
AppSec USA 2014

Denver, Colorado

Customizing Burp Suite

Getting the Most out of Burp Extensions

2

August Detlefsen, Senior Application Security Consultant
• [email protected]
• @codemagi
• http://www.codemagi.com/blog

3

Burp Suite
• Burp Suite is a powerful tool for performing security assessments
• The Burp Plugin (Extender) API allows new features to be added

4

What Can I Do With Plugins?
• Passive scanning
• Active scanning
• Alter/append requests
• Define insertion points for Scanner/Intruder

5

Prerequisites
• Burp Suite Pro v1.5.x
• Java 1.6.x
• NetBeans (any Java IDE will do)
• Other programming languages: Burp can also load extensions written in Python (Jython) and Ruby (JRuby); the examples in this talk are Java

6

Creating An Extension
• Download the Extender API from PortSwigger: http://portswigger.net/burp/extender/api/burp_extender_api.zip

7

Creating an Extension
• Create a new project with existing sources (in NetBeans, pointing at the unzipped Extender API):

8

Creating an Extension
• Create the BurpExtender class
 – In package ‘burp’
 – Implement IBurpExtender

9

Creating an Extension

10

Creating an Extension
• Implement registerExtenderCallbacks

11

Load the Extension into Burp Suite
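The steps above produce the class below. This is an added example written for this page, not code from the talk or from PortSwigger; the extension name and the printed line are arbitrary. Burp locates the class by its fully qualified name, burp.BurpExtender, so the package and class name are not negotiable.

```java
package burp;

// Added example (not the talk's code): the smallest loadable extension. Burp looks for exactly
// this class, burp.BurpExtender, inside the jar and calls registerExtenderCallbacks once at load time.
public class BurpExtender implements IBurpExtender {

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;               // kept for later: makeHttpRequest, registerScannerCheck, ...
        this.helpers = callbacks.getHelpers();    // request/response parsing and building utilities
        callbacks.setExtensionName("Hello Burp (example)");

        String[] v = callbacks.getBurpVersion();  // {product name, major, minor}
        callbacks.printOutput("Loaded into " + v[0] + " " + v[1] + "." + v[2]);
    }
}
```

Build the project (NetBeans puts the jar under dist/), then in Burp open Extender > Extensions > Add, choose extension type Java and select the jar. The line from printOutput appears in the extension's Output tab, which confirms the class was found and the callback ran.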

12

Passive Scanning
• Search responses for problematic values
• Built-in passive scans
 – Credit card numbers
 – Known passwords
 – Missing headers

Building a Passive Scanner

13

Passive Scanning – Room for Improvement
• Error messages
• Software version numbers


14

Building a Passive Scanner
• Implement the IScannerCheck interface
• Register the extension as a scanner check (callbacks.registerScannerCheck)


15

IScannerCheck.doPassiveScan()


16

IScannerCheck.doPassiveScan()


17

IScannerCheck.consolidateDuplicateIssues()
• Ensure an issue is only posted to the Scanner once


18

IScannerCheck.doActiveScan()
• Only needed for active scans; a passive-only check can simply return null here


19

Active Scanning
• Issue requests containing attacks
• Look for an indication of success in the response
• Built-in active scans
 – XSS
 – SQL injection
 – Path traversal
 – etc.

Building an Active Scanner

20

IScannerCheck.doActiveScan()
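The following is an added example for this page, not the talk's own code or any PortSwigger sample. It implements the whole IScannerCheck interface against the Burp Extender API the slides use: the passive side covers the two "room for improvement" items (version numbers in response headers, verbose error messages in the body), the active side shows the doActiveScan contract (build a request through the insertion point, send it, inspect the response, mark up the evidence), and consolidateDuplicateIssues keeps repeat findings from piling up. The header and error regexes, the probe string, the issue names and the CustomScanIssue class are this example's own choices; Burp ships no concrete IScanIssue, so every extension has to supply one.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not the talk's code): passive + active checks in one IScannerCheck. */
public class BurpExtender implements IBurpExtender, IScannerCheck {

    // Passive: "Server: Apache/2.2.22" or "X-Powered-By: PHP/5.3.10" style version disclosure (illustrative pattern)
    private static final Pattern VERSION_HEADER =
            Pattern.compile("^(Server|X-Powered-By|X-AspNet-Version):\\s*\\S*\\d+\\.\\d+", Pattern.CASE_INSENSITIVE);
    // Passive: verbose errors leaking into the body; two illustrative signatures (Java stack frame, Oracle error code)
    private static final Pattern ERROR_MESSAGE =
            Pattern.compile("(?m)^\\s*at [\\w$.]+\\(\\w+\\.java:\\d+\\)|ORA-\\d{5}:");
    // Active: an alphanumeric probe survives URL/HTML encoding and is unlikely to occur naturally
    private static final String PROBE = "bxt7q9zp";

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Example version / error / reflection checks");
        callbacks.registerScannerCheck(this);   // Burp now calls doPassiveScan / doActiveScan for every item it scans
    }

    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        byte[] response = base.getResponse();
        if (response == null) return null;
        IResponseInfo info = helpers.analyzeResponse(response);
        URL url = helpers.analyzeRequest(base).getUrl();
        IHttpRequestResponse[] evidence = new IHttpRequestResponse[] { base };
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        for (String header : info.getHeaders()) {
            if (VERSION_HEADER.matcher(header).find()) {
                issues.add(new CustomScanIssue(base.getHttpService(), url, evidence,
                        "Software version disclosed in response header",
                        "The response contains the header <b>" + header + "</b>.", "Information", "Certain"));
            }
        }
        String body = helpers.bytesToString(response).substring(info.getBodyOffset());
        if (ERROR_MESSAGE.matcher(body).find()) {
            issues.add(new CustomScanIssue(base.getHttpService(), url, evidence, "Verbose error message in response",
                    "The response body contains what looks like a stack trace or database error.", "Low", "Firm"));
        }
        return issues.isEmpty() ? null : issues;   // null means "nothing to report"
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint insertionPoint) {
        byte[] payload = helpers.stringToBytes(PROBE);
        byte[] request = insertionPoint.buildRequest(payload);          // Burp places and encodes the payload
        IHttpRequestResponse result = callbacks.makeHttpRequest(base.getHttpService(), request);
        byte[] response = result.getResponse();
        if (response == null) return null;
        int hit = helpers.indexOf(response, payload, true, 0, response.length);
        if (hit < 0) return null;
        // Highlight the payload in the request and its echo in the response inside the issue's message viewer
        List<int[]> requestMarkers = new ArrayList<int[]>();
        int[] offsets = insertionPoint.getPayloadOffsets(payload);      // null if the payload was transformed
        if (offsets != null) requestMarkers.add(offsets);
        List<int[]> responseMarkers = new ArrayList<int[]>();
        responseMarkers.add(new int[] { hit, hit + payload.length });
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        issues.add(new CustomScanIssue(base.getHttpService(), helpers.analyzeRequest(base).getUrl(),
                new IHttpRequestResponse[] { callbacks.applyMarkers(result, requestMarkers, responseMarkers) },
                "Input reflected in response", "The value of <b>" + insertionPoint.getInsertionPointName()
                + "</b> is echoed unmodified; investigate for XSS.", "Low", "Tentative"));
        return issues;
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        // Called when this check reports several issues for one URL path:
        // -1 keeps only the existing issue, 0 keeps both, 1 keeps only the new one
        return existing.getIssueName().equals(fresh.getIssueName()) ? -1 : 0;
    }
}

/** Minimal IScanIssue; the severity/confidence strings are the values Burp recognises. */
class CustomScanIssue implements IScanIssue {
    private final IHttpService service;
    private final URL url;
    private final IHttpRequestResponse[] messages;
    private final String name, detail, severity, confidence;

    CustomScanIssue(IHttpService service, URL url, IHttpRequestResponse[] messages,
                    String name, String detail, String severity, String confidence) {
        this.service = service; this.url = url; this.messages = messages;
        this.name = name; this.detail = detail; this.severity = severity; this.confidence = confidence;
    }
    public URL getUrl() { return url; }
    public String getIssueName() { return name; }
    public int getIssueType() { return 0x08000000; }     // Burp's "extension generated issue" type
    public String getSeverity() { return severity; }      // High, Medium, Low, Information
    public String getConfidence() { return confidence; }  // Certain, Firm, Tentative
    public String getIssueBackground() { return null; }
    public String getRemediationBackground() { return null; }
    public String getIssueDetail() { return detail; }
    public String getRemediationDetail() { return null; }
    public IHttpRequestResponse[] getHttpMessages() { return messages; }
    public IHttpService getHttpService() { return service; }
}
```

Two caveats a practitioner will hit: doActiveScan is called once per insertion point, so every request it sends is multiplied by the number of parameters Burp found, and getPayloadOffsets returns null when the insertion point transforms the payload (for example base64 or XML encoding), which is why the request marker is only added when it is present.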


21

Insertion Points
• Locations of parameters in a request
• Contain data the server will act upon


22

Building an Active Scanner

23

Building an Active Scanner

24

Defining Insertion Points
• Implement IScannerInsertionPointProvider
 – getInsertionPoints()
• Register as an insertion point provider (callbacks.registerScannerInsertionPointProvider)


25

BurpExtender.getInsertionPoints()
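An added example for this page, not the talk's own getInsertionPoints code: an insertion point provider for a hypothetical pipe-delimited POST body such as user=alice|role=viewer|id=42. Burp's built-in parser has no idea what that is, so it would offer Scanner only the body as a whole; this provider hands it one insertion point per value. It uses helpers.makeScannerInsertionPoint, which builds a working IScannerInsertionPoint from a byte range, so nothing else has to be implemented by hand. The body format, field names and extension name are assumptions.

```java
package burp;

import java.util.ArrayList;
import java.util.List;

/** Added example (not the talk's code): one insertion point per value in a "k=v|k=v" body. */
public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider {

    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Example pipe-delimited insertion points");
        callbacks.registerScannerInsertionPointProvider(this);   // Burp asks us before each active scan
    }

    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        byte[] request = base.getRequest();
        int bodyOffset = helpers.analyzeRequest(request).getBodyOffset();
        String body = helpers.bytesToString(request).substring(bodyOffset);
        // Drop a trailing CR/LF so the last value's range does not swallow it
        int end = body.length();
        while (end > 0 && (body.charAt(end - 1) == '\r' || body.charAt(end - 1) == '\n')) end--;
        body = body.substring(0, end);
        if (body.indexOf('|') < 0 || body.indexOf('=') < 0) return null;   // not our format; let Burp carry on

        List<IScannerInsertionPoint> points = new ArrayList<IScannerInsertionPoint>();
        int fieldStart = 0;                       // position of the current field within the body
        for (String field : body.split("\\|", -1)) {
            int eq = field.indexOf('=');
            if (eq > 0) {
                // from/to are absolute offsets into the request; Burp substitutes payloads for bytes [from, to)
                int from = bodyOffset + fieldStart + eq + 1;
                int to = bodyOffset + fieldStart + field.length();
                points.add(helpers.makeScannerInsertionPoint(field.substring(0, eq), request, from, to));
            }
            fieldStart += field.length() + 1;     // +1 skips the '|' separator
        }
        return points.isEmpty() ? null : points;
    }
}
```

Insertion points made this way carry type INS_EXTENSION_PROVIDED and place the payload verbatim, which is right for this format; for a body that needs escaping (JSON strings, XML text) you implement IScannerInsertionPoint yourself so buildRequest can encode the payload and getPayloadOffsets can report where it ended up.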


26

Building an Active Scanner

27

Debugging
• callbacks.printOutput(String)
• callbacks.printError(String)
• Exception.printStackTrace()

Utilities

28

Debugging – Stack Traces
• Get the error OutputStream (callbacks.getStderr())
• Print a stack trace to the stream


29

Summary
• Setup
• Passive scanning
• Active scanning
• Handling custom request types
• Utilities

30

Build Extensions! Profit!