtender {
}
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this
package burp;

import burp.*;

public class BurpExtender {
    public void processHttpMessage(String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception {
        System.out.println("Hello World!");
    }
}
Run the program
• Run > Run • First time we do this it’ll ask what to run as • Select Java Application
Select Java Application
• Under Matching items select StartBurp – burp • Click OK
Burp runs
• Check Alerts tab • View registration of BurpExtender class
Console output
• The console window shows output from the application
• Note the “Hello World!”s
Congratulations
What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IBurpExtender.html • “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow (diagram): RepeatAfterMeClient.exe -> Burp Suite (processProxyMessage, processHttpMessage) -> http://wc�ox/RepeaterService.svc
We’ve got to do a few things
• Split the HTTP Headers from the FI (Fast Infoset) body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
• Right-‐click Project > Build Path > Add External Archives
• Select FastInfoset.jar • Note that imports are now yellow
Decoding the FastInfoset to console
First: we get it wrong
• Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on \r\n\r\n
Then we do it right
• FastInfoset is a binary encoding • Don’t try and convert it to a String • Now things work
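The header/body split and the decode/re-encode steps from the list above, written out as an added example (this is not code from the workshop slides). It assumes FastInfoset.jar from the Fast Infoset reference implementation is on the build path, which provides org.jvnet.fastinfoset.FastInfosetSource and FastInfosetResult for use with the JAXP identity transformer; the HTTP request, host name and XML document are constructed sample data. The "wrong" String-based split from the previous slide is kept beside the byte[] version so you can see for yourself whether the body survives.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// From FastInfoset.jar (Fast Infoset reference implementation), added to the build path above.
import org.jvnet.fastinfoset.FastInfosetResult;
import org.jvnet.fastinfoset.FastInfosetSource;

public class FastInfosetCodec {

    private static final byte[] SEPARATOR = "\r\n\r\n".getBytes(StandardCharsets.US_ASCII);

    // Index of the first body byte, or -1 if there is no header/body separator.
    // Works on the raw byte[] Burp hands us, so the binary body never passes through a charset.
    static int bodyOffset(byte[] message) {
        outer:
        for (int i = 0; i + SEPARATOR.length <= message.length; i++) {
            for (int j = 0; j < SEPARATOR.length; j++) {
                if (message[i + j] != SEPARATOR[j]) {
                    continue outer;
                }
            }
            return i + SEPARATOR.length;
        }
        return -1;
    }

    // Header block including the blank line that terminates it.
    static byte[] headers(byte[] message) {
        int off = bodyOffset(message);
        return off < 0 ? message : Arrays.copyOfRange(message, 0, off);
    }

    // Body bytes, untouched.
    static byte[] body(byte[] message) {
        int off = bodyOffset(message);
        return off < 0 ? new byte[0] : Arrays.copyOfRange(message, off, message.length);
    }

    // "First we get it wrong": decode to a String with the platform charset and back.
    // Bytes that are not valid in that charset get replaced, so a Fast Infoset body is usually corrupted.
    static byte[] bodyViaString(byte[] message) {
        String s = new String(message);
        int idx = s.indexOf("\r\n\r\n");
        return idx < 0 ? new byte[0] : s.substring(idx + 4).getBytes();
    }

    // Fast Infoset -> XML text, via the JAXP identity transformer.
    static String decode(byte[] fastInfoset) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new FastInfosetSource(new ByteArrayInputStream(fastInfoset)), new StreamResult(out));
        return out.toString("UTF-8");
    }

    // XML text -> Fast Infoset: the re-encode step before the message goes on to the server.
    static byte[] encode(String xml) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new StreamSource(new StringReader(xml)), new FastInfosetResult(out));
        return out.toByteArray();
    }

    // Append a (possibly edited) body to the headers, correcting Content-Length on the way.
    static byte[] rebuild(byte[] headers, byte[] newBody) {
        String head = new String(headers, StandardCharsets.ISO_8859_1)
                .replaceAll("(?im)^Content-Length:.*\r\n", "Content-Length: " + newBody.length + "\r\n");
        byte[] headBytes = head.getBytes(StandardCharsets.ISO_8859_1);
        byte[] out = Arrays.copyOf(headBytes, headBytes.length + newBody.length);
        System.arraycopy(newBody, 0, out, headBytes.length, newBody.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a small XML document as Fast Infoset, inside a POST to a made-up host.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Order><Id>42</Id><Note>caf\u00e9</Note></Order>";
        byte[] fi = encode(xml);
        byte[] head = ("POST /RepeaterService.svc HTTP/1.1\r\n"
                + "Host: wcf.example\r\n"
                + "Content-Type: application/fastinfoset\r\n"
                + "Content-Length: " + fi.length + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII);
        byte[] message = rebuild(head, fi);

        System.out.println("String round trip kept the body intact: " + Arrays.equals(fi, bodyViaString(message)));
        System.out.println("byte[] split kept the body intact:      " + Arrays.equals(fi, body(message)));

        // Decode, edit, re-encode, re-attach: the middle steps of the slide's list.
        String decoded = decode(body(message));
        System.out.println(decoded);
        byte[] forwarded = rebuild(headers(message), encode(decoded.replace("<Id>42</Id>", "<Id>43</Id>")));
        System.out.println(new String(headers(forwarded), StandardCharsets.US_ASCII));
    }
}
```

Inside a plugin the same helpers apply to messageInfo.getRequest() and, for the reverse direction, messageInfo.getResponse(); the point of bodyOffset is that the boundary search is done on bytes, not on a String, which is exactly what the slide means by "don't try and convert it to a String".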
Decoding FastInfoset through Proxy
We’re nearly there……
Running outside of Eclipse
• Plugin is working nicely, now what? • Export to JAR • Command line to run is:
• java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp (the ; classpath separator is for Windows; use : on Linux/OS X)
Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• SoluJon: chain two Burp instances together
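To see for yourself which hook fires when, and to revisit why the Hello World plugin printed for every tool, here is an added example (not from the workshop slides) of a BurpExtender that numbers each hook invocation and only looks at proxy traffic in processHttpMessage. It targets the legacy Burp 1.4-era Extender API documented at the portswigger.net URL on the earlier slides; the processProxyMessage and registerExtenderCallbacks signatures, the tool name string "proxy", callbacks.issueAlert and the IHttpRequestResponse accessors getRequest/getResponse/getUrl are my recollection of that API, not something the slides show, so check them against the IBurpExtender page before relying on them.

```java
package burp;

import java.util.concurrent.atomic.AtomicInteger;

// Added example: logs the order in which Burp's two message hooks fire (legacy Extender API assumed).
public class BurpExtender {

    private IBurpExtenderCallbacks callbacks;
    private final AtomicInteger seq = new AtomicInteger();

    // Called once when Burp registers the class (assumed from the legacy API); keep the callbacks for later.
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.issueAlert("Hook-order logger loaded");
    }

    // Proxy-only hook (assumed legacy signature). Returning the message unchanged and leaving
    // action[0] alone lets Burp apply its normal interception rules.
    public byte[] processProxyMessage(int messageReference, boolean messageIsRequest,
            String remoteHost, int remotePort, boolean serviceIsHttps, String httpMethod,
            String url, String resourceType, String statusCode, String responseContentType,
            byte[] message, int[] action) {
        log("processProxyMessage", messageIsRequest, url, message == null ? 0 : message.length);
        return message;
    }

    // Fires for every tool (the slide's quote); filtering on toolName is what stops the console spam.
    public void processHttpMessage(String toolName, boolean messageIsRequest,
            IHttpRequestResponse messageInfo) throws Exception {
        if (!"proxy".equals(toolName)) {
            return;
        }
        byte[] raw = messageIsRequest ? messageInfo.getRequest() : messageInfo.getResponse();
        log("processHttpMessage[" + toolName + "]", messageIsRequest,
                String.valueOf(messageInfo.getUrl()), raw == null ? 0 : raw.length);
    }

    // One line per hook call with a running sequence number, so the relative order is visible in the console.
    private void log(String hook, boolean isRequest, String url, int length) {
        System.out.println(seq.incrementAndGet() + " " + hook + " "
                + (isRequest ? "request" : "response") + " " + url + " (" + length + " bytes)");
    }
}
```

Run it the same way as the Hello World plugin, send one request through the proxy, and read the sequence numbers for the request and the response: that is the ordering the limitation slide is talking about.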
Attribution
• All lolcatz courtesy of lolcats.com • No cats were harmed in the making of this workshop
• Though some keyboards were….
Questions
?