AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions
AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions.
Jan 02, 2016
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
AppSec USA 2014
Denver, Colorado
Customizing Burp Suite
Getting the Most out of Burp Extensions
2
August DetlefsenSenior Application Security Consultant
• [email protected]• @codemagi• http://www.codemagi.com/blog
3
Burp Suite• Burp Suite is a powerful tool for performing
security assessments• Burp Plugin API allows new features to be
added
4
What Can I Do With Plugins? • Passive Scanning• Active Scanning• Alter/append requests• Define Insertion Points for Scanner/Intruder
5
Prerequisites• Burp Suite Pro v 1.5.x• Java 1.6.x• NetBeans• Other programming languages
6
Creating An Extension• Download the Extender API from Portswigger:
http://portswigger.net/burp/extender/api/burp_extender_api.zip
7
Creating an Extension• Create a new project with existing sources:
8
Creating an Extension• Create the BurpExtender class– In package ‘burp’– Implement IBurpExtender
9
Creating an Extension
10
Creating an Extension• Implement registerExtenderCallbacks
11
Load the Extension into Burp Suite
12
Passive Scanning• Search responses for problematic values• Built-in passive scans– Credit card numbers– Known passwords– Missing headers
Building a Passive Scanner
13
Passive Scanning – Room for Improvement• Error Messages• Software Version Numbers
Building a Passive Scanner
14
Building a Passive Scanner• Implement the IScannerCheck interface:
• Register the extension as a scanner:
Building a Passive Scanner
15
IScannerCheck.doPassiveScan()
Building a Passive Scanner
16
IScannerCheck.doPassiveScan()
Building a Passive Scanner
17
IScannerCheck.consolidateDuplicateIssues()• Ensure an issue is only posted to scanner once
Building a Passive Scanner
18
IScannerCheck.doActiveScan()• Only needed for active scans
Building a Passive Scanner
19
Active Scanning• Issue requests containing attacks • Look for indication of success in response• Built-In Active Scans– XSS– SQL Injection– Path Traversal– etc
Building an Active Scanner
20
IScannerCheck.doActiveScan()
Building an Active Scanner
21
Insertion Points • Locations of parameters in request • Contain data the server will act upon
Building an Active Scanner
22
Building an Active Scanner
23
Building an Active Scanner
24
Defining Insertion Points• Implement IScannerInsertionPointProvider– getInsertionPoints()
• Register as an insertion point provider
Building an Active Scanner
25
BurpExtender.getInsertionPoints()
Building an Active Scanner
26
Building an Active Scanner
27
Debugging• callbacks.printOutput(String)• callbacks.printError(String)• Exception.printStackTrace()
Utilities
28
Debugging – Stack Traces• Get the error OutputStream
• Print a stack trace to the stream
Utilities
29
Summary• Setup• Passive Scanning• Active Scanning• Handling custom request types• Utilities
30
Build Extensions!Profit!
Related Documents
