Burp Plugin Development for Java n00bs - 44CON 2012

Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.

  1. Burp Plugin Development for Java n00bs
     44Con 2012
     www.7elements.co.uk | blog.7elements.co.uk | @7elements
  2. /me
     • Marc Wickenden
     • Principal Security Consultant at 7 Elements
     • Love coding (particularly Ruby)
     • @marcwickenden on the Twitterz
     • Most importantly though…..
  3. I am a Java n00b
  4. If you already know Java
     You’re either:
     • In the wrong room
     • About to be really offended!
  5. Agenda
     • The problem
     • Getting ready
     • Introduction to the Eclipse IDE
     • Burp Extender Hello World!
     • Manipulating runtime data
     • Decoding a custom encoding scheme
     • “Shelling out” to other scripts
     • Limitations of Burp Extender
     • Really cool Burp plugins already out there to fire your imagination
  6. Oh…..and there’ll be cats
  7. The problem
     • Burp Suite is awesome
     • De facto web app tool
     • Open source alternatives don’t compare IMHO
     • Tools available/cohesion/protocol support
     • Burp Extender
  8. The problem
  9. I wrote a plugin
     Coding by Google FTW!
  10. How? - Burp Extender
     • “allows third-party developers to extend the functionality of Burp Suite”
     • “Extensions can read and modify Burp’s runtime data and configuration”
     • “initiate key actions”
     • “extend Burp’s user interface”
     http://portswigger.net/burp/extender/
  11. Burp Extender
     • Achieves this via 6 interfaces:
       • IBurpExtender
       • IBurpExtenderCallbacks
       • IHttpRequestResponse
       • IScanIssue
       • IScanQueueItem
       • IMenuItemHandler
  12. Java 101
     • Java source is compiled to bytecode (class file)
     • Runs on Java Virtual Machine (JVM)
     • Class-based
     • OO
     • Write once, run anywhere (WORA)
     • Two distributions: JRE and JDK
  13. Java 101 continued…
     • Usual OO stuff applies: objects, classes, methods, properties/variables
     • Lines end with ;
  14. Java 101 continued…
     • Source files must be named after the public class they contain
     • public keyword denotes method can be called from code in other classes or outside class hierarchy
  15. Java 101 continued…
     • class hierarchy defined by directory structure:
     • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
     • JAR file is essentially ZIP file of classes/directories
  16. Java 101 continued…
     • void keyword indicates method will not return data to the caller
     • main method called by Java launcher to pass control to the program
     • main must accept array of String objects (args)
  17. Java 101 continued…
     • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
     • You’ve seen this already with Burp:
       • java -jar burpsuite_pro_v1.4.12.jar
  18. Enough 101
  19. Let’s write some codez
  20. First we need some tools
     • Eclipse IDE – de facto free dev tool for Java
     • Not necessarily the best or easiest thing to use
     • Alternatives to consider:
       • Jet Brains IntelliJ (my personal favourite)
       • NetBeans (never used)
       • Jcreator (again, never used)
       • Terminal/vim/javac < MOAR L33T
  21. Download Eclipse Classic
     Or install from your USB drive
  22. Eclipse 4.2 Classic
     • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
     • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d
     • eclipse-SDK-4.2-win32-x86_64.zip
     • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
     • 68b1eb33596dddaac9ac71473cd1b35f51af8df7
     • eclipse-SDK-4.2-win32.zip
  23. Java JDK
     • Used to be bundled with Eclipse
     • Due to licensing (I think) this is no longer the case
     • Grab from Sun Oracle’s website:
     • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
  24. Welcome to Eclipse
  25. Create a Java Project
     • File > New > Java Project
     • Project Name: Burp Hello World!
     • Leave everything else as default
     • Click Next
  26. Java Settings
     • Click on Libraries tab
     • Add External JARs
     • Select your burpsuite.jar
     • Click Finish
  27. Create a new package
     • File > New > Package
     • Enter burp as the name
     • Click Finish
  28. Create a new file
     • Right-click burp package > New > File
     • Accept the default location of src
     • Enter BurpExtender.java as the filename
     • Click Finish
  29. We’re ready to type
  30. Loading external classes
     • We need to tell Java about external classes
       • Ruby has require
       • PHP has include or require
       • Perl has require
       • C has include
       • Java uses import
  31. Where is Burp?
     • We added external JARs in Eclipse
     • Only helps at compilation
     • Need to tell our code about classes
       • import burp.*;
  32. IBurpExtender
     • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
       • “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
  33. In other words
     public class BurpExtender { }
     • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
  34. Add this

     ```java
     package burp;

     import burp.*;

     public class BurpExtender {
         // Burp calls this for every HTTP request and response handled by its tools.
         public void processHttpMessage(
                 String toolName,
                 boolean messageIsRequest,
                 IHttpRequestResponse messageInfo) throws Exception
         {
             System.out.println("Hello World!");
         }
     }
     ```
  35. Run the program
     • Run > Run
     • First time we do this it’ll ask what to run as
     • Select Java Application
  36. Select Java Application
     • Under Matching items select StartBurp – burp
     • Click OK
  37. Burp runs
     • Check Alerts tab
     • View registration of BurpExtender class
  38. Console output
     • The console window shows output from the application
     • Note the “Hello World!”s
  39. Congratulations
  40. What’s happening?
     • Why is it spamming “Hello World!” to the console?
     • We defined processHttpMessage()
     • http://portswigger.net/burp/extender/burp/IBurpExtender.html
       • “This method is invoked whenever any of Burp’s tools makes an HTTP request or receives a response”
  41. Burp Suite Flow
  42. Diagram labels: RepeatAfterMeClient.exe; processProxyMessage; processHttpMessage; Burp Suite; http://wc•ox/RepeaterService.svc
  43. We’ve got to do a few things
     • Split the HTTP Headers from FI body
     • Decode FI body
     • Display in Burp
     • Re-encode modified version
     • Append to headers
     • Send to web server
     • Then the same in reverse
  44. • Right-click Project > Build Path > Add External Archives
     • Select FastInfoset.jar
     • Note that imports are now yellow
  45. Decoding the Fastinfoset to console
  46. First: we get it wrong
     • Burp returns message body as byte[]
     • Hmm, bytes are hard, let’s convert to String
     • Split on \r\n\r\n
  47. Then we do it right
     • Fastinfoset is a binary encoding
     • Don’t try and convert it to a String
     • Now things work
  48. Decoding Fastinfoset through Proxy
  49. We’re nearly there……
  50. Running outside of Eclipse
     • Plugin is working nicely, now what?
     • Export to JAR
     • Command line to run is:
     • java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
  51. Limitations
     • We haven’t coded to handle/decode the response
     • Just do the same in reverse
     • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
     • Solution: chain two Burp instances together
  52. Attribution
     • All lolcatz courtesy of lolcats.com
     • No cats were harmed in the making of this workshop
     • Though some keyboards were….
  53. Questions ?
  54. www.7elements.co.uk | blog.7elements.co.uk | @7elements