Customizing Burp Suite - Getting the Most out of Burp Extensions

AppSec USA 2014, Denver, Colorado


DESCRIPTION

This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author, I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:

• Passive scanning
• Active scanning
• Identifying insertion points
• Request modification

The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.


August Detlefsen
Senior Application Security Consultant
Author

• [email protected]
• @codemagi
• http://www.codemagi.com/blog

Burp Suite

• Burp Suite is a powerful tool for performing security assessments
• Burp Plugin API allows new features to be added

www.portswigger.net/burp/extender

What Can I Do With Plugins?

• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder
• Create new payload types
• Automate Authentication
• Much, Much More

Prerequisites

• Burp Suite Pro v 1.5.x+
• Java 1.6.x+
• NetBeans
• Other programming languages
  – Jython
  – JRuby

Creating An Extension

• Download the Extender API from Portswigger: portswigger.net/burp/extender/api/burp_extender_api.zip
• Or export the API from within Burp

Creating an Extension

• Create a new project with existing sources:

Creating an Extension

• Create the BurpExtender class
  – In package ‘burp’
  – Implement IBurpExtender


Creating an Extension

• Implement registerExtenderCallbacks


Load the Extension into Burp Suite
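The setup steps above as one file, written here as an added example (it is not code from the slides or from the author's plugins): a BurpExtender class in package burp that implements IBurpExtender, fills in registerExtenderCallbacks, and is then loaded from the Extender tab. It assumes the Extender API interfaces exported from Burp are on the classpath; the extension name and log lines are made up for the example.

```java
package burp;

import java.io.PrintWriter;

// Added example, not code from the slides: the smallest extension Burp will load.
// Assumes the Extender API classes exported from Burp (IBurpExtender etc.) are on the classpath.
public class BurpExtender implements IBurpExtender, IExtensionStateListener {

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stdout;

    // Burp calls this exactly once, when the JAR is added under Extender > Extensions.
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        // The callbacks object is the only handle back into Burp; keep it.
        this.callbacks = callbacks;
        // Helpers parse and build HTTP messages so the extension does not have to.
        this.helpers = callbacks.getHelpers();
        // Wrap Burp's output stream once; autoflush so lines appear immediately.
        this.stdout = new PrintWriter(callbacks.getStdout(), true);

        // Name shown in the Extensions list (made up for the example).
        callbacks.setExtensionName("Hello Burp (example)");
        callbacks.registerExtensionStateListener(this);

        // Later sections register further capabilities here, each backed by an
        // interface this class would also implement:
        //   callbacks.registerScannerCheck(this);        // IScannerCheck
        //   callbacks.registerHttpListener(this);        // IHttpListener
        //   callbacks.registerContextMenuFactory(this);  // IContextMenuFactory

        String[] v = callbacks.getBurpVersion(); // {product name, major, minor}
        stdout.println("Loaded into " + v[0] + " " + v[1] + "." + v[2]);
    }

    // Called when the user unloads the extension; release threads or sockets here.
    @Override
    public void extensionUnloaded() {
        stdout.println("Unloaded");
    }
}
```

Build the class into a JAR (the Extender API sources compiled alongside it) and add the JAR under Extender > Extensions; the two println lines show up on the extension's Output tab, which is the quickest way to confirm the class was found and registerExtenderCallbacks actually ran.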

Building a Passive Scanner

Passive Scanning

• Search responses for problematic values
• Built-in passive scans
  – Credit card numbers
  – Known passwords
  – Missing headers

Passive Scanning – Room for Improvement

• Error Messages
• Software Version Numbers

Building a Passive Scanner

• Implement the IScannerCheck interface:
• Register the extension as a scanner:

IScannerCheck.doPassiveScan()


IScannerCheck.consolidateDuplicateIssues()

• Ensure an issue is only posted to scanner once

IScannerCheck.doActiveScan()

• Only needed for active scans

Building an Active Scanner

Active Scanning

• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
  – XSS
  – SQL Injection
  – Path Traversal
  – etc

IScannerCheck.doActiveScan()
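The passive-scanner slides (doPassiveScan, consolidateDuplicateIssues) and the active-scanner slides (doActiveScan) both need the same IScanIssue carrier class, so one added example covers both; it is not the author's plugin. The passive check picks up the "software version numbers" case from the Room for Improvement slide by matching version strings in Server / X-Powered-By response headers; the active check sends one harmless unique token into each insertion point Burp offers and reports when the token is echoed back verbatim. The issue names, the header pattern, the token format and the "Low"/"Information" ratings are assumptions for the example; the 0x08000000 issue type is the value the Extender API reserves for extension-generated issues.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the author's plugin: one IScannerCheck that runs a passive check
// (version-revealing Server / X-Powered-By headers) and an active reflection check.
// Issue names, the pattern and the probe token are assumptions made for the example.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    // Matches headers such as "Server: Apache/2.4.7" or "X-Powered-By: PHP/5.5.9".
    private static final Pattern VERSION_HEADER =
            Pattern.compile("(?i)^(Server|X-Powered-By):.*[A-Za-z]/\\d+(\\.\\d+)+");

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Version + reflection checks (example)");
        callbacks.registerScannerCheck(this); // "register the extension as a scanner"
    }

    // Passive: inspect traffic Burp already has; never send anything.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        byte[] resp = base.getResponse();
        if (resp == null) return null;
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        for (String header : helpers.analyzeResponse(resp).getHeaders()) {
            if (!VERSION_HEADER.matcher(header).find()) continue;
            // Locate the header bytes so the Scanner can highlight them in the response.
            int at = helpers.indexOf(resp, helpers.stringToBytes(header), false, 0, resp.length);
            issues.add(issue(base, base, null, at < 0 ? null : mark(at, at + header.length()),
                    "Software version disclosed in response header",
                    "The header <b>" + header + "</b> reveals a product version.", "Low", "Certain"));
        }
        return issues.isEmpty() ? null : issues;
    }

    // Active: Burp calls this once per insertion point. Send one probe carrying a
    // unique token and report if the token comes back unmodified.
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint point) {
        byte[] token = helpers.stringToBytes("bxr" + Long.toHexString(System.nanoTime()));
        IHttpRequestResponse probe = callbacks.makeHttpRequest(base.getHttpService(), point.buildRequest(token));
        byte[] resp = probe.getResponse();
        int at = resp == null ? -1 : helpers.indexOf(resp, token, false, 0, resp.length);
        if (at < 0) return null;
        int[] req = point.getPayloadOffsets(token); // may be null for some insertion points
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        issues.add(issue(base, probe, req == null ? null : mark(req[0], req[1]), mark(at, at + token.length),
                "Input reflected in response",
                "The value of <b>" + point.getInsertionPointName() + "</b> is echoed unmodified.",
                "Information", "Firm"));
        return issues;
    }

    // Burp asks this when the check reports several issues for one URL path:
    // -1 keeps the existing issue, 0 keeps both, 1 replaces it with the new one.
    @Override
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        return existing.getIssueName().equals(fresh.getIssueName()) ? -1 : 0;
    }

    private static List<int[]> mark(int start, int end) {
        List<int[]> m = new ArrayList<int[]>();
        m.add(new int[] { start, end });
        return m;
    }

    private IScanIssue issue(IHttpRequestResponse base, IHttpRequestResponse evidence, List<int[]> reqMarks,
                             List<int[]> respMarks, String name, String detail, String severity, String confidence) {
        URL url = helpers.analyzeRequest(base).getUrl();
        IHttpRequestResponse[] msgs = { callbacks.applyMarkers(evidence, reqMarks, respMarks) };
        return new CustomScanIssue(base.getHttpService(), url, msgs, name, detail, severity, confidence);
    }

    // Minimal IScanIssue carrier; 0x08000000 is the issue type reserved for extensions.
    static class CustomScanIssue implements IScanIssue {
        private final IHttpService service; private final URL url; private final IHttpRequestResponse[] msgs;
        private final String name, detail, severity, confidence;
        CustomScanIssue(IHttpService service, URL url, IHttpRequestResponse[] msgs,
                        String name, String detail, String severity, String confidence) {
            this.service = service; this.url = url; this.msgs = msgs;
            this.name = name; this.detail = detail; this.severity = severity; this.confidence = confidence;
        }
        public URL getUrl() { return url; }
        public String getIssueName() { return name; }
        public int getIssueType() { return 0x08000000; }
        public String getSeverity() { return severity; }     // High, Medium, Low, Information
        public String getConfidence() { return confidence; } // Certain, Firm, Tentative
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return detail; }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return msgs; }
        public IHttpService getHttpService() { return service; }
    }
}
```

Two design points worth noting: consolidateDuplicateIssues keys on the issue name, so a version header seen on fifty pages under one path is reported once rather than fifty times; and applyMarkers is what makes the finding reviewable, because without the offset pairs the Scanner shows the message but nothing is highlighted.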

Insertion Points

• Locations of parameters in request
• Contain data the server will act upon


Defining Insertion Points

• Implement IScannerInsertionPointProvider
  – getInsertionPoints()
• Register as an insertion point provider

BurpExtender.getInsertionPoints()


Viewing Insertion Points

• Add menu option to send request to Intruder
• Implement IContextMenuFactory
  – createMenuItems()
• Register as a menu factory

BurpExtender.createMenuItems()

MenuItemListener

BurpExtender.sendGWTToIntruder()
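The Defining Insertion Points slides (IScannerInsertionPointProvider, getInsertionPoints) and the Viewing Insertion Points slides (IContextMenuFactory, createMenuItems, a listener that sends the request to Intruder) share the same parsing of the custom request format, so one added example serves both. It is not the author's GWT plugin: it assumes a simpler custom body made of '|'-separated fields that Burp's built-in parser does not split into parameters, turns each field into a Scanner insertion point, and adds a context-menu item that sends the same request to Intruder with each field marked as a payload position. The field naming and the menu label are made up for the example.

```java
package burp;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.swing.JMenuItem;

// Added example, not the author's GWT plugin. Assumes a custom body of '|'-separated
// fields; each field becomes a Scanner insertion point, and a context-menu item sends
// the request to Intruder with the same fields marked as payload positions.
public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider, IContextMenuFactory {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Pipe-delimited insertion points (example)");
        callbacks.registerScannerInsertionPointProvider(this); // Scanner asks us for points
        callbacks.registerContextMenuFactory(this);            // right-click menu entry
    }

    // Absolute [start, end) offsets of every non-empty '|'-separated field in the body.
    // An empty list means "not our format". Scanning bytes avoids charset surprises.
    private List<int[]> fieldOffsets(byte[] request) {
        int fieldStart = helpers.analyzeRequest(request).getBodyOffset();
        List<int[]> out = new ArrayList<int[]>();
        for (int i = fieldStart; i <= request.length; i++) {
            if (i == request.length || request[i] == '|') {
                if (i > fieldStart) out.add(new int[] { fieldStart, i });
                fieldStart = i + 1;
            }
        }
        return out.size() > 1 ? out : new ArrayList<int[]>(); // need at least one delimiter
    }

    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        byte[] request = base.getRequest();
        List<IScannerInsertionPoint> points = new ArrayList<IScannerInsertionPoint>();
        int n = 0;
        for (int[] f : fieldOffsets(request)) points.add(new PipeField(request, f[0], f[1], "pipe_field_" + n++));
        return points.isEmpty() ? null : points;
    }

    // One insertion point per field: Scanner hands us a payload, we splice it into the
    // field and rebuild the message so Content-Length is recomputed by Burp.
    class PipeField implements IScannerInsertionPoint {
        private final List<String> headers;
        private final byte[] body;
        private final int start, end; // body-relative
        private final String name;

        PipeField(byte[] request, int absStart, int absEnd, String name) {
            IRequestInfo info = helpers.analyzeRequest(request);
            headers = info.getHeaders();
            body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
            start = absStart - info.getBodyOffset();
            end = absEnd - info.getBodyOffset();
            this.name = name;
        }
        public String getInsertionPointName() { return name; }
        public String getBaseValue() { return helpers.bytesToString(Arrays.copyOfRange(body, start, end)); }
        public byte getInsertionPointType() { return INS_EXTENSION_PROVIDED; }
        public byte[] buildRequest(byte[] payload) {
            // The payload is spliced raw; format-specific escaping of '|' would go here.
            byte[] b = new byte[body.length - (end - start) + payload.length];
            System.arraycopy(body, 0, b, 0, start);
            System.arraycopy(payload, 0, b, start, payload.length);
            System.arraycopy(body, end, b, start + payload.length, body.length - end);
            return helpers.buildHttpMessage(headers, b);
        }
        public int[] getPayloadOffsets(byte[] payload) {
            int bodyOffset = helpers.analyzeRequest(buildRequest(payload)).getBodyOffset();
            return new int[] { bodyOffset + start, bodyOffset + start + payload.length };
        }
    }

    // Context menu: only offered when exactly one message with a pipe body is selected.
    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        final IHttpRequestResponse[] sel = invocation.getSelectedMessages();
        if (sel == null || sel.length != 1 || sel[0].getRequest() == null
                || fieldOffsets(sel[0].getRequest()).isEmpty()) return null;
        JMenuItem item = new JMenuItem("Send to Intruder with pipe fields marked");
        item.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                IHttpService svc = sel[0].getHttpService();
                byte[] req = sel[0].getRequest();
                callbacks.sendToIntruder(svc.getHost(), svc.getPort(),
                        "https".equalsIgnoreCase(svc.getProtocol()), req, fieldOffsets(req));
            }
        });
        List<JMenuItem> items = new ArrayList<JMenuItem>();
        items.add(item);
        return items;
    }
}
```

The Intruder menu item is the debugging aid the Viewing Insertion Points slide describes: the payload positions it marks come from the same fieldOffsets() the Scanner provider uses, so a glance at the Intruder positions tab shows exactly which bytes the active scan will be allowed to vary.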


Modifying Requests

• Add custom headers
• Add signatures
• CSRF tokens

Modifying Requests

• Implement IHttpListener
  – processHttpMessage()
• Register as an HTTP Listener

BurpExtender.processHttpMessage()

BurpExtender.signRequest()
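An added example of the IHttpListener pattern from the Modifying Requests slides, covering the "add custom headers" and "add signatures" bullets; it is not the author's signRequest(). It assumes a test API that expects an X-Signature header carrying HMAC-SHA256 over "<METHOD>\n<path>\n<body>" with a shared secret; the header name, host name and secret are placeholders for the example.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the author's signRequest(). Assumptions: the target API expects an
// X-Signature header holding HMAC-SHA256 over "<METHOD>\n<path>\n<body>"; the host and
// secret below are placeholders for a test environment.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final String SIGNATURE_HEADER = "X-Signature";                      // assumed
    private static final String TARGET_HOST = "api.example.test";                       // placeholder
    private static final byte[] SECRET = "replace-with-the-test-secret".getBytes();     // placeholder

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Request signer (example)");
        callbacks.registerHttpListener(this); // "register as an HTTP listener"
    }

    // Called for every request and response passing through any Burp tool.
    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse msg) {
        if (!messageIsRequest) return; // responses need no signature
        // Only tools that rewrite requests need a fresh signature. Proxy traffic keeps
        // whatever the browser sent, so the history shows what really happened.
        if (toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER
                && toolFlag != IBurpExtenderCallbacks.TOOL_INTRUDER
                && toolFlag != IBurpExtenderCallbacks.TOOL_REPEATER) return;
        if (!TARGET_HOST.equalsIgnoreCase(msg.getHttpService().getHost())) return;
        try {
            msg.setRequest(signRequest(msg)); // replace the outgoing bytes in place
        } catch (Exception e) {
            callbacks.printError("Signing failed: " + e);
        }
    }

    // Strip any stale signature, compute a new one over method, path and body, and
    // rebuild the message through the helpers so Content-Length stays correct.
    byte[] signRequest(IHttpRequestResponse msg) throws Exception {
        IRequestInfo info = helpers.analyzeRequest(msg);
        byte[] request = msg.getRequest();
        List<String> headers = new ArrayList<String>(info.getHeaders());
        String prefix = SIGNATURE_HEADER + ":";
        for (Iterator<String> it = headers.iterator(); it.hasNext();) {
            if (it.next().regionMatches(true, 0, prefix, 0, prefix.length())) it.remove();
        }
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        mac.update((info.getMethod() + "\n" + info.getUrl().getPath() + "\n").getBytes("UTF-8"));
        headers.add(SIGNATURE_HEADER + ": " + hex(mac.doFinal(body)));
        return helpers.buildHttpMessage(headers, body);
    }

    private static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The tool-flag filter is the part that is easy to get wrong: a listener that re-signs Proxy traffic as well silently hides a broken client signature, because every request reaches the server correctly signed regardless of what the browser did. Keying on the host also keeps the secret from being attached to requests for any other site that happens to pass through Burp.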

Utilities

Debugging

• callbacks.printOutput(String)
• callbacks.printError(String)


Debugging – Stack Traces

• Exception.printStackTrace()
• Get the error OutputStream
• Print a stack trace to the stream
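The three steps above in one place, as an added example rather than code from the slides: wrap the error OutputStream from callbacks.getStderr() in a PrintWriter once, and hand that writer to printStackTrace() so the full trace lands on the extension's Errors tab. The failing operation (parsing a persisted setting) and the setting name are made up for the example.

```java
package burp;

import java.io.PrintWriter;

// Added example, not from the slides. Shows the output paths an extension has:
// printOutput/printError for one-liners, and the raw stderr stream for full stack traces.
public class BurpExtender implements IBurpExtender {
    private IBurpExtenderCallbacks callbacks;
    private PrintWriter stderr;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.setExtensionName("Logging (example)");
        // Wrap the OutputStream once, autoflush on, so traces appear on the Errors tab immediately.
        stderr = new PrintWriter(callbacks.getStderr(), true);

        // A realistic failure: a value persisted by an earlier version may not parse.
        // (The setting name is an assumption made for the example.)
        int threads = 4;
        try {
            String saved = callbacks.loadExtensionSetting("example.threads");
            if (saved != null) threads = Integer.parseInt(saved);
            callbacks.printOutput("Using " + threads + " threads");
        } catch (NumberFormatException e) {
            logException("Ignoring bad saved thread count", e);
        }
    }

    // e.printStackTrace() with no argument writes to the JVM's System.err (the console
    // Burp was launched from, if any), not to the extension's Errors tab. Passing the
    // wrapped stream sends the whole trace where the Extender UI shows it.
    void logException(String context, Throwable t) {
        callbacks.printError(context + ": " + t);
        t.printStackTrace(stderr);
    }
}
```

Keeping the one-line summary on printError and the full trace on the stream gives a readable Errors tab: the first line says what failed and which operation, the trace below it says where.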


Summary

• Setup
• Passive Scanning
• Active Scanning
• Handling custom request types
• Utilities

Resources

Extension Downloads

• Download Extensions at: www.codemagi.com/downloads
• Source code on Google Code

Build Extensions!
Customize YOUR Hacking!
Profit!