AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions

2 August Detlefsen Senior Application Security

3 Burp Suite Burp Suite is a powerful tool for performing security assessments Burp Plugin API allows new features to be added

4 What Can I Do With Plugins? Passive Scanning Active Scanning Alter/append requests Define Insertion Points for Scanner/Intruder

5 Prerequisites Burp Suite Pro v 1.5.x Java 1.6.x NetBeans Other programming languages

6 Creating An Extension Download the Extender API from Portswigger: p_extender_api.zip p_extender_api.zip

7 Creating an Extension Create a new project with existing sources:

8 Creating an Extension Create the BurpExtender class – In package ‘burp’ – Implement IBurpExtender

9 Creating an Extension

10 Creating an Extension Implement registerExtenderCallbacks

11 Load the Extension into Burp Suite

12 Passive Scanning Search responses for problematic values Built-in passive scans – Credit card numbers – Known passwords – Missing headers Building a Passive Scanner

13 Passive Scanning – Room for Improvement Error Messages Software Version Numbers Building a Passive Scanner

14 Building a Passive Scanner Implement the IScannerCheck interface: Register the extension as a scanner: Building a Passive Scanner

15 IScannerCheck.doPassiveScan() Building a Passive Scanner

16 IScannerCheck.doPassiveScan() Building a Passive Scanner

17 IScannerCheck.consolidateDuplicateIssues() Ensure an issue is only posted to scanner once Building a Passive Scanner

18 IScannerCheck.doActiveScan() Only needed for active scans Building a Passive Scanner

19 Active Scanning Issue requests containing attacks Look for indication of success in response Built-In Active Scans – XSS – SQL Injection – Path Traversal – etc Building an Active Scanner

20 IScannerCheck.doActiveScan() Building an Active Scanner

21 Insertion Points Locations of parameters in request Contain data the server will act upon Building an Active Scanner

22 Building an Active Scanner

23 Building an Active Scanner

24 Defining Insertion Points Implement IScannerInsertionPointProvider – getInsertionPoints() Register as an insertion point provider Building an Active Scanner

25 BurpExtender.getInsertionPoints() Building an Active Scanner

26 Building an Active Scanner

27 Debugging callbacks.printOutput(String) callbacks.printError(String) Exception.printStackTrace() Utilities

28 Debugging – Stack Traces Get the error OutputStream Print a stack trace to the stream Utilities

29 Summary Setup Passive Scanning Active Scanning Handling custom request types Utilities

30 Build Extensions! Profit!