
Imperial Stout: Building Bolder BurpSuite Functionality

BSides Greenville 2020 · 49:15 · 17 views · Published 2020-06
Speaker: Jason Gillam (Secure Ideas)
About this talk
Jason Gillam walks through a series of Burp Suite extensions designed to enhance web application penetration testing. The talk demonstrates practical extensions for user enumeration, password fuzzing, and session analysis, and explains how to build custom extensions for offensive security automation.
Original YouTube description
@JGillam from @SecureIdeas comes to walk through a series of demos showing just how far Burp Suite Extensions have come, the many ways they can be used to assist with Web App Pen tests, and how to get started building your own. www.bsidesgreenville.org @BSidesGVL
Transcript (English)

Hi everyone, thanks for joining my talk. This is my first time doing BSides Greenville; I've met him several times in the past and it's just never really lined up with my schedule, so I'm really happy to be part of this even though it is remote. My talk is on a topic that is very dear to me, which is writing, I guess, open source software for application security purposes. So it's kind of similar to the previous talk, but different. Most of what I'm going to be doing here is really a show-and-tell of some of the projects that I've worked on, but I also want to get into a little bit of technical detail in case people are interested in doing some of their own. So that's basically it; it's about Burp Suite.

But first of all, let me get into my bio. My name is Jason Gillam. I wear many, many hats, sometimes far too many: security consulting (I was teaching a class this week on application security), I also do software development, a bunch of stuff. And I love application security, so although I do pen testing and various different aspects of that, application security is where I really feel comfortable. I'm an OWASP lifetime member, I'm a regular at other BSides; like I said, this is my first time here, but for those who know me, you've probably seen me before at BSides Asheville or Charleston or Charlotte. I've worked with Shaha a lot in the past as well. I've been programming for a really long time, I hate to admit it, but my first computer was a Commodore VIC-20; it is the one that's actually on this slide. I saved up all my money from mowing lawns as a teenager and bought a computer, which was pretty awesome, and I started programming on it. Mostly the other kids were playing games on it, but I started tinkering with it. And in my spare time, when I get a little bit now and then, I really like craft beer, enough that I actually brew some of my own, so the picture on here is from a couple of years ago; it's a stout that was dry hopped, so that's what all the hops are on top there, that's dry hopping.

So before I get into this: I know that my talk is going to be around Burp Suite extensions, and Burp Suite itself is a commercial tool, but I wanted to take a minute to acknowledge all of the open source tools that are out there, because we as information security professionals rely very, very heavily on open source tooling. The whole last presentation, all the PowerShell stuff, I think everything in there was open source tools, a lot of it extendable. Here's a bunch that are probably familiar to anybody in InfoSec; you should be familiar with at least some of the ones on this screen, especially on the red team side. I know more open source tools have been evolving on the blue team side over the last several years, but if you're looking at it from the attacker perspective, almost everything has always been open source. So we rely very, very heavily on that. I want to throw a couple of names out there in case you haven't seen the names before. These aren't the only people who do open source InfoSec projects, but here's a bunch of them, so thanks to all of these fine people for all of their contributions over time. It's been really great to be able to do our job on your shoulders, so I'm very thankful for that.

Now to get into what I want to talk about. For those of you who have done pen testing before, you should already know about Burp Suite. It's an interception proxy; it's the only real commercially available proxy, and there is a free version you'll find in Kali and other places. This is one of the main tools that we use. Aside from the browser (you're going to need a browser when you're talking to web applications), the interception proxy is the thing that you're going to use most. There's more than one: there's an open source one, OWASP ZAP, which is extremely popular as well, but as far as commercially supported ones, it's Burp Suite. The reason why I use it: I just prefer the tooling in it over ZAP, and basically the company I work for standardized on it; this is what we use. It's for man-in-the-middling your own traffic: whenever you make a web request, it goes through that proxy, goes to the server, and then the response comes back through the proxy and then to your browser. In your proxy you can get a history of everything that's gone on, and then you can also do things like take one of those requests, rerun it and make some changes to it, build fuzzing tools around it, and that sort of thing.

So the essence of what I want to dig into here is the fact that Burp has an API; you can extend it to do more things. Burp Extender allows you to do that. It's actually a very rich API; I'll get into some of that functionality in just a second. There are a lot of hooks in there; you can hook into a lot of different parts of what it does. It works with Java, Python and Ruby, so if you have any sort of programming experience in any of those languages, you probably have the skills to extend Burp. Now, that being said, I will add a caveat: Burp itself is a Java application, right? So if you're going to extend it and you have expertise at all in Java, then that is probably the language you want to use. Even PortSwigger, the makers of Burp Suite, will tell you that although all of these are supported, Python is actually supported through Jython and Ruby is supported through JRuby, which are basically Java wrappers around those. So from a memory management and program efficiency perspective it's better to write an extension in Java, because it's a lot easier inside Java to just load some more classes into the class loader than it is to load up an entire Python or Ruby interpreter. And the other thing is the way that it loads those: you can only really run one or two extensions that are Python or Ruby at a time, whereas with the Java extensions you can actually load up quite a few without having a significant impact on the memory footprint. Alright, so that's that part.

So how does this work? How do we actually build these? What you do is part of the API; I'll show it to you in a moment, I'll get into some demos, I just have a few slides to go through first. IBurpExtender is sort of the main interface. It's all a set of interfaces, for those familiar with Java; it's just a set of interfaces that you implement. IBurpExtender has just one method on it, which is registerExtenderCallbacks. So you basically implement IBurpExtender, then you implement that registerExtenderCallbacks, take that callbacks object, and from there that's where you can call into it to hook into the various different aspects of Burp. And what can you do with that? There's a bunch of very useful, cool things. One of the common ones is IHttpListener and IProxyListener, which basically let you hook into all of the Burp history, so you can on-the-fly examine requests and responses and even make some changes to them, which is really cool. So a lot of the stuff that Burp inherently has in it, you can extend that sort of functionality, like for the proxy history, and make your own changes to things, which can be very good for certain types of scenarios. There's also a pairing here of IIntruderPayloadGenerator and IIntruderPayloadProcessor. Both of these work around Intruder, which is the fuzzing tool inside of Burp, and they let you generate your own dynamic fuzzing payloads with the generator, or process existing payloads with the payload processor. I'm actually going to show you one of these in a couple of minutes. And beyond that you have the ability to plug into where the issues are shown, so I guess that's in the dashboard now, right, because it's all changed from where it used to be. So let's say you build an extension that is able to detect a type of vulnerability that Burp Suite doesn't natively find; you can use the IScanIssue interface to add your own issues in there, so then they show up in the dashboard along with everything else, which is kind of cool. You can also, as you've probably seen if you've used any extensions before, a lot of them have user interfaces; they have extra tabs that show up on there, so there's this whole mechanism for building those. Now, if you're building a UI inside of Burp for an extension, I recommend that you go down the path of using IntelliJ for your IDE; that is what PortSwigger already uses, I talked to them about this. Building a new tab sort of interface around there is really not that hard; it's kind of a drag-and-drop sort of thing when you're using that, and then you can plug that in through ITab, ITextEditor, IMessageEditor. There are others too; this is just a sampling of what's there. And then if you have custom session management, maybe some special type of token or something that needs to be handled, you can actually build custom functionality around there; again, this is for cases where it falls outside of the norm. Okay, so that's actually pretty much it for slides.

So I'm going to, hopefully everyone can see this, I'm going to drag that off. There we go. Okay, so this is Burp Suite, this is what it looks like. This is the Pro version; there is a Community Edition which has some of the features, but most of the automation is disabled. The Extender API is actually still available in the

Community Edition as well, so there are a lot of extensions that will work without you having to put any money down on it, which is kind of nice. So I'm just going to run through very quickly a couple of these tabs, because they're important for what I'm going to show after. We have the Target tab; what's really important here for what I'm working on today is the Scope tab. I have a silly little application that I've built just for demonstration purposes, and it's whitelisted here in the target scope; that will come into play a little bit later. The Proxy history tab is the next one: under Proxy there's the history, and we can see that I've visited exactly one location at this point in time. I have a browser set up here, so let's say I just go to professionallyevil.com, so we can see that as well. Oops. And now you can see some more resources have been loaded; again, if you've done a bunch of application security you've seen this before. Then we have Intruder, this is our fuzzing tool: if we have a request and we want to send that request multiple times to the server but swap out different values, like we're using a list of payloads and we're going to try a list of username/password combinations or something like that, you can use this. It's sort of a mail-merge type of functionality. Repeater allows you to take a request, put it into Repeater and then send that request to the server multiple times. So far what I've talked about is all the built-in functionality inside of Burp Suite, and some of that functionality we'll look at extending in just a second.

Okay, so Extender. This is where the Burp extensions get loaded. You can bundle up an extension into a jar file and just load it directly here, which is what you're going to do if you're developing one, if you're working on it locally. One really nice thing about the way that they do their class loading on there: I can take this Nonce Payloader, for example, and unselect it; now I can go to my source code, recompile, and once that's recompiled I can just click this box again. So I don't have to actually delete it and then bring it back in; I just click the box again and now it will reload from whatever version of the jar file was produced from my IDE. So it has a fairly tight development cycle, which is one of the things that I aim for; I don't like to have some lengthy process where you press a button and have to wait half an hour before you can actually use something again, or go through 30 or 40 different steps to make it work. This is just a couple of steps, it's not too bad: I can make changes in the source code, bundle it up in another jar file, which just takes a couple of seconds, load it back in very quickly and then try it out. Some of them will have their own tabs.

Oh wait, hang on, before I get to that, there's also the BApp Store here; this is definitely worth looking at. In the BApp Store you can see that, although it says store, all of these are free, I should point that out. These are many of the extensions, not all of them, that are out there, but these are many of the extensions that have been produced. Everything in here is open source, and they all extend the functionality of Burp in a variety of different ways. There's also a rating system on there and that sort of thing, which is kind of cool. So lots of different things in there. If you're doing a web app pen test and you're using Burp and you run into some scenario where you're like, oh man, I wish I could see this information a little differently or a little better, or if I had a little extra tool to do something, then before you start writing one, go check and see if somebody else already did, because there's a lot of stuff already out there, which is pretty cool. There's also the APIs tab on here, and if you're building against Burp, so you're making your own extension, you'll need to save these interface files; that's what this button is for, down here. That saves the interface files off so you can compile against them. So you'll need that.

Okay, so let's look at an extension. I'm going to look at Co2 first, which is an oldie but a goodie, and the reason I bring this one up is that as time went on, when I first started in application security and discovered Burp and how awesome it was, I started building extensions when I needed them for various different purposes, and eventually, after, I don't know, a year, a year and a half of doing that, I'm like, you know, I really need some way to keep all of these together, because a lot of other people want to use

them. So I bundled them all together into what I call Co2, and Co2 is a reference back to my home brewing; it's carbon dioxide, which also happens to be the gas that makes you burp when you drink too much beer. I'll just run through a little bit of functionality here quickly. We have SQLMapper. If you've used sqlmap before, or even if you haven't, one thing that you'll notice when you do sqlmap -h, and there's also -hh for super help, is that it has many, many, many different options. I found I was always having trouble remembering which option do I use for what, which switch to use, and also stuff like where do I need to double quote or single quote, just trying to figure out all of that because it's a command-line tool, right? So I made this thing here. What you can do with this is you can take any request out of your history, so I'm just going to take this one here, and then you send it to... this actually also demonstrates one of the other things you can hook into: you can hook into this context menu, which is really helpful. So I can send this to SQLMapper, and that opens up inside of Co2, and now you can see the command has been basically built for you. This one has a ton of cookies in it, but there we go. So now I can right-click, copy that line, and then go into sqlmap and basically just, from the command line, sqlmap space and then paste my line in there; it properly quotes everything. If you need to, let's say, not put the cookies in, you can unselect that. All of the functionality, or most of it anyway, because as it evolves it's hard to keep up with, but most of the functionality from sqlmap has been mapped into the user interface here, so it allows you to dynamically build that command. So for example, let's say you go into Techniques and you're like, you know, I don't want to do the time-based blind, that just takes too long; you can click that and then it'll automatically put that --technique=BEUSQ. Now, how many people knew that off the top of their head? Probably not that many, right? It's one of those things I'd have to go researching the docs and figure out, which is fine, but I'd rather just quickly do this, and then I can right-click and copy that and go on my merry way, which makes this a whole lot easier. There is this auto-run thing in here; I actually don't use that. I put it in there because I had several people ask, you know, is there a way to run sqlmap directly from within there. But I actually use it from the command line, so I'll run a command and then I'll up-arrow and tinker with it a little bit and then run it again, that sort of thing. So I actually don't use the run-directly-out-of-here, but I know some people do.

Okay, a couple of other things right quick. Laudanum: I will admit this particular tab does not work right now. Laudanum is a project; it has worked in the past. It's basically for web shells, right? So when you find somewhere to get a shell onto a web application, this would be the type of file that you want to get on there. Now Laudanum, the project itself, is an older shell, and what I was aiming for with this is I wanted to be able to dynamically build one that had some security features in it but also gave you more of a... basically, using Ajax requests, gave you the feel of a real terminal, right? So you have a prompt on there, you could type something, hit enter, and that would send it, and then you see the response come back, and it would render it as if it was inside of a terminal. So that's kind of where I want to go with this one; I just really haven't had time to get back to it and do that. But it would support PHP, JSP, WAR shells, ASP and ASP.NET. That's the idea behind that one anyway.

So, a couple that I do use quite frequently. The User Generator I find extremely useful. There are a lot of cases where you're like, hey, I just need a list of users, well, which users do I use? This is based off of census data. One of the things is, especially when you're sending fuzzing payloads, you have a list of things that you want to send into an application, and we know that sending a bunch of things into an application can take time, right? So there's no way I can send a list of a million things in; that's just going to take too long and it's going to put a lot of load on the application, and if we can, we want to be nice to it; our goal isn't to denial-of-service every application that we pen test. So when we want a list of usernames, what we really want is a list of the most likely usernames that will work, and that's the goal of this particular tab. So let's say it's a website with functionality that I know relates to retirees. I'm going to say, okay, well, let's pick first names from the 1950s, because all of the data in here is pulled from census data, and it's ordered from most common to least common. So I can say let me take first names from the 1950s and I click Alright, and for some reason it always scrolls down, and so the most common name from the 1950s was Michael, and then came David, and then James, John, Robert, William, Christopher, Joseph, Jennifer, Richard, and so on and so forth down the list. So if I'm looking for first names, that'll work for me. If I'm looking for surnames, I also have those, so I can just say let's add surnames, and those are the most common surnames, not based on date, that's just the current census data: Smith, Johnson, Williams, Brown. So those are your most common surnames. You can also have it combine things, so let's say you know that the usernames tend to be first initial plus last name for an organization. What are the most likely successful candidates for that if you have no idea who actually works there? Well, you can add the combos on there, and you can guess that there's a good chance that there's going to be a JSmith, a JJohnson, an MSmith, a JWilliams and an MJohnson, a DSmith, and so on. So basically it orders them by what's most likely going to be available. Because I'm going to need it in a moment, I'm going to grab first names on here.

So next, Name Mangler. This is very simple. I needed something because in this case I knew who some of the people were, and I was looking for a username harvesting flaw, but I didn't know the format that they were using for their usernames. So if I put myself on here, there are a couple of things you can do, but basically it gives you a bunch of different options, so I didn't have to manually go, okay, well, let's try JGillam and GillamJ and, you know, it just basically spits out a list that recombines these in different ways. So that was that one.

CeWLer: Robin Wood, DigiNinja, big shout out to him, another open source developer who does a lot of pen testing as well. He has an old tool of his, CeWL, and I asked him, I said, hey, do you mind if I take your tool and take the concept behind it and basically rebuild it into Burp, and that's what CeWLer is. So in this one here, what you do is you take, let me take professionallyevil.com... oh wait, hang on, that one's not going to have anything, that's a 304. I don't know if this will refresh in there, hopefully. There we go, okay, I needed the actual content to send it to CeWLer. So you can send multiple at a time, and the premise behind CeWL is that people tend to use words associated with a website in their password for that website, so if we extract all of the words from a page, then one of the main purposes for that would be to see if someone used one of these as a password, right? So that's what CeWLer is. Pretty simple; there's some configuration on there, minimum word size and stuff, but at the end of the day you get a bunch of words that came off of that page, and then you can copy all of those.

Masher: notice also that most of these end in "er"; I was trying to keep with the naming convention inside of Burp. Okay, so I'm actually going to take my list from CeWLer for this. So I take this list, and you start off with an input list of words, and then what you're going to do is you're going to say, hey, the password specification, which I happen to know in this case, requires an alpha uppercase, lowercase, numeric, and it needs to be anywhere between, let's say seven, well, say nine characters and eighteen. And then this actually creates a payload generator, and you can also generate samples on here, and the samples will be mixes of whatever was in the input, and it does start fuzzing them too; it'll start adding the number one at the end, and if you have symbols that are required then it'll start putting exclamation points in, and that sort of thing. The generator, if you use that, basically just keeps going; it keeps generating them indefinitely, and that will show up under Intruder. So if I go to Payloads here, under the payload type, since I've generated it I can go to Extension-generated, and it should show in this list here; there it is. I don't know why it's small, it's probably because I changed my font so you can see it better. Okay, so that's that. And then there are a couple of other little bits and pieces on there, so

now the problem that I want to show is because one thing I did want to get into is a little bit more on developing one I'll show you a little bit of source code in a second so I have this this mocked up silly little login thing and if we run this let's just run it with a you know random user I'll just call it random okay we have no user session with that user if I try a user that I know is in the system called test it says login error try again so basically the idea here is it's a it's a login form right and then there's also this little profile link over here

that I just threw this in here and we're not authorized we have to be logged in to get to that so there is a harvesting flaw on here but it's not a harvesting flaw that we could normally get get through with with the built in functionality inside of bird and the reason is is because what we can see if we analyze it which we should always do right we analyze the the request response traffic we realize that what's happening is when we click on something or sorry when we saw when we submit something like here was the user random what's happening is we're getting a nonce back in this case it was a zero because the user didn't exist and in the

next case where I put in test user which I know is a known user in system I got I actually got a nonce back that nonce was then used to attempt to login okay so if we're looking at the request here it's the user was test the password was password and the nonce was was the whatever nonce was produced and I won't go through you know verifying exactly how this works I'll just tell you so basically it's it it requires these two requests in order to login one to grab a nonce and ii actually used that nots to log in the knots only works once right so this is meant as a as a method of preventing you

from being able to brute-force through the login or you know send a whole bunch of fuzzing traffic to it if i just said okay well let me try a bunch of users and and a password list against this and just keep using reusing the same knots it would always fail even if i guess the right password it would still fail and so that's that's kind of the way this is built now it does have a bit of a flaw in that and that although i can't do that with the built-in tools in burke i could make my own just think about all i need to do is is set up my intruder payload so let me let me just pick one

here like let me take this one here i'm going to send this to intruder okay so if you haven't seen this before again this is like a emil merge type set thing so I have my users I have my passwords and then I have these nonces so I need to figure out how I'm gonna handle those okay so we'll bill I'm gonna build a little solution for that actually I already have it built but I'll build the code around that and I'll show you show it to you in a second but before we do that we need to know what are some valid users so let's let's look at a slightly simpler version of this and we know that

the knots that we get back is going to be a zero when the user doesn't exist and a longer string when the user does exist right and that's just by passing a user into this so let's start with this okay so I'm going to send that to intruder and clear this out and for the user instead of test I want to get some actual user names right so I'm gonna go back to CEO to remember how I had the user generator here I'm gonna take those I'm going to pass them into I'm sorry I'm going to pass those into intruder here and then I start that attack and it goes by very quickly and I can tell by the

length that there's at least a Kevin in adjacent in there okay and you know if I if I look inside the response I can see those ones produced nonces all these other names I got a zero back right so that's basically for if you haven't seen this before if you haven't seen a fuzzing attack before that's basically what it how it works we're looking for in the results table we're looking for what's different what are the outliers okay so Kevin and Jason are valid so going back to here if I set this up as a cluster bomb sorry not this one number two you set this up as a cluster bomb we have the test the password and

the nonce cluster bomb is the attack type that tries combinations of things okay so our payloads for this our first payload is going to be user names so we can just type them in I'll type in Kevin I'll type in Jason okay the second one was our password so we need a password list I happen to have a short password list I'm going to need a short one because I need this to run fast okay and then for the third one this one gets a little bit tricky so now we need to generate a nonce and the nonce we know is based on the user right so if I go back to that proxy history

and look at how that works we pass any user we get back a nonce okay I don't see that so how are we gonna make that work so what we do is me bring up here's the nonce payload processor and I basically have hard-coded this whole thing so I have the template of that request I was just showing you right here okay and then I have here's that remember how I said here's the one thing you have to implement right register it's callbacks so let me just zoom in just a little bit here there we go okay so register extender callbacks in this case here all I did was set the extension name from the

callbacks print some output into it so that way I know the right version is loaded and then I have a register and true intruder payload processor and this whole thing actually is the payload processor halo processor has two extra things that you need to implement one is the name you know so that way you have a way for it to show up in the interface and the other one is the actual processing method method which is processed payload and it takes the current payload the original payload and then the base value as parameters on there and so based on on those I'm able to take an existing payload so we're going to use the username as a payload

and and then make and then return back a replacement payload payload a replacement version of that which we're actually gonna return the knots so the way this works in here so inside this block I don't know how easy that is to see but I'll just tell you what it's doing it's basically taking that the username so whatever value we've used for that and it is constructing a request that request is going to request a nonce and we then parse out the knots and then we return the knots okay so not too hard one more like him how far out did I zoom that okay so going back into burp suite that was or nonce Pro so what I'm gonna do is

I'm just gonna copy another payload for the generation of the payload, which is gonna be our names, because we already have those; that's the Kevin and Jason we have in the first position, right? Going back to the positions here, the name was already here, so I'm going to use the name again for this payload position, but I'm going to then use my custom payload processor to swap that out for them. So one of the payload processing things I can do is invoke a Burp extension, and anything that I've registered through the callbacks will show up on here. So I have ASCII payloads, which is a different one, and then there's this nonce payloader, right? So I'm going to invoke

that, and that's everything that I need to do. So now I can start this attack, and in this case it's going to run very slowly because I'm making these extra requests out, and yeah, so this will take a little while. So while this is going, let me just explain what we have here. We have the three different payload positions, and their values are actually showing up in the results table, and what we're looking for again is something that's different. So anywhere where the length has changed to something else, that should tell us whether or not we've guessed the password for one of those two users, Kevin or Jason. These are going slow, so

once we've guessed that, then we'll be able to look into the next step, which is, you know, can we actually log in with that account, and then what's inside of that profile page that's in there. So one little trick, actually, if you have something that's processing along, is you can take the request and reverse that, and that way it kind of shows up at the top like this. It makes it a little bit easier to see right away when you see the length change on something. And there we go, actually, there's one that just changed, so now that it has a password on it, we can see what it is: Kevin's password is, not surprisingly,

Star Wars, okay, right, because the length on that one was different, so that's the outlier, which is, we're always looking for the outliers. But look at the response for that: it says success, you are logged in, all right? So I'm just going to let that keep going, and now I can go back to my application, try Kevin and the password Star Wars, and we'll just sign in, and now it actually says you are logged in, and lo and behold, I'm able to get to the profile, which is just a dummy screen. It just doesn't say you are not authorized anymore; now it says hey, this is Kevin's profile, so something that's tied to a session

is working, all right? So we've been able to log in with the nonce, and we can actually see what happened here in the final version of it. We used Kevin and his password, and we actually, I don't think we'll see it in the history, hang on, Kevin, yeah, there we go. So first it was Kevin and we got the nonce back, and then in the POST right after that, Kevin and his password and that same nonce were used, and we were able to log in with that. Now when we go to the profile, let me look at the request here, one thing that you'll notice on this one is there are a whole bunch of cookies in

here. I've just set a bunch of dummy cookies, which might make it hard to figure out, well, which one of those are actually important for the session and which ones aren't. So, Paramalyzer, and I'll get to that in just one second, but it ties right into Paramalyzer, which is another plug-in, another extension that I've been working on, and this one initially started with a hey, I just want to be able to see what everything is inside when I have a really big test that I'm working on, you know, a very busy application, or maybe I'm going across multiple applications. And so what you do is, well, let me go back just one second

here. What you have to do is, first of all, it only analyzes what's in your target scope. It only analyzes what's in your target scope; I have to say that twice because people go like hey, nothing came up. So once that happens, it will analyze your history only, right, and it just basically puts everything out into this nice table. It does its best job at identifying things, like here we have this value here: if you just click on one of them, down here in the details in the bottom left, in the middle, it'll say hey, what is that, and it says yeah, it's a hex string of 40 characters in length, so it's

probably a SHA-1 hash, right? And it'll give you a few other details on here; it'll also do its best guess at guessing which one of these would be considered secrets, or things that you want to protect in some way, okay. And that's just purely based off the name, really, so you know that we have that much information on here. One thing that we might want to do is go okay, looking back at that proxy history on here, we have all of these, we might want to know which one of those are important for managing the session and which ones are just basically garbage tokens, I like to call them sometimes, that are

maybe used for, like, analytics or something like that. And one way of doing that is, like, you can manually go in, I can send this to Repeater and then just, you know, one by one eliminate them and see how my response changes. I got tired of doing that, I'm lazy, so instead of doing that I decided to spend hours trying to come up with a solution to do it for me. So what I did is I took this one here and sent this over to Paramalyzer, so you can do it from anywhere in there, but basically it takes any request. Ideally what you want is a request that is a good

one to use as, like, a heartbeat of am I still logged in, right? So going to a user's profile would be one. It's not making any changes, right, you don't want that, because this is gonna automate some testing on here, but it's easy to tell whether or not the user is still logged in if you're trying to access their profile, right, because if the session cookie isn't right it shouldn't give you their profile. If it does, then you have another whole problem on there. So I can send this to Paramalyzer, and what it does is, underneath the Sessions tab, it opens this up and you can first of all verify the baseline. I like to do

that first; that's basically run that same request again, and I can verify in the response that it says hey, this is Kevin's profile, so I know that that's still working, the baseline is still gonna be accurate. And then all you have to do is take this Analyze button and it makes all of those requests; it literally took less than a second. And then based on those requests, again, we're looking for outliers, that's what we do, right? So we see that hey, yeah, the only outlier on here is the session_id. So what this means is it's most likely that the session_id is the only cookie that we

need to be considered logged in, and all of these other ones are just garbage cookies. You can right-click on any of these, and I've built in, again through the Burp APIs, you can build in context menus to send a request to other tools, so I can send one of these to Repeater. All of that was built in through that, okay. So I think I'm right near the end of my time, let me just, I have a couple of closing things, bring up PowerPoint, right. So a couple of closing things: many open source tools out there are extendable, and some commercial ones are as well, okay? So just because a tool doesn't do exactly what

you need it to do, that doesn't mean it's incapable of that, and often those of us who write these tools, we write them to be extendable. I mean, there's lots of examples out there. Tim Tomes, again, I'll throw his name out there, recon-ng, that's always been very much a modular framework, right, it's meant to be extended. Nmap is another one; you can build additional scripts onto Nmap, which, you know, we all use for port scanning purposes. ZAP, of course, and Burp, and then even if you look at, like, the previous presentation, there were several tools like PoshC2, extendable tools, right? So bear that in mind.

I mean, our tools get better when we have, you know, feedback and additions, and we actually look at, you know, how can we improve on these things. Second, everybody, please support open source development. That doesn't mean you have to develop the stuff, right? It also doesn't mean you have to donate money to it or anything like that, but you can help in other ways. Report issues: if you see something that's broken, don't just go off, that tool is broken, maybe they're not maintaining it, and then don't say anything, right? I know that I have, like in CO2, I know that there are things broken in there that nobody has reported, and I'll easily have

not actually opened an issue for them, but if somebody reported it, I'd go okay, well, somebody wants that fixed, and so that would get my attention, and then when I get some time I'll get around to it, I'll fix it. I don't expect pull requests for things like CO2. It is, I would like to say it's a well-written Java extension for Burp Suite, but all the documentation for it is really in my head, so I don't expect anyone else to be able to make sense of my crazy ideas in that case. Anyway, also, though, share ideas, get together with developers of tools, and if you have an idea for hey, how could we make

this better, share it with them. I mean, I'm very passionate about my tools; I would love for people to talk to me about them and say hey, have you thought about maybe using it this way, or could you add this functionality to it? I'm glad to entertain that, and I'm not going to say go submit a pull request, right? I will for some things, but generally not for my Burp extensions. You can help with docs, like user documentation or videos, useful videos, that sort of thing. And just, you know, express some thanks. I know a lot of people do; I often forget, way too often, to say thank you to all of the

people who have built solutions and put them out there for the industry to use, because our industry is built on open source, it really is. So that's it for my talk. My name again is Jason Gillam. If you want to chat with me at any time, either later today or any time afterwards, I can be found on the Professionally Evil Slack channel, professionallyevil.com, and my GitHub repo is JGillam, that's my first initial and last name, if you're trying to find me and some of the tools that are out there. So thank you very much.

Thank you so much, Jason, for contributing your knowledge back to the community. Some of those statements you made

right at the end, that weren't specific to your presentation, were really hard-hitting, something that all of us should keep in mind: that this community is built on all of our contributions, and you're an example of it right now. I'm an example of it hosting this room, and we're all an example of it consuming it and hopefully giving back to the community.
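The two extension ideas Jason walks through in the talk above, the Intruder payload processor that swaps a username for a freshly fetched nonce and the Paramalyzer Sessions check that drops one cookie at a time to find the one that actually carries the login, as an added example in plain Python. This is not code from the talk, from CO2 or from Paramalyzer: the toy server, the cookie names, the passwords, and the `NonceProcessor` and `analyze_session_cookies` names are all constructed for illustration. The Burp-side wiring (registerExtenderCallbacks, setExtensionName, registerIntruderPayloadProcessor) appears only in comments so the file runs outside Burp.

```python
"""Added example: plain-Python model of a Burp Intruder payload processor and a
one-cookie-at-a-time session check. Everything here is constructed; it is not
the talk's own extension code."""
import hashlib
import hmac
import re
from typing import Callable, Dict, Tuple

SECRET = b"constructed-server-secret"          # constructed: only the toy server knows it
PASSWORDS = {"kevin": "starwars", "jason": "correct horse"}   # constructed demo accounts
SAMPLE_COOKIES = {                                  # constructed cookie jar from a "profile" request
    "_ga": "GA1.2.111222333",
    "theme": "dark",
    "session_id": "constructed-session-for-kevin",
    "tracking": "abc123",
}


def issue_nonce(username: str) -> str:
    """Toy server side: the nonce is derived from the username, as in the demo app."""
    return hmac.new(SECRET, username.encode(), hashlib.sha1).hexdigest()[:16]


def toy_server(method: str, path: str, params: Dict[str, str], cookies: Dict[str, str]) -> str:
    """Constructed stand-in for the demo web app; returns the response body."""
    if path == "/nonce":                            # any username gets a nonce back
        return f'<input type="hidden" name="nonce" value="{issue_nonce(params["user"])}">'
    if path == "/login":
        user = params.get("user", "")
        ok = (params.get("nonce") == issue_nonce(user)
              and PASSWORDS.get(user) == params.get("password"))
        return "success - you are logged in" if ok else "invalid login"
    if path == "/profile":                          # the "am I still logged in" heartbeat
        if cookies.get("session_id") == "constructed-session-for-kevin":
            return "This is Kevin's profile"
        return "You are not authorized"
    return "not found"


NONCE_RE = re.compile(r'name="nonce" value="([0-9a-f]+)"')


class NonceProcessor:
    """Mirrors the two methods of Burp's IIntruderPayloadProcessor. In a Jython
    extension you would also write:
        def registerExtenderCallbacks(self, callbacks):
            callbacks.setExtensionName("Nonce payload processor")
            callbacks.registerIntruderPayloadProcessor(self)
    (that wiring is omitted so this file runs without Burp)."""

    def getProcessorName(self) -> str:
        return "Nonce payload processor"           # what shows up in the Intruder UI

    def processPayload(self, currentPayload: bytes, originalPayload: bytes,
                       baseValue: bytes, send: Callable[..., str] = toy_server) -> bytes:
        """Intruder hands us the username as the payload; we fetch a nonce for it and
        return the nonce as the replacement payload. If no nonce can be parsed out of
        the response we return the payload unchanged rather than a bogus value."""
        username = currentPayload.decode()
        body = send("GET", "/nonce", {"user": username}, {})
        match = NONCE_RE.search(body)
        return match.group(1).encode() if match else currentPayload


def analyze_session_cookies(path: str, cookies: Dict[str, str],
                            send: Callable[..., str] = toy_server) -> Tuple[str, Dict[str, bool]]:
    """Mirrors the Paramalyzer Sessions idea: replay the heartbeat request once with
    every cookie (the baseline), then once per cookie with that cookie removed, and
    flag the cookies whose removal changes the response length (the outliers)."""
    baseline = send("GET", path, {}, cookies)
    required = {}
    for name in cookies:
        trimmed = {k: v for k, v in cookies.items() if k != name}
        response = send("GET", path, {}, trimmed)
        required[name] = len(response) != len(baseline)
    return baseline, required


if __name__ == "__main__":
    proc = NonceProcessor()
    nonce = proc.processPayload(b"kevin", b"kevin", b"")
    print("nonce for kevin:", nonce.decode())
    print(toy_server("POST", "/login",
                     {"user": "kevin", "password": "starwars", "nonce": nonce.decode()}, {}))
    baseline, required = analyze_session_cookies("/profile", SAMPLE_COOKIES)
    print("baseline:", baseline)
    for name, needed in required.items():
        print(f"  {name:<11} {'REQUIRED' if needed else 'garbage'}")
```

The session check only works against a heartbeat request that is read-only and whose success is obvious from the response, which is why the profile page is a good choice and a state-changing request is not; it also compares lengths, so a page whose length varies between identical requests would need a different comparison.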