Burp plugin development for java n00bs (44 con)

Burp Plugin Development for Java n00bs

44Con 2012

www.7elements.co.uk | blog.7elements.co.uk | @7elements

/me

• Marc Wickenden• Principal Security Consultant at 7 Elements• Love coding (particularly Ruby)• @marcwickenden on the Twitterz• Most importantly though…..


I am a Java n00b

If you already know Java

You’re either:• In the wrong room• About to be really offended!

Agenda

• The problem• Getting ready• Introduction to the Eclipse IDE• Burp Extender Hello World!• Manipulating runtime data• Decoding a custom encoding scheme• “Shelling out” to other scripts• Limitations of Burp Extender• Really cool Burp plugins already out there to fire your

imagination

Oh…..and there’ll be cats

The problem

• Burp Suite is awesome• De facto web app tool• Open source alternatives don’t compare IMHO• Tools available/cohesion/protocol support• Burp Extender

The problem

I wrote a plugin

Coding by Google FTW!

How? - Burp Extender

• “allows third-party developers to extend the functionality of Burp Suite”

• “Extensions can read and modify Burp’s runtime data and configuration”

• “initiate key actions”• “extend Burp’s user interface”

http://portswigger.net/burp/extender/

Burp Extender

• Achieves this via 6 interfaces:– IBurpExtender– IBurpExtenderCallbacks– IHttpRequestResponse– IScanIssue– IScanQueueItem– IMenuItemHander

Java 101

• Java source is compiled to bytecode (class file)• Runs on Java Virtual Machine (JVM)• Class-based• OO• Write once, run anywhere (WORA)• Two distributions: JRE and JDK

Java 101 continued…

• Usual OO stuff applies: objects, classes, methods, properties/variables

• Lines end with ;


• Source files must be named after the public class they contain

• public keyword denotes method can be called from code in other classes or outside class hierarchy


• class hierarchy defined by directory structure:• uk.co.sevenelements.HelloWorld =

uk/co/sevenelements/HelloWorld.class• JAR file is essentially ZIP file of

classes/directories


• void keyword indicates method will not return data to the caller

• main method called by Java launcher to pass control to the program

• main must accept array of String objects (args)


• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method

• You’ve seen this already with Burp:– java –jar burpsuite_pro_v1.4.12.jar

Enough 101

Let’s write some codez

First we need some tools

• Eclipse IDE – de facto free dev tool for Java• Not necessarily the best or easiest thing to use• Alternatives to consider:– Jet Brains IntelliJ (my personal favourite)– NetBeans (never used)– Jcreator (again, never used)– Terminal/vim/javac < MOAR L33T

Download Eclipse Classic

Or install from your USB drive

Eclipse 4.2 Classic

• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1

• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip

• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1

• 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip

http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1



http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1



Java JDK

• Used to be bundled with Eclipse• Due to licensing (I think) this is no longer the

case• Grab from Sun Oracle’s website:• http://

download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5

http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5



Welcome to Eclipse

Create a Java Project

• File > New > Java Project• Project Name: Burp Hello World!• Leave everything else as default• Click Next

Java Settings

• Click on Libraries tab• Add External JARs• Select your burpsuite.jar

• Click Finish

Create a new package

• File > New > Package• Enter burp as the name• Click Finish

Create a new file

• Right-click burp package > New > File• Accept the default location of src• Enter BurpExtender.java as the filename• Click Finish

We’re ready to type

Loading external classes

• We need to tell Java about external classes– Ruby has require– PHP has include or require– Perl has require– C has include– Java uses import

Where is Burp?

• We added external JARs in Eclipse• Only helps at compilation• Need to tell our code about classes– import burp.*;

IBurpExtender

• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html

– “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”

http://portswigger.net/burp/extender/burp/IBurpExtender.html


In other words

public class BurpExtender{

}

• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java

Add thispackage burp;

import burp.*;

public class BurpExtender{ public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); }}

Run the program

• Run > Run• First time we do this it’ll ask what to run as• Select Java Application

Select Java Application

• Under Matching items select StartBurp – burp• Click OK

Burp runs

• Check Alerts tab• View registration of BurpExtender class

Console output

• The console window shows output from the application

• Note the “Hello World!”s

Congratulations

What’s happening?

• Why is it spamming “Hello World!” to the console?

• We defined processHttpMessage()• http://

portswigger.net/burp/extender/burp/IBurpExtender.html– “This method is invoked whenever any of Burp's

tools makes an HTTP request or receives a response”




Burp Suite Flow

processProxyMessage

RepeatAfterMeClient.exe

processHttpMessage

http://wcfbox/RepeaterService.svc

Burp Suite

We’ve got to do a few things

• Split the HTTP Headers from FI body• Decode FI body• Display in Burp• Re-encode modified version• Append to headers• Send to web server• Then the same in reverse

• Right-click Project > Build Path > Add External Archives

• Select FastInfoset.jar• Note that imports are now yellow

Decoding the Fastinfoset to console

First: we get it wrong

• Burp returns message body as byte[]• Hmm, bytes are hard, let’s convert to String• Split on \r\n\r\n

Then we do it right

• Fastinfoset is a binary encoding• Don’t try and convert it to a String• Now things work

Decoding Fastinfoset through Proxy

We’re nearly there……

Running outside of Eclipse

• Plugin is working nicely, now what?• Export to JAR• Command line to run is:

• java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp

Limitations

• We haven’t coded to handle/decode the response

• Just do the same in reverse• processHttpMessage fires before

processProxyMessage so we can’t alter then re-encode message

• Solution: chain two Burp instances together

Attribution

• All lolcatz courtesy of lolcats.com• No cats were harming in the making of this

workshop• Though some keyboards were….

Questions

?



Technology

Burp plugin development for java n00bs (44 con)