Customizing Burp Suite - Getting the Most out of Burp Extensions

AppSec USA 2014, Denver, Colorado: Customizing Burp Suite - Getting the Most out of Burp Extensions

Upload: august-detlefsen

Post on 09-Jun-2015


Category: Technology


DESCRIPTION

This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author, I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:

- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification

The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.

TRANSCRIPT

Page 1: Customizing Burp Suite - Getting the Most out of Burp Extensions

AppSec USA 2014

Denver, Colorado

Customizing Burp Suite

Getting the Most out of Burp Extensions

Page 2

August Detlefsen
Senior Application Security Consultant
Author

• [email protected]
• @codemagi
• http://www.codemagi.com/blog

Page 3

Burp Suite
• Burp Suite is a powerful tool for performing security assessments
• Burp Plugin API allows new features to be added

www.portswigger.net/burp/extender

Page 4

What Can I Do With Plugins?
• Passive Scanning
• Active Scanning
• Alter/append requests
• Define Insertion Points for Scanner/Intruder
• Create new payload types
• Automate Authentication
• Much, Much More

Page 5

Prerequisites
• Burp Suite Pro v1.5.x+
• Java 1.6.x+
• NetBeans
• Other programming languages
  – Jython
  – JRuby

Page 6

Creating An Extension
• Download the Extender API from Portswigger:
  portswigger.net/burp/extender/api/burp_extender_api.zip
• Or export the API from within Burp

Page 7

Creating an Extension
• Create a new project with existing sources:

Page 8

Creating an Extension
• Create the BurpExtender class
  – In package ‘burp’
  – Implement IBurpExtender

Page 9

Creating an Extension

Page 10

Creating an Extension
• Implement registerExtenderCallbacks

Page 11

Load the Extension into Burp Suite

Page 12

Passive Scanning
• Search responses for problematic values
• Built-in passive scans
  – Credit card numbers
  – Known passwords
  – Missing headers

Building a Passive Scanner

Page 13

Passive Scanning – Room for Improvement
• Error Messages
• Software Version Numbers

Page 14

Building a Passive Scanner
• Implement the IScannerCheck interface:
• Register the extension as a scanner:

Page 15

IScannerCheck.doPassiveScan()

Page 16

IScannerCheck.doPassiveScan()

Page 17

IScannerCheck.consolidateDuplicateIssues()
• Ensure an issue is only posted to scanner once

Page 18

IScannerCheck.doActiveScan()
• Only needed for active scans
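The following is an added example, not code from the talk or from the author's published extensions. It puts slides 6 to 18 together in one file: the BurpExtender class in package burp, registerExtenderCallbacks registering the class as an IScannerCheck, a doPassiveScan that flags software version numbers in response headers (the "room for improvement" item from slide 13), consolidateDuplicateIssues, and the empty doActiveScan a passive-only check needs. The header regex, the issue name and the remediation text are assumptions; the Burp API calls are the standard Extender API.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, IScannerCheck {
    // Assumed pattern: a Server or X-Powered-By header carrying a dotted version number (e.g. "Apache/2.4.7")
    private static final Pattern VERSION = Pattern.compile("(?i)(server|x-powered-by):\\s*.*\\d+\\.\\d+.*");
    private IExtensionHelpers helpers;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Version disclosure (passive check)");
        callbacks.registerScannerCheck(this);  // register the extension as a scanner (slide 14)
    }
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        byte[] response = base.getResponse();
        if (response == null) return null;
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        for (String header : helpers.analyzeResponse(response).getHeaders()) {  // first element is the status line
            if (VERSION.matcher(header).matches()) {
                issues.add(new VersionIssue(helpers.analyzeRequest(base).getUrl(), base, header));
            }
        }
        return issues.isEmpty() ? null : issues;  // null tells Burp there is nothing to report
    }
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        // Same header on the same URL is one finding: -1 keeps the existing issue only (slide 17)
        return existing.getIssueDetail().equals(fresh.getIssueDetail()) ? -1 : 0;
    }
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint point) {
        return null;  // passive-only check; doActiveScan is only needed for active scans (slide 18)
    }
    /** Minimal IScanIssue; 0x08000000 is the issue type Burp reserves for extension-generated findings. */
    static class VersionIssue implements IScanIssue {
        private final URL url; private final IHttpRequestResponse msg; private final String header;
        VersionIssue(URL url, IHttpRequestResponse msg, String header) { this.url = url; this.msg = msg; this.header = header; }
        public URL getUrl() { return url; }
        public String getIssueName() { return "Software version disclosed in response header"; }
        public int getIssueType() { return 0x08000000; }
        public String getSeverity() { return "Low"; } public String getConfidence() { return "Certain"; }
        public String getIssueBackground() { return null; } public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return "Response header: " + header; }
        public String getRemediationDetail() { return "Suppress or generalise version strings in server headers."; }
        public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[]{msg}; }
        public IHttpService getHttpService() { return msg.getHttpService(); }
    }
}
```

Build it against the burp_extender_api.zip interfaces from slide 6, load the jar in the Extender tab (slide 11), and the finding appears once per URL in the Scanner results.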

Page 19

Active Scanning
• Issue requests containing attacks
• Look for indication of success in response
• Built-In Active Scans
  – XSS
  – SQL Injection
  – Path Traversal
  – etc.

Building an Active Scanner

Page 20

IScannerCheck.doActiveScan()

Page 21

Insertion Points
• Locations of parameters in request
• Contain data the server will act upon

Page 22

Page 23

Page 24

Defining Insertion Points
• Implement IScannerInsertionPointProvider
  – getInsertionPoints()
• Register as an insertion point provider

Page 25

BurpExtender.getInsertionPoints()

Page 26

Page 27

Viewing Insertion Points
• Add menu option to send request to Intruder
• Implement IContextMenuFactory
  – createMenuItems()
• Register as a menu factory

Page 28

BurpExtender.createMenuItems()

Page 29

MenuItemListener

Page 30

BurpExtender.sendGWTToIntruder()

Page 31

Page 32
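An added example (not the talk's own extension, which targets GWT requests) covering slides 21 to 32 in one class: an IScannerInsertionPointProvider that turns each field of a custom request body into an insertion point, and an IContextMenuFactory whose menu item sends the same request to Intruder with those offsets as payload positions, the pattern behind sendGWTToIntruder(). The body format is a constructed pipe-delimited record, and gating on IRequestInfo.CONTENT_TYPE_UNKNOWN (Burp did not recognise the body itself) is an assumption; everything else is the standard Extender API.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.swing.JMenuItem;

public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider, IContextMenuFactory {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Pipe-record insertion points");
        callbacks.registerScannerInsertionPointProvider(this);  // register as an insertion point provider (slide 24)
        callbacks.registerContextMenuFactory(this);             // register as a menu factory (slide 27)
    }
    // Constructed body format (not GWT-RPC): '|'-separated fields such as "7|alice|42|true".
    // Returns [from, to) byte offsets of each field; empty when Burp already parses the body or there is none.
    List<int[]> fieldOffsets(byte[] request) {
        IRequestInfo info = helpers.analyzeRequest(request);
        List<int[]> offsets = new ArrayList<int[]>();
        if (info.getContentType() != IRequestInfo.CONTENT_TYPE_UNKNOWN || info.getBodyOffset() >= request.length) return offsets;
        int start = info.getBodyOffset();
        for (int i = start; i <= request.length; i++) {
            if (i == request.length || request[i] == '|') { offsets.add(new int[]{start, i}); start = i + 1; }
        }
        return offsets;
    }
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        byte[] request = base.getRequest();
        List<IScannerInsertionPoint> points = new ArrayList<IScannerInsertionPoint>();
        for (int[] o : fieldOffsets(request)) {  // Burp's built-in checks then run at each field
            points.add(helpers.makeScannerInsertionPoint("pipe field " + points.size(), request, o[0], o[1]));
        }
        return points.isEmpty() ? null : points;  // null: fall back to Burp's own insertion points
    }
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        final IHttpRequestResponse[] selected = invocation.getSelectedMessages();
        if (selected == null || selected.length != 1) return null;  // no menu entry unless exactly one message
        JMenuItem item = new JMenuItem("Send pipe fields to Intruder");
        item.addActionListener(e -> {
            IHttpService svc = selected[0].getHttpService();
            byte[] req = selected[0].getRequest();
            // The same offsets the Scanner uses become Intruder payload positions (slide 30 pattern)
            callbacks.sendToIntruder(svc.getHost(), svc.getPort(), "https".equals(svc.getProtocol()), req, fieldOffsets(req));
        });
        return Arrays.asList(item);
    }
}
```

Opening the request in Intruder after using the menu item is the quickest way to check that the offsets line up with the fields, which is the "Viewing Insertion Points" step of slide 27.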

Page 33

Modifying Requests
• Add custom headers
• Add signatures
• CSRF tokens

Modifying Requests

Page 34

Modifying Requests
• Implement IHttpListener
  – processHttpMessage()
• Register as an HTTP Listener

Page 35

BurpExtender.processHttpMessage()

Modifying a Request

Page 36

BurpExtender.signRequest()
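An added example, not the author's signRequest(), for slides 33 to 36: an IHttpListener whose processHttpMessage() re-signs requests that Scanner, Intruder or Repeater are about to send, so a test API that rejects unsigned or stale-signed requests can still be exercised. The HMAC-SHA256 scheme, the X-Signature header name and the placeholder key are assumptions; the catch block also shows the stack-trace-to-error-stream technique from the Debugging slides.

```java
package burp;

import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final byte[] SIGNING_KEY = "REPLACE-WITH-TEST-API-KEY".getBytes();  // placeholder, not a real key
    private static final String SIG_HEADER = "X-Signature";  // assumed header name the target API checks
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("HMAC request signer");
        callbacks.registerHttpListener(this);  // register as an HTTP listener (slide 34)
    }

    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        // Sign only outgoing requests, and only from the tools that rewrite or replay them;
        // proxied browser traffic already carries the client's own signature
        if (!messageIsRequest) return;
        if (toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER && toolFlag != IBurpExtenderCallbacks.TOOL_INTRUDER
                && toolFlag != IBurpExtenderCallbacks.TOOL_REPEATER) return;
        try {
            messageInfo.setRequest(signRequest(messageInfo));
        } catch (Exception e) {
            // Slide 39: a full stack trace on the extension's error stream beats a one-line printError()
            e.printStackTrace(new PrintWriter(callbacks.getStderr(), true));
        }
    }
    /** Replaces any stale signature header with HMAC-SHA256 over method, path+query and body. */
    byte[] signRequest(IHttpRequestResponse msg) throws Exception {
        byte[] request = msg.getRequest();
        IRequestInfo info = helpers.analyzeRequest(msg);  // the IHttpRequestResponse form is needed for getUrl()
        List<String> headers = info.getHeaders();
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SIGNING_KEY, "HmacSHA256"));
        mac.update((info.getMethod() + "\n" + info.getUrl().getFile() + "\n").getBytes("UTF-8"));
        String signature = helpers.base64Encode(mac.doFinal(body));
        // Drop a signature left over from an earlier edit so the server sees exactly one
        headers.removeIf(h -> h.regionMatches(true, 0, SIG_HEADER + ":", 0, SIG_HEADER.length() + 1));
        headers.add(SIG_HEADER + ": " + signature);
        return helpers.buildHttpMessage(headers, body);  // also fixes up Content-Length for the body
    }
}
```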

Page 37

Debugging
• callbacks.printOutput(String)
• callbacks.printError(String)

Utilities

Page 38

Page 39

Debugging – Stack Traces
• Exception.printStackTrace()
• Get the error OutputStream
• Print a stack trace to the stream

Page 40

Page 41

Summary
• Setup
• Passive Scanning
• Active Scanning
• Handling custom request types
• Utilities

Page 42

Extension Downloads
• Download Extensions at:
  www.codemagi.com/downloads
• Source code on Google Code

Resources

Page 43

Build Extensions!
Customize YOUR Hacking!

Profit!