Burp Plugin Development for Java n00bs - 44CON 2012
 

Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.

    Presentation Transcript

    • Burp Plugin Development for Java n00bs
        • 44Con 2012
        • www.7elements.co.uk | blog.7elements.co.uk | @7elements
    • /me
        • Marc Wickenden
        • Principal Security Consultant at 7 Elements
        • Love coding (particularly Ruby)
        • @marcwickenden on the Twitterz
        • Most importantly though…..
    • I am a Java n00b
    • If you already know Java
        • You’re either:
            • In the wrong room
            • About to be really offended!
    • Agenda
        • The problem
        • Getting ready
        • Introduction to the Eclipse IDE
        • Burp Extender Hello World!
        • Manipulating runtime data
        • Decoding a custom encoding scheme
        • “Shelling out” to other scripts
        • Limitations of Burp Extender
        • Really cool Burp plugins already out there to fire your imagination
    • Oh…..and there’ll be cats
    • The problem
        • Burp Suite is awesome
        • De facto web app tool
        • Open source alternatives don’t compare IMHO
        • Tools available/cohesion/protocol support
        • Burp Extender
    • The problem
    • I wrote a plugin
        • Coding by Google FTW!
    • How? - Burp Extender
        • “allows third-party developers to extend the functionality of Burp Suite”
        • “Extensions can read and modify Burp’s runtime data and configuration”
        • “initiate key actions”
        • “extend Burp’s user interface”
        • http://portswigger.net/burp/extender/
    • Burp Extender
        • Achieves this via 6 interfaces:
            • IBurpExtender
            • IBurpExtenderCallbacks
            • IHttpRequestResponse
            • IScanIssue
            • IScanQueueItem
            • IMenuItemHandler
    • Java 101
        • Java source is compiled to bytecode (class file)
        • Runs on Java Virtual Machine (JVM)
        • Class-based
        • OO
        • Write once, run anywhere (WORA)
        • Two distributions: JRE and JDK
    • Java 101 continued…
        • Usual OO stuff applies: objects, classes, methods, properties/variables
        • Lines end with ;
    • Java 101 continued…
        • Source files must be named after the public class they contain
        • public keyword denotes method can be called from code in other classes or outside class hierarchy
    • Java 101 continued…
        • class hierarchy defined by directory structure:
        • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
        • JAR file is essentially ZIP file of classes/directories
    • Java 101 continued…
        • void keyword indicates method will not return data to the caller
        • main method called by Java launcher to pass control to the program
        • main must accept array of String objects (args)
    • Java 101 continued…
        • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
        • You’ve seen this already with Burp:
            • java -jar burpsuite_pro_v1.4.12.jar
    • Enough 101
    • Let’s write some codez
    • First we need some tools
        • Eclipse IDE – de facto free dev tool for Java
        • Not necessarily the best or easiest thing to use
        • Alternatives to consider:
            • Jet Brains IntelliJ (my personal favourite)
            • NetBeans (never used)
            • Jcreator (again, never used)
            • Terminal/vim/javac < MOAR L33T
    • Download Eclipse Classic
        • Or install from your USB drive
    • Eclipse 4.2 Classic
        • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
        • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d
        • eclipse-SDK-4.2-win32-x86_64.zip
        • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
        • 68b1eb33596dddaac9ac71473cd1b35f51af8df7
        • eclipse-SDK-4.2-win32.zip
    • Java JDK
        • Used to be bundled with Eclipse
        • Due to licensing (I think) this is no longer the case
        • Grab from Sun Oracle’s website:
        • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
    • Welcome to Eclipse
    • Create a Java Project
        • File > New > Java Project
        • Project Name: Burp Hello World!
        • Leave everything else as default
        • Click Next
    • Java Settings
        • Click on Libraries tab
        • Add External JARs
        • Select your burpsuite.jar
        • Click Finish
    • Create a new package
        • File > New > Package
        • Enter burp as the name
        • Click Finish
    • Create a new file
        • Right-click burp package > New > File
        • Accept the default location of src
        • Enter BurpExtender.java as the filename
        • Click Finish
    • We’re ready to type
    • Loading external classes
        • We need to tell Java about external classes
            • Ruby has require
            • PHP has include or require
            • Perl has require
            • C has include
            • Java uses import
    • Where is Burp?
        • We added external JARs in Eclipse
        • Only helps at compilation
        • Need to tell our code about classes
            • import burp.*;
    • IBurpExtender
        • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
        • “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
    • In other words
        public class BurpExtender { }
        • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
    • Add this
        package burp;
        import burp.*;
        public class BurpExtender {
            // Burp invokes this for every HTTP request and response its tools handle
            public void processHttpMessage(
                    String toolName,
                    boolean messageIsRequest,
                    IHttpRequestResponse messageInfo) throws Exception
            {
                System.out.println("Hello World!");
            }
        }
    • Run the program
        • Run > Run
        • First time we do this it’ll ask what to run as
        • Select Java Application
    • Select Java Application
        • Under Matching items select StartBurp – burp
        • Click OK
    • Burp runs
        • Check Alerts tab
        • View registration of BurpExtender class
    • Console output
        • The console window shows output from the application
        • Note the “Hello World!”s
    • Congratulations
    • What’s happening?
        • Why is it spamming “Hello World!” to the console?
        • We defined processHttpMessage()
        • http://portswigger.net/burp/extender/burp/IBurpExtender.html
            • “This method is invoked whenever any of Burp’s tools makes an HTTP request or receives a response”
    • Burp Suite Flow
    • [Diagram labels: RepeatAfterMeClient.exe, processProxyMessage, processHttpMessage, Burp Suite, http://wcfbox/RepeaterService.svc]
    • We’ve got to do a few things
        • Split the HTTP Headers from FI body
        • Decode FI body
        • Display in Burp
        • Re-encode modified version
        • Append to headers
        • Send to web server
        • Then the same in reverse
    • Right-click Project > Build Path > Add External Archives
        • Select FastInfoset.jar
        • Note that imports are now yellow
    • Decoding the Fastinfoset to console
    • First: we get it wrong
        • Burp returns message body as byte[]
        • Hmm, bytes are hard, let’s convert to String
        • Split on \r\n\r\n
    • Then we do it right
        • Fastinfoset is a binary encoding
        • Don’t try and convert it to a String
        • Now things work
    • Decoding Fastinfoset through Proxy
    • We’re nearly there……
    • Running outside of Eclipse
        • Plugin is working nicely, now what?
        • Export to JAR
        • Command line to run is:
        • java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
    • Limitations
        • We haven’t coded to handle/decode the response
        • Just do the same in reverse
        • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
        • Solution: chain two Burp instances together
    • Attribution
        • All lolcatz courtesy of lolcats.com
        • No cats were harmed in the making of this workshop
        • Though some keyboards were….
    • Questions?