Getting the Most out of Burp Extensions. How to build a Burp extension, techniques for passive and active scanners, defining insertion points, modifying requests, and building GUI tools. This talk presents code libraries to make it easy for testers to rapidly customize Burp Suite.
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Παιχνίδι γνωριμίας
Καθένας μαθητής ρίχνει το ζάρι και ανάλογα με τον αριθμό μου έριξε, διαλέγει να απαντήσει μία από τις τρεις ερωτήσεις που αντιστοιχούν στον αριθμό. Ανάλογα με τον αριθμό των μαθητών ή το χρόνο που διαθέτουμε, ο κάθε μαθητής θα ρίξει 2, 3 ή και περισσότερες φορές το ζάρι.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Παιχνίδι γνωριμίας
Καθένας μαθητής ρίχνει το ζάρι και ανάλογα με τον αριθμό μου έριξε, διαλέγει να απαντήσει μία από τις τρεις ερωτήσεις που αντιστοιχούν στον αριθμό. Ανάλογα με τον αριθμό των μαθητών ή το χρόνο που διαθέτουμε, ο κάθε μαθητής θα ρίξει 2, 3 ή και περισσότερες φορές το ζάρι.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration tests, while utilizing BurpSuite's features and tools (Free and Pro Version). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
BSides Lisbon 2013 - All your sites belong to BurpTiago Mendo
This talk is going to be all about Burp. I will explain why is such a great tool and how it compares with similar ones.
Its going to have a quick walkthrough of its main features, but the juicy part is going to be about how to fully explore its main tools, such as the scanner, intruder and sequencer, to increase the number and type of vulnerabilities found.
In addition, I will provide an overview of the Burp Extender Interface and how to easily and quickly take advantage of extensions to increase its awesomeness. I will show how easy is for an pentester to translate an idea to a extension and (I hope) publicly release one plugin to further help pentesters.
The talks objective is to increase your efficiency while using Burp, either by taking advantage of its excellent tools or by adding that feature that really need.
Presented at BSides Lisbon at 04/10/13 (http://bsideslisbon.org)
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Writing vuln reports that maximize payouts - Nullcon 2016bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at Black Hat Euroe conference in Amsterdam on April 16, 2009.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate into details common and uncommon problems and respective solutions with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
Sanoop Thomas & Samandeep Singh
Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases.
The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
Monitoring tools record the result of what happened to your web application when a problem arises, but for some classes of problems, monitoring systems are only a starting point. Sometimes it is necessary to take more intrusive steps to plan for the unexpected by embedding mechanisms that will allow you to interact with a live deployed web application and extract even more detailed information.
Presentation to the MIT IAP HTML5 Game Development Class on Debugging and Optimizing Javascript, Local storage, Offline Storage and Server side Javascript with Node.js
Alfresco’s highly customizable repository can often seem overwhelming. Learn approaches for adding common customizations requests (Extending Javascript API, Content Modeling, Permission Modeling, packaging, etc.) from current and former Alfresco consulting staff. Learn where we often see the most common errors and participate in open Q&A.
Whether you are building a mobile app or a web app, Apache Usergrid (incubating) can provide you with a complete backend that supports authentication, persistence and social features like activities and followers all via a comprehensive REST API — and backed by Cassandra, giving you linear scalability. This session will tell you what you need to know to be a Usergrid contributor, starting with the basics of building and running Usergrid from source code. You’ll learn how to find your way around the Usergrid code base, how the code for the Stack, Portal and SDKs and how to use the test infrastructure to test your changes to Usergrid. You’ll learn the Usergrid contributor workflow, how the project uses JIRA and Github to manage change and how to contribute your changes to the project. The session will also cover the Usergrid roadmap and what the community is currently working on.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
5. Burp Suite
• What is Burp?
• What are extensions?
– What can I do with them? (use cases)
6. What Can I Do With Extensions?
• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder
• Create new payload types
• Automate Authentication
• Much, Much More
7. BApp Store
• What is it?
• How do I use it?
• A look at some useful extensions
– Logger++
– WSDL Wizard
32. Starting with a Template
• Find a starter project
• Some example projects at
https://portswigger.net/burp/extender/
• Today we’ll start with my NetbeansGUI project
found at https://github.com/monikamorrow/
Burp-Suite-Extension-Examples
– Which depends on https://github.com/augustd/burp-
suite-utils
33. Starting with a Template
• Clone Burp-Suite-Extension-Examples and
burp-suite-utils into your working directory
• Open the Burp-Suite-Extension-Examples
NetBeans project and expand folders and
resolve issues along the way
• Compile the project to resolve remaining
issues
54. How to Add?
mTab = new BurpSuiteTab
(mPluginName, mCallbacks);
mTab.add(toolsScope);
mTab.add(urlScope);
mTab.add(myJPanel);
mCallbacks.customizeUiComponent(mTab);
mCallbacks.addSuiteTab(mTab);
55. How to Get Settings?
urlScope.processAllRequests();
toolsScope.isToolSelected(toolFlag);
56. Passive Scanning
• Search responses for problematic values
• Built-in passive scans
– Credit card numbers
– Known passwords
– Missing headers
Building a Passive Scanner
57. Passive Scanning – Room for Improvement
• Error Messages
• Software Version Numbers
Building a Passive Scanner
58. Implement the IScannerCheck interface
public class PassiveScan implements IScannerCheck {
@Override
public List<IScanIssue> doPassiveScan(
IHttpRequestResponse baseRequestResponse) { … }
@Override
public List<IScanIssue> doActiveScan(
IHttpRequestResponse baseRequestResponse,
IScannerInsertionPoint insertionPoint) { … }
@Override
public int consolidateDuplicateIssues(
IScanIssue existingIssue, IScanIssue newIssue) { … }
Building a Passive Scanner
59. Register the extension as a custom scanner
@Override
protected void initialize() {
callbacks.registerScannerCheck(this);
}
Building a Passive Scanner
60. IScannerCheck.doPassiveScan()
for (MatchRule rule : rules) {
Matcher matcher =
rule.getPattern().matcher(response);
while (matcher.find()) {
matches.add(
new ScannerMatch(
matcher.start(), matcher.end(), group, rule));
Building a Passive Scanner
64. Extending from PassiveScan
@Override
protected void initPassiveScan() {
//set the extension Name
extensionName = "Error Message Checks";
//create match rules
addMatchRule(
new MatchRule(PHP_ON_LINE, 0, "PHP"));
addMatchRule(
new MatchRule(PHP_HTML_ON_LINE, 0, "PHP"));
…
Building a Passive Scanner
65. Extending from PassiveScan
@Override
protected ScanIssue getScanIssue(
IHttpRequestResponse baseRequestResponse,
List<ScannerMatch> matches, List<int[]> startStop) {
return new ScanIssue(
baseRequestResponse,
helpers,
callbacks,
startStop,
getIssueName(),
getIssueDetail(matches),
ScanIssueSeverity.MEDIUM.getName(),
ScanIssueConfidence.FIRM.getName());
Building a Passive Scanner
66. Active Scanning
• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
– XSS
– SQL Injection
– Path Traversal
– etc
Building an Active Scanner
67. IScannerCheck.doActiveScan()
@Override
public List<IScanIssue> doActiveScan(
IHttpRequestResponse baseRequestResponse,
IScannerInsertionPoint insertionPoint) {
for (MatchRule rule : rules) {
// compile a request containing our
// injection test in the insertion point
byte[] testBytes = rule.getTest();
byte[] checkRequest =
insertionPoint.buildRequest(testBytes);
Building an Active Scanner
68. IScannerCheck.doActiveScan()
// issue the request
IHttpRequestResponse checkRequestResponse =
callbacks.makeHttpRequest(
httpService, checkRequest);
//get the response
String response = helpers.bytesToString(
checkRequestResponse.getResponse());
Building an Active Scanner
69. IScannerCheck.doActiveScan()
// get the offsets of the payload
// within the request, for in-UI highlighting
List<int[]> requestHighlights =
new ArrayList<int[]>(1);
requestHighlights.add(
insertionPoint.getPayloadOffsets(testBytes));
Building an Active Scanner
70. Extending from ActiveScan
@Override
protected void initActiveScan() {
//set the extension Name
extensionName = "Server Side Javascript Injection checks";
//create match rules
addMatchRule(
new MatchRule("response.end('success')", SUCCESS, 0, "response.end"));
addMatchRule(
new MatchRule("1995';return(true);var%20foo='bar", TRUE, 0, "string"));
Building an Active Scanner
71. Insertion Points
• Locations of parameters in request
• Contain data the server will act upon
Building an Active Scanner
78. Viewing Insertion Points
• Add menu option to send request to Intruder
• Implement IContextMenuFactory
– createMenuItems()
• Register as a menu factory
callbacks.registerContextMenuFactory(this);
Defining Insertion Points
80. BurpExtender.createMenuItems()
//create clickable menu item
JMenuItem item = new JMenuItem(
"Send GWT request(s) to Intruder");
item.addActionListener(new MenuItemListener(ihrrs));
//return a Collection of menu items
List<JMenuItem> menuItems =
new ArrayList<JMenuItem>();
menuItems.add(item);
return menuItems;
Defining Insertion Points
81. MenuItemListener
class MenuItemListener implements ActionListener {
private IHttpRequestResponse[] ihrrs;
public MenuItemListener(
IHttpRequestResponse[] ihrrs) {
this.ihrrs = ihrrs;
}
public void actionPerformed(ActionEvent ae) {
sendGWTToIntruder(ihrrs);
}
}
Defining Insertion Points
82. BurpExtender.sendGWTToIntruder()
public void sendGWTToIntruder(IHttpRequestResponse[] ihrrs) {
for (IHttpRequestResponse baseRR : ihrrs) {
IHttpService service = baseRR.getHttpService();
// parse the request (not shown)
if (isGWTRequest) {
// Send GWT request to Intruder
callbacks.sendToIntruder(
service.getHost(), service.getPort(),
service.getProtocol().equals("https"),
request, insertionPointOffsets);
Defining Insertion Points
100. Passive Scanning
@Override
protected void initPassiveScan() {
//set the extension Name
extensionName = "Software Version Checks";
//create a component
rulesTable = new RuleTableComponent(this,
callbacks);
//add component to Burp GUI
mTab = new BurpSuiteTab(extensionName,
callbacks);
mTab.addComponent(rulesTable);
}
Bringing it all Together
Burp Suite is the leading web application vulnerability testing tool. It is available from http://portswigger.net for $299/year –a fraction of the cost of some other commercially available web application testing tools.
Burp supports a plugin architecture which allows additional functionality to be developed and integrated with the tool. Anyone can download it and start adding new features to the tool.
I’ve spoken to some of you who are using plugins to do some truly incredible stuff like turning Burp into a full automated testing suite.
In the short time we have here today we won’t be able to get into cool stuff like that, but I want to give you the basic tools to get started writing your own extensions.
A subtab of the Extender tab of Burp the BApp Store consists of 66 Burp Extensions that can be installed from within Burp. Many can be installed with one click although extensions that aren’t built natively in Java require a small amount of configuration first.
A subtab of the Extender tab of Burp the BApp Store consists of 66 Burp Extensions that can be installed from within Burp. Many can be installed with one click although extensions that aren’t built natively in Java require a small amount of configuration first.
Installable with just one click Logger++ is one of the most broadly applicable extensions within the BApp Store.
Once an extension has been installed from the BApp Store it will show up on the Extensions subtab. Further details, an output console, and error console are available here in addition to an interface to toggle the extension on/off without uninstalling it.
Logger++ adds a Main tab to the Burp interface. It has an options tab here to configure which tools should be logged in addition to extension specific settings.
We'll talk about adding tabs to the Burp interface a little bit later
The View Logs tab of the Logger++ tab shows requests similar to the proxy tab but all requests are logged. Here you can see the tool selected can be seen in the Tool column.
Selecting an item in the Log View allows viewing of the request/response consistent with other locations in Burp.
Jython and Ruby extensions require extra configuration before being installed. Once Jython is downloaded and configured within Burp the Install button will be activated.
Java libraries locations, Jython and Ruby configurations are controlled here.
After locating the jython.jar file restart Burp.
Now Burp treats Jython extensions the same as native Java extensions and WSDL Wizard can be one click installed.
The WSDL Wizard now indicates it is installed on the BApp Store page.
Both the Logger++ and WSDL Wizard extension are installed and active. Their active state can be toggled from the Burp Extensions tab without reinstallation or reloading of Burp.
The WSDL Wizard adds a context menu in the Site map that scans for WSDL files. To use it right click on a target of interest in the Site map to access and select the custom context menu, “Scan for WSDL Files”.
The results of the scan are viewable in the WSDL Wizard output window.
Even though the BApp Store is great it is still only a small slice of what plugins CAN be used for. This is where the extensions that are fit for wide release are located.
Proprietary and one off: CSRF token changed on every request. One off extension parsed made request to obtain a new token and added the updated token to each automated request made by Burp.
Proprietary: Custom signature required for requests to be accepted by the application.
So we’ve seen how to load an extension from the BApp store. Now lets take a look at how to load a custom extension built from source.
On the Extensions subtab of the Extender tab click the “Add” button to load a custom extension by selecting its .jar, .py, or .rb file.
Select the extension type from the drop down and use the file selector to find the jar for your custom extension.
When using a NetBeans project the .jar file is located in the “dist” folder within the “BurpExtender” folder.
Change the location of the Standard Output and Standard Error if desired and press “Next” to load the extension.
If the extension is loaded successfully the Loaded checkbox will be checked and there will most likely be some text in the Output tab and no text in the Error tab.
You DO NOT need Burp Suite Pro in order to use extensions. But some features won't work unless you have pro
Java 1.6.x is the minimum requirement to run Burp, but much newer versions are available.
I like NetBeans for its ease of use, but you can use any IDE, or even a simple text editor
You can also write Burp extensions in Python using Jython, OR Ruby using Jruby, but Java is the native language of Burp Suite (and me) so that will be the focus of this talk today.
It’s helpful to name MYPROJECT with a useful name so as you mouse over your BurpExtender projects you can find the one you want
In order for Burp Suite to load your extension, all of the Java class files must be contained in a single jar file. Since we are depending on classes from other libraries, we have to update the build scripts provided by NetBeans to build a fat jar.
You should now have a functional starter project!
Passive Scanning
Passive scanning allows you to monitor responses for certain values and flag them as issues in the Burp Scanner tab.
Burp includes built in passive scanning for things like credit card numbers, previously used passwords, missing headers like X-Frame-Options, etc.
Error messages can reveal valuable details about the inner workings of an application
Software version numbers can inform you as to the overall health of an organization’s operations: When they are patched, how up to date, etc.
These things are often only revealed in error pages - things that might be responses to Scanner or Intruder requests, but not necessarily seen by a tester.
Burp has no facility to detect them on its own. Enter the Plugins!
To build a passive scanner you must implement the IScannerCheck interface and register it as a scanner check with the Extender Callbacks.
IScannerCheck requires you to implement 3 methods:
doPassiveScan will perform the meat of your scanning.
doActiveScan we are not really concerned with because this is not an active scanner. This method can simply return null.
consolidateDuplicateIssues is used to ensure that the same issue is not reported multiple times
Registering the extension as a scanner check is a simple method call to the callbacks object and can be done when the extension initializes.
Then we iterate over a list of regular expressions (contained in the MatchRule objects) attempting to match them to the response body.
When we find a match, we save it in a ScannerMatch object (just a simple Java bean defined as an inner class) which we will add to Burp’s Scanner results.
Once we have found matches of our regex, we want to add them to the Burp Scanner interface.
1. First, we need to sort the matches. This is important because in order for code highlighting to work, Burp wants all matches to be in order.
Next we create a list of ints which are the offsets, the start and stop points, within the response. These are used by Burp to do the code highlighting
Finally return a CustomScanIssue (an POJO object that extends IScanIssue) to be added to the Scanner results tab.
The ScanIssue contains all the information that will be displayed in Burp Scanner’s Advisory tab
consolidateDuplicateIssues is called by Burp to ensure that the same issue only shows up once on Burp’s Scanner list.
It essentially works like any other Java Comparable:
Return -1 to keep the old issue and discard the new one
Return 0 to report both issues
Return 1 to report the new issue and discard the old one
If that all seems overly complicated, you are not alone. Based on feedback from last year’s presentation I’ve released a set of utilities that attempt to abstract this and make it much easier to get started. These are on my GitHub, the URLs will be at the end of the presentation.
All you need to do now is extend from the abstract class com.codemagi.burp.PassiveScan and implement two methods. In initPassiveScan set the extension name and add match rules.
In getScanIssue you add your custom code to return scan issues when a match is found.
That’s it! All of the mechanics of scanning are handled for you by extending from PassiveScan
This brings us to our next topic, Active Scanning.
Active scanning is excellent for finding injection type vulnerabilities, like SQL injection, XSS and others. Active scanning is more complicated because it requires you to issue requests and look for success in the responses.
Here we will be building an example active scanner to test for server-side code execution a JavaScript-based website, for example using node.js.
doActiveScan is called for each insertion point of each request that the Burp Scanner makes. Here we iterate through our injection tests, and for each:
Compile a test request, into the checkRequest variable, a byte array
2. Now you can issue the test request to the server, and get the response.
You get the httpService object from the IHttpRequestResponse
Now it is just a matter of applying a regex to the response to look for indications that your attack worked. If any matches are found, report the issue.
If any matches are found, report the issue. This is basically the same process as a passive scan, with one exception.
Since the active scanner issued an altered request you want to highlight the data you changed in the request, as well as the matches in the response.
getPayloadOffsets returns a two position array of ints that indicate the start and stop points of the area to be highlighted in the request.
I’ve also created a base class to simplify building active scans. All you need to do now is extend from the abstract class com.codemagi.burp.ActiveScan and implement two methods. In initActiveScan set the extension name and add match rules.
The only major difference here is that our MatchRule needs to include not only the regular expression to match, but also the attack string that will be added to each insertion point in the request. The attack strings are highlighted here in orange.
Insertion Points define the locations within a request that contain data that the server will act upon.
Insertion points are used by the Active Scanner or Burp Intruder to target attack payloads.
You can see the insertion points that Burp identifies by right-clicking a request and selecting Send to Intruder.
Burp does a pretty good job defining insertion points on its own for regular HTTP requests.
But what if your request looks like this? This is a Google Web Toolkit request, and Burp’s built-in request parser doesn’t do such a good job.
Somewhere inside that huge block of condensed text, we know that there is data that the server is going to act upon. Sure, in Intruder we can actively select each one, but that is time consuming and… boring.
So how can we teach Burp to automatically know where they are?
To have your extension define insertion points, you must implement IScannerInsertionPointProvider. This consists of one method: getInsertionPoints()
You also need to register as an insertion point provider. This can be done in the registerExtenderCallbacks method when your extension initializes.
Implementing getInsertionPoints is easy. The method is passed the HTTP request. We parse that request to determine the offsets of the insertion points we want to use. In this case, I did some research and found existing parsers, but they all missed something, so I wound up writing my own. How it works is unimportant, just know that it returns a set of offsets: The start/stop index of the insertion point within the raw request.
Once we know the offsets, we create a List of IScannerInsertionPoint objects using the helpers object we got form the callbacks.
Here, insertionPointOffsets is the list of int arrays returned by the parser.
Once we know the offsets, we return a List of IScannerInsertionPoint objects using the helpers object we got form the callbacks.
getInsertionPoints() is called automatically when you send an item to the active scanner. If you send a request to the scanner, you can see that it now has 5 insertion points, rather than the 2 that Burp originally identified.
If you want to see the actual insertion points that your extension defines you have to send the request to Intruder. Burp’s own Send to Intruder option will use the built-in insertion points, so you need to add your own option to the right-click menu.
To do that you will need to implement the IContextMenuFactory interface and add the createMenuItems() method.
You also need to register as a context menu factory. This can be done in the registerExtenderCallbacks method when your extension initializes.
The createMenuItems() method is passed an Invocation object by Burp. This object contains the request or requests that were selected when the mouse was right clicked.
We want to create a new standard Swing JMenuItem and attach an ActionListener that will fire when the menu item is clicked.
This method actually wants you to return a Collection of menu items. That way your extension can define more than one menu item.
We create an ActionListener that responds to the Java Swing events that are generated when the user clicks on the menu item.
In this case, I just send the selected items to Intruder.
The method called by the MenuItemListener parses each request in turn to see if it can locate GWT insertion points.
If insertion points are found, that indicates that the request is a GWT request. Then it invokes the sendToIntruder method of the callbacks object, passing the request with the new insertion points to Intruder.
Additionally, we call setComment on the requestResponse object to add the GWT service method to the comments that appear in the Burp proxy list.
baseRR.getComment() returns the original comment for this item so we do not overwrite any comment that the tester may have already added.
Now you can right-click on a request in any of Burp’s Tools and there will be a new option in the context menu to send a GWT request to Intruder.
In Intruder you can now see the 5 new insertion points that our extension defined.
Some web services require you to send a custom header or signature with your requests.
I had to test a site that used a constantly rotating anti-CSRF token to each request. Each time a form was submitted, the application would create a new anti-CSRF token. Any attempt to scan this app would fail after the first scanner request was submitted. I needed a way to fetch a valid CSRF token and update the parameters used by the scanner for every single request.
To do that you will need to do request modification.
To setup your extension to modify requests you need to implement IHttpListener. This has one method: processHttpMessage()
You also need to register the class as HTTP listener. Again, this is done in registerExtenderCallbacks
The processHttpMessage method is called by Burp for each HTTP request before it is sent to the server, and for each response, before it is returned to the browser.
The fist thing we need to do then is determine if this is a request or response. Fortunately Burp passes the messageIsRequest boolean to this method to tell you.
Next we need to determine whether this is a request for the scanner. Remember, Burp processes this extension’s method for every request. To do that, we check whether the toolFlag parameter matches the value for the scanner tool defined in the callbacks.
If both of those things are true, we next check to see whether the request we are scanning includes a CSRF token.
First we convert the request from a byte array to a string, then use regex to look for a match of the CSRF token.
If the request contains a CSRF token then we need to hit the form page, parse out the token from a hidden field, and place the token into the request.
To issue the request, use the helpers class to build a request as an array of bytes.
Use callbacks.makeHttpRequest to issue the request to the server and get the response as bytes.
There is a bytesToString() helper method to convert the response bytes to a string.
Then it is simply a matter of using a regex pattern to find and return the CSRF token
If both of those things are true, we next check to see whether the request we are scanning includes a CSRF token.
First we convert the request from a byte array to a string, then use regex to look for a match of the CSRF token.
Then finally we set the modified request string into the messageInfo object that Burp passed in to processHttpMessage() so that Burp can send the modified scanner request to the server.
The Burp Extender API now offers methods to print Strings to the Extension’s output and error logs. This was actually a suggestion I submitted on the Burp Suite Forums.
If you want to see stack traces you can use e.printStackTrace() and the stack trace will show up in the terminal where you launched Burp.
Calling printOutput causes the message to be written to the Output tab on the Extensions panel, directly within the Burp GUI
You can still also select to output to the terminal where you launched Burp, or save it to a file, which could be useful if you want to do further analysis.
You can call printStackTrace and write a stack trace to the terminal where you opened Burp.
To show a stack trace in Burp’s own interface, you need to get the actual OutputStream from the callbacks.
Then, create a method to print an exception stack trace directly to that OutputStream.
Now stack traces will show up directly within the Burp GUI
Today we talked about using Base Classes, Passive Scanning, and GUI Building. Now let's use these techniques to solve one of the big challenges with the BApp Store: getting your updates published. With the Software Version Checks extension, I am constantly finding new patterns that need to be added to the scanner, but writing new code and asking for a new deployment each time is unreliable.
Starting with the BaseExtender class in burp-suite-util I got access to all of the callbacks and helper methods in the Burp internals. PassiveScan extends from BaseExtender. It takes care of all the details of running a scan. To the PassiveScan I added a BurpSuiteTab that does everything needed to create a new tab in the Burp Suite UI.
Using NetBeans Gui builder I created a table component, which let's you enter a URL to load your match rules from.
Now with this much code I can extend PassiveScan to create a new passive scanner.
Now, when my extension loads, I can click a button to load the set of match rules from a tab delimited file on GitHub. This solves the challenge of deploying updates to the BApp store: There is no longer a need to deploy new code to add a new match rule, I just need to update a file! You can load your own match rules as well by creating your own tab delimited files.
Now that this is in GitHub I look forward to all of your pull requests to add new match rules!