Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs.

Published byKennedi Rockwood Modified over 9 years ago

Similar presentations

Presentation on theme: "Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs."— Presentation transcript:

1 Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs

2 What is Burp?

3 Purpose of this Talk Quick tour of Burp APIs with examples to show what can be achieved Demonstrate that Web app assessment hurdles overcome with minimal coding effort

4 Why would you need a custom extn? 1. Decode custom encoding/serialization 2. Handle anti-tamper or signed requests 3. Provide a new “view” into an application 4. Automate a manual task with a new scanner check

5 Setup to run a Python Burp Extn. 1 Download Jython standalone binary 2 Tell Burp where find Jython 3 Load a Python extension Path to Jython binary goes here

6 The helloworld of Burp extensions from burp import IBurpExtender class BurpExtender(IBurpExtender): # required def registerExtenderCallbacks(self, callbacks): # set our extension name callbacks.setExtensionName("Hello world extension") # write a message to the Burp alerts tab callbacks.issueAlert("Hello alerts") Just writes “Hello alerts” out to alerts tab

7 1. Problem: Unsupported encoding Application uses an encoding not understood by Burp Examples: Serialised Java, SAP’s weird URLenc variant, SAML, Websphere Portlet Burp APIs: IMessageEditorTab to display decoded content

8 Solution: new encoder/decoder 1.Tell Burp about your new message editor tab class CustomDecoderTab(IMessageEditorTab): def __init__(self, extender, controller, editable):... def getTabCaption(self): return "Custom Decoder"

9 Solution: new decoder/encoder 2. Use setMessage to display decode def setMessage(self, content, isRequest):... if '!ut' in path: # actual decoding magic omitted content = response.read() content = xml.dom.minidom.parseString(content).toprettyxml() if content: self._txtInput.setText(content) self._currentMessage = content

10 Websphere portlet state decoder Source: https://github.com/faffi/WebSphere-Portlet-State-Decoder https://github.com/faffi/WebSphere-Portlet-State-Decoder Encoded content on URL Gets decoded in new tab

11 2. Problem: Signed requests Application requires signature thats generated client side. examples 1. Seen in thick client apps as anti-tamper mechanism 2. AWS API calls are signed for authentication http://rajasaur.blogspot.co.nz/2009/10/hmac-sha-signatures-using-python-for.html Burp API: processHTTPMessage allows us to re-write traffic

12 Solution: automate request signing 1. Catch an outbound request from burp import IBurpExtender# this function catches requests and responses def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest): # only process requests if not messageIsRequest: return...

13 Solution: automate request signing 2. Grab the request body and headers # requestInfo object allows us to easily spit body and headers requestInfo = self._helpers.analyzeRequest(currentRequest) bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():] bodyStr = self._helpers.bytesToString(bodyBytes) headers = requestInfo.getHeaders() newHeaders = list(headers) #it's a Java arraylist; get a python list

14 Solution: automate request signing 3. Append signature as HTTP Header # Do custom signing shenanigans secret = "SuperSecret123" h = hmac.new(secret, bodyStr, hashlib.sha256) newHeaders.append("Authorization: " + base64.b64encode(h.digest()))

15 Solution: automate request signing 4. Create and send request newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr) currentRequest.setRequest(newMessage) Here’s the new Authorization header being sent out

16 3. Problem: Big apps, lotsa headers Large applications may emit different headers from various locations within the app. Headers can reveal useful info. Eg. Reverse proxy may hand off from backend A to backend B. Burp APIs: processHTTPMessage and ITab to display result

17 Solution: View of unique headers Keep track of unique headers, filter out uninteresting headers. # insert an entry if the header is 'interesting’ if header_name.lower() not in boring_headers: # and we haven't seen this name/value pair before, log it if header not in self.headers_seen: self.headers_seen.append(header) self._log.add(LogEntry(header, …, … )

18 Solution: View of unique headers Create a new tab and display collected headers in the new tab. # Give the new tab a name def getTabCaption(self): return "Response Headers” # This adds all the Java UI unpleasantness def getUiComponent(self): return self._splitpane

19 Solution: View of unique headers List of unique headers displayed in new “Response Headers” tab Clicking item in list shows request/response

20 4. Problem: Automate a manual task Locate and decode F5 cookies, display as a passive scan result Burp API: doPassiveScan to trigger check code

21 Solution: create new check 1. doPassiveScan catches request def doPassiveScan(self, baseRequestResponse): # Returns IResponseInfo analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse()) analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse) # Get Cookies from IResponseInfo Instance cookieList = analyzedResponse.getCookies()

22 Solution: create new check 2. Locate BIGIP cookies and decode them # Loop though list of cookies for cookie in cookieList: cookieName = cookie.getName() # Look for BIGIP Cookies if cookieName.lower().startswith("bigip"): f5CookieName = cookieName f5RawCookieValue = cookie.getValue() # Decode and check for RFC 1918 address f5info = decode(f5RawCookieValue)

23 Solution: create new check 3. Create Issue class to return useful info class PassiveScanIssue(IScanIssue):... def getIssueName(self): return "Encoded IP Address Discovered in F5 Cookie Value"... def getIssueDetail(self): msg = "The URL " + str(self.findingurl) + " sets the F5 load balancer cookie "

24 F5-BigIP Cookie Checker Source: http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html Internal IP address retrieved from encoded cookie

25 Summary 1. Decode custom encoding/serialization Use IMessageEditorTab interface to display decoded content 2. Handle anti-tamper or signed requests Use processHTTPMessage to catch and rewrite requests 3. Provide a new “view” into an application Use ITab interface to display custom view 4. Automate a manual task with a new scanner check Use doPassiveScan to trigger a check

Download ppt "Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,

HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,
Using the Self Service BMC Helpdesk

Using the Self Service BMC Helpdesk
CGI & HTML forms -05-. CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.

CGI & HTML forms CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Https://ebudde.littlebrownie.com Troop Users. Each user is given access based on their needs. This is determined by council. When you “Log In” you will.

Troop Users. Each user is given access based on their needs. This is determined by council. When you “Log In” you will.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Ozeki Informatics Ltd. | | info.ozekiphone.com | +36 52 532 731 Ozeki Informatics Ltd. | | +36.

Ozeki Informatics Ltd. | | info.ozekiphone.com | Ozeki Informatics Ltd. | | +36.
1 Content Delivery Networks iBAND2 May 24, 1999 Dave Farber CTO Sandpiper Networks, Inc.

1 Content Delivery Networks iBAND2 May 24, 1999 Dave Farber CTO Sandpiper Networks, Inc.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Google App Engine Danail Alexiev Technical Trainer SoftAcad.bg.

Google App Engine Danail Alexiev Technical Trainer SoftAcad.bg.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.

Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

Similar presentations

Ads by Google