SlideShare a Scribd company logo

Extending burp with python

Download as PPTX, PDF
T
Tony Nguyen

1. Burp extensions can overcome web application hurdles through the Burp API. Interfaces like IMessageEditorTab and ITab allow creating new views of requests and responses, while processHTTPMessage and doPassiveScan can automate tasks by catching and rewriting traffic. 2. Examples include decoding custom encodings, signing requests, viewing unique response headers, and passively scanning for encoded values in cookies. Common problems are solved with minimal Python coding against the Burp API.

Technology
1 of 25
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs
What is Burp?
Purpose of this Talk • Quick tour of Burp APIs with examples to show what can be achieved • Demonstrate that Web app assessment hurdles overcome with minimal coding effort
Why would you need a custom extn? 1. Decode custom encoding/serialization 2. Handle anti-tamper or signed requests 3. Provide a new “view” into an application 4. Automate a manual task with a new scanner check
Setup to run a Python Burp Extn. 1 Download Jython standalone binary 2 Tell Burp where find Jython 3 Load a Python extension Path to Jython binary goes here
The helloworld of Burp extensions from burp import IBurpExtender class BurpExtender(IBurpExtender): # required def registerExtenderCallbacks(self, callbacks): # set our extension name callbacks.setExtensionName("Hello world extension") # write a message to the Burp alerts tab callbacks.issueAlert("Hello alerts") Just writes “Hello alerts” out to alerts tab
1. Problem: Unsupported encoding Application uses an encoding not understood by Burp Examples: Serialised Java, SAP’s weird URLenc variant, SAML, Websphere Portlet Burp APIs: IMessageEditorTab to display decoded content
Solution: new encoder/decoder 1. Tell Burp about your new message editor tab class CustomDecoderTab(IMessageEditorTab): def __init__(self, extender, controller, editable): ... def getTabCaption(self): return "Custom Decoder"
Solution: new decoder/encoder 2. Use setMessage to display decode def setMessage(self, content, isRequest): ... if '!ut' in path: # actual decoding magic omitted content = response.read() content = xml.dom.minidom.parseString(content).toprettyxml() if content: self._txtInput.setText(content) self._currentMessage = content
Websphere portlet state decoder Source: https://github.com/faffi/WebSphere-Portlet-State-Decoder Encoded content on URL Gets decoded in new tab
2. Problem: Signed requests Application requires signature thats generated client side. examples 1. Seen in thick client apps as anti-tamper mechanism 2. AWS API calls are signed for authentication http://rajasaur.blogspot.co.nz/2009/10/hmac-sha-signatures-using-python-for.html Burp API: processHTTPMessage allows us to re-write traffic
Solution: automate request signing 1. Catch an outbound request from burp import IBurpExtender# this function catches requests and responses def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest): # only process requests if not messageIsRequest: return ...
Solution: automate request signing 2. Grab the request body and headers # requestInfo object allows us to easily spit body and headers requestInfo = self._helpers.analyzeRequest(currentRequest) bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():] bodyStr = self._helpers.bytesToString(bodyBytes) headers = requestInfo.getHeaders() newHeaders = list(headers) #it's a Java arraylist; get a python list
Solution: automate request signing 3. Append signature as HTTP Header # Do custom signing shenanigans secret = "SuperSecret123" h = hmac.new(secret, bodyStr, hashlib.sha256) newHeaders.append("Authorization: " + base64.b64encode(h.digest()))
Solution: automate request signing 4. Create and send request newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr) currentRequest.setRequest(newMessage) Here’s the new Authorization header being sent out
3. Problem: Big apps, lotsa headers Large applications may emit different headers from various locations within the app. Headers can reveal useful info. Eg. Reverse proxy may hand off from backend A to backend B. Burp APIs: processHTTPMessage and ITab to display result
Solution: View of unique headers Keep track of unique headers, filter out uninteresting headers. # insert an entry if the header is 'interesting’ if header_name.lower() not in boring_headers: # and we haven't seen this name/value pair before, log it if header not in self.headers_seen: self.headers_seen.append(header) self._log.add(LogEntry(header, …, … )
Solution: View of unique headers Create a new tab and display collected headers in the new tab. # Give the new tab a name def getTabCaption(self): return "Response Headers” # This adds all the Java UI unpleasantness def getUiComponent(self): return self._splitpane
Solution: View of unique headers List of unique headers displayed in new “Response Headers” tab Clicking item in list shows request/response
4. Problem: Automate a manual task Locate and decode F5 cookies, display as a passive scan result Burp API: doPassiveScan to trigger check code
Solution: create new check 1. doPassiveScan catches request def doPassiveScan(self, baseRequestResponse): # Returns IResponseInfo analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse()) analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse) # Get Cookies from IResponseInfo Instance cookieList = analyzedResponse.getCookies()
Solution: create new check 2. Locate BIGIP cookies and decode them # Loop though list of cookies for cookie in cookieList: cookieName = cookie.getName() # Look for BIGIP Cookies if cookieName.lower().startswith("bigip"): f5CookieName = cookieName f5RawCookieValue = cookie.getValue() # Decode and check for RFC 1918 address f5info = decode(f5RawCookieValue)
Solution: create new check 3. Create Issue class to return useful info class PassiveScanIssue(IScanIssue): ... def getIssueName(self): return "Encoded IP Address Discovered in F5 Cookie Value" ... def getIssueDetail(self): msg = "The URL <b>" + str(self.findingurl) + "</b> sets the F5 load balancer cookie <b>"
F5-BigIP Cookie Checker Source: http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html Internal IP address retrieved from encoded cookie
Summary 1. Decode custom encoding/serialization Use IMessageEditorTab interface to display decoded content 2. Handle anti-tamper or signed requests Use processHTTPMessage to catch and rewrite requests 3. Provide a new “view” into an application Use ITab interface to display custom view 4. Automate a manual task with a new scanner check Use doPassiveScan to trigger a check

More Related Content

PPTX
Extending burp with python
Hoang Nguyen
 
PPTX
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
PDF
Python tools for testing web services over HTTP
Mykhailo Kolesnyk
 
PPTX
Build restful ap is with python and flask
Jeetendra singh
 
PDF
AOP in Python API design
meij200
 
ODP
Intro To Spring Python
gturnquist
 
PDF
The Basic Concept Of IOC
Carl Lu
 
PDF
Connecting with the enterprise - The how and why of connecting to Enterprise ...
Kevin Poorman
 
Extending burp with python
Hoang Nguyen
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
Python tools for testing web services over HTTP
Mykhailo Kolesnyk
 
Build restful ap is with python and flask
Jeetendra singh
 
AOP in Python API design
meij200
 
Intro To Spring Python
gturnquist
 
The Basic Concept Of IOC
Carl Lu
 
Connecting with the enterprise - The how and why of connecting to Enterprise ...
Kevin Poorman
 

What's hot (15)

PDF
ES6 metaprogramming unleashed
Javier Arias Losada
 
PDF
Flask Introduction - Python Meetup
Areski Belaid
 
PDF
Reliable Python REST API (by Volodymyr Hotsyk) - Web Back-End Tech Hangout - ...
Innovecs
 
PDF
Intro to JavaScript
Yakov Fain
 
PDF
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
Srushith Repakula
 
PDF
스프링 실전 가이드
남윤 김
 
PDF
Symfony 2
Kris Wallsmith
 
PDF
iPhone Coding For Web Developers
Matt Biddulph
 
PDF
Python RESTful webservices with Python: Flask and Django solutions
Solution4Future
 
PPTX
Developing on the aloashbei platform
pycharmer
 
KEY
Morpheus configuration engine (slides from Saint Perl-2 conference)
Vyacheslav Matyukhin
 
PDF
Flask RESTful Flask HTTPAuth
Eueung Mulyana
 
PDF
Alex conrad - Pyramid Tweens (PloneConf 2011)
aconrad
 
PPTX
Method and decorator
Celine George
 
PDF
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
singingfish
 
ES6 metaprogramming unleashed
Javier Arias Losada
 
Flask Introduction - Python Meetup
Areski Belaid
 
Reliable Python REST API (by Volodymyr Hotsyk) - Web Back-End Tech Hangout - ...
Innovecs
 
Intro to JavaScript
Yakov Fain
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
Srushith Repakula
 
스프링 실전 가이드
남윤 김
 
Symfony 2
Kris Wallsmith
 
iPhone Coding For Web Developers
Matt Biddulph
 
Python RESTful webservices with Python: Flask and Django solutions
Solution4Future
 
Developing on the aloashbei platform
pycharmer
 
Morpheus configuration engine (slides from Saint Perl-2 conference)
Vyacheslav Matyukhin
 
Flask RESTful Flask HTTPAuth
Eueung Mulyana
 
Alex conrad - Pyramid Tweens (PloneConf 2011)
aconrad
 
Method and decorator
Celine George
 
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
singingfish
 
Ad

Viewers also liked (19)

PPTX
Montage Bamboo terrarium de la marque Reptiles-Planet
Romain Julian
 
PPTX
How to make a terrarium with Emily at Snug Harbor Farm
snugharborfarm
 
PDF
Dart Frog Terrarium Build
Rami Lazarus
 
PPTX
Big picture of data mining
Tony Nguyen
 
PPTX
Data mining and knowledge discovery
Tony Nguyen
 
DOCX
Make a terrarium mini
Norhaizan Ramli
 
PPTX
Directory based cache coherence
Tony Nguyen
 
PPTX
Business analytics and data mining
Tony Nguyen
 
PPTX
Object model
Tony Nguyen
 
PPTX
Api crash
Tony Nguyen
 
PPTX
Abstraction file
Tony Nguyen
 
PPTX
Hardware managed cache
Tony Nguyen
 
PPTX
Terrarium
terarium
 
PPTX
Object oriented analysis
Tony Nguyen
 
PPTX
Python language data types
Tony Nguyen
 
PDF
Python in Action (Part 2)
David Beazley (Dabeaz LLC)
 
PPT
Introduction to Python
amiable_indian
 
PPTX
Terrarium
Christine Joy Pilapil
 
PPTX
Florante at Laura : Ang Kariktan ni Laura
Christine Joy Pilapil
 
Montage Bamboo terrarium de la marque Reptiles-Planet
Romain Julian
 
How to make a terrarium with Emily at Snug Harbor Farm
snugharborfarm
 
Dart Frog Terrarium Build
Rami Lazarus
 
Big picture of data mining
Tony Nguyen
 
Data mining and knowledge discovery
Tony Nguyen
 
Make a terrarium mini
Norhaizan Ramli
 
Directory based cache coherence
Tony Nguyen
 
Business analytics and data mining
Tony Nguyen
 
Object model
Tony Nguyen
 
Api crash
Tony Nguyen
 
Abstraction file
Tony Nguyen
 
Hardware managed cache
Tony Nguyen
 
Terrarium
terarium
 
Object oriented analysis
Tony Nguyen
 
Python language data types
Tony Nguyen
 
Python in Action (Part 2)
David Beazley (Dabeaz LLC)
 
Introduction to Python
amiable_indian
 
Terrarium
Christine Joy Pilapil
 
Florante at Laura : Ang Kariktan ni Laura
Christine Joy Pilapil
 
Ad

Similar to Extending burp with python (20)

PPTX
AppSec USA 2015: Customizing Burp Suite
August Detlefsen
 
PDF
Working Effectively With Legacy Perl Code
erikmsp
 
PPTX
slides.pptx
abcabc794064
 
PPT
Spring training
TechFerry
 
PPTX
Symfony2 Introduction Presentation
Nerd Tzanetopoulos
 
PDF
Behavior & Specification Driven Development in PHP - #OpenWest
Joshua Warren
 
PDF
Effective testing with pytest
Hector Canto
 
PPTX
-Kotlin_Camp_Unit2.pptx
RishiGandhi19
 
PPTX
-Kotlin Camp Unit2.pptx
IshwariKulkarni6
 
PDF
Effizientere WordPress-Plugin-Entwicklung mit Softwaretests
DECK36
 
PDF
Android application architecture
Romain Rochegude
 
PDF
Testing the frontend
Heiko Hardt
 
PPT
JavaOne 2007 - TS4721
Edgar Silva
 
PPTX
Skillwise EJB3.0 training
Skillwise Group
 
PDF
Ane for 9ria_cn
sonicxs
 
PDF
Analysis of bugs in Orchard CMS
PVS-Studio
 
PDF
OpenWhisk by Example - Auto Retweeting Example in Python
CodeOps Technologies LLP
 
PPTX
Azure Functions @ global azure day 2017
Sean Feldman
 
DOC
Advanced Hibernate Notes
Kaniska Mandal
 
PPTX
DF12 - Process Orchestration using Streaming API and Heroku
afawcett
 
AppSec USA 2015: Customizing Burp Suite
August Detlefsen
 
Working Effectively With Legacy Perl Code
erikmsp
 
slides.pptx
abcabc794064
 
Spring training
TechFerry
 
Symfony2 Introduction Presentation
Nerd Tzanetopoulos
 
Behavior & Specification Driven Development in PHP - #OpenWest
Joshua Warren
 
Effective testing with pytest
Hector Canto
 
-Kotlin_Camp_Unit2.pptx
RishiGandhi19
 
-Kotlin Camp Unit2.pptx
IshwariKulkarni6
 
Effizientere WordPress-Plugin-Entwicklung mit Softwaretests
DECK36
 
Android application architecture
Romain Rochegude
 
Testing the frontend
Heiko Hardt
 
JavaOne 2007 - TS4721
Edgar Silva
 
Skillwise EJB3.0 training
Skillwise Group
 
Ane for 9ria_cn
sonicxs
 
Analysis of bugs in Orchard CMS
PVS-Studio
 
OpenWhisk by Example - Auto Retweeting Example in Python
CodeOps Technologies LLP
 
Azure Functions @ global azure day 2017
Sean Feldman
 
Advanced Hibernate Notes
Kaniska Mandal
 
DF12 - Process Orchestration using Streaming API and Heroku
afawcett
 

More from Tony Nguyen (20)

PPTX
Cache recap
Tony Nguyen
 
PPTX
How analysis services caching works
Tony Nguyen
 
PPT
Abstract data types
Tony Nguyen
 
PPTX
Optimizing shared caches in chip multiprocessors
Tony Nguyen
 
PPT
Abstract class
Tony Nguyen
 
PPTX
Concurrency with java
Tony Nguyen
 
PPTX
Data structures and algorithms
Tony Nguyen
 
PPTX
Inheritance
Tony Nguyen
 
PPTX
Object oriented programming-with_java
Tony Nguyen
 
PPTX
Cobol, lisp, and python
Tony Nguyen
 
PPTX
Learning python
Tony Nguyen
 
PPTX
Programming for engineers in python
Tony Nguyen
 
PPTX
Python basics
Tony Nguyen
 
PPTX
Rest api to integrate with your site
Tony Nguyen
 
PPTX
Python your new best friend
Tony Nguyen
 
PPTX
Smm and caching
Tony Nguyen
 
PDF
How to build a rest api
Tony Nguyen
 
PPT
Poo java
Tony Nguyen
 
PPTX
Encapsulation anonymous class
Tony Nguyen
 
PPT
Data preprocessing
Tony Nguyen
 
Cache recap
Tony Nguyen
 
How analysis services caching works
Tony Nguyen
 
Abstract data types
Tony Nguyen
 
Optimizing shared caches in chip multiprocessors
Tony Nguyen
 
Abstract class
Tony Nguyen
 
Concurrency with java
Tony Nguyen
 
Data structures and algorithms
Tony Nguyen
 
Inheritance
Tony Nguyen
 
Object oriented programming-with_java
Tony Nguyen
 
Cobol, lisp, and python
Tony Nguyen
 
Learning python
Tony Nguyen
 
Programming for engineers in python
Tony Nguyen
 
Python basics
Tony Nguyen
 
Rest api to integrate with your site
Tony Nguyen
 
Python your new best friend
Tony Nguyen
 
Smm and caching
Tony Nguyen
 
How to build a rest api
Tony Nguyen
 
Poo java
Tony Nguyen
 
Encapsulation anonymous class
Tony Nguyen
 
Data preprocessing
Tony Nguyen
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Encapsulation theory and applications.pdf
gurumoop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Approach and Philosophy of On baking technology
30anthuong17
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 

Extending burp with python

  • 1. Extending Burp with Python Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs
  • 3. Purpose of this Talk • Quick tour of Burp APIs with examples to show what can be achieved • Demonstrate that Web app assessment hurdles overcome with minimal coding effort
  • 4. Why would you need a custom extn? 1. Decode custom encoding/serialization 2. Handle anti-tamper or signed requests 3. Provide a new “view” into an application 4. Automate a manual task with a new scanner check
  • 5. Setup to run a Python Burp Extn. 1 Download Jython standalone binary 2 Tell Burp where find Jython 3 Load a Python extension Path to Jython binary goes here
  • 6. The helloworld of Burp extensions from burp import IBurpExtender class BurpExtender(IBurpExtender): # required def registerExtenderCallbacks(self, callbacks): # set our extension name callbacks.setExtensionName("Hello world extension") # write a message to the Burp alerts tab callbacks.issueAlert("Hello alerts") Just writes “Hello alerts” out to alerts tab
  • 7. 1. Problem: Unsupported encoding Application uses an encoding not understood by Burp Examples: Serialised Java, SAP’s weird URLenc variant, SAML, Websphere Portlet Burp APIs: IMessageEditorTab to display decoded content
  • 8. Solution: new encoder/decoder 1. Tell Burp about your new message editor tab class CustomDecoderTab(IMessageEditorTab): def __init__(self, extender, controller, editable): ... def getTabCaption(self): return "Custom Decoder"
  • 9. Solution: new decoder/encoder 2. Use setMessage to display decode def setMessage(self, content, isRequest): ... if '!ut' in path: # actual decoding magic omitted content = response.read() content = xml.dom.minidom.parseString(content).toprettyxml() if content: self._txtInput.setText(content) self._currentMessage = content
  • 10. Websphere portlet state decoder Source: https://github.com/faffi/WebSphere-Portlet-State-Decoder Encoded content on URL Gets decoded in new tab
  • 11. 2. Problem: Signed requests Application requires signature thats generated client side. examples 1. Seen in thick client apps as anti-tamper mechanism 2. AWS API calls are signed for authentication http://rajasaur.blogspot.co.nz/2009/10/hmac-sha-signatures-using-python-for.html Burp API: processHTTPMessage allows us to re-write traffic
  • 12. Solution: automate request signing 1. Catch an outbound request from burp import IBurpExtender# this function catches requests and responses def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest): # only process requests if not messageIsRequest: return ...
  • 13. Solution: automate request signing 2. Grab the request body and headers # requestInfo object allows us to easily spit body and headers requestInfo = self._helpers.analyzeRequest(currentRequest) bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():] bodyStr = self._helpers.bytesToString(bodyBytes) headers = requestInfo.getHeaders() newHeaders = list(headers) #it's a Java arraylist; get a python list
  • 14. Solution: automate request signing 3. Append signature as HTTP Header # Do custom signing shenanigans secret = "SuperSecret123" h = hmac.new(secret, bodyStr, hashlib.sha256) newHeaders.append("Authorization: " + base64.b64encode(h.digest()))
  • 15. Solution: automate request signing 4. Create and send request newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr) currentRequest.setRequest(newMessage) Here’s the new Authorization header being sent out
  • 16. 3. Problem: Big apps, lotsa headers Large applications may emit different headers from various locations within the app. Headers can reveal useful info. Eg. Reverse proxy may hand off from backend A to backend B. Burp APIs: processHTTPMessage and ITab to display result
  • 17. Solution: View of unique headers Keep track of unique headers, filter out uninteresting headers. # insert an entry if the header is 'interesting’ if header_name.lower() not in boring_headers: # and we haven't seen this name/value pair before, log it if header not in self.headers_seen: self.headers_seen.append(header) self._log.add(LogEntry(header, …, … )
  • 18. Solution: View of unique headers Create a new tab and display collected headers in the new tab. # Give the new tab a name def getTabCaption(self): return "Response Headers” # This adds all the Java UI unpleasantness def getUiComponent(self): return self._splitpane
  • 19. Solution: View of unique headers List of unique headers displayed in new “Response Headers” tab Clicking item in list shows request/response
  • 20. 4. Problem: Automate a manual task Locate and decode F5 cookies, display as a passive scan result Burp API: doPassiveScan to trigger check code
  • 21. Solution: create new check 1. doPassiveScan catches request def doPassiveScan(self, baseRequestResponse): # Returns IResponseInfo analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse()) analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse) # Get Cookies from IResponseInfo Instance cookieList = analyzedResponse.getCookies()
  • 22. Solution: create new check 2. Locate BIGIP cookies and decode them # Loop though list of cookies for cookie in cookieList: cookieName = cookie.getName() # Look for BIGIP Cookies if cookieName.lower().startswith("bigip"): f5CookieName = cookieName f5RawCookieValue = cookie.getValue() # Decode and check for RFC 1918 address f5info = decode(f5RawCookieValue)
  • 23. Solution: create new check 3. Create Issue class to return useful info class PassiveScanIssue(IScanIssue): ... def getIssueName(self): return "Encoded IP Address Discovered in F5 Cookie Value" ... def getIssueDetail(self): msg = "The URL <b>" + str(self.findingurl) + "</b> sets the F5 load balancer cookie <b>"
  • 24. F5-BigIP Cookie Checker Source: http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html Internal IP address retrieved from encoded cookie
  • 25. Summary 1. Decode custom encoding/serialization Use IMessageEditorTab interface to display decoded content 2. Handle anti-tamper or signed requests Use processHTTPMessage to catch and rewrite requests 3. Provide a new “view” into an application Use ITab interface to display custom view 4. Automate a manual task with a new scanner check Use doPassiveScan to trigger a check