Extending Burp

Carl Sampson, CSSLP
Carl Sampson is a Senior Product Security Engineer at salesforce.com


Editor's Notes

  1. A little about me: I've been to every DerbyCon and I'm excited to present to you today. I started my career as a developer, but when I switched to security I started the Indianapolis OWASP chapter 12 years ago, and I still run it today.
  2. How many use it regularly? How many take advantage of extensions? How many have written an extension? Burp is a graphical tool for testing web application security: an intercepting proxy that sits between your browser and a web server and provides both manual and automatic testing capabilities. It has a number of built-in tools (Scanner, Intruder, Spider, Repeater, etc.) and comes in a paid version and a free version. The focus of this talk is the extensive API for adding functionality via extensions.
  3. What is an extension? Extensions come from multiple places. The first is the BApp Store (listed above), which shows the available extensions and what is installed, and differentiates the ones that require the Pro version. The code for the ones from PortSwigger is on GitHub. To get your own in, send an email to support@portswigger.net to start the process.
  4. The second is adding your own. This screen also shows what is loaded and its type, and it shows the output from extensions (for debugging, info, etc.) and their errors.
  5. Once you click Add, this is what you get. It shows that an extension can be written in three different languages: Java, Python (Jython) and Ruby (JRuby).
  6. Shows the extension API page. You can download/save the interface files and save the Javadoc files. What can the API do? Process and modify HTTP requests/responses; access Burp's runtime data; interact with the built-in tools (Repeater, Intruder, etc.); add items to the UI (tabs, context menus); persist settings.
  7. Switch gears and show a snippet of code from my extension. You must have a class called BurpExtender in a package called burp (the same package as all of the API files), and it must implement IBurpExtender. In this example we also implement IScannerCheck and register that we are a scanner. registerExtenderCallbacks comes from IBurpExtender; doPassiveScan, doActiveScan and consolidateDuplicateResults come from IScannerCheck. Package it up in a jar file.
  8. registerExtenderCallbacks is called for each extension when it is loaded. The passive check analyzes a request/response pair without modifying it; during analysis the extension chooses what areas to check (headers, parameters, cookies, etc.). It receives a string that represents the entire request and response, with helper methods to more easily access certain parts. Passive scanning happens in the background, and as with the built-in passive check you can specify what you want to scan. The check creates findings; findings with duplicate titles are consolidated into one finding with different locations.
  9. Just a sample of the start of the doPassiveScan method: use the helpers to get the URL, get a byte array of the response, and get the body offset.
  10. The active check receives a base request and an insertion point. The insertion point defines the type of value (query string parameter, form parameter, cookie, header, etc.). You can restrict which types of insertion points get scanned in the Active Scan settings, but you can also use the type as a further check in your code. Build a request with your own custom value for the insertion point; this returns a new request with the data and the size of the request adjusted. Send the request, receive the response, then analyze it and create finding(s).
  11. Snippet from active scanning: shows how to change an insertion point, send the request and get the response. After that, analyze the response and report.
  12. Order is important because findings need to be added in the order in which their location in the response is found. Findings might lag the corresponding activity.
  13. Demo of a sample extension that I wrote for the presentation and will share. It implements both passive and active scanning. It takes a simple website (that I wrote and host on my laptop) and shows how the sample extension can actively and passively scan it.
  15. Open up for questions, only those specific to this topic. Invite them to contact me via Twitter for questions, etc. Slides and example code are on GitHub.
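The scanner-check structure described in notes 7 through 12, as an added example that is not the presenter's code or the sample extension from the demo. It compiles against the legacy burp.* interface files downloaded from the Extender API tab and is packaged as a jar; the marker string, the probe value and the issue text are constructed for illustration.

```java
package burp;
import java.util.Arrays;
import java.util.List;
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IBurpExtenderCallbacks cb;
    private IExtensionHelpers h;
    @Override public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        cb = callbacks;
        h = callbacks.getHelpers();
        cb.registerScannerCheck(this); // from now on Burp routes passive and active scans to this object
    }
    // Passive check: read-only look at traffic Burp has already seen; here the body is searched for a marker.
    @Override public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        byte[] resp = base.getResponse(), pat = h.stringToBytes("X-Debug-Token"); // constructed sample marker
        int at = h.indexOf(resp, pat, false, h.analyzeResponse(resp).getBodyOffset(), resp.length); // body only
        return at == -1 ? null : Arrays.asList(issue(base, at, at + pat.length, "Debug marker in response body"));
    }
    // Active check: Burp supplies one insertion point; build a probe request, send it, inspect the reply.
    @Override public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint ip) {
        byte t = ip.getInsertionPointType(); // narrow further than the Active Scan settings allow
        if (t != IScannerInsertionPoint.INS_PARAM_URL && t != IScannerInsertionPoint.INS_PARAM_BODY) return null;
        byte[] probe = h.stringToBytes("zqxprobe7731"); // constructed inert canary, not an attack string
        IHttpRequestResponse rr = cb.makeHttpRequest(base.getHttpService(), ip.buildRequest(probe));
        byte[] resp = rr.getResponse(); // null if the request failed
        int at = resp == null ? -1 : h.indexOf(resp, probe, false, h.analyzeResponse(resp).getBodyOffset(), resp.length);
        return at == -1 ? null : Arrays.asList(issue(rr, at, at + probe.length, "Parameter value reflected in body"));
    }
    // Same title at the same URL path: keep the existing issue (-1); otherwise report both (0).
    @Override public int consolidateDuplicateResults(IScanIssue existing, IScanIssue fresh) {
        return existing.getIssueName().equals(fresh.getIssueName()) ? -1 : 0;
    }
    // Minimal IScanIssue; applyMarkers highlights the matched bytes in Burp's message viewer.
    private IScanIssue issue(IHttpRequestResponse rr, int from, int to, String name) {
        IHttpRequestResponse[] msgs = { cb.applyMarkers(rr, null, Arrays.asList(new int[] { from, to })) };
        return new IScanIssue() {
            public java.net.URL getUrl() { return h.analyzeRequest(rr).getUrl(); }
            public String getIssueName() { return name; }
            public int getIssueType() { return 0x08000000; } // Burp's "extension generated issue" type
            public String getSeverity() { return "Information"; }
            public String getConfidence() { return "Firm"; }
            public String getIssueDetail() { return name + " at response offset " + from; }
            public String getIssueBackground() { return null; }
            public String getRemediationBackground() { return null; }
            public String getRemediationDetail() { return null; }
            public IHttpRequestResponse[] getHttpMessages() { return msgs; }
            public IHttpService getHttpService() { return rr.getHttpService(); }
        };
    }
}
```

Returning null from either scan method tells Burp there is nothing to report for that pass, so the two checks can be enabled or stubbed out independently.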