SlideShare a Scribd company logo

Burp plugin development for java n00bs (44 con)

Download as PPTX, PDF
Marc Wickenden
Marc Wickenden

Introduction to using BurpExtender to write plugins for Web application assessment tool Burp Suite. Aimed at testers who have never coded Java before.

TechnologyEducation
1 of 65
Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
I am a Java n00b
If you already know Java You’re either: • In the wrong room • About to be really offended!
Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
The problem
I wrote a plugin Coding by Google FTW!
How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
Download Eclipse Classic Or install from your USB drive
Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
Create a new package • File > New > Package • Enter burp as the name • Click Finish
Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
We’re ready to type
Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
Select Java Application • Under Matching items select StartBurp – burp • Click OK
Burp runs • Check Alerts tab • View registration of BurpExtender class
Console output • The console window shows output from the application • Note the “Hello World!”s
Congratulations
What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
• Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
Decoding the Fastinfoset to console
First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
Decoding Fastinfoset through Proxy
We’re nearly there……
Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements
www.7elements.co.uk | blog.7elements.co.uk | @7elements

Recommended

OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suiteUtkarsh Bhargava
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 

Recommended

OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suiteUtkarsh Bhargava
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backendAPIsecure_ Official
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
Web Worker, Service Worker and Worklets
Web Worker, Service Worker and WorkletsWeb Worker, Service Worker and Worklets
Web Worker, Service Worker and WorkletsKeshav Gupta
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Spring Boot
Spring BootSpring Boot
Spring BootPei-Tang Huang
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in goAndrii Soldatenko
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAugust Detlefsen
 

More Related Content

What's hot

2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backendAPIsecure_ Official
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
Web Worker, Service Worker and Worklets
Web Worker, Service Worker and WorkletsWeb Worker, Service Worker and Worklets
Web Worker, Service Worker and WorkletsKeshav Gupta
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in goAndrii Soldatenko
 

What's hot (20)

2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Web Worker, Service Worker and Worklets
Web Worker, Service Worker and WorkletsWeb Worker, Service Worker and Worklets
Web Worker, Service Worker and Worklets
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
 

Viewers also liked

Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAugust Detlefsen
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonHoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonLuis Goldster
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourCyren, Inc
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)Sqa Enthusiast
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)Esteban Garzon
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringIshan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suiteAmmar WK
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning StrategiesPavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1Anil Kumar M
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its SecurityMindfire Solutions
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSecAnte Gulam
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionAshraf Bashir
 

Viewers also liked (20)

Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSec
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 

Similar to Burp plugin development for java n00bs (44 con)

Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 201244CON
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)p3castro
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Andrei KUCHARAVY
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2Uday Sharma
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Anton Arhipov
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesCharles Nutter
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgSam Bowne
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat OverviewMandi Walls
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with GoSteven Francia
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)goccy
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaattiqrocket
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operatorkamal kotecha
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 

Similar to Burp plugin development for java n00bs (44 con) (20)

Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
Presentation on java
Presentation on javaPresentation on java
Presentation on java
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with Go
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operator
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Java introduction
Java introductionJava introduction
Java introduction
 

Recently uploaded

Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Recently uploaded (20)

Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Burp plugin development for java n00bs (44 con)

  • 1. Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 2. /me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 3. I am a Java n00b
  • 4. If you already know Java You’re either: • In the wrong room • About to be really offended!
  • 5. Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
  • 7.
  • 8. The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
  • 10. I wrote a plugin Coding by Google FTW!
  • 11. How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
  • 12. Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
  • 13. Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
  • 14. Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
  • 15. Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
  • 16. Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
  • 17. Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
  • 18. Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
  • 20.
  • 22. First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
  • 23. Download Eclipse Classic Or install from your USB drive
  • 24. Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
  • 25. Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
  • 27. Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
  • 28.
  • 29. Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
  • 30. Create a new package • File > New > Package • Enter burp as the name • Click Finish
  • 31. Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
  • 32.
  • 34. Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
  • 35. Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
  • 36. IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
  • 37. In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
  • 38. Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
  • 39. Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
  • 40. Select Java Application • Under Matching items select StartBurp – burp • Click OK
  • 41. Burp runs • Check Alerts tab • View registration of BurpExtender class
  • 42. Console output • The console window shows output from the application • Note the “Hello World!”s
  • 44.
  • 45. What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
  • 47. RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
  • 48.
  • 49. We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
  • 50.
  • 51. • Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
  • 53. First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
  • 54.
  • 55. Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
  • 56.
  • 58.
  • 60.
  • 61. Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
  • 62. Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
  • 63. Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
  • 64. Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements

Editor's Notes

  1. In the wrong roomAbout to be really offendedI don’t know much about Java, I don’t know the right terms for things and I don’t know the best style of writing it. But this code will work and that’s my primary objective today.It don’t have to be pretty, it just has to work. That’s the difference between delivering a good test or a bad one imho
  2. So, what are we going to cover?
  3. Can’t do a slide deck without cats
  4. Particularly Professional
  5. Previous app testWCF Service written in C#Not using WCF Binary protocolSOAP with Fastinfoset XML encodingBurp Suite couldn’t read it
  6. IntelliJ Community Edition is availableWe’re going with Eclipse because it works and is free and fully functionalYou can port this learning to anything else
  7. SHA1’s are here if you want to verify them
  8. Package Explorer – like a directory listing of your classes and src filesMain window where we edit filesTask list – I normally close this to be honestOutline view, quite useful, gives a break down of methods, properties of classes you are working onProblems – keep your eye on this bad boy, can be very useful
  9. Notice how it’s already popping up little tips. In this case we’ve declared an import but not used any of the classes.We’ll fix that…
  10. Javadoc is the Java standard for documentation. It is generated automatically from comments in the code.Burp Extender has javadoc available online. We are going to use this a lot.Let’s start…..er, right….
  11. This is our bare bones. Note the import burp.*; isn’t shown
  12. Don’t worry too much about what it all means just at the secondhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Hello%20World!
  13. Congratulations, you’re first Burp plugin
  14. This code is however, as useful as one of these
  15. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Interface%20Flow
  16. Our problem was fastinfoset. Start google coding: find out about it, look for code snippets. Work out the approach.
  17. We’ve imported some fastinfoset classes but Eclipse is telling us it can’t find them. We need to add an external jar.
  18. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder
  19. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Two
  20. That’s great, writing out to the console – but we need to intercept and send onwardsWe need to shuffle stuff around a bit then..https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Three
  21. Walk through adding code to processProxyMessageShow how we can decode in the Burp Proxy window by returning new byte[]Then how it fails because the app receives plain text not FI
  22. Now we add a re-encode method to the processHttpMessage using custom HTTP headerWe can exploit the flow order in Burp.Remember proxyProxyMessage is called *before* processHttpMessage– winhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Four