A little about me
Been to every Derbycon and excited to present to you today
Started my career as a developer; when I switched to security I started the Indianapolis OWASP chapter 12 years ago and still run it today
How many use Burp Suite regularly? How many take advantage of extensions? How many have written an extension?
Graphical tool for testing web application security
Intercepting proxy that sits between your browser and a web server
Provides both manual and automatic testing capabilities
Number of built-in tools (Scanner, Intruder, Spider, Repeater, etc.)
Paid version and free version
Focus of this talk – the extensive API for adding functionality via extensions
What is an extension?
Extensions come from multiple places
First is the BApp Store (listed above)
Shows available extensions and what’s installed
Differentiates ones that require the pro version
Code for the ones from PortSwigger is on GitHub
To get your own in, send an email to support@portswigger.net to start the process
Second is adding your own
This screen also shows what's loaded and its type
Also shows the output from extensions (for debugging, info, etc) and errors
Once you click add this is what you get
Shows that an extension can be written in 3 different languages: Java, Python (Jython), and Ruby (JRuby)
Shows the extension API page
Can download/save interface files
Can save javadoc files
What can the API do?
Process and modify HTTP requests/responses
Access runtime data of Burp
Interact with built-in tools (Repeater, Intruder, etc.)
Add items to the UI (tabs, context menus)
Persist settings
Switch gears and show a snippet of code from my extension
Must have a class called BurpExtender in a package called burp (same package as all of the API files)
It must implement IBurpExtender
In this example, we also implement IScannerCheck and register that we are a scanner
registerExtenderCallbacks comes from IBurpExtender
doPassiveScan, doActiveScan, and consolidateDuplicateIssues come from IScannerCheck
Package up in jar file
registerExtenderCallbacks is called once for each extension at the moment Burp loads it
Analyzes a request/response pair
No modification
During analysis, extension chooses what areas to check
Headers, parameters, cookies, etc.
String that represents the entire request and response
Helper methods to more easily access certain parts
Happens in the background
Built-in passive check you can specify what you want to scan
Create findings
For findings with duplicate titles, consolidates into 1 finding with different locations
Just a sample of the start of the doPassiveScan method
Use the helpers to get the URL
Get a byte array of the response and get the body offset
Receive a base request and an Insertion Point
Defines type of value (query string param, form param, cookie, header, etc.)
Can restrict which types of Insertion Points get scanned in the Active Scan settings, but also use this as a further check
Build a request with your own custom value for the Insertion Point
Returns a new request with the data and size of request adjusted
Send the request and receive the response
Analyze and create finding(s)
Snippet from active scanning
Shows how to change an insertion point
Send the request and get the response
After that, analyze the response and report
Order is important because findings need to be added in the order in which their locations appear in the response
Findings might lag corresponding activity
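The whole extension skeleton described above (BurpExtender in package burp, registration in registerExtenderCallbacks, a passive check that only reads the captured pair, an active check that swaps its own value into the insertion point, sends it and reports in response order, and a duplicate-consolidation rule), pulled together as one added example. This is not the talk's own sample extension; it assumes the legacy burp.* interface files downloaded from the Extender API tab are on the classpath, the marker string is a constructed harmless probe value, and the two checks (a missing X-Content-Type-Options header and an echoed parameter value) were chosen here for illustration.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;

// Hypothetical sample extension (not the talk's code): one passive and one active check.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private static final String MARKER = "zzDerbyconMarkerzz"; // constructed, harmless probe value
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    // Burp calls this once, right after loading the jar; register everything here.
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Sample scanner check");
        callbacks.registerScannerCheck(this); // tell Burp we provide scanner checks
    }

    // Passive: look at a request/response pair Burp already captured; send nothing.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        byte[] response = baseRequestResponse.getResponse();
        if (response == null) return null;
        URL url = helpers.analyzeRequest(baseRequestResponse).getUrl(); // helper gives the URL
        IResponseInfo respInfo = helpers.analyzeResponse(response);     // parsed headers + body offset
        for (String header : respInfo.getHeaders()) {
            if (header.toLowerCase().startsWith("x-content-type-options:")) return null;
        }
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new SampleIssue(baseRequestResponse.getHttpService(), url,
                new IHttpRequestResponse[] { baseRequestResponse },
                "Missing X-Content-Type-Options header", "Low", "Certain",
                "The response does not set X-Content-Type-Options: nosniff."));
        return issues;
    }

    // Active: Burp hands us one insertion point at a time; we build and send our own request.
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
                                         IScannerInsertionPoint insertionPoint) {
        byte type = insertionPoint.getInsertionPointType();
        // Further restriction beyond the Active Scan settings: only URL and body parameters.
        if (type != IScannerInsertionPoint.INS_PARAM_URL
                && type != IScannerInsertionPoint.INS_PARAM_BODY) return null;

        byte[] payload = helpers.stringToBytes(MARKER);
        byte[] request = insertionPoint.buildRequest(payload); // value swapped in, lengths adjusted
        IHttpRequestResponse probe = callbacks.makeHttpRequest(
                baseRequestResponse.getHttpService(), request);
        byte[] response = probe.getResponse();
        if (response == null) return null;

        // Only look in the body: does our marker come back unchanged?
        int bodyOffset = helpers.analyzeResponse(response).getBodyOffset();
        int at = helpers.indexOf(response, payload, false, bodyOffset, response.length);
        if (at < 0) return null;

        // Highlight markers must be listed in the order they occur in the response.
        List<int[]> responseMarkers = new ArrayList<>();
        responseMarkers.add(new int[] { at, at + payload.length });
        IHttpRequestResponseWithMarkers marked = callbacks.applyMarkers(probe, null, responseMarkers);

        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new SampleIssue(baseRequestResponse.getHttpService(),
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                new IHttpRequestResponse[] { marked },
                "Parameter value reflected in response body", "Information", "Firm",
                "The value of parameter '" + insertionPoint.getInsertionPointName()
                        + "' is echoed in the response body at offset " + at + "."));
        return issues;
    }

    // Burp calls this when two issues share a name and URL: -1 keep existing, 0 keep both, 1 keep new.
    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        return existingIssue.getIssueDetail().equals(newIssue.getIssueDetail()) ? -1 : 0;
    }

    // Minimal IScanIssue: Burp only needs these getters to render a finding.
    static class SampleIssue implements IScanIssue {
        private final IHttpService service; private final URL url;
        private final IHttpRequestResponse[] messages;
        private final String name, severity, confidence, detail;
        SampleIssue(IHttpService service, URL url, IHttpRequestResponse[] messages,
                    String name, String severity, String confidence, String detail) {
            this.service = service; this.url = url; this.messages = messages;
            this.name = name; this.severity = severity; this.confidence = confidence; this.detail = detail;
        }
        public URL getUrl() { return url; }
        public String getIssueName() { return name; }
        public int getIssueType() { return 0x08000000; } // "extension generated issue" type
        public String getSeverity() { return severity; }
        public String getConfidence() { return confidence; }
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return detail; }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return messages; }
        public IHttpService getHttpService() { return service; }
    }
}
```

Compile it against the saved interface files, package the class files into a jar, and load the jar from the Extensions tab; the passive check runs in the background on every proxied pair, while the active check only runs when Burp hands it insertion points, so its findings appear after the corresponding traffic rather than with it.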
Demoing a sample extension that I wrote for the presentation and will share
Implements both passive and active scanning
It takes a simple website (that I wrote and host on my laptop) and shows how the sample extension can actively and passively scan it
Open up for questions only specific to this topic
Invite them to contact me via Twitter for questions, etc.
Slides and example code on GitHub