AppSec USA 2014
Denver, Colorado
Customizing Burp Suite
Getting the Most out of Burp Extensions
August Detlefsen
Senior Application Security Consultant
Author
• [email protected]
• @codemagi
• http://www.codemagi.com/blog
Burp Suite
• Burp Suite is a powerful tool for performing security assessments
• Burp Plugin API allows new features to be added
www.portswigger.net/burp/extender
What Can I Do With Plugins?
• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder
• Create new payload types
• Automate Authentication
• Much, Much More
Prerequisites
• Burp Suite Pro v1.5.x+
• Java 1.6.x+
• NetBeans
• Other programming languages
– Jython
– JRuby
Creating an Extension
• Download the Extender API from Portswigger:
portswigger.net/burp/extender/api/burp_extender_api.zip
• Or export the API from within Burp
Creating an Extension
• Create a new project with existing sources:
Creating an Extension
• Create the BurpExtender class
– In package ‘burp’
– Implement IBurpExtender
Creating an Extension
• Implement registerExtenderCallbacks
Load the Extension into Burp Suite
Passive Scanning
• Search responses for problematic values
• Built-in passive scans
– Credit card numbers
– Known passwords
– Missing headers
Building a Passive Scanner
Passive Scanning – Room for Improvement
• Error Messages
• Software Version Numbers
Building a Passive Scanner
• Implement the IScannerCheck interface:
• Register the extension as a scanner:
IScannerCheck.doPassiveScan()
IScannerCheck.consolidateDuplicateIssues()
• Ensure an issue is only posted to the scanner once
IScannerCheck.doActiveScan()
• Only needed for active scans
Active Scanning
• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
– XSS
– SQL Injection
– Path Traversal
– etc.
Building an Active Scanner
IScannerCheck.doActiveScan()
Insertion Points
• Locations of parameters in request
• Contain data the server will act upon
Defining Insertion Points
• Implement IScannerInsertionPointProvider
– getInsertionPoints()
• Register as an insertion point provider
BurpExtender.getInsertionPoints()
Viewing Insertion Points
• Add menu option to send request to Intruder
• Implement IContextMenuFactory
– createMenuItems()
• Register as a menu factory
BurpExtender.createMenuItems()
MenuItemListener
BurpExtender.sendGWTToIntruder()
Modifying Requests
• Add custom headers
• Add signatures
• CSRF tokens
Modifying Requests
• Implement IHttpListener
– processHttpMessage()
• Register as an HTTP Listener
BurpExtender.processHttpMessage()
BurpExtender.signRequest()
Debugging
• callbacks.printOutput(String)
• callbacks.printError(String)
Utilities
Debugging – Stack Traces
• Exception.printStackTrace()
• Get the error OutputStream
• Print a stack trace to the stream
Summary
• Setup
• Passive Scanning
• Active Scanning
• Handling custom request types
• Utilities
Extension Downloads
• Download Extensions at:
www.codemagi.com/downloads
• Source code on Google Code
Resources
Build Extensions!
Customize YOUR Hacking!
Profit!