Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Android Application Penetration Testing - Mohammed Adam
Android penetration testing is the process of testing for and finding security issues in an Android application. It involves decompiling, analysing in real time and testing an Android application from a security point of view. These slides cover real-time testing of Android applications and security issues such as insecure logging, leaking content providers, insecure data storage and access control issues.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks, BurpSuite. During this presentation we will cover the process of how to conduct successful web penetration tests while utilizing BurpSuite's features and tools (Free and Pro versions). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) - Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
Burp Suite is a Java based software platform of tools for performing security testing of web applications. The suite of products can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.
General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
Customizing Burp Suite - Getting the Most out of Burp Extensions - August Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
Getting the Most out of Burp Extensions. How to build a Burp extension, techniques for passive and active scanners, defining insertion points, modifying requests, and building GUI tools. This talk presents code libraries to make it easy for testers to rapidly customize Burp Suite.
Instant Payment Notification (IPN) is a messaging service that notifies users of events related to PayPal transactions. One can use IPN messages to automate back-office and administrative functions, such as fulfilling orders, tracking customers, and providing status and other transaction-related information.
How to Launch a Web Security Service in an Hour - Cyren, Inc
Want to find out how to launch your very own web security service in less than an hour? We take a deep dive into the fastest growing security market, explore the limitations of existing solutions, and demonstrate how to take your Web security “to the cloud” today.
Psycho-Strategies for Social Engineering - Ishan Girdhar
We have various resources for learning social engineering like social-engineer.org, the art of deception by kevin mitnick, the art of social engineering by Christopher Hadgney etc. but then why this same old TALK? The purpose of this talk is to take you one step forward, by teaching you how exactly it could be done. I mean, how can you possibly hack computers without having the basic understanding of how operating system works, how computer protocols works? You need to know what you’re dealing with and then you go ahead and look for the security issues and vulnerabilities in them. Similar scenario is with social engineering, You need to know what you are dealing with. HUMANS. Right!. what do you know about humans other than but being one. How do they operate, how do they make decision, what all factors affects their response etc. Without understanding how humans work? Your knowledge of social engineering and toolkits will not suffice. This talk will unleash the psychological strategies to execute the structure of social engineering.
This will be a brief discussion on pen testing web services in 2012. Although OWASP has testing guides which describe various methods and tools for performing black box and white box security testing on web services, they’re all outdated. The key points of the presentation will revolve around how to pen test web services: the pre-requisites, methodology, tools used, etc.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
A story of how we went about packaging perl and all of the dependencies that our project has.
Where we were before, the chosen path, and the end result.
The pitfalls and a view on the pros and cons of the previous state of affairs versus the pros/cons of the end result.
A short introduction to more advanced Python and programming in general. Intended for users who have already learned basic coding skills but want a rapid tour of the more in-depth capabilities offered by Python and some general programming background.
Exercises are available at: https://github.com/chiffa/Intermediate_Python_programming
Steelcon 2014 - Process Injection with Python - infodox
These are the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using Python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi... - Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
This presentation was given as a Workshop at OSCON 2014.
New to Go? This tutorial will give developers an introduction and practical
experience in building applications with the Go language. Gopher Steve Francia,
Author of [Hugo](http://hugo.spf13.com),
[Cobra](http://github.com/spf13/cobra), and many other popular Go packages
breaks it down step by step as you build your own full featured Go application.
Starting with an introduction to the Go language. He then reviews the fantastic
go tools available. With our environment ready we will learn by doing. The
remainder of the time will be dedicated to building a working go web and cli
application. Through our application development experience we will introduce
key features, libraries and best practices of using Go.
This tutorial is designed with developers in mind. Prior experience with any of the
following languages: ruby, perl, java, c#, javascript, php, node.js, or python
is preferred. We will be using the MongoDB database as a backend for our
application.
We will be using/learning a variety of libraries including:
* bytes and strings
* templates
* net/http
* io, fmt, errors
* cobra
* mgo
* Gin
* Go.Rice
* Cobra
* Viper
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl - ... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Burp plugin development for java n00bs (44 con)
1. Burp Plugin Development for
Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
2. /me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
4. If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
5. Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination
8. The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
11. How? - Burp Extender
• “allows third-party developers to extend the
functionality of Burp Suite”
• “Extensions can read and modify Burp’s
runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
13. Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
14. Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
15. Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes a method (or class) can be called from code in other classes or outside the class hierarchy
16. Java 101 continued…
• package hierarchy is defined by the directory structure:
• uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially a ZIP file of classes/directories
17. Java 101 continued…
• void keyword indicates the method will not return data to the caller
• main method is called by the Java launcher to pass control to the program
• main must accept an array of String objects (args)
18. Java 101 continued…
• Java loads the class (specified on the CLI or in the JAR’s META-INF/MANIFEST.MF) and starts its public static void main method
• You’ve seen this already with Burp:
– java -jar burpsuite_pro_v1.4.12.jar
22. First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
– JetBrains IntelliJ (my personal favourite)
– NetBeans (never used)
– Jcreator (again, never used)
– Terminal/vim/javac < MOAR L33T
25. Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
• http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
27. Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
29. Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
30. Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
31. Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
34. Loading external classes
• We need to tell Java about external classes
– Ruby has require
– PHP has include or require
– Perl has require
– C has include
– Java uses import
35. Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
– import burp.*;
36. IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
37. In other words
public class BurpExtender
{
}
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
38. Add this
package burp;
import burp.*;
public class BurpExtender
{
    // Burp calls this for every HTTP request or response any of its tools sends or receives (see slide 45)
    public void processHttpMessage(
        String toolName,
        boolean messageIsRequest,
        IHttpRequestResponse messageInfo) throws Exception
    {
        System.out.println("Hello World!");
    }
}
39. Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
45. What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
47. [Diagram: RepeatAfterMeClient.exe <-> Burp Suite (processProxyMessage, processHttpMessage) <-> http://wcfbox/RepeaterService.svc]
49. We’ve got to do a few things
• Split the HTTP headers from the FI (FastInfoset) body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse
51. • Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow
61. Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
• java -cp yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
– (-jar only accepts a single JAR, so use -cp to put both on the classpath; ; is the Windows separator, use : on Linux/Mac)
62. Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• For the response, processHttpMessage fires before processProxyMessage, so we can’t alter the decoded message in the proxy and then re-encode it
• Solution: chain two Burp instances together
63. Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….
In the wrong room
About to be really offended
I don’t know much about Java, I don’t know the right terms for things and I don’t know the best style of writing it. But this code will work and that’s my primary objective today. It doesn’t have to be pretty, it just has to work. That’s the difference between delivering a good test or a bad one imho.
So, what are we going to cover?
Can’t do a slide deck without cats
Particularly Professional
Previous app test: WCF service written in C#. Not using the WCF binary protocol; SOAP with FastInfoset XML encoding. Burp Suite couldn’t read it.
IntelliJ Community Edition is available. We’re going with Eclipse because it works and is free and fully functional. You can port this learning to anything else.
SHA1s are here if you want to verify them.
Package Explorer – like a directory listing of your classes and src files. Main window where we edit files. Task list – I normally close this to be honest. Outline view, quite useful, gives a breakdown of the methods and properties of the classes you are working on. Problems – keep your eye on this bad boy, can be very useful.
Notice how it’s already popping up little tips. In this case we’ve declared an import but not used any of the classes. We’ll fix that…
Javadoc is the Java standard for documentation. It is generated automatically from comments in the code. Burp Extender has Javadoc available online. We are going to use this a lot. Let’s start…..er, right….
This is our bare bones. Note the import burp.*; isn’t shown
Don’t worry too much about what it all means just at the second. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Hello%20World!
That’s great, writing out to the console – but we need to intercept and send onwards. We need to shuffle stuff around a bit then.. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Three
Walk through adding code to processProxyMessage. Show how we can decode in the Burp Proxy window by returning a new byte[]. Then how it fails because the app receives plain text, not FI.
Now we add a re-encode method to processHttpMessage using a custom HTTP header. We can exploit the flow order in Burp. Remember processProxyMessage is called *before* processHttpMessage – win. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Four
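The steps from slide 49 and the flow-order trick from the notes above, wired into one extension as an added example; this is not the workshop's own code (the linked GitHub repo has the author's version). It assumes the legacy Burp 1.4 extender method signatures from the portswigger.net Javadoc the slides link to, the com.sun.xml.fastinfoset classes from FastInfoset.jar on the build path, and two names of my own: an X-FI-Decoded marker header and application/fastinfoset as the Content-Type to look for. It also fixes Content-Length after each decode/encode, which the slides do not mention but the server will care about.

```java
package burp;
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.*;
import com.sun.xml.fastinfoset.sax.*;
public class BurpExtender {
    static final java.nio.charset.Charset L1 = StandardCharsets.ISO_8859_1; // 1:1 byte<->char, keeps binary bodies intact
    static final String FI_TYPE = "application/fastinfoset"; // assumed Content-Type of the FI messages (check yours)
    static final String MARK = "X-FI-Decoded: 1";            // assumed marker header of our own; stripped before sending
    // Proxy hook: Burp calls this first for a request, so give it a readable XML body and mark the message.
    public byte[] processProxyMessage(int messageReference, boolean messageIsRequest, String remoteHost, int remotePort,
            boolean serviceIsHttps, String httpMethod, String url, String resourceType, String statusCode,
            String responseContentType, byte[] message, int[] interceptAction) throws Exception {
        String[] p = split(message); // responses are left alone, the limitation slide 62 describes
        if (!messageIsRequest || p == null || !p[0].toLowerCase().contains(FI_TYPE)) return message;
        return join(p[0] + "\r\n" + MARK, fiToXml(p[1].getBytes(L1)));
    }
    // HTTP hook: fires after the proxy (and the tester) are done with the request, so re-encode here.
    public void processHttpMessage(String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception {
        String[] p = split(messageInfo.getRequest());
        if (!messageIsRequest || p == null || !p[0].contains(MARK)) return; // only touch requests we decoded
        messageInfo.setRequest(join(p[0].replace("\r\n" + MARK, ""), xmlToFi(p[1].getBytes(L1))));
    }
    static byte[] fiToXml(byte[] fi) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new SAXSource(new SAXDocumentParser(),
                new InputSource(new ByteArrayInputStream(fi))), new StreamResult(out));
        return out.toByteArray();
    }
    static byte[] xmlToFi(byte[] xml) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        SAXDocumentSerializer ser = new SAXDocumentSerializer(); ser.setOutputStream(out);
        SAXParserFactory f = SAXParserFactory.newInstance(); f.setNamespaceAware(true); // serializer needs namespace-aware SAX events
        XMLReader r = f.newSAXParser().getXMLReader(); r.setContentHandler(ser);
        r.parse(new InputSource(new ByteArrayInputStream(xml)));
        return out.toByteArray();
    }
    static String[] split(byte[] msg) { // headers and body at the first blank line; null when there is no body
        String s = new String(msg, L1); int i = s.indexOf("\r\n\r\n");
        return i < 0 ? null : new String[] { s.substring(0, i), s.substring(i + 4) };
    }
    static byte[] join(String headers, byte[] body) { // re-attach body and fix Content-Length, which every re-encode changes
        headers = headers.replaceAll("(?mi)^Content-Length:\\s*\\d+", "Content-Length: " + body.length);
        return (headers + "\r\n\r\n" + new String(body, L1)).getBytes(L1);
    }
}
```

Because the marker header travels with the request, a decoded message sent from Repeater is re-encoded by the same processHttpMessage path, not only one forwarded from the Proxy.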