
Building Burp Extensions

BSides Charleston 2015 · 40:50 · 1.1K views · Published 2015-12
About this talk
BSides Charleston, SC 2015, Track 2 - Session 4: Building Burp Extensions. Speaker: Jason Gillam (@jgillam)
Transcript [en]

All right. Action, you going to say something? Action, action. Okay. Action. Let's start building Burp extensions. I'm actually going to talk a little bit more than just building Burp extensions; there's a little bit more to this than that.

So first of all, who am I? Senior security consultant with Secure Ideas, and for some reason my presentation just wants to keep going. I have a fairly extensive background in software development, and then I got into security several years ago, and I can't say I haven't looked back since. I haven't really wanted to go back into pure software development, but I now use those skills to build tools, scripts, so on and so forth, to make things better for us.

Open source contributor, so this is part of the reason why I have this talk: having to write Burp extensions. CO2 is one; Correlator is my latest one, which I think is pretty cool. I also have contributions into Laudanum, MobiSec, Samurai Web Testing Framework (3.3 was just released, was it earlier this week or last week?), so I've done a lot of that sort of thing. Other than that, runner, musician, and probably the most important point on the slide is that I am a home brewer as well; that's what I do for fun.

So this slide has no title: tools. What I want to do is

actually... I'm talking about tools. Think about, first of all... I think I actually recognize most of the people in this room. Why the [ __ ] aren't there more people at a Burp Suite talk? That's what I'm saying. I don't know. Do people realize what the [ __ ] you can do with this tool? I don't know. I mean, seriously, that's what I'm going to talk about. Well, you can go get more people. I will, dude. Burp Suite is... Yes, maybe that should have been your title: what the [ __ ] can you do with Burp? Maybe that would have filled the room a little quicker. Yeah.

So, tools. What I wanted to do was start off with: just think about all of the tools that you use when you're conducting pen tests, and where do those tools come from? Probably some of the tools that you're thinking about are on this slide here somewhere. So the next question is, what do all of these tools, other than the fact that they are used for pen testing, what do they all have in common? And the answer is they're all free. Oh, more people coming in. Of course. Okay, let me just back up one slide. What we're talking about is the stuff that we do for pen testing. Here's some of it, right? We've seen some of these tools before. They're all free, or they have free versions or community versions, and that's really what the crux of this talk is about: a lot of what we rely on to do our jobs is free stuff. We like free stuff, right? No, you don't like free stuff? Okay, so we like free stuff.

But it's not really free. I mean, it's free to everyone who's using it; it's free as in beer, but somebody has to put in all the effort, right? We have to actually get down and figure out how we're going to write that code that's going to automate this test, or how do we write this script, and so on and so forth, and in the case of this talk, how are we going to write a Burp extension that's going to solve some problem for us. So that's basically what I wanted to get to.

So let's start off with Burp. Does everybody know what Burp is? Yeah, everyone's nodding their head. Good. So I don't really have to talk about this slide too much. There is a free version of Burp, which is good; we like free. It's an interception proxy. It does a bunch of things. The one that we're going to talk about is the one at the very end, the last arrow there: Extender, right? Is that not CO2? No, Extender is part of

Burp. But I'm saying you can build extensions in Burp on the free version? Yeah. And they have this thing in there, and I'll show it afterwards, the BApp Store, which is basically a marketplace for extensions, although everything on there is free. And it'll tell you on the extension which ones only work with the Pro version and which work with both the free and the Pro version.

Okay, so Burp extensions. If you're going to write a Burp extension, fortunately you have options. You don't have to only know Java. You can write them in Ruby if you really want to. I don't know, do we have any Ruby people in the room? I really dislike Ruby. So, like J... yeah, no, I hate dealing with gems. Every time I install anything with Ruby, I don't know if you run into this, it's always, yeah, you've got the wrong gems installed or something, 1.2.3a... yeah, great, so now I've got to figure out how to fix this thing. And yeah, I hate dealing with Ruby.

Python is an option. It has Jython wrapped around it; you do have to actually download Jython. It's a Java version of Python, basically, because Burp itself is written in Java, so that's the reason why these other things work in sort of a container inside of Java. And then there's Java itself, and I'm going to focus on Java for a couple of reasons. One is Burp itself is written in Java; it inherently works better with Burp extensions than it does with these other languages. There are some issues with them, and you'll actually see, if you look at the PortSwigger website, home of Burp, there's instructions on there for making this work better with Python or Ruby, which involves actually increasing your memory heap, because they tend to actually use up extra memory and not release it, ever. So if you're just running one or two of them it's not usually a problem, but if you're running a lot of Python- or Ruby-based extensions, it can actually exhaust all of the memory in your Burp instance and make it crash, so that's not good.

So, all right, what we're going to be talking about is Java. And to do that... hang on a second, I just realized one of my slides is out of order. It's free. Java is free; that's good. I built a test case here, so this is a scenario. It's a mechanism that's similar to something I've run into a couple of times recently on pen tests, and the mechanism isn't username harvesting;

I just made it into a familiar form. The mechanism is actually a nonce type of mechanism, where you can't simply send requests through a fuzzer like Burp Intruder; it just won't work right out of the box, so we have to come up with a way to solve that problem. So let me... this will probably be easier if I just show it. So hopefully everything just works on here. So, yeah, can everyone see that?

So I have this login screen here, and if you type in a username and a password... yeah, there, okay, there we go, it woke up. So I typed in a user that doesn't exist in the system, and it comes back with this message: no user session with that user. Okay, if I type in... I have a test user account that I've created in here, so this user is in the system, and if you put that one in you actually get a different message. So this looks like a very classic username harvesting type of flaw, right?

So let's pop over to Burp. I'm running everything through Burp, and we'll take a look and see what's happening. Hang on a second, there's the problem. Okay. For some reason, I don't know why, but Burp seems to think that the JSON stuff is a script response. I'm not sure why. So what's actually happening when I did these two logins: you'll see that the first request... let's go back to, yeah, so here's the first request that I sent, with user equals user, and what it's doing is it's making a request for a nonce. And then on the second request, when it logs in, I don't know if you can see this, but what's being submitted is the username again, the password, and the nonce. So on the nonce response... there's the nonce on the response; it comes back as JSON. Some kind of strange question? Yeah, so when I run Burp, I don't know very much about it, but I've played with it

recently. Yeah, I always do intercept, and on really noisy websites it's annoying, because I have to click forward. Are you able to just grab what you're grabbing without having to interact and slow [ __ ] down, you know what I'm saying? Yeah, so that's a great question. So when you're using Burp... I just want to see... right-click, copy as curl, and replay and do that type of thing. Right, in which case you're actually using the wrong tool inside of Burp. Okay, there's a different way to do that, and I'm actually going to show that right now.

So first of all, the first thing anybody does when they get into Burp, once they know what they're doing, is they turn off the intercept. Over here there's Intercept; you'll notice that it's off. And if you go over to Options and scroll all the way down to the bottom, there's an "enable interception on startup," and you can change that to always disable. For some reason that's the default that the developer put in there and has never changed, despite everybody telling them that that's not the way that you should be using this tool.

So what you want to do instead is capture your history, like I just did here. Okay, and notice that... I mean, there's this Target tab, that's the other thing too, so this gives you a site map of what's going on. It has its use, but most of the time I use just the History tab, because everything happens in order here without me having to click forward and drop. Yeah, it captures it here in this history log. So now you have everything? Yep, everything, every request that proxies through. I have these actually filtered right now, so I'm not showing CSS or images or anything else, so it's a filtered version of that list, but it captures every single request and response that goes through the proxy.

And then what you can do is you can right-click and send one over to Repeater. Okay, and Repeater, that's where you can modify requests and send it and get a response, send it, get a response. The browser is no longer part of the equation, right? You can just modify the raw request. So that's what you probably want to be doing. So in this case here, if I hit Go on this, it responds back with a nonce. If I go again, it responds back with a different nonce. So we can see them in the response, right?

So the question is, we have a username harvesting flaw. Let's say that we have a list of users and we want to run this list through and see how many of these users are actually in the system. So how are we going to do this? There's a couple of ways. One is you could pull out Python,

which is probably what I would normally do in this situation: just write a quick Python script to do it. But I wanted to show something with a Burp extension, so we'll do that. And actually, before I get into that, let me just, for completeness, show the login. Same thing, I'm running it through Repeater, but I haven't changed the nonce, so it's going to say no user session with that user. And even if I put in "test" for the user, which we've already tested on the actual interface, and I hit Go there, I'm still going to get no user session with that user. So unless we get the nonce correct, it's going to always respond the same way, and that's not what we're looking for; we want something that's going to tell us whether the user is in the system.

So to do that, we're going to write a Burp extension. How do you do that? First you need to pick your language: Ruby, Python, or Java. Java is what we're going to do. So for Java, the best tool out there to use is IntelliJ. There's a couple of reasons for this. First of all, this is the tool that PortSwigger uses to build Burp. I asked them about this; this is their integrated development environment, so we know that it works. It provides an easy drag-and-drop way to make interfaces. For those of you who have seen CO2 before, that entire interface was built drag-and-drop; I didn't have to write any custom code for that. The interface part was pretty straightforward; hooking up all the logic took a little bit more effort, but the interface wasn't too bad. So that's one reason. The second one is they have a free Community version, and we like free. So it's a commercial tool; the Community version works just fine. It's not disabled in any way that prevents us from writing Burp extensions. So it works well.

So the first thing we want to do is we create a new project in there, and then once you create the project... so I'm actually calling this one a nonce payload processor, and I'll get to why we're calling it that shortly. But what we need to do is we need to actually include the Burp libraries. Now, if you're writing it as Python (I don't know about Ruby, actually, but I know for Python) you don't have to go through this type of step. You can just start writing your Python script, and you just subclass the same classes that are in the API.

The API doesn't change no matter what language you're using. But anyway, what we'll do in this case: so we create a project, and then what we need to do is add an additional module, because in order for everything to compile, it needs to be able to see the Burp APIs. All right, so what you'll do is you'll create this other module, call it burp API or whatever you want, and then hook that up so that basically your structure looks like this window down here afterwards. So you have two modules: one is the Burp interfaces, and then the second one is your actual code, which right now is empty.

Okay, now where do we get the Burp APIs from? They're actually inside of Burp; that's the easiest way to get to them. So you just go to the Burp Extender APIs tab, and then you'll see down at the bottom, I don't know if I can... yeah, there we go. Down at the bottom you have two buttons. One is for the Javadoc files, so you can save those locally, and the other one is save interface files. So what you'll do is take those, save them into that burp API folder, and it's best practice to do this each time, because the API changes with the versions, so you want to make sure that you have the latest version.

Once that's in there, you open up your module settings. I know this is kind of technical, but if you're looking to do this later on, you can go back to this video and figure out how. So open the module settings, and what you want to do is go into... it's a little bit hard to see here... the nonce payload processor module inside of IntelliJ, and make sure that your Burp APIs are a dependency of building your actual extension. Okay, so the reason we do this is that way everything compiles; that means your extension can actually see all of the interfaces that you're using from Burp.

So one more step in the configuration, and then it gets on to the actual fun stuff. The last thing that you want to do is go into the Artifacts tab (this is still under the module settings) and basically set it up so that it creates... down here you have this "build on make." What you want to do is create a JAR file; that's the artifact. The JAR file is what you're going to upload to Burp so that it has the extension; that's how it's packaged. So once you set all of this up inside of IntelliJ, you run make, it automatically compiles everything, creates the JAR file, and it's ready to import into Burp.

So, okay, taking a step back, let's think about the problem that we're trying to solve now that we have our project structure in place. And the problem is we want to be able to capture a nonce so that we can submit that into a login form, so we can determine whether or not the user exists. So to do that, we're going to need some help from Burp; we need to have some way to plug into it. So they have these interfaces that have been set up in the API, and the main one that we're going to

use is this one here, IBurpExtender. So if you're building a Burp extension... it's weird that it's called IBurpExtender, not IBurpExtension, but that's what it is. So every Burp extension implements this interface here, and all it has is one method on there, registerExtenderCallbacks, and I'll get to what that looks like in just a second.

Some other important ones to consider: the actual callbacks interface. So this is what lets you interact with Burp itself: get into calling all the tools, so on and so forth. Also, if you want to write anything to standard out or to the output within Burp, that's what you're going to call. You also have your helpers, so that's for actually creating and manipulating requests and responses inside of Burp as well. There's also some decoding and encoding routines, setting scanner insertion points, and things like that, so miscellaneous functionality in there. So those are basically... that's all there is for the main support classes. So you have Extender, you have callbacks, and you have helpers.

Then the types of things that you can actually do with an extension. So you might be thinking, okay, well, what kind of problems can I solve? You can plug into everything that's there, so all of the tools that are available inside of Burp, there's ways to interact with those programmatically. So we can interact with the actual proxy itself, so basically we can get every single request and response that goes through the proxy; we can get a handle on that and do something to it: change it, manipulate it, analyze it, maybe log new issues. We can generate payloads. Okay, so I've done some of that before. For one, CO2 has a generator in there where you can pass it a list of user information, and then it'll start fuzzing off that list and create, like, passwords; it'll do leetspeak type of insertions in places and stuff like that, so it's pretty cool. And then there's a payload processor, which is taking an existing payload and making some changes to it, and that's actually what we're going to use for this problem.

A few other things you can do: you can add issues, so that's Pro version only, right, so it has the scan issues on there, so you can actually create new issues. You can also add editor tabs, change some of the behavior of the tabs that are there. You can manipulate session handling logic as well. So you can do a bunch of things.

So, payload processor: it has two functions on there. This is directly snapshotted off of the API docs. We can get the name of the processor, and then it's processPayload, and it takes three values here and it returns a byte array. So basically the only parts of this we're going to use is we're going to take the current payload, so that's going to be the username that we're passing into the function, and then what we're going to return is the nonce. So we need some way to fetch that nonce, and the easiest way to do that is to make an HTTP request, and it just so happens that there's a function inside of the callbacks for making HTTP requests using Burp's own HTTP stack, right? So you can just use that directly.

And I think what we'll do is take a look at what that looks like. So here is IntelliJ, and I know it's probably very tiny on that screen. It is. I don't know if there's any way to make this larger. No, that zooms the whole window. What's that? Is that because I can't read anything? He doesn't want to give out all his secrets. I don't want to give out all the secrets. A yellow and two greens. Good. All right, so I will briefly explain what's on here, and I think what

I'll do is I'll just make this available afterwards so you guys can take a look at the actual source code. So what I did is I took a request, one of the requests that we're sending for the nonce, and basically pasted it in here as a template. And this is the request to get the nonce. Okay, then in register callbacks I basically said, hey, I want to register an Intruder payload processor, and this is it here. And then down here is that processPayload function, and all I'm doing with that is it's taking the username, so that currentPayload parameter, that first parameter that I showed in the function, and it's actually constructing that request for the nonce, sending it out, getting the response, taking the nonce out of the response, and then returning that as the new payload. So it's basically swapping out a username for a nonce. Okay, and that's all it's doing.

So how does this look inside of Burp? I actually have one set up. So for those who have looked at Burp before, sometimes you're wondering, you know, the attack type: there's all these different types of attack types. Remember this? So the first one on there, Sniper, is the default; that's what we almost always use. This is one of those situations where we need to submit the current username, a password, and the nonce, which is actually the username, using our payload processor, that's been changed into a nonce. So we have a situation now where we need to initially submit the username twice in two different positions. To do that we use Pitchfork, right? So now here's a use case for using Pitchfork. This is the first one I've ever found; maybe not the first one, but we can use Pitchfork. So on the first payload set I just put together a list of usernames; on the second payload set it's the same list of usernames, because that's how Pitchfork works: you want to have pairs of things submitted. In this case here I want the same ones, because the second one I'm going to change into the nonce.

Have you hit any threshold limits with your list size? No. Have you? No, I just... because I think some of the lists that we have, I start looking at, I'm like, they're huge. They are huge, like, yeah, I love tools, but eventually something's just going to be like, eh, you needed two more purples in there for you to be able to process. Well, yeah, and here's the thing: if you run into a case where, let's say you're pulling payloads off of some other tool or something, so it could be an infinite list, that's when you want a payload generator, because you can make that memory efficient so that it doesn't generate an entire list first; it just generates them as you need them. I was just curious, I mean, I haven't... I'm like, it's got 10,000 items on this list.

So now let me go... I'll just remove this and add it back in so you can see it. So the payload processor for the second one: all you do is you add the payload processing, and then there are a bunch of different options here. So if you ever end up in a situation where you need to do some type of encoding or something to a list, this is where you do it. And at the very last one here is invoke Burp extension. And, oh, mine's not there, actually. Hang on, it's not there because we actually need to add it in. So on the Burp extensions, I need to go find my file, which is... hang on, I'll find it in a

second. It's buried. Building Burp extensions. There we are, there's the JAR. So I went and found the JAR that I created and hit Go, and there it is. So it's loaded, all right, and so now it shows up on my list here at the bottom, and then it also shows up inside of Intruder. So I can add the payload processor, invoke Burp extension, Nonce Payloader is what I called it, because in Burp everything ends in "er," I don't know if you ever noticed that, so I try to stick with it. So now we have that.

So now if I start the attack, you'll see that I have two payloads. The first one... now it's going slowly because it's having to make these extra requests. The first one is from the first part of the Pitchfork, you know how you put in two lists; the second one is after the payload has been processed, and so that's why we have the nonce on there. And of course we have a couple with the length coming up differently, and I don't know if you can read those, but the usernames are kevin and jason, so those are the users in this system. Random, of course. Completely random, yes. So, right, so that's that. Any questions, other than, you know, you couldn't actually see the code or anything like that, so it was too small? I will

post this afterwards along with the code sample so you can take a look at how that actually really worked.

One other thing I want to show, because we have a little bit of extra time, which I was hoping we would, is Correlator. I know probably some of you have seen the CO2 stuff before. Correlator I think is actually an extremely valuable tool at making us more efficient at what we do. Oh wait, I think I actually have some slides on this; let me switch over to that.

Is the Pro version worth the money you spent on it? Yes, absolutely. Well, yeah, if you actually do pen testing, absolutely. You write off one client; that's an hour, right? Yeah, maybe two. Three if it's government. Exactly. So yeah, I think it is. One of the biggest comparisons you see out there is ZAP versus Burp. ZAP's OWASP's free tool, and it is very good as well, so a lot of it is personal preference. I find Burp to be a little bit more intuitive; it's easier to kind of switch between the tools, so you can take payloads, or, not payloads, you can take requests and responses from one tool and get them into other tools very quickly and easily, so I find I work with it more efficiently than I do with ZAP. You don't present it as a standalone; it's meant to be augmentation to your process workflow rather than just kind of like, hey, just click here. Yeah, yeah. Also it doesn't crash. It's true, it doesn't crash as frequently, so, you know, those are all good reasons. And I mean, if you don't do actual pen testing very often, if you're just playing around with it, hobbyist, whatever, then maybe it isn't worth 300 bucks, but for 300 bucks, if you do any pen testing, it is. Yeah. Lifetime? No, that's per year. It's per year, but I mean the Community edition, chances are you're going to be able to do the vast majority of everything you want to do; maybe it's a couple of extra steps, you know. Couple? Yeah, write some extensions to do the stuff that it doesn't. Yeah, it's possible, I guess.

So, Correlator. Basically what it does is it's automatic analysis of the parameters, and when I say parameters I mean everything, so POST parameters, GET parameters, cookies, basically everything that Burp understands as a parameter. And the types of things that it recognizes is anything that's URL encoded; it'll decode it automatically for you. Base64 encoding. It'll recognize if something looks like a path; it'll say, hey, yeah, it looks like this is a path. HTML, XML fragments, email addresses, Social Security numbers, if it sees something

that looks like that. One that's not on here is credit cards, although I seem to be currently having an issue with it; it's supposed to run the Luhn algorithm on there to actually determine if it's a valid credit card number, and I'm not 100% sure it's working. And it'll currently also decode BIG-IP cookies, so if it runs across a BIG-IP cookie, it'll decode that into the IP addresses. So all of this stuff it basically does automatically, and I eventually want it to do more. Now, the purpose of this isn't... okay, I'm doing a quick little test, let me just run it through this.

Question: what's a BIG-IP? So BIG-IP basically does the lo... load balancing. Yes, that's the word I'm looking for, load balancing. So it does it through this cookie mechanism, but there's a known flaw in most configurations of BIG-IP that I've seen, anyway, where the internal IP address, I think it's the internal IP address, is exposed inside the cookie. It's in an encoded format, but being encoded and not encrypted, there's a way to decode it, and then you can actually see the IP addresses. So it's just an information disclosure vulnerability; it's not a huge deal, but it does give somebody an idea of, okay, this is what the load balancer is on the internal network. Nice.

So normally where you would use Correlator is if you're testing a whole bunch of websites, or if you're testing, like, a very large, complex website that has a whole lot of stuff on it. Hang on, I'm going to change my scope here. I just ran some demo stuff through it earlier so that we could kind of get an idea of what it looks like, some of the output, and that's basically all I did. So all it does is it goes through everything that you've marked as in scope for your test, and that's why you saw me pop over to the

Target tab for a second; I changed the scope. So everything that's marked in scope, it goes through all of those requests, looks at all the parameters, and then it starts figuring out what's what, and then it gives it all in a nice table for you. Now in this case here you can still see that all of this over here is still in its original form, so that may not be helpful. It does have the format down here of what it's figured out it is. But then I actually just figured recently, hey, why don't we just go ahead and do the decoding right there in the table? So now it'll actually decode those values right there in the table.

If you click on one of these, like, let's say "foo" for example, this one here says 75% of the instances that it ran across were MD5, so it's probably an MD5. And if you go down onto the details here, it'll actually list them off, all the unique values. You can list every single one if you want, but it'll list off all the unique values; you just click on one of those and you can see it'll walk through how did it figure out that this is MD5, and basically it looks like a hex string; it's a length of 32, which is commonly MD5.

Some of the other ones: this one here, you see the starting value on that, it's this huge string, and I've actually run into stuff like this before, it's this huge string of gobbledygook, and it figured out on its own, hey, this needs to be base64 decoded, then URL decoded, then URL decoded again, and then, yeah, finally it looks like something that's a printable string, right? So the end values may be interesting in this case. Also paths: it would determine if something looks like a path. Or in this case here we have something that started off as a base64-encoded block of stuff, and it figured out, hey, this is actually XML or HTML; I mean, that's what it looks like to me. And then it decoded it for us too, and it turns out this is an HTML fragment.

So this type of information, if you're looking at a huge test, being able to break it down like this very quickly, you can separate the interesting bits of information from the probably-not-so-interesting bits of information very quickly. It's a table, it's all sortable, all the tabs, you know, so if you have a really long list you can say, okay, let me just look at everything that looks like an MD5, let's look at all the SHA ones, let's look at everything that looks like an XML fragment, because that's a good spot for injection, possibly, right? If you have XML fragments going in, let's see if I can put a script tag in there.

So it has a couple of other features too. You can highlight where something is on the request; you can right-click on things and say, hey, I want to send this request over to Repeater. If you have a case where this works, like, let's say you have a bunch of MD5s in there that you think are useful hashes, you can right-click on that and copy that to the clipboard and then paste it into some other tool where you're doing, like, hash lookups. You can do that sort of thing with it pretty quickly too. So that's basically it. So that's Correlator; that's the latest extension that I've built, along with an interface and everything. So I did want to kind of put in a plug for that. I don't think it's on the BApp Store yet, although I asked for it to be. Honestly, you just email them, say hey? Is it more than one person? For what? For Burp. You said email them, and you keep... yeah, one person? No, it's a full... it's a company. I've actually

interacted with two different people, so I know for sure that there's more than one. No, well, yeah, it could be. I was going to say one was male, the other's female, but there's... company works.

So that's my spiel, and I mean, really, what this is is hopefully getting people somewhat interested. If you see any issues with plugins or tools as you're using them, try to be... I mean, first of all, let the author know, hey, something's not working right, I'm not sure why, the latest version seems to be broken, but be polite about it too, and realize that most of the time, most of us are actually doing this on our own time, in addition to the whatever 60 or 80 hour weeks that we're pulling. So, question: are you offering a bounty? I'll give you recognition. Are you paying? So yeah, I'll give you a big thanks on Twitter or something. But yeah. So... you found the purple error, yeah. Any questions? Good. Right.

Are you interested in... so I know you obviously... Correlator, where do you think you're going to expand on, or do you feel like that is functionally where you're going to take it? Well, I would like to do... that's a good question. So how can I... where do I want to go with Correlator next? I think I want to improve on what's there. One of the things I'm really looking for is feedback: if anybody is doing a pen test and you run into some kind of encoding that it doesn't handle, do let me know, and let me know what the decoding is that you need it to figure out, because that's the sort of thing that I'm only adding functionality for as I run into it in pen tests. New... so, exactly, yeah. About a function submission? Submission function, yeah. No, I don't need that, but yeah, that's a great question. So yeah, if you use it and you find anything with this, I mean, same thing with CO2 too.

Thanks.
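The nonce payload processor the talk walks through (register an Intruder payload processor in registerExtenderCallbacks, then in processPayload swap the username for a nonce fetched through Burp's own HTTP stack), written out here as an added example against the legacy burp.* Extender API; it is not Jason's code from the talk, which is not on this page. The host, port, nonce path, the `user` parameter and the `nonce` JSON field are assumptions about the demo application.

```java
package burp;

import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the speaker's code: an Intruder payload processor that swaps the
// username payload for a fresh nonce fetched from the application, so the login request
// in a Pitchfork attack carries a valid nonce. Host, port, path, parameter name and the
// JSON field name are assumptions about the demo application.
public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {

    private static final String NAME = "Nonce Payloader";

    // Assumed target details; adjust for the application under test.
    private static final String HOST = "localhost";
    private static final int PORT = 8080;
    private static final boolean USE_HTTPS = false;
    private static final String NONCE_PATH = "/nonce";
    private static final String USER_PARAM = "user";

    // Assumed response shape: {"nonce":"<value>"}
    private static final Pattern NONCE_FIELD =
            Pattern.compile("\"nonce\"\\s*:\\s*\"([^\"]+)\"");

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private IHttpService service;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.service = helpers.buildHttpService(HOST, PORT, USE_HTTPS);
        callbacks.setExtensionName(NAME);
        // The hook the talk describes: once registered, the processor is listed under
        // Intruder > Payload Processing > Invoke Burp extension.
        callbacks.registerIntruderPayloadProcessor(this);
    }

    @Override
    public String getProcessorName() {
        return NAME;
    }

    @Override
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        String username = helpers.bytesToString(currentPayload);

        // Template request for the nonce, built from the same fields the demo app uses.
        String hostHeader = HOST + ((PORT == 80 || PORT == 443) ? "" : ":" + PORT);
        String request = "GET " + NONCE_PATH + "?" + USER_PARAM + "=" + helpers.urlEncode(username)
                + " HTTP/1.1\r\n"
                + "Host: " + hostHeader + "\r\n"
                + "Connection: close\r\n"
                + "\r\n";

        // Send through Burp's own HTTP stack so the request honours Burp's connection settings.
        IHttpRequestResponse rr = callbacks.makeHttpRequest(service, helpers.stringToBytes(request));
        byte[] response = rr.getResponse();
        if (response == null) {
            callbacks.printError("No response while fetching nonce for user " + username);
            return currentPayload; // keep Intruder running rather than abort the attack
        }

        // Skip the headers and search the body for the nonce field.
        IResponseInfo info = helpers.analyzeResponse(response);
        int bodyOffset = info.getBodyOffset();
        String body = new String(response, bodyOffset, response.length - bodyOffset,
                StandardCharsets.UTF_8);

        Matcher m = NONCE_FIELD.matcher(body);
        if (!m.find()) {
            callbacks.printError("No nonce field in response for user " + username);
            return currentPayload;
        }
        return helpers.stringToBytes(m.group(1));
    }
}
```

Build it into a JAR with the interface files saved from the Extender APIs tab on the classpath (the two-module setup the talk describes), load the JAR under Extender, then pick it as the payload processor for the second Pitchfork position only.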
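The decoding walk Correlator is described as doing (peel base64 and URL-encoding layers until the value is a printable string, then note that a 32-character hex string is commonly MD5, that a decoded block looks like an HTML or XML fragment, or that a value looks like a path or an email) as an added example; this is not Correlator's source. The thresholds, patterns and sample values are constructed for the example, and the `URLDecoder.decode(String, Charset)` overload assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Correlator's code): classify a parameter value by repeatedly
// stripping encoding layers and then labelling what remains. Patterns are assumptions.
public class ParamClassifier {

    private static final Pattern HEX = Pattern.compile("^[0-9a-fA-F]+$");
    private static final Pattern BASE64 = Pattern.compile("^[A-Za-z0-9+/]+={0,2}$");
    private static final Pattern URL_ENCODED = Pattern.compile("%[0-9a-fA-F]{2}");
    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[A-Za-z]{2,}$");
    private static final Pattern PATH = Pattern.compile("^(/[^/\\s]+)+/?$");
    private static final Pattern MARKUP = Pattern.compile("<[A-Za-z!?/][^>]*>");

    /** The decoding steps applied, in order, plus the final value and its label. */
    public static final class Analysis {
        public final List<String> steps = new ArrayList<>();
        public String decoded;
        public String label;
        @Override public String toString() { return steps + " -> " + label + ": " + decoded; }
    }

    // A layer only counts as "decoded" if the result is still printable text.
    static boolean isPrintable(String s) {
        for (char c : s.toCharArray()) {
            if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') return false;
            if (c == 0x7f || c == 0xFFFD) return false;
        }
        return true;
    }

    /** Try to strip one layer; returns {layerName, decoded} or null if nothing applies. */
    static String[] decodeOnce(String value) {
        if (URL_ENCODED.matcher(value).find()) {
            String out = URLDecoder.decode(value, StandardCharsets.UTF_8);
            if (!out.equals(value)) return new String[]{"url", out};
        }
        // Hex strings also match the base64 alphabet, so they are excluded here; otherwise
        // an MD5 would be "decoded" into garbage instead of being reported as a hash.
        if (value.length() >= 8 && value.length() % 4 == 0
                && BASE64.matcher(value).matches() && !HEX.matcher(value).matches()) {
            try {
                String out = new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8);
                if (isPrintable(out)) return new String[]{"base64", out};
            } catch (IllegalArgumentException ignored) {
                // not valid base64 after all
            }
        }
        return null;
    }

    static String label(String v) {
        if (HEX.matcher(v).matches()) {
            switch (v.length()) {
                case 32: return "md5-like hex";
                case 40: return "sha1-like hex";
                case 64: return "sha256-like hex";
                default: return "hex";
            }
        }
        if (EMAIL.matcher(v).matches()) return "email";
        if (MARKUP.matcher(v).find()) return "xml/html fragment";
        if (PATH.matcher(v).matches()) return "path";
        return "plain string";
    }

    public static Analysis analyze(String value) {
        Analysis a = new Analysis();
        String cur = value;
        for (int i = 0; i < 8; i++) { // bound the walk so a pathological value cannot loop
            String[] step = decodeOnce(cur);
            if (step == null) break;
            a.steps.add(step[0]);
            cur = step[1];
        }
        a.decoded = cur;
        a.label = label(cur);
        return a;
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the cases mentioned in the talk.
        String[] samples = {
            "5d41402abc4b2a76b9719d911017c592",                         // md5("hello")
            Base64.getEncoder().encodeToString(                         // base64 -> url -> url
                "user%253Dkevin%2526role%253Dadmin".getBytes(StandardCharsets.UTF_8)),
            Base64.getEncoder().encodeToString(                         // base64 -> html fragment
                "<div class=\"x\">hi</div>".getBytes(StandardCharsets.UTF_8)),
            "/var/www/html/index.php",
            "jason%40example.com"
        };
        for (String s : samples) System.out.println(analyze(s));
    }
}
```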