Successfully reported this slideshow.

Extending burp

0

Share

Upcoming SlideShare
Ruby and Security
Ruby and Security
Loading in …3
×
1 of 16
1 of 16

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Extending burp

  1. 1. • • • •
  2. 2. • • • • • • • • • •
  3. 3. • • • •

Editor's Notes

  • A little about me
    Been to every Derbycon and excited to present to you today
    Started career as a developer, but when switched to security started the Indianapolis OWASP chapter 12 years ago - still run it today
  • How many use it regularly? How many take advantage of extensions? How many have written an extension?
    Graphical tool for testing web application security
    Intercepting proxy that sits between your browser and a web server
    Provides both manual and automatic testing capabilities
    Number of built-in tools (Scanner, Intruder, Spider, Repeater, etc…)
    Paid version and free version
    Focus of this talk – the extensive API for adding functionality via extensions
  • What is an extension?
    Extensions come from multiple places
    First is the Bapp Store (listed above)
    Shows available extensions and what’s installed
    Differentiates ones that require the pro version
    Code for the ones from portswigger are in github
    To get your own in, send an an email to support@portswigger.net to start the process
  • Second is adding your own
    This screen also shows what’s loaded and type
    Also shows the output from extensions (for debugging, info, etc) and errors
  • Once you click add this is what you get
    Shows that an extension can be written in 3 different languages – Java, Python(Jython), and Ruby(Jruby)
  • Shows the extension API page
    Can download/save interface files
    Can save javadoc files

    What can the API do?
    Process and modify HTTP requests/responses
    Access runtime data of Burp
    Interact with built-in tools(repeater, intruder, etc.)
    Add items to the UI (tabs, context menus)
    Persist settings
  • Switch gears and show a snippet of code from my extension
    Must have a class called BurpExtender in a package called Burp (same package as all of the api files)
    It must implement IBurpExtender
    In this example, we also implement IScannerCheck and register that we are a scanner
    registerExtenderCallbacks comes from IBurpExtender
    doPassiveScan, doActiveScan, and consolidateDuplicateResults come from iScannerCheck
    Package up in jar file
  • When extension loaded, registerExtenderCallbacks is called for each extension when it’s loaded
    Analyzes a request/response pair
    No modification
    During analysis, extension chooses what areas to check
    Headers, parameters, cookies, etc.
    String that represents the entire request and response
    Helper methods to more easily access certain parts
    Happens in the background
    Built-in passive check you can specify what you want to scan

    Create findings
    For findings with duplicate titles, consolidates into 1 finding with different locations
  • Just a sample of the start of the doPassiveScan method
    Use the helpers to get the URL
    Get a byte array of the response and get the body offset
  • Receive a base request and an Insertion Point
    Defines type of value (query string param, form param, cookie, header, etc.)
    Can restrict which types of Insertion Points get scanned in the Active Scan settings, but also use this as a further check
    Build a request with your own custom value for the Insertion Point
    Returns a new request with the data and size of request adjusted
    Send the request and receive the response
    Analyze and create finding(s)
  • Snippet from active scanning
    Shows how to change an insertion point
    Send the request and get the response
    After that, analyze the response and report
  • Order is important because findings needed to be added in the order in which location in the response is found
    Findings might lag corresponding activity
  • Demoing a sample extension that I wrote for the presentation and will share
    Implements both passive and active scanning
    It takes a simple website (that I wrote and host on my laptop) and shows how the sample extension can actively and passively scan it

  • Order is important because findings needed to be added in the order in which location in the response is found
    Findings might lag corresponding activity
  • Open up for questions only specific to this topic
    Invite them to contact me via Twitter for questions, etc.
    Slides and example code at Github
  • ×