SlideShare a Scribd company logo

Burp plugin development for java n00bs (44 con)

Download as PPTX, PDF
Marc Wickenden
Marc Wickenden

Introduction to using BurpExtender to write plugins for Web application assessment tool Burp Suite. Aimed at testers who have never coded Java before.

TechnologyEducation
1 of 65
Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
I am a Java n00b
If you already know Java You’re either: • In the wrong room • About to be really offended!
Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
The problem
I wrote a plugin Coding by Google FTW!
How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
Download Eclipse Classic Or install from your USB drive
Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
Create a new package • File > New > Package • Enter burp as the name • Click Finish
Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
We’re ready to type
Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
Select Java Application • Under Matching items select StartBurp – burp • Click OK
Burp runs • Check Alerts tab • View registration of BurpExtender class
Console output • The console window shows output from the application • Note the “Hello World!”s
Congratulations
What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
• Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
Decoding the Fastinfoset to console
First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
Decoding Fastinfoset through Proxy
We’re nearly there……
Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements
www.7elements.co.uk | blog.7elements.co.uk | @7elements

Recommended

Burp suite
Burp suiteBurp suite
Burp suitehamdi_sevben
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug BountyNull Bhubaneswar
 
Jenkins-CI
Jenkins-CIJenkins-CI
Jenkins-CIGong Haibing
 
AWS Code-Deploy
AWS Code-DeployAWS Code-Deploy
AWS Code-DeployKnoldus Inc.
 
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...Amazon Web Services
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 

Recommended

Burp suite
Burp suiteBurp suite
Burp suitehamdi_sevben
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug BountyNull Bhubaneswar
 
Jenkins-CI
Jenkins-CIJenkins-CI
Jenkins-CIGong Haibing
 
AWS Code-Deploy
AWS Code-DeployAWS Code-Deploy
AWS Code-DeployKnoldus Inc.
 
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...
Infrastructure Automation on AWS using a Real-World Customer Example - Sessio...Amazon Web Services
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
tmux
tmuxtmux
tmuxJason Lotito
 
AWS CloudFormation Best Practices
AWS CloudFormation Best PracticesAWS CloudFormation Best Practices
AWS CloudFormation Best PracticesAmazon Web Services
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Jenkins for java world
Jenkins for java worldJenkins for java world
Jenkins for java worldAshok Kumar
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解Yi-Feng Tzeng
 
Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdfLibbySchulze
 
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1Ji-Woong Choi
 
Flutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development FrameworkFlutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development Frameworkdeveloperonrents
 
AWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAmazon Web Services
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
AWS AutoScaling
AWS AutoScalingAWS AutoScaling
AWS AutoScalingMahesh Raj
 
Flutter A year of creativity!
Flutter A year of creativity!Flutter A year of creativity!
Flutter A year of creativity!Ahmed Abu Eldahab
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Flexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with KongFlexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with KongSven Bernhardt
 
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel AvivElastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel AvivAmazon Web Services
 
S60 3rd FP2 Widgets
S60 3rd FP2 WidgetsS60 3rd FP2 Widgets
S60 3rd FP2 Widgetsromek
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 

More Related Content

What's hot

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
AWS CloudFormation Best Practices
AWS CloudFormation Best PracticesAWS CloudFormation Best Practices
AWS CloudFormation Best PracticesAmazon Web Services
 
Jenkins for java world
Jenkins for java worldJenkins for java world
Jenkins for java worldAshok Kumar
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解Yi-Feng Tzeng
 
Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdfLibbySchulze
 
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1Ji-Woong Choi
 
Flutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development FrameworkFlutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development Frameworkdeveloperonrents
 
AWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAmazon Web Services
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
AWS AutoScaling
AWS AutoScalingAWS AutoScaling
AWS AutoScalingMahesh Raj
 
Flutter A year of creativity!
Flutter A year of creativity!Flutter A year of creativity!
Flutter A year of creativity!Ahmed Abu Eldahab
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Flexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with KongFlexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with KongSven Bernhardt
 
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel AvivElastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel AvivAmazon Web Services
 
S60 3rd FP2 Widgets
S60 3rd FP2 WidgetsS60 3rd FP2 Widgets
S60 3rd FP2 Widgetsromek
 

What's hot (20)

Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Burp suite
Burp suiteBurp suite
Burp suite
 
tmux
tmuxtmux
tmux
 
AWS CloudFormation Best Practices
AWS CloudFormation Best PracticesAWS CloudFormation Best Practices
AWS CloudFormation Best Practices
 
Nikto
NiktoNikto
Nikto
 
Jenkins for java world
Jenkins for java worldJenkins for java world
Jenkins for java world
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
[BizLePro] 主題講座 #7:商業利用怎麼行? - 從開源授權十個常見 FAQ 來了解
 
Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdf
 
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
OpenStack 인스턴스 간략 사용자_매뉴얼(liberty)_v1
 
Flutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development FrameworkFlutter vs xamarin vs react native - Mobile App Development Framework
Flutter vs xamarin vs react native - Mobile App Development Framework
 
AWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS FailoverAWS Webcast - High Availability with Route 53 DNS Failover
AWS Webcast - High Availability with Route 53 DNS Failover
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
AWS AutoScaling
AWS AutoScalingAWS AutoScaling
AWS AutoScaling
 
Flutter A year of creativity!
Flutter A year of creativity!Flutter A year of creativity!
Flutter A year of creativity!
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
Flexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with KongFlexible, hybrid API-led software architectures with Kong
Flexible, hybrid API-led software architectures with Kong
 
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel AvivElastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
Elastic Load Balancing Deep Dive and Best Practices - Pop-up Loft Tel Aviv
 
S60 3rd FP2 Widgets
S60 3rd FP2 WidgetsS60 3rd FP2 Widgets
S60 3rd FP2 Widgets
 

Viewers also liked

Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAugust Detlefsen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonHoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonLuis Goldster
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourCyren, Inc
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)Sqa Enthusiast
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)Esteban Garzon
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringIshan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suiteAmmar WK
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning StrategiesPavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1Anil Kumar M
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its SecurityMindfire Solutions
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSecAnte Gulam
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionAshraf Bashir
 

Viewers also liked (20)

Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSec
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 

Similar to Burp plugin development for java n00bs (44 con)

Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 201244CON
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)p3castro
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Andrei KUCHARAVY
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2Uday Sharma
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Anton Arhipov
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesCharles Nutter
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgSam Bowne
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat OverviewMandi Walls
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with GoSteven Francia
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)goccy
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaattiqrocket
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operatorkamal kotecha
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 

Similar to Burp plugin development for java n00bs (44 con) (20)

Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
Presentation on java
Presentation on javaPresentation on java
Presentation on java
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with Go
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operator
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Java introduction
Java introductionJava introduction
Java introduction
 

Recently uploaded

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Burp plugin development for java n00bs (44 con)

  • 1. Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 2. /me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 3. I am a Java n00b
  • 4. If you already know Java You’re either: • In the wrong room • About to be really offended!
  • 5. Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
  • 7.
  • 8. The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
  • 10. I wrote a plugin Coding by Google FTW!
  • 11. How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
  • 12. Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
  • 13. Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
  • 14. Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
  • 15. Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
  • 16. Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
  • 17. Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
  • 18. Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
  • 20.
  • 22. First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
  • 23. Download Eclipse Classic Or install from your USB drive
  • 24. Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
  • 25. Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
  • 27. Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
  • 28.
  • 29. Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
  • 30. Create a new package • File > New > Package • Enter burp as the name • Click Finish
  • 31. Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
  • 32.
  • 34. Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
  • 35. Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
  • 36. IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
  • 37. In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
  • 38. Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
  • 39. Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
  • 40. Select Java Application • Under Matching items select StartBurp – burp • Click OK
  • 41. Burp runs • Check Alerts tab • View registration of BurpExtender class
  • 42. Console output • The console window shows output from the application • Note the “Hello World!”s
  • 44.
  • 45. What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
  • 47. RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
  • 48.
  • 49. We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
  • 50.
  • 51. • Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
  • 53. First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
  • 54.
  • 55. Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
  • 56.
  • 58.
  • 60.
  • 61. Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
  • 62. Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
  • 63. Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
  • 64. Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements

Editor's Notes

  1. In the wrong roomAbout to be really offendedI don’t know much about Java, I don’t know the right terms for things and I don’t know the best style of writing it. But this code will work and that’s my primary objective today.It don’t have to be pretty, it just has to work. That’s the difference between delivering a good test or a bad one imho
  2. So, what are we going to cover?
  3. Can’t do a slide deck without cats
  4. Particularly Professional
  5. Previous app testWCF Service written in C#Not using WCF Binary protocolSOAP with Fastinfoset XML encodingBurp Suite couldn’t read it
  6. IntelliJ Community Edition is availableWe’re going with Eclipse because it works and is free and fully functionalYou can port this learning to anything else
  7. SHA1’s are here if you want to verify them
  8. Package Explorer – like a directory listing of your classes and src filesMain window where we edit filesTask list – I normally close this to be honestOutline view, quite useful, gives a break down of methods, properties of classes you are working onProblems – keep your eye on this bad boy, can be very useful
  9. Notice how it’s already popping up little tips. In this case we’ve declared an import but not used any of the classes.We’ll fix that…
  10. Javadoc is the Java standard for documentation. It is generated automatically from comments in the code.Burp Extender has javadoc available online. We are going to use this a lot.Let’s start…..er, right….
  11. This is our bare bones. Note the import burp.*; isn’t shown
  12. Don’t worry too much about what it all means just at the secondhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Hello%20World!
  13. Congratulations, you’re first Burp plugin
  14. This code is however, as useful as one of these
  15. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Interface%20Flow
  16. Our problem was fastinfoset. Start google coding: find out about it, look for code snippets. Work out the approach.
  17. We’ve imported some fastinfoset classes but Eclipse is telling us it can’t find them. We need to add an external jar.
  18. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder
  19. https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Two
  20. That’s great, writing out to the console – but we need to intercept and send onwardsWe need to shuffle stuff around a bit then..https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Three
  21. Walk through adding code to processProxyMessageShow how we can decode in the Burp Proxy window by returning new byte[]Then how it fails because the app receives plain text not FI
  22. Now we add a re-encode method to the processHttpMessage using custom HTTP headerWe can exploit the flow order in Burp.Remember proxyProxyMessage is called *before* processHttpMessage– winhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Four