Burp Plugin Development for Java n00bs - 44CON 2012
•
0 j'aime•900 vues
Workshop Burp Plugin Development for Java n00bs by Marc Wickenden at 44CON 2012 in London, September 2012.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (19)
Similaire à Burp Plugin Development for Java n00bs - 44CON 2012
Similaire à Burp Plugin Development for Java n00bs - 44CON 2012 (20)
Plus de 44CON
Plus de 44CON (20)
Burp Plugin Development for Java n00bs - 44CON 2012
- 1. Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
- 2. /me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (parJcularly Ruby) • @marcwickenden on the TwiOerz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
- 3. I am a Java n00b
- 4. If you already know Java You’re either: • In the wrong room • About to be really offended!
- 5. Agenda • The problem • GeZng ready • IntroducJon to the Eclipse IDE • Burp Extender Hello World! • ManipulaJng runJme data • Decoding a custom encoding scheme • “Shelling out” to other scripts • LimitaJons of Burp Extender • Really cool Burp plugins already out there to fire your imaginaJon
- 6. Oh…..and there’ll be cats
- 8. The problem • Burp Suite is awesome • De facto web app tool • Open source alternaJves don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
- 9. The problem
- 10. I wrote a plugin Coding by Google FTW!
- 11. How? -‐ Burp Extender • “allows third-‐party developers to extend the funcJonality of Burp Suite” • “Extensions can read and modify Burp’s runJme data and configuraJon” • “iniJate key acJons” • “extend Burp’s user interface” hOp://portswigger.net/burp/extender/
- 12. Burp Extender • Achieves this via 6 interfaces: • IBurpExtender • IBurpExtenderCallbacks • IHOpRequestResponse • IScanIssue • IScanQueueItem • IMenuItemHander
- 13. Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-‐based • OO • Write once, run anywhere (WORA) • Two distribuJons: JRE and JDK
- 14. Java 101 conJnued… • Usual OO stuff applies: objects, classes, methods, properJes/variables • Lines end with ;
- 15. Java 101 conJnued… • Source files must be named amer the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
- 16. Java 101 conJnued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/ sevenelements/HelloWorld.class • JAR file is essenJally ZIP file of classes/ directories
- 17. Java 101 conJnued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
- 18. Java 101 conJnued… • Java loads class (specified on CLI or in JAR META-‐INF/MANIFEST.MF) and starts public sta0c void main method • You’ve seen this already with Burp: • java –jar burpsuite_pro_v1.4.12.jar
- 19. Enough 101
- 21. Let’s write some codez
- 22. First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • AlternaJves to consider: • Jet Brains IntelliJ (my personal favourite) • NetBeans (never used) • Jcreator (again, never used) • Terminal/vim/javac < MOAR L33T
- 23. Download Eclipse Classic Or install from your USB drive
- 24. Eclipse 4.2 Classic • hOp://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/ drops4/R-‐4.2-‐201206081400/eclipse-‐SDK-‐4.2-‐win32-‐ x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-‐SDK-‐4.2-‐win32-‐x86_64.zip • hOp://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/ drops4/R-‐4.2-‐201206081400/eclipse-‐SDK-‐4.2-‐win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-‐SDK-‐4.2-‐win32.zip
- 25. Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • hOp://download.oracle.com/otn-‐pub/java/jdk/7u7-‐b11/jdk-‐7u7-‐windows-‐ x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
- 27. Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
- 29. Java SeZngs • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
- 30. Create a new package • File > New > Package • Enter burp as the name • Click Finish
- 31. Create a new file • Right-‐click burp package > New > File • Accept the default locaJon of src • Enter BurpExtender.java as the filename • Click Finish
- 33. We’re ready to type
- 34. Loading external classes • We need to tell Java about external classes • Ruby has require • PHP has include or require • Perl has require • C has include • Java uses import
- 35. Where is Burp? • We added external JARs in Eclipse • Only helps at compilaJon • Need to tell our code about classes • import burp.*;
- 36. IBurpExtender • Available at hOp://portswigger.net/burp/extender/burp/IBurpExtender.html • “ ImplementaJons must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-‐argument) constructor”
- 37. In other words public class BurpExtender { } • Remember, Java makes you name files amer the class so that’s why we named it BurpExtender.java
- 38. Add this package burp; import burp.*; public class BurpExtender { public void processHOpMessage( String toolName, boolean messageIsRequest, IHOpRequestResponse messageInfo) throws ExcepJon { System.out.println("Hello World!"); }
- 39. Run the program • Run > Run • First Jme we do this it’ll ask what to run as • Select Java Applica0on
- 40. Select Java ApplicaJon • Under Matching items select StartBurp – burp • Click OK
- 41. Burp runs • Check Alerts tab • View registraJon of BurpExtender class
- 42. Console output • The console window shows output from the applicaJon • Note the “Hello World!”s
- 43. CongratulaJons
- 45. What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHOpMessage() • hOp://portswigger.net/burp/extender/burp/ IBurpExtender.html • “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
- 46. Burp Suite Flow
- 47. RepeatAmerMeClient.exe processProxyMessage processHOpMessage Burp Suite hOp://wc•ox/RepeaterService.svc
- 49. We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-‐encode modified version • Append to headers • Send to web server • Then the same in reverse
- 51. • Right-‐click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
- 52. Decoding the FasJnfoset to console
- 53. First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
- 55. Then we do it right • FasJnfoset is a binary encoding • Don’t try and convert it to a String • Now things work
- 57. Decoding FasJnfoset through Proxy
- 61. Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
- 62. LimitaJons • We haven’t coded to handle/decode the response • Just do the same in reverse • processHOpMessage fires before processProxyMessage so we can’t alter then re-‐encode message • SoluJon: chain two Burp instances together
- 63. AOribuJon • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
- 64. QuesJons ? www.7elements.co.uk | blog.7elements.co.uk | @7elements
- 65. www.7elements.co.uk | blog.7elements.co.uk | @7elements