
Alright everybody, let's get started, shall we. Good afternoon, welcome to BSides Las Vegas Proving Ground. This talk is Burp Suite Team Collaborator, and our speaker, we're lucky to have them today, is Tanner Barnes. A couple of announcements before we get started: we want to thank our sponsors, especially our Inner Circle sponsors critical sac and Val ml, and our Stellar sponsors Amazon, BlackBerry and the National Security Agency, my favorite. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible, so thank you all. These talks are being streamed live. As a courtesy to our speaker and audience, we ask that you check to make sure your cell phones are set to silent. If you have questions, please use the audience microphone so that YouTube can hear you; just raise your hand and I'll bring the microphone to you, although we may only have one microphone, so that may be a challenge. Okay, alright, we'll figure it out. With that said, let's get it started. Please welcome Tanner Barnes.
Thank you. First off I'd like to thank Tom; he was my mentor for this whole thing, this being my first time speaking at a conference, so he was a lot of help in making sure the slides looked somewhat presentable and I didn't sound like a complete fool. So we'll see how well he did; it's all on him if this doesn't go well, it's not me, right?

So my name is Tanner Barnes, and this is a Burp Suite plugin that I built for allowing collaborative web app testing. A little bit about who I am: I'm a full-service penetration tester. I work for a consulting firm doing everything from red teaming to social engineering. When I'm not doing that I get the pleasure of building tools that make my life and other hackers' lives easier, and before all that fun stuff I was just your average full stack developer writing software for various different companies.

So, show of hands real quick, since I have no gauge of the audience: who has used Burp Suite? Oh, perfect, this slide is way easier. For those people in the middle who don't necessarily know what it is: it is what's called a web proxy, so when you set it up with your browser, any request you make, say for google.com, will go through Burp, which logs that request in clear text, and then you can toy with it, do what you'd like, and then send it on its way. So it's pretty much the de facto tool for any type of web application testing.

So, a little bit of story time here; it's really just kind of a manifesto for why this came to be. In my job I typically deal with some more junior penetration testers, or people who maybe were less familiar with this type of space, right, and there was one week where I was on a dual engagement on a web app and I had to keep getting up, going across the room, looking at their Burp window to see what they might be doing, going back, sitting down; later in the day there'd be another problem. Then about halfway through the week I thought, well, let's just solve the getting-up thing: just export your project and mail it to me. Which worked, except by the end of the week that project was 5 gigabytes and was impossible to ship around except with these giant file transfers, or you have to log into a third app; it was a pain. So this is a week of this, I've gotten none of my work done because I'm just standing over their shoulder like "here's how you do cross-site scripting", and I was just furious. Over the weekend I thought, someone has solved this problem, this is so dumb, it's been like a day, and I was like, well, no one has, and being the true developer that I am I was like, well, I've got this, I can do this. So that's really what birthed this tool.

I was looking at the Burp Suite APIs, which you can see there in the extension store, and there was this just beautiful API request where it will take an HTTP request from the proxy, turn it into bytes, and then you can do whatever you want with it. And I thought, well, why don't I just grab a chat server and, instead of sending text, I'll just send the bytes of the request? And it worked. So in a day over the weekend I had the nuts and bolts of what is the meat of Burp Suite Team Collaborator.

So on this slide, what I was alluding to earlier: if you look at what we can do to collaboratively work in Burp Suite, we're very limited, right? You can export and merge project files, but there are a lot of cons that come with that. They're a point in time, right; so when you do it, that's it. The second you send me that and I'm midway through typing my password to that file share and you're like "oh wait, I figured it out", well, you've got to re-export it and resend it to me. Even if we do that, like I said, the projects grow to massive sizes, especially if we're dealing with some type of app where you would need a collaborative type of workload, and it's just a repeated process, right: when I fix it or find out what the solution is, I've got to export it and send it back to you, and it's just a complete waste of everyone's time. So that's what we're here to solve today.

So what the Collaborator does is it allows multiple testers to connect to one central server, and every in-scope request that you make I will see in real time, and every request I make you will see in real time. So it allows you to remotely,
anywhere in the world, with two or more people, collaboratively work on the same web app at the same time.

So how it does it: it's pretty simple, it's your standard client-server architecture. If you really want to boil this down, I've made a glorified chat server, but it's still cool. The client is written as a Burp Suite plugin in Java, because Jython is gross and you should never write anything in Java, don't do it. I tried for like a week; I was like, oh, I love Python, and then I was like, I'm not writing a Java class in a Python file, I've got better things to do. So that was done, I was like, we'll just do Java. And Go, that one's the more fun one. I never learned Go, and I saw some cool projects from some co-workers in Go and I thought, well, I'm doing this, let's learn Go. So the server is written in Go. It also has a nice ancillary benefit that the server, when you compile it, is cross-compatible, right; so when you build this thing it can run on Windows, Linux, your phone, maybe you shouldn't do that, but maybe you could. I've actually never tried that; someone should try to run this server on their phone, that would be pretty dope.

So let's look at some of the things we can do with this plugin. You can share scope with the whole team, right; so when you join a room, which we'll show in a second, you can set the scope for that room and push that scope to all the other testers. So at the click of a button you can have ten testers all with the same scope and no confusion about "what API are we doing, what app is this"; they're all on the same page. This one is pretty useful, especially if you've got people who like to troll, which is obviously no hacker in this room: by all means, you can mute anybody in the room, or the entire team in general, so that's definitely a big help for all of us. You can also say you're working on something that you'd rather not send anybody, or you're going somewhere maybe no one else should see, I won't judge: you can pause your requests and make sure those don't ever get sent to the server until you're ready to send them. And the flagship feature is you can share whole requests or individual ones with the whole group or a single teammate, right; so say I join your project a week late and there's this API I really need you to see, I can right-click inside the target map, pick that request or the whole top-level domain and send it straight to you, and you only, and you're immediately caught up on all the work I've done for the last week.

If we look at some tool specifics, drilling down a little, you can do that same sharing with both Repeater and Intruder payloads. Repeater is probably the most fun, especially if you're looking at something that's really a tough nut to crack, like a weird [inaudible] or an SSRF vulnerability; maybe I'm no good at those, but I found it, so I can ship that off to a better tester, he can toy with it, fix it, get it working and send it back to me, and I can send it and see how it works, without ever having to, if anyone's seen people do this, and I've done it, try to copy a whole Burp request into a Slack window, like "yeah, this will go well, here's this binary file I'm sending, I'm just gonna paste it in ASCII and hope it transfers well back into Burp". It's like, this is a terrible idea, right? So that's immediately solved, because we're transferring it straight to bytes and then back into a Burp object, so it doesn't do any type of weird encoding on its way there.

I will say, we'll cover this here, this is something I talked about earlier: the server allows multiple rooms at once, right; so you can have a top-level server for your whole organization and then separate team rooms for all the projects you're running, without having to spin up individual servers. Apart from that, I didn't put this on the slides but should have, my apologies: all of this is AES encrypted, and shortly, I haven't got it fully working yet, by version 2 at the end of the week, each room will be individually AES encrypted, so any one room doesn't know what any other room is doing on a project; they are all individually siloed and have their own work streams.

So here we're going to walk through the fun part. There is a demo; this is not something I just made up, it's not like a big
con; I actually do have a working product, right. So this is the UI. Can everyone see that, by the way? I hope so. No? Oh, I know what I did wrong, I didn't switch it in the slides; I have a better video, way better. That was like the first thing I got on Monday; they were like, no one has a magnifying glass. So this is the UI, right, and I have a pointer. So you have your display name, which is unique to you; you've got the server address and the port that it runs on. Currently it's tied to one port, 8989; I'm fixing that this week as well, set it to whatever port you like, have fun with it. This server password is also the AES encryption key; it's generated when you start the server, and when I fix it, it will be generated when you create a room. So it's unique to the server, and that's how you authenticate to it. So we're connecting, right; you see here on the right there are no rooms, and that's just the default setting: once you're on the server there are no rooms created.

So these are the two clients. For a lot of this demo we'll be zooming in and out of different parts; this is probably the biggest show of it: this is two Burp windows side by side, two separate clients. This one is actually on the proxy, it's actually connected; this one is not connected at all to the proxy, no requests are going through here. So here on the left I'm creating a new room. That's another kind of weird thing, a Java issue: Java creates pop-up windows on the main screen, so this is actually a bigger monitor, my laptop is below it; that's something I'm also fixing, just to do it in whatever screen you're in, but that's pretty trivial. So that's the room name for the room that we're creating, so you can see here on the left that's you in the server, and then when I make the room that's pushed to all the other clients. So this is that new room I made. Most of the UI here is right-click menus, so you just right-click in there and hit join, and then immediately you can see both testers are in the room and we're ready to get to the actual fun part. This is really quick: that's just leaving the room and rejoining, pretty simple stuff.

So here's where the real fun part is, and it happens really quick: here on the left, that's test.com coming in, and we're pushing it live to the other client without it ever being on the proxy, and you can see it's all requests, it's not just the top-level one. So in this next part I'm showing actually sending specific requests. I'm alluding to the idea that maybe I haven't actually gotten to that API; I'm joining the server, so we go to share requests and we do "to group", and immediately it's all sent over in real time. And this is just to show you don't have to necessarily do the whole thing, right; maybe there's a specific API request and we can send just that one specifically, and we'll only get just that API, if you don't want to bog someone down with an entire workload.

This is muting, right; this is also a super useful feature for some things I have coming in 2.0, you'll see that muting will be a real big feature. So here you can see we muted ourselves, and I don't think I can go back really easily, but I muted myself, and you're never going to see, we're never going to get requests from that user. This is sharing scope, right: so I set a scope here on client 1, test.com, we do "set room scope" and it's pushed immediately to all clients there. And just like, say you're late to a project and I don't have the APIs but I'm trying to get up to date, I can just do "get room scope" and I will pull that scope from the server and be right up and running, so you don't have to start at the same time. This is the opposite of muting, right; this is pausing yourself, where you'll get the requests and the other clients won't ever actually get them until you unmute yourself.

Oh, so this is the other fun part: this is the Repeater payloads, right. So this is a Repeater payload I've made, say an API; I do "share Repeater payload" and we're going to send it to the group; everyone in the group has got that Repeater payload exactly how I made it. Now maybe I only need one team member who's really good at this next part, and so it's the same thing, just like shown in the top right, I can send them specifically to a teammate. We can do the same thing with Intruder and send it straight to both. This is actually something, if you'd like to help me out: Burp Suite does not, this is maybe the one bad thing I have to say about Burp Suite, but it's very minor, you can't actually share Intruder payloads with your set custom indexes. So you can send the payload, but it will only use the default ones. If I have the indexes I can make it, but I can't actually get that information from the UI. So if you'd like to hit up PortSwigger and ask them on my behalf to make that available, that would be amazing, or tell me I'm wrong, I honestly might be wrong, so who knows. So it's the same thing, right, just in Intruder.
And that is the demo. But wait, PowerPoint, but wait, there's more. So these are some things I'm working on pretty actively here in the week; I've actually demoed this to a couple of people, they got to see it today ahead of time. So one thing you'll notice, if you pay attention when you use it full-screen, is that the only person who's going to see findings from the passive scanner is the person who makes the initial request, right; so I'll push the request and the response to your Burp, but you won't see the passive findings. Now, the nice thing is we can actually push those to your client, and it's pretty simple, so in the next week or so I'll probably have it so that if I go to an API and it passively detects, say, SQL injection, that finding will get pushed to you and also stored locally on the server, so you can actually, from a service, just see the collective findings of a whole room.

Another thing, super simple, I haven't gotten to yet: sharing of cookie jars. This is actually very useful as well if you're doing collaborative testing: I've got a set of creds I've found and I authenticate with them; when you do that in Burp Suite it stores that session cookie in Burp, so instead of me having to get on Slack and type you the credentials, it will just push that cookie to your cookie jar and you can just refresh the page and be me, or whoever you'd like to be, in that type of room scope. Pushing findings between clients goes with the findings on the server, right.

And this is the one I'm most fond of; I've got this 90% of the way there: in version 2, when you go to Repeater you'll be able to see another context menu that does "create a link", and what that will do is take that request, build a base64 hash of that, and then append it to a custom URL handler. Then what you can do is, say you're a person who does guides, right; you did some cool walkthrough on a Hack The Box machine and you're building your guide to teach the community: you can take that link, embed it in your Medium post or what have you, and if you click on that link while using my Burp plugin it will inject that into your Repeater payload. So you can literally do play-along walkthroughs of a Hack The Box type thing. Another one that I have working now: you can save connection settings, so if you're always going to the same server, if you close Burp or close the extension and reload it, you'll get those connection settings back; this is a little helpful.

And then again, for you guys, I'm sure there's something I haven't thought of that would be amazing for this tool, and so that's one thing I would like the community's help with, is getting that information. So that's part of this, right: this is where the code is, you can find it here. The first one is the client, that's the Java Burp extension, and then the server is the Go server that will help you run them. And seriously, please, someone try to run this on a phone, it'll be amazing. Please submit issues; I've already had some people tell me some things that could probably be better, please do those. If you'd like to help, I'm always open for
PRs, and then submit suggestions; I'm sure there's, again, some cool things people have thought of that I can't do. And if you'd like to ask me some stuff I haven't thought of, recovery err, that's my Twitter handle. And that is the talk, thank you.

And now it's the Q&A part. Yes sir? Yes, they just retweeted, actually, the retweet... Yeah, sorry, he asked if PortSwigger has noticed it yet. Just about 30 minutes ago they retweeted a retweet from HackerOne about the talk, so yes. Anything else? Yes ma'am. So she was asking if, while you're doing work, if I make a change to your request, is she going to know if I did that? The answer's no. That's actually a good idea; there's actually a nice way to do that, because I don't want pop-up boxes, that would be annoying, but if you change something in a tab it lights it up, so probably what I'll do is put a hidden notification; there's a Burp tab for the plugin, I'll probably put a hidden counter you can't see and just toggle it, and it should change the thing to white. The thing I worry about with that... well, yeah, that's a good idea. So the answer is no, it's just kind of streaming live; you will notice for Repeater, if they share you a Repeater payload, the Repeater tab will light up because there's a new Repeater payload, but the actual live requests in the target map, no, you'd have to be watching. Good question.

Yes sir? Correct, so, yes: is the muting handled client-side or server-side? It is actually a state on the server; it's stored client-side as well, right; so every single user can control who they mute and when they mute them, and you can mute everybody at once or handpick the people you want to mute and unmute. Thank you, Portia.

You did your first talk at the Proving Ground, so we want to award you a Most Improved... thank you.

Yes? Oh, alright, well, that's all for questions, that's all. Oh, yes, good, that's a good question. So no, not yet, but that is something very useful for 2.0. As I start working with some people who do the type of live-streaming, where they want to... and that's one of the interesting things I've been talking to people about this week, is using this in a collaborative setting, like on Twitch, to play along with people as they are teaching a topic, and of course there will always be trolls, and so yes, that's something in 2.0: whoever's running the room will have the ability to boot people off the room, for sure. Thank you.

Yes sir? I've thought about it; the one thing I worry about is almost putting too much on the UI, and most, I mean at least I always do, anybody, the people I've seen hacking, they always have another window with Slack or Discord or what have you, so it seems a bit of a repeated use case. I don't know, I personally wouldn't like it, but do it yourself. No, but yeah, so no, I wasn't planning on putting an actual dedicated chat server in there, but thank you, good question. Alright, thank you.
[Applause]