1. Enlarge your Burp,
Or how to stop fear of the JavaDocs
part 2, Java (The light side)
Ivan Elkin, QIWI

2. root:~$ whois i.elkin
org : QIWI Plc
post : Application security expert
nickname : vankyver
pursuit : Java, JS, develop, security research
name server: qiwi.com
name server: vulners.com

3. In a previous part
- What is burp
- Why burp
- Why burp is not enough
- How to enlarge burp
- A lot of rows of Python lang...

4. ...But the “native” burp’s language is
Java!

5. Let’s find some killer features which makes
writing Burp Extensions amazing with Java

6. First of all, Java is popular and has a lot of cool
tools to write and debug it

7. IDE, a lot of fat killer features
out from the box!
● Pretty Code Completion
● Pretty Debug (API calls, Threads)
● Easy dependency
● Easy refactoring

8. I know, you are scared of something like this...

9. What if you don’t need any docs and IDE
is enough?

10. One more thing, how do you debug your Burp’s
code in Python ?

11. if result <= 1:
print ("Server response is 1")
x=1
elif result <= 2:
x=2
print ("Server response is 2")
elif result <= 3:
x=3
print ("Server response is 3")
elif result <= 4:
x=4
print ("Server response is 4")
elif result <= 5:
x=5
print ("Server response is 5")
Debugging Burp plugin with python
In common case
is an out print…

12. ...so jumping between
IDE,
Burp,
Python console,
terminal

13. Thanks,
No!

14. Let’s use other solution...

15. Debug Burp.jar
free and powerful

16. 1. Run Burp
process on
localhost:5005
with -Xdebug
Debug Burp.jar

17. 2. Run Eclipse
remote debug
with listening
localhost:5005
Debug Burp.jar

18. 3. Export
Plugin.Jar file
Debug Burp.jar

19. 4. load
extension to
Burp and...
Debug Burp.jar

20. 5. Profit!
Debug Burp.jar

21. Unfortunately,
troubles with
Hot Swap :(
Debug Burp.jar

22. Debug Burp.jar
maybe a habit, but really easy

23. 1. Run Burp as a
JAR Application
Debug Burp.jar

24. 2. Let Idea build
Artifact of a
project with
dependencies
Debug Burp.jar

25. 3. Build -> Build
Artifact
Compiles
project to /out
dir as .jar
4. load
extension to
Burp and debug!
Debug Burp.jar

26. Demo#1
Debug burp.jar
and
Maven compile (easy as a Ctrl+S)

27. ...but, what about Java?
Since Java 1.8 we have Lambda and Stream API

28. panel.getBtnStart().addActionListener(new ActionListener()
{
@Override
public void actionPerformed(ActionEvent e1) {
new Thread() {
@Override
public void run() {
onStartClick();
}
}.start();
}
});
panel.getBtnStart().addActionListener(event ->
new Thread(this::onStartClick).start());
Java 1.8 features. Really Pretty Code
And in some cases is better performance
String xHeader = ""
for (int i=0; i < headers.length -3 ; i++) {
if (header.contains("X-dynaTrace")) {
xHeader = header;
break;
}
}
String xHeader = headers.stream()
.filter(h-> h.contains("X-dynaTrace"))
.findFirst()
.get();

29. Moar real samples!

30. Moar real samples!
https://github.com/vankyver/burp-zn-2015

31. Demo #2
Handling CSRF token-protected forms

32. Demo #3
Finding forms which not protected with
CSRF-tokens

33. Demo #4
GUI and Burp
(My little DirBuster)

34. <dependency>
<groupId>com.intellij</groupId>
<artifactId>forms_rt</artifactId>
<version>7.0.3</version>
</dependency>
Don’t forget to compile GUI
Java source code
and add dependency to
pom.xml

35. Also, before packaging jar, you should precompile your
GUI code
(Ctrl + Shift + F9 in Panel.java)

36. ...one more interesting thing
...Out of Band

37. Year ago, ZN-2014
https://github.com/kyprizel/ussrfuzzer

38. Burp Collaborator
Pretty good thing, but no API yet

39. Demo #5
Out of Band detecting

40. Demo #6
Auto Scan
(Cheap solution for enterprise)

41. Thanks!
@vankyver