burp plugin development for java n00bs - 44con 2012
DESCRIPTION
Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.
TRANSCRIPT
Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
I am a Java n00b
If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
The problem
I wrote a plugin
Coding by Google FTW!
How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
Burp Extender
• Achieves this via 6 interfaces:
  • IBurpExtender
  • IBurpExtenderCallbacks
  • IHttpRequestResponse
  • IScanIssue
  • IScanQueueItem
  • IMenuItemHandler
Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued…
• class hierarchy defined by directory structure:
• uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially ZIP file of classes/directories
Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)
Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp:
• java -jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
  • JetBrains IntelliJ (my personal favourite)
  • NetBeans (never used)
  • JCreator (again, never used)
  • Terminal/vim/javac < MOAR L33T
Download Eclipse Classic
Or install from your USB drive
Eclipse 4.2 Classic
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d
• eclipse-SDK-4.2-win32-x86_64.zip
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
• 68b1eb33596dddaac9ac71473cd1b35f51af8df7
• eclipse-SDK-4.2-win32.zip
Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
• http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
We’re ready to type
Loading external classes
• We need to tell Java about external classes
• Ruby has require
• PHP has include or require
• Perl has require
• C has include
• Java uses import
Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
• import burp.*;
IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words
public class BurpExtender {
}
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this
package burp;

import burp.*;

public class BurpExtender {
    // Burp invokes this whenever any of its tools makes an HTTP request or receives a response
    public void processHttpMessage(
            String toolName,
            boolean messageIsRequest,
            IHttpRequestResponse messageInfo) throws Exception {
        System.out.println("Hello World!");
    }
}
Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
Select Java Application
• Under Matching items select StartBurp – burp
• Click OK
Burp runs
• Check Alerts tab
• View registration of BurpExtender class
Console output
• The console window shows output from the application
• Note the “Hello World!”s
Congratulations
What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
[Diagram labels: processProxyMessage; RepeatAfterMeClient.exe; processHttpMessage; http://wc�ox/RepeaterService.svc; Burp Suite]
We’ve got to do a few things
• Split the HTTP Headers from FI body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse

• Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow
Decoding the Fastinfoset to console
First: we get it wrong
• Burp returns message body as byte[]
• Hmm, bytes are hard, let’s convert to String
• Split on \r\n\r\n
Then we do it right
• Fastinfoset is a binary encoding
• Don’t try and convert it to a String
• Now things work
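The "First: we get it wrong" and "Then we do it right" slides, together with the split and append steps listed under "We've got to do a few things", as an added example that is not the workshop's own code. The message bytes, the Content-Type value and the explicit UTF-8 decode are assumptions made here (the slides do not say which charset the String conversion used); it shows the String round trip altering a binary body while slicing the byte[] leaves it intact.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SplitHttpBody {
    private static final byte[] SEP = {'\r', '\n', '\r', '\n'};

    // Index of the first body byte, or -1 if the blank line is missing.
    static int bodyOffset(byte[] msg) {
        for (int i = 0; i + SEP.length <= msg.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(msg, i, i + SEP.length), SEP)) return i + SEP.length;
        }
        return -1;
    }

    // "We get it wrong": round-trip the whole message through a String.
    static byte[] bodyViaString(byte[] msg) {
        String[] parts = new String(msg, StandardCharsets.UTF_8).split("\r\n\r\n", 2);
        return parts.length < 2 ? new byte[0] : parts[1].getBytes(StandardCharsets.UTF_8);
    }

    // "We do it right": slice the byte[]; the body is never decoded as text.
    static byte[] bodyViaBytes(byte[] msg) {
        int off = bodyOffset(msg);
        return off < 0 ? new byte[0] : Arrays.copyOfRange(msg, off, msg.length);
    }

    // Append a (possibly re-encoded) body to the header block.
    static byte[] concat(byte[] head, byte[] body) {
        byte[] out = Arrays.copyOf(head, head.length + body.length);
        System.arraycopy(body, 0, out, head.length, body.length);
        return out;
    }

    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) sb.append(String.format("%02x ", b & 0xff));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample, not a real capture: ASCII headers plus a binary body.
        byte[] head = ("POST /RepeaterService.svc HTTP/1.1\r\n"
                + "Content-Type: application/fastinfoset\r\n\r\n").getBytes(StandardCharsets.US_ASCII);
        byte[] body = {(byte) 0xE0, 0x00, 0x00, 0x01, 0x00, 0x38, (byte) 0xCF, (byte) 0x81};
        byte[] msg = concat(head, body);
        byte[] wrong = bodyViaString(msg);
        byte[] right = bodyViaBytes(msg);
        System.out.println("original  : " + hex(body));
        System.out.println("via String: " + hex(wrong) + "  intact=" + Arrays.equals(wrong, body));
        System.out.println("via byte[]: " + hex(right) + "  intact=" + Arrays.equals(right, body));
        System.out.println("rebuilt   : intact=" + Arrays.equals(concat(head, right), msg));
    }
}
```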
Decoding Fastinfoset through Proxy
We’re nearly there……
Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
• java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• Solution: chain two Burp instances together
Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….
Questions
?