
Burp plugin development for java n00bs (44 con)


Introduction to using BurpExtender to write plugins for Web application assessment tool Burp Suite.

Aimed at testers who have never coded Java before.

Published in: Technology, Education

  1. 1. Burp Plugin Development for Java n00bs 44Con | | @7elements
  2. 2. /me
        • Marc Wickenden
        • Principal Security Consultant at 7 Elements
        • Love coding (particularly Ruby)
        • @marcwickenden on the Twitterz
        • Most importantly though…
  3. 3. I am a Java n00b
  4. 4. If you already know Java
        You’re either:
        • In the wrong room
        • About to be really offended!
  5. 5. Agenda
        • The problem
        • Getting ready
        • Introduction to the Eclipse IDE
        • Burp Extender Hello World!
        • Manipulating runtime data
        • Decoding a custom encoding scheme
        • “Shelling out” to other scripts
        • Limitations of Burp Extender
        • Really cool Burp plugins already out there to fire your imagination
  6. 6. Oh…..and there’ll be cats
  7. 7. The problem
        • Burp Suite is awesome
        • De facto web app tool
        • Open source alternatives don’t compare IMHO
        • Tools available/cohesion/protocol support
        • Burp Extender
  8. 8. The problem
  9. 9. I wrote a plugin
        Coding by Google FTW!
  10. 10. How? - Burp Extender
        • “allows third-party developers to extend the functionality of Burp Suite”
        • “Extensions can read and modify Burp’s runtime data and configuration”
        • “initiate key actions”
        • “extend Burp’s user interface”
  11. 11. Burp Extender
        • Achieves this via 6 interfaces:
          – IBurpExtender
          – IBurpExtenderCallbacks
          – IHttpRequestResponse
          – IScanIssue
          – IScanQueueItem
          – IMenuItemHandler
  12. 12. Java 101
        • Java source is compiled to bytecode (class file)
        • Runs on Java Virtual Machine (JVM)
        • Class-based
        • OO
        • Write once, run anywhere (WORA)
        • Two distributions: JRE and JDK
  13. 13. Java 101 continued…
        • Usual OO stuff applies: objects, classes, methods, properties/variables
        • Lines end with ;
  14. 14. Java 101 continued…
        • Source files must be named after the public class they contain
        • public keyword denotes method can be called from code in other classes or outside class hierarchy
  15. 15. Java 101 continued…
        • class hierarchy defined by directory structure:
        • = uk/co/sevenelements/HelloWorld.class
        • JAR file is essentially ZIP file of classes/directories
  16. 16. Java 101 continued…
        • void keyword indicates method will not return data to the caller
        • main method called by Java launcher to pass control to the program
        • main must accept array of String objects (args)
  17. 17. Java 101 continued…
        • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
        • You’ve seen this already with Burp:
          – java -jar burpsuite_pro_v1.4.12.jar
  18. 18. Enough 101
  19. 19. Let’s write some codez
  20. 20. First we need some tools
        • Eclipse IDE – de facto free dev tool for Java
        • Not necessarily the best or easiest thing to use
        • Alternatives to consider:
          – JetBrains IntelliJ (my personal favourite)
          – NetBeans (never used)
          – JCreator (again, never used)
          – Terminal/vim/javac < MOAR L33T
  21. 21. Download Eclipse Classic
        Or install from your USB drive
  22. 22. Eclipse 4.2 Classic
        • ops4/R-4.2-201206081400/
        • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d
        • ops4/R-4.2-201206081400/
        • 68b1eb33596dddaac9ac71473cd1b35f51af8df7
  23. 23. Java JDK
        • Used to be bundled with Eclipse
        • Due to licensing (I think) this is no longer the case
        • Grab from Sun Oracle’s website:
        • x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
  24. 24. Welcome to Eclipse
  25. 25. Create a Java Project
        • File > New > Java Project
        • Project Name: Burp Hello World!
        • Leave everything else as default
        • Click Next
  26. 26. Java Settings
        • Click on Libraries tab
        • Add External JARs
        • Select your burpsuite.jar
        • Click Finish
  27. 27. Create a new package
        • File > New > Package
        • Enter burp as the name
        • Click Finish
  28. 28. Create a new file
        • Right-click burp package > New > File
        • Accept the default location of src
        • Enter as the filename
        • Click Finish
  29. 29. We’re ready to type
  30. 30. Loading external classes
        • We need to tell Java about external classes
          – Ruby has require
          – PHP has include or require
          – Perl has require
          – C has include
          – Java uses import
  31. 31. Where is Burp?
        • We added external JARs in Eclipse
        • Only helps at compilation
        • Need to tell our code about classes
          – import burp.*;
  32. 32. IBurpExtender
        • Available at
          – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
  33. 33. In other words
            public class BurpExtender{}
        • Remember, Java makes you name files after the class so that’s why we named it
  34. 34. Add this
            package burp;

            import burp.*;

            public class BurpExtender
            {
                // Burp calls this for every HTTP request made and response
                // received by any of its tools.
                public void processHttpMessage(
                        String toolName,
                        boolean messageIsRequest,
                        IHttpRequestResponse messageInfo) throws Exception
                {
                    System.out.println("Hello World!");
                }
            }
  35. 35. Run the program
        • Run > Run
        • First time we do this it’ll ask what to run as
        • Select Java Application
  36. 36. Select Java Application
        • Under Matching items select StartBurp – burp
        • Click OK
  37. 37. Burp runs
        • Check Alerts tab
        • View registration of BurpExtender class
  38. 38. Console output
        • The console window shows output from the application
        • Note the “Hello World!”s
  39. 39. Congratulations
  40. 40. What’s happening?
        • Why is it spamming “Hello World!” to the console?
        • We defined processHttpMessage()
        • urpExtender.html
          – “This method is invoked whenever any of Burps tools makes an HTTP request or receives a response”
  41. 41. Burp Suite Flow
  42. 42. [Diagram labels: RepeatAfterMeClient.exe, processProxyMessage, processHttpMessage, Burp Suite, http://wcfbox/RepeaterService.svc]
  43. 43. We’ve got to do a few things
        • Split the HTTP Headers from FI body
        • Decode FI body
        • Display in Burp
        • Re-encode modified version
        • Append to headers
        • Send to web server
        • Then the same in reverse
  44. 44.
        • Right-click Project > Build Path > Add External Archives
        • Select FastInfoset.jar
        • Note that imports are now yellow
  45. 45. Decoding the Fastinfoset to console
  46. 46. First: we get it wrong
        • Burp returns message body as byte[]
        • Hmm, bytes are hard, let’s convert to String
        • Split on \r\n\r\n
  47. 47. Then we do it right
        • Fastinfoset is a binary encoding
        • Don’t try and convert it to a String
        • Now things work
  48. 48. Decoding Fastinfoset through Proxy
  49. 49. We’re nearly there……
  50. 50. Running outside of Eclipse
        • Plugin is working nicely, now what?
        • Export to JAR
        • Command line to run is:
        • java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
  51. 51. Limitations
        • We haven’t coded to handle/decode the response
        • Just do the same in reverse
        • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
        • Solution: chain two Burp instances together
  52. 52. Attribution
        • All lolcatz courtesy of
        • No cats were harmed in the making of this workshop
        • Though some keyboards were….
  53. 53. Questions?
  54. 54. | | @7elements