Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs.

Similar presentations

Presentation on theme: "Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs."— Presentation transcript:

1 Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs

2 What is Burp?

3 Purpose of this Talk Quick tour of Burp APIs with examples to show what can be achieved Demonstrate that Web app assessment hurdles overcome with minimal coding effort

4 Why would you need a custom extn? 1. Decode custom encoding/serialization 2. Handle anti-tamper or signed requests 3. Provide a new “view” into an application 4. Automate a manual task with a new scanner check

5 Setup to run a Python Burp Extn. 1 Download Jython standalone binary 2 Tell Burp where find Jython 3 Load a Python extension Path to Jython binary goes here

6 The helloworld of Burp extensions from burp import IBurpExtender class BurpExtender(IBurpExtender): # required def registerExtenderCallbacks(self, callbacks): # set our extension name callbacks.setExtensionName("Hello world extension") # write a message to the Burp alerts tab callbacks.issueAlert("Hello alerts") Just writes “Hello alerts” out to alerts tab

7 1. Problem: Unsupported encoding Application uses an encoding not understood by Burp Examples: Serialised Java, SAP’s weird URLenc variant, SAML, Websphere Portlet Burp APIs: IMessageEditorTab to display decoded content

8 Solution: new encoder/decoder 1.Tell Burp about your new message editor tab class CustomDecoderTab(IMessageEditorTab): def __init__(self, extender, controller, editable):... def getTabCaption(self): return "Custom Decoder"

9 Solution: new decoder/encoder 2. Use setMessage to display decode def setMessage(self, content, isRequest):... if '!ut' in path: # actual decoding magic omitted content = content = xml.dom.minidom.parseString(content).toprettyxml() if content: self._txtInput.setText(content) self._currentMessage = content

10 Websphere portlet state decoder Source: Encoded content on URL Gets decoded in new tab

11 2. Problem: Signed requests Application requires signature thats generated client side. examples 1. Seen in thick client apps as anti-tamper mechanism 2. AWS API calls are signed for authentication Burp API: processHTTPMessage allows us to re-write traffic

12 Solution: automate request signing 1. Catch an outbound request from burp import IBurpExtender# this function catches requests and responses def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest): # only process requests if not messageIsRequest: return...

13 Solution: automate request signing 2. Grab the request body and headers # requestInfo object allows us to easily spit body and headers requestInfo = self._helpers.analyzeRequest(currentRequest) bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():] bodyStr = self._helpers.bytesToString(bodyBytes) headers = requestInfo.getHeaders() newHeaders = list(headers) #it's a Java arraylist; get a python list

14 Solution: automate request signing 3. Append signature as HTTP Header # Do custom signing shenanigans secret = "SuperSecret123" h =, bodyStr, hashlib.sha256) newHeaders.append("Authorization: " + base64.b64encode(h.digest()))

15 Solution: automate request signing 4. Create and send request newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr) currentRequest.setRequest(newMessage) Here’s the new Authorization header being sent out

16 3. Problem: Big apps, lotsa headers Large applications may emit different headers from various locations within the app. Headers can reveal useful info. Eg. Reverse proxy may hand off from backend A to backend B. Burp APIs: processHTTPMessage and ITab to display result

17 Solution: View of unique headers Keep track of unique headers, filter out uninteresting headers. # insert an entry if the header is 'interesting’ if header_name.lower() not in boring_headers: # and we haven't seen this name/value pair before, log it if header not in self.headers_seen: self.headers_seen.append(header) self._log.add(LogEntry(header, …, … )

18 Solution: View of unique headers Create a new tab and display collected headers in the new tab. # Give the new tab a name def getTabCaption(self): return "Response Headers” # This adds all the Java UI unpleasantness def getUiComponent(self): return self._splitpane

19 Solution: View of unique headers List of unique headers displayed in new “Response Headers” tab Clicking item in list shows request/response

20 4. Problem: Automate a manual task Locate and decode F5 cookies, display as a passive scan result Burp API: doPassiveScan to trigger check code

21 Solution: create new check 1. doPassiveScan catches request def doPassiveScan(self, baseRequestResponse): # Returns IResponseInfo analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse()) analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse) # Get Cookies from IResponseInfo Instance cookieList = analyzedResponse.getCookies()

22 Solution: create new check 2. Locate BIGIP cookies and decode them # Loop though list of cookies for cookie in cookieList: cookieName = cookie.getName() # Look for BIGIP Cookies if cookieName.lower().startswith("bigip"): f5CookieName = cookieName f5RawCookieValue = cookie.getValue() # Decode and check for RFC 1918 address f5info = decode(f5RawCookieValue)

23 Solution: create new check 3. Create Issue class to return useful info class PassiveScanIssue(IScanIssue):... def getIssueName(self): return "Encoded IP Address Discovered in F5 Cookie Value"... def getIssueDetail(self): msg = "The URL " + str(self.findingurl) + " sets the F5 load balancer cookie "

24 F5-BigIP Cookie Checker Source: Internal IP address retrieved from encoded cookie

25 Summary 1. Decode custom encoding/serialization Use IMessageEditorTab interface to display decoded content 2. Handle anti-tamper or signed requests Use processHTTPMessage to catch and rewrite requests 3. Provide a new “view” into an application Use ITab interface to display custom view 4. Automate a manual task with a new scanner check Use doPassiveScan to trigger a check

Download ppt "Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs."

Similar presentations

Ads by Google