Burp plugin development for java n00bs (44 con)
1. Burp Plugin Development for
Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
2. /me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
4. If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
5. Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire
your imagination
8. The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
• Burp Extender
11. How? - Burp Extender
• “allows third-party developers to extend the
functionality of Burp Suite”
• “Extensions can read and modify Burp’s
runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
13. Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
14. Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
15. Java 101 continued…
• Source files must be named after the public
class they contain
• public keyword denotes method can be called
from code in other classes or outside class
hierarchy
16. Java 101 continued…
• Package structure is mirrored by the directory structure:
• uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially a ZIP file of classes/directories (plus a META-INF/MANIFEST.MF)
17. Java 101 continued…
• void keyword indicates method will not return
data to the caller
• main method called by Java launcher to pass
control to the program
• main must accept array of String objects (args)
18. Java 101 continued…
• Java loads class (specified on CLI or in JAR
META-INF/MANIFEST.MF) and starts public
static void main method
• You’ve seen this already with Burp:
– java -jar burpsuite_pro_v1.4.12.jar
22. First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
– JetBrains IntelliJ (my personal favourite)
– NetBeans (never used)
– Jcreator (again, never used)
– Terminal/vim/javac < MOAR L33T
25. Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the
case
• Grab from Sun Oracle’s website:
• http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
27. Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
29. Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
30. Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
31. Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
34. Loading external classes
• We need to tell Java about external classes
– Ruby has require
– PHP has include or require
– Perl has require
– C has #include
– Java uses import
35. Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation (and when running from Eclipse); at runtime Burp and the plugin must share a classpath
• Need to tell our code about classes
– import burp.*;
– Strictly, a class that already lives in package burp can see the other burp classes without this import, but it does no harm
36. IBurpExtender
• Available at
http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “ Implementations must be called BurpExtender,
in the package burp, must be declared public, and
must provide a default (public, no-argument)
constructor”
37. In other words
public class BurpExtender
{
}
• Remember, Java makes you name files after
the class so that’s why we named it
BurpExtender.java
38. Add this
package burp;
import burp.*;
public class BurpExtender
{
    // Burp calls this for every request and response made by any of its tools
    public void processHttpMessage(
        String toolName,
        boolean messageIsRequest,
        IHttpRequestResponse messageInfo) throws Exception
    {
        System.out.println("Hello World!");
    }
}
39. Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
45. What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
47. (diagram) RepeatAfterMeClient.exe -> Burp Suite [processProxyMessage, then processHttpMessage] -> http://wcfbox/RepeaterService.svc
49. We’ve got to do a few things
• Split the HTTP headers from the FI (Fast Infoset) body
• Decode the FI body to XML
• Display in Burp
• Re-encode the modified version
• Append to the headers (and fix Content-Length, since the body size has changed)
• Send to the web server
• Then the same in reverse
51. • Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow (unused-import warnings rather than unresolved-class errors)
61. Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is (both JARs on the classpath, starting Burp’s main class):
• java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
• Use : instead of ; as the separator on Linux/OS X. java -jar takes a single JAR only, so it can’t be used to load the plugin alongside Burp.
62. Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• But for responses processHttpMessage fires before processProxyMessage, so once we decode for display in the Proxy there is no later hook in which to re-encode before the message reaches the client
• Solution: chain two Burp instances together
63. Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….
In the wrong room. About to be really offended. I don’t know much about Java, I don’t know the right terms for things and I don’t know the best style of writing it. But this code will work and that’s my primary objective today. It doesn’t have to be pretty, it just has to work. That’s the difference between delivering a good test or a bad one IMHO.
So, what are we going to cover?
Can’t do a slide deck without cats
Particularly Professional
Previous app test. WCF Service written in C#. Not using WCF binary protocol. SOAP with Fastinfoset XML encoding. Burp Suite couldn’t read it.
IntelliJ Community Edition is available. We’re going with Eclipse because it works and is free and fully functional. You can port this learning to anything else.
SHA1’s are here if you want to verify them
Package Explorer: like a directory listing of your classes and src files. Main window where we edit files. Task list: I normally close this to be honest. Outline view, quite useful, gives a breakdown of methods and properties of classes you are working on. Problems: keep your eye on this bad boy, can be very useful.
Notice how it’s already popping up little tips. In this case we’ve declared an import but not used any of the classes. We’ll fix that…
Javadoc is the Java standard for documentation. It is generated automatically from comments in the code. Burp Extender has javadoc available online. We are going to use this a lot. Let’s start…..er, right….
This is our bare bones. Note the import burp.*; isn’t shown.
Don’t worry too much about what it all means just at the second. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Hello%20World!
That’s great, writing out to the console, but we need to intercept and send onwards. We need to shuffle stuff around a bit then.. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Three
Walk through adding code to processProxyMessage. Show how we can decode in the Burp Proxy window by returning a new byte[]. Then how it fails because the app receives plain text, not FI.
Now we add a re-encode method to processHttpMessage using a custom HTTP header. We can exploit the flow order in Burp. Remember processProxyMessage is called *before* processHttpMessage – win. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Four
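The decode/re-encode flow from slides 49, 61 and 62 and the notes above, carried through as one complete BurpExtender. This is an added example written for this page, not the code in the 7Elements burp_workshop repository. It assumes the legacy (2012) Burp Extender API whose processProxyMessage/processHttpMessage signatures appear on the slides, and FastInfoset.jar’s org.jvnet.fastinfoset.FastInfosetSource/FastInfosetResult SAX adapters for the actual FI conversion. The X-FI-Decoded marker header, the Content-Type substring check and the helper method names are assumptions of this example.

```java
package burp;

// Added example (not from the 7Elements burp_workshop repo). Assumes the legacy 2012
// Burp Extender API used on the slides and the org.jvnet.fastinfoset classes that ship
// in FastInfoset.jar. The X-FI-Decoded marker header name is our own choice.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.jvnet.fastinfoset.FastInfosetResult;
import org.jvnet.fastinfoset.FastInfosetSource;

public class BurpExtender {
    // Added by processProxyMessage, removed again by processHttpMessage.
    private static final String MARKER = "X-FI-Decoded";

    // Proxy hook: for requests it fires BEFORE processHttpMessage, so what we return
    // here is what the Proxy shows and what you edit in intercept.
    public byte[] processProxyMessage(int messageReference, boolean messageIsRequest,
            String remoteHost, int remotePort, boolean serviceIsHttps, String httpMethod,
            String url, String resourceType, String statusCode, String responseContentType,
            byte[] message, int[] action) {
        if (!messageIsRequest) return null;             // responses not handled (slide 62)
        try {
            int split = headerEnd(message);
            if (split < 0) return null;                 // no body to decode
            List<String> headers = parseHeaders(message, split);
            if (!hasHeaderContaining(headers, "content-type", "fastinfoset")) return null;
            byte[] body = Arrays.copyOfRange(message, split + 4, message.length);
            headers.add(MARKER + ": true");             // tell processHttpMessage to re-encode
            return build(headers, fiToXml(body));
        } catch (Exception e) {
            System.err.println("FI decode failed, passing original through: " + e);
            return null;                                // null == Burp keeps the original bytes
        }
    }

    // HTTP hook: fires for every tool just before the request leaves Burp, i.e. the last
    // chance to turn the edited XML back into FI. Because it keys on the marker header and
    // not on toolName, a decoded request sent on to Repeater or Intruder is re-encoded too.
    public void processHttpMessage(String toolName, boolean messageIsRequest,
            IHttpRequestResponse messageInfo) throws Exception {
        if (!messageIsRequest) return;
        byte[] message = messageInfo.getRequest();
        int split = headerEnd(message);
        if (split < 0) return;
        List<String> headers = parseHeaders(message, split);
        if (!removeHeader(headers, MARKER)) return;     // no marker: we never decoded it
        byte[] xml = Arrays.copyOfRange(message, split + 4, message.length);
        messageInfo.setRequest(build(headers, xmlToFi(xml)));
    }

    // Offset of the CRLFCRLF separating headers from body, or -1 if there is none.
    static int headerEnd(byte[] m) {
        for (int i = 0; i + 3 < m.length; i++)
            if (m[i] == '\r' && m[i + 1] == '\n' && m[i + 2] == '\r' && m[i + 3] == '\n') return i;
        return -1;
    }

    // Request line plus header lines as a mutable list (HTTP headers are ISO-8859-1).
    static List<String> parseHeaders(byte[] m, int end) {
        String head = new String(m, 0, end, StandardCharsets.ISO_8859_1);
        return new ArrayList<String>(Arrays.asList(head.split("\r\n")));
    }

    static boolean hasHeaderContaining(List<String> headers, String name, String token) {
        for (String h : headers) {
            String l = h.toLowerCase();
            if (l.startsWith(name + ":") && l.contains(token)) return true;
        }
        return false;
    }

    // Drops every header called name (case-insensitive); true if at least one was present.
    static boolean removeHeader(List<String> headers, String name) {
        boolean found = false;
        for (Iterator<String> it = headers.iterator(); it.hasNext();) {
            if (it.next().toLowerCase().startsWith(name.toLowerCase() + ":")) {
                it.remove();
                found = true;
            }
        }
        return found;
    }

    // Re-joins headers and body. Content-Length is recomputed because decoding or
    // re-encoding changes the body size; otherwise the server reads a truncated body.
    static byte[] build(List<String> headers, byte[] body) {
        removeHeader(headers, "Content-Length");
        headers.add("Content-Length: " + body.length);
        StringBuilder sb = new StringBuilder();
        for (String h : headers) sb.append(h).append("\r\n");
        sb.append("\r\n");
        byte[] head = sb.toString().getBytes(StandardCharsets.ISO_8859_1);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(head, 0, head.length);
        out.write(body, 0, body.length);
        return out.toByteArray();
    }

    // FI -> XML and XML -> FI via the JAXP identity transform and the FI SAX adapters.
    static byte[] fiToXml(byte[] fi) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new FastInfosetSource(new ByteArrayInputStream(fi)), new StreamResult(out));
        return out.toByteArray();
    }

    static byte[] xmlToFi(byte[] xml) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new StreamSource(new ByteArrayInputStream(xml)), new FastInfosetResult(out));
        return out.toByteArray();
    }
}
```

Compile it with burpsuite.jar and FastInfoset.jar on the classpath, export it to a JAR as on slide 61, and start Burp with all three JARs on the classpath (burp.StartBurp). Leaving the Content-Type header untouched is deliberate: the server sees exactly the header it expects once the body has been re-encoded, and a request without the marker (one Burp never decoded) passes through processHttpMessage unmodified.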