Cusomizing Burp Suite - Getting the Most out of Burp Extensions

AppSec USA 2014

Denver, Colorado

Customizing Burp Suite

Getting the Most out of Burp Extensions

August DetlefsenSenior Application Security ConsultantAuthor

• augustd@codemagi.com• @codemagi• http://www.codemagi.com/blog

Burp Suite• Burp Suite is a powerful tool for performing

security assessments• Burp Plugin API allows new features to be

www.portswigger.net/burp/extender

What Can I Do With Plugins? • Passive Scanning• Active Scanning• Alter/append requests• Define Insertion Points for Scanner/Intruder• Create new payload types• Automate Authentication• Much, Much More

Prerequisites• Burp Suite Pro v 1.5.x+• Java 1.6.x+• NetBeans• Other programming languages– Jython– JRuby

Creating An Extension• Download the Extender API from Portswigger:

portswigger.net/burp/extender/api/burp_extender_api.zip

• Or export the API from within Burp

Creating an Extension• Create a new project with existing sources:

Creating an Extension• Create the BurpExtender class– In package ‘burp’– Implement IBurpExtender

Creating an Extension

Creating an Extension• Implement registerExtenderCallbacks

Load the Extension into Burp Suite

Passive Scanning• Search responses for problematic values• Built-in passive scans– Credit card numbers– Known passwords– Missing headers

Building a Passive Scanner

Passive Scanning – Room for Improvement• Error Messages• Software Version Numbers

Building a Passive Scanner• Implement the IScannerCheck interface:

• Register the extension as a scanner:

IScannerCheck.doPassiveScan()

IScannerCheck.consolidateDuplicateIssues()• Ensure an issue is only posted to scanner once

IScannerCheck.doActiveScan()• Only needed for active scans

Active Scanning• Issue requests containing attacks • Look for indication of success in response• Built-In Active Scans– XSS– SQL Injection– Path Traversal– etc

Building an Active Scanner

IScannerCheck.doActiveScan()

Insertion Points • Locations of parameters in request • Contain data the server will act upon

Defining Insertion Points• Implement IScannerInsertionPointProvider– getInsertionPoints()

• Register as an insertion point provider

BurpExtender.getInsertionPoints()

Viewing Insertion Points• Add menu option to send request to Intruder• Implement IContextMenuFactory– createMenuItems()

• Register as a menu factory

BurpExtender.createMenuItems()

MenuItemListener

BurpExtender.sendGWTToIntruder()

Modifying Requests• Add custom headers• Add signatures• CSRF tokens

Modifying Requests

Modifying Requests• Implement IHttpListener– processHttpMessage()

• Register as an HTTP Listener

Modifying Requests

BurpExtender.processHttpMessage()

Modifying a Request

BurpExtender.signRequest()

Modifying a Request

Debugging• callbacks.printOutput(String)• callbacks.printError(String)

Utilities

Debugging – Stack Traces• Exception.printStackTrace()• Get the error OutputStream

• Print a stack trace to the stream

Utilities

Summary• Setup• Passive Scanning• Active Scanning• Handling custom request types• Utilities

Extension Downloads• Download Extensions at:

www.codemagi.com/downloads

• Source code on Google Code

Resources

Build Extensions!Customize YOUR Hacking!

Profit!

Cusomizing Burp Suite - Getting the Most out of Burp Extensions

Technology

NEST Kali Linux Tutorial: Burp Suitenest.unm.edu/files/9413/8379/7983/burpsuite.pdf · NEST Kali Linux Tutorial: Burp Suite “Burp gives you full control, letting you combine advanced

Adding&Value&to&Automated&Web&Scans& Burp&Suite… · Automated&Scanning&vs&Manual&Tes;ng& • Manual&Tes;ng&Tools/Suites& • AtMSU&>&QualysGuard&WAS&&&Burp&Suite& • Automated&Scanning&>&iden;fy&aack&surface&accross&

Extending Burp with Python

Automation of Web Application Scanning with Burp …...Why Burp Suite? 5 Burp Suite - GUI proxy server for manual analyse of HTTP and Websocket protocols › Everyone in our team uses

Burp Suite Starter

Burp Suite

Cloud Platform 2.21 API Release Notes - Qualys · With our new Burp API, you can now import Burp scan reports and store the findings discovered by the Burp Suite scanner with those

SearchSecurity.in Burp Suite Tutorial Part 01

11 Web security testing using Burp and Firebugminisites.qaiglobalservices.com/stc2012/Paper_ Best_Practice/Web... · Web security testing using Burp Tools in Burp suite Burp Suite

Bath Burp Issue 5

Elevate Your Application Security Program with Burp Suite and ThreadFix

Advanced XXE Exploitation Exercise 2: External DTD …...Burp Suite Professional VI .7.37 - Temporary Project - licensed to GoSecure Inc. [13 user license] Burp Intruder Repeater Window

Burp Suite Pro · Me & Myself Founder & owner of Agarri Lot of Web PenTesting NOT affiliated with PortSwigger Ltd Using Burp Suite for years And others proxies before

Mocking HTTP APIs With Burp - Shea Polansky · Burp Intruder Repeater Window Help Repeater Options URL Burp Suite Community Edition v1.7.35 - Temporary Project Alerts it H u b—

Pentesting Using Burp Suite

Bath Burp Issue 4

Pentesting With Burp Suite

AppSec USA 2015: Customizing Burp Suite

Pen Testing With Burp Suite

Bath Burp Issue 15