Transcript

AppSec USA 2014

Denver, Colorado

Customizing Burp Suite

Getting the Most out of Burp Extensions

August Detlefsen, Senior Application Security Consultant
• [email protected]
• @codemagi
• http://www.codemagi.com/blog

Burp Suite
• Burp Suite is a powerful tool for performing security assessments
• Burp Plugin API allows new features to be added

What Can I Do With Plugins?
• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder

Prerequisites
• Burp Suite Pro v 1.5.x
• Java 1.6.x
• NetBeans
• Other programming languages

Creating An Extension
• Download the Extender API from Portswigger:
  http://portswigger.net/burp/extender/api/burp_extender_api.zip

Creating an Extension
• Create a new project with existing sources:

Creating an Extension
• Create the BurpExtender class
  – In package ‘burp’
  – Implement IBurpExtender


Creating an Extension
• Implement registerExtenderCallbacks
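The three steps above (package burp, a class named BurpExtender, the IBurpExtender interface and its single registerExtenderCallbacks method) produce the smallest extension Burp will load. The class below is an added example, not code from the slides; it assumes the legacy burp-package interfaces (IBurpExtender, IBurpExtenderCallbacks, IExtensionHelpers) from the Extender API zip linked earlier, which is what Burp 1.5.x exposes. The extension name "Hello Burp" is a made-up value.

```java
package burp;

// The class must be named BurpExtender, sit in package burp and implement IBurpExtender;
// that is how Burp finds the entry point when the JAR is loaded.
public class BurpExtender implements IBurpExtender {

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    // Burp calls this exactly once, right after the extension is loaded.
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;            // keep for later: registering checks, issuing requests, logging
        this.helpers = callbacks.getHelpers(); // request/response parsing, encoding and byte utilities

        callbacks.setExtensionName("Hello Burp"); // name shown in the Extensions tab (made-up value)

        // getBurpVersion() returns { product name, major version, minor version }.
        String[] v = callbacks.getBurpVersion();
        callbacks.printOutput("Hello Burp loaded into " + v[0] + " " + v[1] + "." + v[2]);
    }
}
```

Keeping the callbacks and helpers objects in fields is the usual pattern: every later feature (scanner checks, insertion point providers, logging) needs one or both, and registerExtenderCallbacks is the only place Burp hands them over.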


Load the Extension into Burp Suite

Passive Scanning
• Search responses for problematic values
• Built-in passive scans
  – Credit card numbers
  – Known passwords
  – Missing headers

Building a Passive Scanner

Passive Scanning – Room for Improvement
• Error Messages
• Software Version Numbers

Building a Passive Scanner
• Implement the IScannerCheck interface:
• Register the extension as a scanner:

IScannerCheck.doPassiveScan()


IScannerCheck.consolidateDuplicateIssues()
• Ensure an issue is only posted to the scanner once

IScannerCheck.doActiveScan()
• Only needed for active scans

Active Scanning
• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
  – XSS
  – SQL Injection
  – Path Traversal
  – etc.

Building an Active Scanner

IScannerCheck.doActiveScan()
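One IScannerCheck implementation covers both the passive scanner slides above (doPassiveScan, consolidateDuplicateIssues, registering the check) and this doActiveScan slide. It is an added example, not code from the talk. The passive part picks up one of the gaps named on the "Room for Improvement" slide, software version numbers in response headers; the active part sends a single constructed canary string through the insertion point Burp hands it and reports where the server echoes it back in the body, which is the "look for indication of success in response" step in its most benign form. The header regex, the canary value, the issue texts and the CustomScanIssue class are mine; the API calls are the legacy burp-package interfaces (IScannerCheck, IScanIssue, IExtensionHelpers, IBurpExtenderCallbacks) from the Extender API zip.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    // Response headers that commonly carry a product version, e.g. "Server: Apache/2.2.22".
    private static final Pattern VERSION_HEADER = Pattern.compile(
            "^(Server|X-Powered-By|X-AspNet-Version):\\s*.*\\d+\\.\\d+.*$", Pattern.CASE_INSENSITIVE);
    // Constructed marker: unlikely to occur naturally and harmless if the server echoes it.
    private static final String CANARY = "bxcanary7f3a";

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Version disclosure and reflection check");
        callbacks.registerScannerCheck(this); // Burp now drives the three IScannerCheck methods below
    }

    // Passive check: inspects responses Burp already holds; never sends a request of its own.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        byte[] response = base.getResponse();
        if (response == null) return null;
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        for (String header : helpers.analyzeResponse(response).getHeaders()) {
            if (!VERSION_HEADER.matcher(header).matches()) continue;
            // Highlight the header in the response view so the evidence is visible at a glance.
            List<int[]> marks = new ArrayList<int[]>();
            int at = helpers.indexOf(response, helpers.stringToBytes(header), false, 0, response.length);
            if (at >= 0) marks.add(new int[] { at, at + header.length() });
            issues.add(new CustomScanIssue(base, callbacks.applyMarkers(base, null, marks),
                    "Software version disclosed in response header",
                    "The response header <b>" + header + "</b> reveals a product version.",
                    "Low", "Certain"));
        }
        return issues.isEmpty() ? null : issues;
    }

    // Active check: sends one benign canary through the insertion point and looks for it in the body.
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint point) {
        byte[] payload = helpers.stringToBytes(CANARY);
        IHttpRequestResponse probe = callbacks.makeHttpRequest(base.getHttpService(), point.buildRequest(payload));
        byte[] response = probe.getResponse();
        if (response == null) return null;
        int bodyStart = helpers.analyzeResponse(response).getBodyOffset();
        int hit = helpers.indexOf(response, payload, true, bodyStart, response.length);
        if (hit < 0) return null;
        List<int[]> reqMarks = new ArrayList<int[]>();
        int[] sent = point.getPayloadOffsets(payload); // null when the payload was transformed on the way in
        if (sent != null) reqMarks.add(sent);
        List<int[]> respMarks = new ArrayList<int[]>();
        respMarks.add(new int[] { hit, hit + payload.length });
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        issues.add(new CustomScanIssue(base, callbacks.applyMarkers(probe, reqMarks, respMarks),
                "Input reflected in response body",
                "The value of <b>" + point.getInsertionPointName() + "</b> is echoed in the response body; "
                        + "verify that output encoding is applied at this location.",
                "Information", "Firm"));
        return issues;
    }

    // Burp calls this when two issues share URL and name: -1 keep existing, 0 keep both, 1 keep the new one.
    @Override
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        return existing.getIssueDetail().equals(fresh.getIssueDetail()) ? -1 : 0;
    }

    // Minimal IScanIssue; Burp renders it in the Scanner results tab and the site map.
    private class CustomScanIssue implements IScanIssue {
        private final IHttpService service; private final URL url;
        private final IHttpRequestResponse[] messages; private final String name, detail, severity, confidence;

        CustomScanIssue(IHttpRequestResponse base, IHttpRequestResponse evidence,
                        String name, String detail, String severity, String confidence) {
            this.service = base.getHttpService();
            this.url = helpers.analyzeRequest(base).getUrl();
            this.messages = new IHttpRequestResponse[] { evidence };
            this.name = name; this.detail = detail; this.severity = severity; this.confidence = confidence;
        }
        public URL getUrl() { return url; }
        public String getIssueName() { return name; }
        public int getIssueType() { return 0x08000000; }     // Burp's "extension generated issue" type
        public String getSeverity() { return severity; }      // High, Medium, Low or Information
        public String getConfidence() { return confidence; }  // Certain, Firm or Tentative
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return detail; }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return messages; }
        public IHttpService getHttpService() { return service; }
    }
}
```

Two design points worth noting. doPassiveScan must stay cheap and side-effect free because Burp runs it against every response that passes through the proxy; all network traffic belongs in doActiveScan. And consolidateDuplicateIssues is what keeps the Scanner tab readable: without it, a version header seen on every page of a site would be reported once per URL, so the check above collapses issues whose detail text is identical.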

Insertion Points
• Locations of parameters in request
• Contain data the server will act upon


Defining Insertion Points
• Implement IScannerInsertionPointProvider
  – getInsertionPoints()
• Register as an insertion point provider

BurpExtender.getInsertionPoints()
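As an added example of the two steps above (implement IScannerInsertionPointProvider.getInsertionPoints, then register the provider), and of the "custom request types" the summary refers to: the extension below teaches the Scanner about string values inside a JSON request body, which Burp 1.5.x does not treat as parameters on its own. It is not code from the talk. The flat-JSON regex, the escaping rule and the JsonInsertionPoint class are my choices; the API calls are the legacy burp-package interfaces (IScannerInsertionPointProvider, IScannerInsertionPoint, IRequestInfo, IExtensionHelpers) from the Extender API zip.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider {
    private IExtensionHelpers helpers;

    // Matches "key":"value" string members of a flat JSON object (a deliberately simple subset).
    private static final Pattern STRING_MEMBER =
            Pattern.compile("\"([^\"]+)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("JSON insertion points");
        callbacks.registerScannerInsertionPointProvider(this);
    }

    // Burp calls this once per base request before it starts attacking; return null to add nothing.
    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        byte[] request = base.getRequest();
        IRequestInfo info = helpers.analyzeRequest(request);
        boolean json = false;
        for (String h : info.getHeaders()) {
            String lower = h.toLowerCase();
            if (lower.startsWith("content-type:") && lower.contains("json")) json = true;
        }
        if (!json) return null;
        // bytesToString creates one char per byte, so string offsets below equal body byte offsets.
        String body = helpers.bytesToString(Arrays.copyOfRange(request, info.getBodyOffset(), request.length));
        List<IScannerInsertionPoint> points = new ArrayList<IScannerInsertionPoint>();
        Matcher m = STRING_MEMBER.matcher(body);
        while (m.find()) {
            points.add(new JsonInsertionPoint(info.getHeaders(), body, m.group(1), m.start(2), m.end(2)));
        }
        return points;
    }

    // One insertion point per JSON string value; Burp calls buildRequest once per payload it tries.
    private class JsonInsertionPoint implements IScannerInsertionPoint {
        private final List<String> headers;
        private final String body, name;
        private final int start, end; // offsets of the base value inside body

        JsonInsertionPoint(List<String> headers, String body, String name, int start, int end) {
            this.headers = headers; this.body = body; this.name = name; this.start = start; this.end = end;
        }
        public String getInsertionPointName() { return "json:" + name; }
        public String getBaseValue() { return body.substring(start, end); }

        // Splice the payload into the value and rebuild the message; buildHttpMessage updates Content-Length.
        public byte[] buildRequest(byte[] payload) {
            String value = jsonEscape(helpers.bytesToString(payload));
            String newBody = body.substring(0, start) + value + body.substring(end);
            return helpers.buildHttpMessage(headers, helpers.stringToBytes(newBody));
        }
        // Where the payload sits in the built request (for highlighting); null if escaping changed it.
        public int[] getPayloadOffsets(byte[] payload) {
            byte[] req = buildRequest(payload);
            int at = helpers.indexOf(req, payload, true, 0, req.length);
            return at < 0 ? null : new int[] { at, at + payload.length };
        }
        public byte getInsertionPointType() { return INS_EXTENSION_PROVIDED; }

        // Keep the body valid JSON so the server parses the payload rather than rejecting the request.
        private String jsonEscape(String s) {
            return s.replace("\\", "\\\\").replace("\"", "\\\"");
        }
    }
}
```

The escaping step is the design decision to think about for any custom format: if the payload is dropped in raw, many requests fail to parse and the scan tests the parser rather than the application; if it is escaped, the application receives exactly what an attacker could legitimately send through a real client. Whichever you choose, getPayloadOffsets must tell the truth about the bytes that were actually sent, or Burp's request highlighting will point at the wrong place.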


Debugging
• callbacks.printOutput(String)
• callbacks.printError(String)
• Exception.printStackTrace()

Utilities

Debugging – Stack Traces
• Get the error OutputStream
• Print a stack trace to the stream
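The two debugging slides above list printOutput and printError for one-line messages and, for stack traces, obtaining the error OutputStream and printing to it. The class below is an added example, not code from the talk: a small logging wrapper that builds the PrintStream once from callbacks.getStderr() and is then used from registerExtenderCallbacks. The "maxDepth" setting name is hypothetical; on a fresh install loadExtensionSetting returns null for it, so the parse fails and the catch block shows what a trace looks like in the Errors tab. The API calls (printOutput, printError, getStderr, loadExtensionSetting) are the legacy IBurpExtenderCallbacks methods from the Extender API zip.

```java
package burp;

import java.io.PrintStream;
import java.text.SimpleDateFormat;
import java.util.Date;

public class BurpExtender implements IBurpExtender {
    private Log log;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Logging example");
        log = new Log(callbacks);
        log.info("extension loaded");
        try {
            // "maxDepth" is a hypothetical persisted setting; it is null until something saves it,
            // so parseInt throws and the catch below sends the full trace to the Errors tab.
            int maxDepth = Integer.parseInt(callbacks.loadExtensionSetting("maxDepth"));
            log.info("maxDepth = " + maxDepth);
        } catch (RuntimeException e) {
            log.error("could not read maxDepth setting", e);
        }
    }

    // Small wrapper around the three logging facilities the Extender API offers.
    static final class Log {
        private final IBurpExtenderCallbacks callbacks;
        private final PrintStream err; // built once from the raw OutputStream, reused for every trace

        Log(IBurpExtenderCallbacks callbacks) {
            this.callbacks = callbacks;
            this.err = new PrintStream(callbacks.getStderr(), true); // autoflush so traces appear at once
        }

        // Output tab (or stdout, if the extension's output is redirected there).
        void info(String msg) { callbacks.printOutput(stamp() + msg); }

        // One-line summary via printError, then the stack trace on the same stream beneath it.
        void error(String msg, Throwable t) {
            callbacks.printError(stamp() + msg + (t == null ? "" : ": " + t));
            if (t != null) t.printStackTrace(err);
        }

        private static String stamp() {
            return new SimpleDateFormat("HH:mm:ss.SSS ").format(new Date());
        }
    }
}
```

Calling e.printStackTrace() with no argument writes to the JVM's System.err, which is invisible when Burp runs from its GUI launcher; wrapping callbacks.getStderr() in a PrintStream is what routes the trace into the extension's Errors tab where it can be read.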

Summary
• Setup
• Passive Scanning
• Active Scanning
• Handling custom request types
• Utilities

Build Extensions! Profit!