Date post: | 30-Jun-2015 |
Category: |
Technology |
Upload: | marc-wickenden |
Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
I am a Java n00b
If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
The problem
I wrote a plugin
Coding by Google FTW!
How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
Burp Extender
• Achieves this via 6 interfaces:
– IBurpExtender
– IBurpExtenderCallbacks
– IHttpRequestResponse
– IScanIssue
– IScanQueueItem
– IMenuItemHandler
Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued…
• class hierarchy defined by directory structure:
• uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially ZIP file of classes/directories
Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)
Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp:
– java -jar burpsuite_pro_v1.4.12.jar
Enough 101
Let’s write some codez
First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
– Jet Brains IntelliJ (my personal favourite)
– NetBeans (never used)
– Jcreator (again, never used)
– Terminal/vim/javac < MOAR L33T
Download Eclipse Classic
Or install from your USB drive
Eclipse 4.2 Classic
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1
• 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip
• http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/drops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1
• 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
• http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
We’re ready to type
Loading external classes
• We need to tell Java about external classes
– Ruby has require
– PHP has include or require
– Perl has require
– C has include
– Java uses import
Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
– import burp.*;
IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words
public class BurpExtender{
}
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this

    package burp;

    import burp.*;

    public class BurpExtender
    {
        // Called by Burp for every HTTP request and response
        public void processHttpMessage(
                String toolName,
                boolean messageIsRequest,
                IHttpRequestResponse messageInfo) throws Exception
        {
            System.out.println("Hello World!");
        }
    }
Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
Select Java Application
• Under Matching items select StartBurp – burp
• Click OK
Burp runs
• Check Alerts tab
• View registration of BurpExtender class
Console output
• The console window shows output from the application
• Note the “Hello World!”s
Congratulations
What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
– “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
[Diagram: RepeatAfterMeClient.exe, Burp Suite (processProxyMessage, processHttpMessage), http://wcfbox/RepeaterService.svc]
We’ve got to do a few things
• Split the HTTP Headers from FI body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse
• Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow
Decoding the Fastinfoset to console
First: we get it wrong
• Burp returns message body as byte[]
• Hmm, bytes are hard, let’s convert to String
• Split on \r\n\r\n
Then we do it right
• Fastinfoset is a binary encoding
• Don’t try and convert it to a String
• Now things work
Decoding Fastinfoset through Proxy
We’re nearly there……
Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
• java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
Limitations
• We haven’t coded to handle/decode the response
• Just do the same in reverse
• processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• Solution: chain two Burp instances together
Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….
Questions
?