AppSec USA 2014, Denver, Colorado
Customizing Burp Suite: Getting the Most out of Burp Extensions
August Detlefsen, Senior Application Security Consultant
• [email protected]
• @codemagi
• http://www.codemagi.com/blog
Burp Suite
• Burp Suite is a powerful tool for performing security assessments
• The Burp Extender (plugin) API lets you add new features to it
What Can I Do With Plugins?
• Passive scanning
• Active scanning
• Alter/append requests
• Define insertion points for Scanner/Intruder
Creating An Extension
• Download the Extender API from PortSwigger:
  http://portswigger.net/burp/extender/api/burp_extender_api.zip
• The entry point is a class named burp.BurpExtender that implements IBurpExtender; Burp calls its registerExtenderCallbacks() when the extension is loaded, and that is where you register scanner checks, insertion point providers and other listeners
Passive Scanning
• Search responses for problematic values
• Built-in passive scans:
  – Credit card numbers
  – Known passwords
  – Missing headers
Building a Passive Scanner
Passive Scanning – Room for Improvement
• Error messages
• Software version numbers
Building a Passive Scanner
• Implement the IScannerCheck interface: doPassiveScan(), doActiveScan() and consolidateDuplicateIssues()
• doPassiveScan() receives a request/response pair Burp already captured and returns a list of IScanIssue objects (or null); it must not send requests of its own
• Register the extension as a scanner: callbacks.registerScannerCheck(this)
IScannerCheck.consolidateDuplicateIssues()
• Called when a new issue has the same type and URL as one already reported; ensures an issue is only posted to the Scanner once
• Return -1 to keep only the existing issue, 0 to report both, 1 to replace the existing issue with the new one
Active Scanning
• Issue requests containing attacks
• Look for indication of success in the response
• Built-in active scans:
  – XSS
  – SQL injection
  – Path traversal
  – etc.
Building an Active Scanner
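The slides' code screenshots did not survive extraction, so here is an added example of a complete IScannerCheck, written for this page rather than taken from the talk or from PortSwigger. It covers both the passive and the active scanner material above: the passive check reports a software version disclosed in a Server, X-Powered-By or X-AspNet-Version header (the "room for improvement" case), the active check pushes a unique canary through whatever insertion point Burp hands it and reports an unencoded reflection, and consolidateDuplicateIssues() keeps the same finding from being posted twice. It assumes the legacy burp.* Extender API referred to on the previous slides; the header regex, the canary format, the issue names and the severity/confidence strings are my choices, not part of the talk.

```java
package burp;

import java.io.PrintWriter;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the talk: one IScannerCheck carrying a passive check
// (software version in a response header), an active check (canary reflected unencoded)
// and duplicate consolidation. Assumes the legacy burp.* Extender API.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    // Constructed pattern: matches e.g. "Server: Apache/2.4.7" or "X-Powered-By: PHP/5.5.9"
    private static final Pattern VERSION_HEADER = Pattern.compile(
            "^(Server|X-Powered-By|X-AspNet-Version):\\s*.*\\d+\\.\\d+.*$", Pattern.CASE_INSENSITIVE);
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stderr;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stderr = new PrintWriter(callbacks.getStderr(), true); // feeds the extension's Errors tab
        callbacks.setExtensionName("Example: version disclosure + reflection checks");
        callbacks.registerScannerCheck(this); // Scanner now calls doPassiveScan/doActiveScan
    }

    // Passive: inspect only what Burp already captured; never send traffic from here.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse base) {
        if (base.getResponse() == null) return null;
        List<IScanIssue> issues = new ArrayList<>();
        URL url = helpers.analyzeRequest(base).getUrl();
        for (String header : helpers.analyzeResponse(base.getResponse()).getHeaders()) {
            Matcher m = VERSION_HEADER.matcher(header);
            if (m.matches()) {
                issues.add(new Issue(base, url, "Software version disclosed in " + m.group(1) + " header",
                        "The response header <b>" + html(header) + "</b> reveals a software version.",
                        "Low", "Certain"));
            }
        }
        return issues.isEmpty() ? null : issues;
    }

    // Active: send a canary through the insertion point and look for it coming back verbatim.
    // The canary carries <, ' and " so an HTML-encoded reflection does not match.
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint ip) {
        try {
            byte[] payload = helpers.stringToBytes("zz" + Long.toHexString(System.nanoTime()) + "<'\">");
            IHttpRequestResponse attack = callbacks.makeHttpRequest(base.getHttpService(), ip.buildRequest(payload));
            byte[] response = attack.getResponse();
            if (response == null) return null;
            int hit = helpers.indexOf(response, payload, true, 0, response.length);
            if (hit < 0) return null;
            // Markers make Burp highlight the payload in the issue's request and response views.
            List<int[]> reqMarkers = new ArrayList<>(), respMarkers = new ArrayList<>();
            if (ip.getPayloadOffsets(payload) != null) reqMarkers.add(ip.getPayloadOffsets(payload));
            respMarkers.add(new int[] { hit, hit + payload.length });
            List<IScanIssue> issues = new ArrayList<>();
            issues.add(new Issue(callbacks.applyMarkers(attack, reqMarkers, respMarkers),
                    helpers.analyzeRequest(base).getUrl(), "Input reflected without encoding",
                    "Input sent in the <b>" + html(ip.getInsertionPointName()) + "</b> insertion point was reflected "
                            + "with &lt;, ' and \" intact. Confirm the output context manually before calling it XSS.",
                    "Information", "Firm"));
            return issues;
        } catch (Exception e) {
            e.printStackTrace(stderr); // stack trace lands in the Errors tab rather than the console
            return null;
        }
    }

    // Same issue type at the same URL: -1 keeps the existing issue, 0 reports both, 1 keeps the new one.
    @Override
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue fresh) {
        return existing.getIssueDetail().equals(fresh.getIssueDetail()) ? -1 : 0;
    }

    private static String html(String s) { // issue detail is rendered as HTML
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Minimal IScanIssue; 0x08000000 is the type Burp reserves for extension-generated issues.
    private static class Issue implements IScanIssue {
        private final IHttpRequestResponse msg; private final URL url;
        private final String name, detail, severity, confidence;
        Issue(IHttpRequestResponse msg, URL url, String name, String detail, String severity, String confidence) {
            this.msg = msg; this.url = url; this.name = name; this.detail = detail;
            this.severity = severity; this.confidence = confidence;
        }
        public URL getUrl() { return url; }
        public String getIssueName() { return name; }
        public int getIssueType() { return 0x08000000; }
        public String getSeverity() { return severity; }     // High, Medium, Low, Information
        public String getConfidence() { return confidence; } // Certain, Firm, Tentative
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return detail; }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[] { msg }; }
        public IHttpService getHttpService() { return msg.getHttpService(); }
    }
}
```

Compile it against burp_extender_api.zip, load the jar under Extender > Extensions, and run an active scan against an in-scope request: every built-in insertion point (URL and body parameters, cookies, headers) is passed to doActiveScan() in turn, so a single reflection check fires once per parameter, and consolidateDuplicateIssues() is what stops identical header findings from piling up on every response from the same URL. The active check deliberately reports only "Information/Firm": reflection is evidence, not proof, and the output context still has to be checked by hand.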
Insertion Points
• Locations of parameters in the request
• Contain data the server will act upon
Defining Insertion Points
• Implement IScannerInsertionPointProvider
  – getInsertionPoints() is called once per base request and returns a list of IScannerInsertionPoint objects (or null)
  – Each IScannerInsertionPoint supplies a name, the base value, and buildRequest(), which rebuilds the request with a given payload in place
• Register as an insertion point provider: callbacks.registerScannerInsertionPointProvider(this)
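As an added example (not code from the talk or from PortSwigger), here is an insertion point provider for the classic case the built-in insertion points miss: a body parameter whose value is base64-encoded, so a raw payload dropped into it just produces a decoding error on the server. The provider decodes the value, exposes the plaintext as the base value, and re-encodes each payload in buildRequest() so the application decodes to exactly what the Scanner sent. The parameter name "data" and the URL-then-base64 encoding are assumptions made for the example.

```java
package burp;

import java.util.ArrayList;
import java.util.List;

// Added example, not code from the talk: expose the decoded contents of a base64-encoded
// body parameter (assumed name "data") as an insertion point, so Scanner payloads land
// inside the encoding instead of corrupting it. Parameter name and encoding are assumptions.
public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider {
    private static final String PARAM_NAME = "data";
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Example: base64 parameter insertion point");
        callbacks.registerScannerInsertionPointProvider(this);
    }

    // Called once per base request; return null when there is nothing to add.
    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse base) {
        IParameter p = helpers.getRequestParameter(base.getRequest(), PARAM_NAME);
        if (p == null || p.getType() != IParameter.PARAM_BODY) return null;
        String decoded;
        try {
            decoded = helpers.bytesToString(helpers.base64Decode(helpers.urlDecode(p.getValue())));
        } catch (RuntimeException e) {
            return null; // treat a decoding failure as "not base64"; built-in points still cover it
        }
        List<IScannerInsertionPoint> points = new ArrayList<>();
        points.add(new Base64InsertionPoint(base.getRequest(), decoded));
        return points;
    }

    private class Base64InsertionPoint implements IScannerInsertionPoint {
        private final byte[] baseRequest;
        private final String baseValue; // the decoded value a payload replaces

        Base64InsertionPoint(byte[] baseRequest, String baseValue) {
            this.baseRequest = baseRequest;
            this.baseValue = baseValue;
        }

        public String getInsertionPointName() { return "base64(" + PARAM_NAME + ")"; }
        public String getBaseValue() { return baseValue; }

        // Scanner hands over a raw payload; re-apply the application's own encoding before
        // rebuilding the request, so the server decodes to exactly that payload.
        public byte[] buildRequest(byte[] payload) {
            String encoded = helpers.urlEncode(helpers.base64Encode(payload));
            return helpers.updateParameter(baseRequest,
                    helpers.buildParameter(PARAM_NAME, encoded, IParameter.PARAM_BODY));
        }

        // The payload is transformed, so its bytes never appear in the request as-is;
        // returning null tells Burp not to try to highlight it.
        public int[] getPayloadOffsets(byte[] payload) { return null; }

        public byte getInsertionPointType() { return INS_EXTENSION_PROVIDED; }
    }
}
```

With this loaded, an active scan of a request carrying data=<base64> gets one extra insertion point, and every scanner check (built-in and extension-provided) runs its payloads through buildRequest() automatically. The provider is a Scanner feature; for Intruder the equivalent is an IIntruderPayloadProcessor that applies the same base64-then-URL encoding to each payload.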
Debugging
• callbacks.printOutput(String): writes to the extension's Output tab
• callbacks.printError(String): writes to the extension's Errors tab
• Exception.printStackTrace() with no argument goes to the JVM's standard error, not to the Errors tab, so it is easy to miss
Utilities
Debugging – Stack Traces
• Get the error OutputStream: callbacks.getStderr()
• Wrap it in a PrintWriter and print the stack trace to that stream with printStackTrace(PrintWriter), so the full trace shows up in the extension's Errors tab