Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.
Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
I am a Java n00b
If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
The problem
I wrote a plugin
Coding by Google FTW!
How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
Burp Extender
• Achieves this via 6 interfaces:
• IBurpExtender
• IBurpExtenderCallbacks
• IHttpRequestResponse
• IScanIssue
• IScanQueueItem
• IMenuItemHandler
Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes a method can be called from code in other classes or outside the class hierarchy
Java 101 continued…
• class hierarchy defined by directory structure:
• uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially a ZIP file of classes/directories
Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)
Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp:
• java -jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
• JetBrains IntelliJ (my personal favourite)
• NetBeans (never used)
• JCreator (again, never used)
• Terminal/vim/javac < MOAR L33T
Download Eclipse Classic
Or install from your USB drive
Eclipse 4.2 Classic
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d  eclipse-SDK-4.2-win32-x86_64.zip
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
• 68b1eb33596dddaac9ac71473cd1b35f51af8df7  eclipse-SDK-4.2-win32.zip
Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
• http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
We’re ready to type
Loading external classes
• We need to tell Java about external classes
• Ruby has require
• PHP has include or require
• Perl has require
• C has #include
• Java uses import
Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
• import burp.*;
IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words
public class BurpExtender {
}
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this

package burp;

import burp.*;

public class BurpExtender {
    // Legacy (Burp 1.4) Extender hook: invoked for every HTTP request or
    // response handled by any Burp tool.
    public void processHttpMessage(String toolName, boolean messageIsRequest,
            IHttpRequestResponse messageInfo) throws Exception {
        System.out.println("Hello World!");
    }
}
Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
Select Java Application
• Under Matching items select StartBurp – burp
• Click OK
Burp runs
• Check Alerts tab
• View registration of BurpExtender class
Console output
• The console window shows output from the application
• Note the “Hello World!”s
Congratulations
What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
[Diagram: RepeatAfterMeClient.exe -> Burp Suite (processProxyMessage, processHttpMessage) -> http://wc�ox/RepeaterService.svc]
We’ve got to do a few things
• Split the HTTP headers from the FI (Fast Infoset) body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse
• Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow
Decoding the Fast Infoset to console
First: we get it wrong
• Burp returns message body as byte[]
• Hmm, bytes are hard, let’s convert to String
• Split on \r\n\r\n
Then we do it right
• Fast Infoset is a binary encoding
• Don’t try and convert it to a String
• Now things work
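The byte-level split and rebuild the last few slides describe, as an added example (not the workshop's own code): headers are separated from the body at the first CRLFCRLF without ever converting the body to a String, and when the re-encoded body is appended the Content-Length header is fixed to match. The getRequest()/getResponse()/setResponse() calls on IHttpRequestResponse are assumed from the legacy Burp 1.4 Extender API used throughout these slides.

```java
package burp;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not the workshop's code: split a Burp message at the first CRLFCRLF,
// keep the binary Fast Infoset body as byte[], and rebuild it with a correct Content-Length.
public class BurpExtender {
    private static final byte[] SEP = {'\r', '\n', '\r', '\n'};
    // Offset of the first CRLFCRLF in msg, or -1 if there is no header/body separator.
    static int headerEnd(byte[] msg) {
        outer:
        for (int i = 0; i + 4 <= msg.length; i++) {
            for (int j = 0; j < 4; j++) if (msg[i + j] != SEP[j]) continue outer;
            return i;
        }
        return -1;
    }
    // Headers are ASCII, so decoding them as ISO-8859-1 loses nothing.
    static String headers(byte[] msg) {
        int end = headerEnd(msg);
        return new String(msg, 0, end < 0 ? msg.length : end, StandardCharsets.ISO_8859_1);
    }
    // The body stays raw bytes (empty if absent); never do new String(body) on it.
    static byte[] body(byte[] msg) {
        int end = headerEnd(msg);
        return end < 0 ? new byte[0] : Arrays.copyOfRange(msg, end + 4, msg.length);
    }
    // Re-assemble headers + re-encoded body, fixing Content-Length to the new length.
    static byte[] join(String hdrs, byte[] newBody) {
        String fixed = hdrs.replaceAll("(?im)^Content-Length:[ \\t]*\\d+",
                "Content-Length: " + newBody.length);
        byte[] head = (fixed + "\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);
        byte[] out = Arrays.copyOf(head, head.length + newBody.length);
        System.arraycopy(newBody, 0, out, head.length, newBody.length);
        return out;
    }
    // Legacy (Burp 1.4) callback from the "Add this" slide; getRequest(), getResponse()
    // and setResponse() on IHttpRequestResponse are assumed from that API.
    public void processHttpMessage(String toolName, boolean messageIsRequest,
            IHttpRequestResponse messageInfo) throws Exception {
        byte[] msg = messageIsRequest ? messageInfo.getRequest() : messageInfo.getResponse();
        if (msg == null) return;
        byte[] fi = body(msg);
        // The "first we get it wrong" bug: a String round-trip mangles non-UTF-8 bytes.
        byte[] mangled = new String(fi, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println("body " + fi.length + " bytes, lossy via String: " + !Arrays.equals(fi, mangled));
        // After decode -> edit -> re-encode: messageInfo.setResponse(join(headers(msg), newBody));
    }
}
```

If a request is modified rather than a response, use setRequest() with the same join() result; the Content-Length fix-up matters either way, since a re-encoded body will usually differ in size from the original.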
Decoding Fast Infoset through Proxy
We’re nearly there……
Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
• java -cp yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
• (-jar only takes a single JAR, so both go on the classpath; the ; separator is Windows, use : on Linux/Mac)
Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• Solution: chain two Burp instances together
Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….
Questions
?