
So this talk is about using Burp Suite, specifically around using plugins that are available to increase your efficiency during testing. We'll also get into a little bit of do-it-yourself, so we'll walk through a plugin written in Python.

Real quick, the obligatory "about me" slide: my name is Brad Bellman, I work for SecureWorks, I'm an application pen tester, so I use Burp Suite every day when working. First time my family actually came and saw one of the talks.

So we've got some gaps in what Burp does for us. I mean, don't get me wrong, I love it, it's awesome, it's my favorite tool to use when I'm testing, but there are a few gaps that we're gonna fill in using plugins. We're talking about beefing up the scanner, we're going to talk about adding some passive detection things that you can do, we're gonna look at a few specific tasks using some plugins, and then we're gonna get into a little bit of writing your own.

So I'm gonna start out just walking through some of the basics. I'm sure that a lot of you probably use Burp and are familiar with it, some of you probably not, so we're just gonna walk through a couple of the basics real quick. First off, when you're using plugins, make sure you understand what they are. I see a lot of people like, "hey, I read this description, it sounds really cool, it's the new thing that just came out" or whatever, because there's, you know, a decent amount of plugins that come up for this now. You want to understand what they're doing. They're on GitHub, so you can actually go and look and read a little bit of code and see what they're doing; at least the store apps are on GitHub anyway. And again, if you're not familiar with Burp, it's got an Extender, it's got a store, so there's a look at what the store looks like. I hope you can kind of see that in the back, but it's got a list of plugins, descriptions, author names, there's a link to where it is. All you've got to do is just select it, install it, and as long as everything goes well it will install and you can start using the plugin immediately.

So I mentioned some of Burp's gaps. The big one that we're going to talk about is having full visibility into the requests and responses in all the different tools. So, like, the proxy history and Intruder and Repeater, it's not really a big deal because you can see all those, right? But things like the scanner, the spider, if you're running macros and something starts breaking, especially in the scanner, it's difficult to troubleshoot when you're not 100% sure of what it's actually sending to the application. So that's the big one we're gonna talk about. It also doesn't give you an easy way, outside of plugins, to really add any scanner checks, so we're gonna look at adding scanner checks. We're gonna talk about those passive checks, just really easy, simple ways to add those in, and then we're going to look at some decoders and file format viewers.

So first off, I put this one first because it's by far my favorite plugin. It's awesome for, like I mentioned, troubleshooting macros, things like that. It's called Logger++, it's from NCC Group. Here's a real quick look at part of the configuration of it, but what I wanted to call out here was you can check the different tools that you want to be able to see. So you don't necessarily need to run it against all tools, but, you know, I really like it for the scanner, and every now and then Sequencer and things like that, because you can go back through and look. There's a whole lot of different things you can do with it too, like searching and highlighting and exporting and regexes and things like that. So here's kind of what it looks like when you're actually running something. It's a really basic interface: on the left you can see, you know, the number of the request, which tool it's in, what you're scanning, the host, and you see method, path, all that stuff. So it's really nice.

I also like to use it to keep an eye on things as I'm running anything automated. So I'll run automated tools like Nikto and things like that through Burp as well, and it's really nice as you're watching it: you'll see the requests go through, and it's kind of nice to keep an eye on things because you can spot a lot of differences in responses. So, you know, as it's checking things, throwing a lot of things at the application, the application obviously will respond in different ways. Sometimes you can spot kind of interesting behavior that the tool doesn't necessarily tell you about, but it's just something you can see in the results. So here's an example: you can see the response length there is the same throughout, and all of a sudden one of them is a little bit different. So I'm not saying that's, you know, some sort of a vulnerability or some kind of finding, but that's definitely something interesting that the application did, and I'd really like to see, you know, what that difference was and take a look and see why that was different. All the others are the same and all of a sudden one is different.

So the pros and cons of it: the biggest pro is the additional insight; it's really nice for troubleshooting, searching, all those things. The cons: it doesn't save automatically. So Burp now will save projects and things automatically; this doesn't save any of that stuff. So if you want to keep findings that you have out of Logger++ you can export them to CSV, and you can do an auto-save to CSV; it's kind of a pain. And the other thing is you only see the entries in the logger after there's a response or a timeout. So if you send something and it's sitting there, you know, the application's not responding or anything, you have to sit there and wait for a timeout, or until it eventually sends back a response; you can't see the request that was sent, because it pairs them together and then pushes them into the interface.

So I want to talk
about beefing up the scanner a little bit. There's a lot of really good plugins that are really easy to install and do a lot of really useful things for you. I like to use the scanner piece as a second set of eyes, so, you know, as you're going through and doing a lot of manual testing, the scanner is really nice to find the easier, automatable things, like, you know, cross-site scripting and things like that. So it's a really nice second set of eyes on things, but there's a lot that we can add to it. And like I said, low-hanging fruit and tedious stuff, you know, I want automated every time, the main goal obviously being you want to focus on the application logic, because that's really where, you know, you add your value, testing out logic and things like that, not necessarily looking for cross-site scripting and things.

So the first one is called Active Scan++. It's written by one of the people that works for PortSwigger, which is who puts out Burp, and it adds a lot of really useful additional scan attacks, like XXE and other XML attacks. I don't know if you guys have seen, but the new OWASP Top 10 actually lists XXE as one of them now. I personally don't agree with that being in the top ten, and regardless of your feelings, you know, that's been a little bit of an interesting subject, but that's one thing that you've got now, is checks for that. Suspicious input transforms, we will actually look at a few of those; there are several other tools that do something similar. And then the older stuff too, so like Shellshock and things that, you know, aren't really necessarily out there a lot anymore but something you still need to look for, because every now and then, you know, you'll see something like that. So there's no GUI component to it; all it does is just add checks into the scanner, so it'll queue them up as you're scanning. Some additional things: host header attacks, the input transformation, so things like seeing if that gets evaluated, so seven times seven, you know, things like that, and we'll look at an example.

So this is from a recent engagement that I was on where it actually fingerprinted, I don't know how, but it's saying "hey, I found something that looks like server-side template injection", and it actually fingerprinted it out to be Velocity, which is an Apache product. And the way it did it, you can see the payload, so it's syntax in Velocity actually, and using that, getting a response where that was actually evaluated, it said "hey, I think this is Velocity". Turned out to be right, and that was actually a really interesting attack. If you saw the talk that Jarrod McLaren and I did at Secure Iowa, we actually walked through part of that, where this turned out to be a shellable situation through the application.

So another one, Additional Scanner Checks, so adding DOM-based cross-site scripting and things like that. You want to be a little bit leery of that; you'll get a ton of hits on that, most of them are not exploitable. I've seen, you know, engagements where I'll have five thousand findings of DOM-based cross-site scripting. It's a little bit verbose in that; it's erring on the side of caution, you'll get a lot of false positives. It does things like really simple checks, like missing security headers, like, you know, CSP policy and things like that; also it checks for HTTP to HTTPS redirection.

And another one is J2EEScan. So this is another one where it's a lot of past CVEs, a lot of stuff you don't necessarily want to be spending time manually looking for; it'll do it for you. And you can see a lot of different examples there, some Java-based stuff like Struts and Grails, JBoss, that sort of thing, and a ton of other things too. Once again, this one doesn't have a GUI component, it's just adding on to the scan. So this is again another recent engagement where this caught something. I definitely did not go into this engagement saying "hey, I'm gonna find this OGNL console"; it was just not even on my radar, something to look for in that application, but there it was. So that console lets you evaluate expression language statements, and that ended up being a very fruitful one as well.

So the pros: it's really easy to add a lot of automated testing into the scanner. There's one that does have a GUI tab, most don't. I put that as a pro because as you start adding some of these plugins, the more you use Burp, you see a lot of tabs there at the top and it becomes a pain to try to find which one you're using and stuff. So I don't necessarily like to see the tabs; I mean, obviously they're useful for a lot of cases, but I'd prefer to not see them in some of those. The con, the only con really, being that it's gonna add time to your scan, obviously; I mean, you're adding to it, so of course.

So this is a somewhat more recent one, I mean it's been out for a little while, a very interesting one called Backslash Powered Scanner, James Kettle, again one of the PortSwigger guys. It doesn't necessarily look for, you know, "attack string here, measure the response, see what it is"; it's looking more for "hey, I'm gonna throw something kind of interesting", like I'm gonna throw in different keywords, or I'm going to escape different special characters and things, and see the differences. So that's the suspicious input transformations. It's just, you know, a really simple example is it's going to use a backslash to escape, you know, a double quote, and then it will run the same thing just without escaping it and see the differences in the application. The theory being, if it reacts differently to a non-escaped character than it does to an escaped character, that's obviously something that's being processed by the application, maybe something important to the application, and it's something that is worth looking into. So he did a really, really good white paper on the whole theory of it and how he was able to optimize it and everything else, so it's an easy one to find if you want to go out there and just search for the white paper on Backslash Powered Scanner. So, like I said, it shows you the interesting results to point you towards a potential issue. So this is really one of those things where it's pointing to "hey, I saw something that is kind of odd, I don't know what it is, but you need to go check it", so it always requires manual verification.

So here's an example. So I mentioned keywords; in this case it took one of the parameters and it's using "null" and it changed it to "nzll", so it's just one letter difference, but the null keyword changed the application response; you can see content length is much different. So obviously null is something important to the application. Doesn't necessarily mean that it's vulnerable to anything, but it's definitely an interesting little bit of behavior that you want to go check out, and sometimes it does lead to something. So this adds a little menu into Burp, and these are the defaults; I've never really had any reason to mess with the defaults, it works well for me. So pros and cons again: the con being some of the results you'll see are not always very useful. You'll see a different response and things like that, and you'll go and look, like, "oh, okay, obviously that's gonna have a different response, I don't know why it's reporting that". It happens, it's not so bad. Again, easy additional automated tests that you can throw in and look for different things that you may not have thought to look for, and the really powerful thing about it is that third one there: sometimes it'll find things that other techniques will miss.

So the next one is Scan manual insertion point. So this is just a really simple one. You can add it in and it just adds a little option for you in one of the menus, so as you're looking at, say, a request in any one of the tools, it could be the proxy or Repeater or whatever, you can just highlight it, right-click and say "scan this". So here's an example. You can see here where I've highlighted the big string there in the POST body, right, and then I just right-click and choose "Scan manual insertion point", which is really nice. I know a lot of people talk about sending something to Intruder and then doing scanning that way; this saves the step, as long as it's only a parameter that you want to send to the scanner. So it's simple to use, saves you the steps; the only downside is you can only do one section at a time, and remembering it's there. I've had a lot of times where I go through and send it to Intruder or whatever and get into the scanner, just to remember, like, "oh, I could've just right-clicked and said go".

All right, so let's talk about something other than the scanner. So PDFs is something that I've personally come across in a ton of assessments, right, and you'll see something like this where it's, you know, it's a PDF, I mean it's really obviously a PDF, right? You don't necessarily know what the PDF is just by glancing at the text there. So what we want to do is go from this, so that's just looking at the raw request there, to that. So what it'll do is it'll add this little extra tab here. I know what it is, I can look at
that really quickly and say "oh, I know exactly what that is". So maybe you have sensitive information, or whatever, you know, whatever you happen to be looking for in the assessment.

So really similar is ExifTool Scanner, which is really nice. So it'll scan any of the supported file formats and look for metadata for you. So looking at that same PDF we just used in the previous example, another tab for metadata, you can go on and say "hey, author", or all this stuff, you know, you can look for things like that using FOCA. The advantage here is, if I'm doing an assessment where I am authenticated, I can now look at, you know, across metadata of things really quickly in an authenticated state, whereas things like search engines and FOCA and SearchDiggity and some of those other tools aren't going to be able to find this, obviously, because it's in the authenticated portion of the application. So the nice thing about it is you don't have to go through and look through the metadata of all the files; if it finds anything, it will just throw up an issue for you and say "hey, I found a PDF", and you can just go click on that. If you looked at, you know, a thousand PDFs and they all had metadata, it will list them all out for you, and you can go through and look at them there. And it'll auto-detect: so if you already have ExifTool in your path it'll find that for you and just use that, and if not, it'll extract to a temp file and use it that way. So you can literally just install it and go; you don't have to worry about setting a path or anything like that. And it has this little tab here, so by default it will ignore HTML, JSON, things like that, that are not gonna have metadata it's gonna collect, so it doesn't mess with looking through those and, you know, giving you a performance hit essentially, and then you can turn off things too, like ignore ExifTool version, things like that, that you don't necessarily want to see in each one of those. So the pros and cons of those, I mean, there are no real cons that I can think of in using those. I do like to easily look at PDFs when I come across them and see what they are; quick insight into the metadata, and searching all that automatically and then giving you the heads-up of "hey, I found some metadata, here's a list of everything I found". Really, really nice.

So, move on to the passive detection. So the first one that I like to use for this is called Retire.js. So this is looking at JavaScript dependencies for you and comparing them against a database and saying "hey, I just passively saw, as you were loading this page, it was using this bit of jQuery, and it's an old version and it's vulnerable to these known things". So it'll give you the version it saw, it'll give you links to CVEs and things like that, which is awesome for, you know, finding that stuff for you. You don't necessarily want to be looking through all the JS files of everything you get; there's a lot of JS-heavy applications out there now. So there's an example. So in this one too, and again, I didn't have to go out there and look for that, it found it for me as I was just mapping the application, popped it out here, and "hey, it's known vulnerable to these things". So, you know, jQuery a lot of times, you know, is vulnerable to cross-site scripting, things like that, but it will tell you exactly the issues that are known.

So the next one is Software Vulnerability Scanner. So this is by a group called Vulners. They have a website with an API, so this plugin uses that API, and again, it's just passively watching versions of things that it's viewing as you're just mapping the application or whatever you're doing, and it'll go through, use the API and say "hey, I found this version of Apache or IIS or whatever", and ping the API, and then come back and say "hey, that particular version of this again is known vulnerable to these sorts of things". So the one downside is, you know, especially when you deal with something like IIS, it'll report a whole bunch of, you know, known CVEs for IIS 7.5 or whatever; your target may very well be patched against those things, you know. So it's really up to you at that point to determine whether or not they're in a patched state or not, but it's really nice for quickly finding those things. So here's an example. In this case it found IIS 7, and then you can see, you know, a list of CVEs, things like that, in this case, and again, you know, it's nice because as you're going through, obviously you're gonna probably fingerprint it, and you might even see in the headers of the response too, "hey, it's IIS 7", you know, easy to find, but this gives you a nice list and says "hey, here's everything known vulnerable", and you can go and look for things that are interesting, that aren't, like, you know, denial-of-service, and things that you might want to try in an engagement. Obviously, yeah, there are some not-so-common applications; I don't have a screenshot of it, but it has a tab of a lot of different technologies and things that it will check for. So yeah, IIS, Apache, things like that are obviously in there, but some of the lesser-known things, even some obscure CMS systems and things like that, will be in there. So the one thing about it is just you have to remember that it's passive; it's not actively fingerprinting anything for you. It's seeing versions come across in headers or, you know, in a file or whatever, and reporting that for you; it's not actively doing anything to find these for you. And so there's just a quick example there, you know, it put an issue in on the Target tab just like some of the others and says "here's everything I found". So as you go through, you know, you may find other versions of software that it didn't detect, but at least you know what it did and did not find for you.

All right, so another one is Error Message Checks. So I like this one. It uses regexes to check for verbose error messages and things like that, and it'll also create an entry, just like the last one you saw, saying "hey, I saw this match, this regex matched on this request", and you can go through and look and see, you know, what the error message was. So there's an example. It's nice that it actually gives you the regexes that it matches on, and you'll get some false positives, because you will have, you know, error handling and things like that in JavaScript files that sometimes will trigger on this. It's not a verbose error message, it's not revealing anything to you, in some of those cases, so you do get some false positives. But I like it because it's checking for verbose error messages in some of the tools you're running, like the scanner, you know, or even the spider sometimes; I've had that come across something that's spitting out a verbose error message, so things that you may or may not have spotted otherwise. And so there's a look at the configuration for it. These are all built in, and you can put in a regex match, just, you know, whatever regex you want, and create those if you want. It also lets you turn it on and off for different tools, so by default these are the tools that it's looking at. So pros: I like to turn it on in most everything. It's just passively checking, so it's not, you know, a big massive resource hit or anything like that. It's an easy way to find those, then just go into Target, Issues, here's the list. Easy to miss, you know, verbose error messages, and some of those are really easy to spot. And then the con being the false positives that I mentioned, that you sometimes will see in some of the JavaScript files.

All right, so I want to just go to a couple of specific tasks
using some plugins. So this is one of my favorites here. It's called Autorize, and what it is, is you can make identical requests under different users. So you can have user 1, user 2, so two different users making the same request. So if I'm browsing as user 1, and user 2 can get to some of the same resources that live under user 1's profile, I may have, you know, a horizontal privilege escalation there. Or you can also set it up so I'm browsing as an admin and it will make requests as an unprivileged user and an anonymous user, and as you go through and map out the admin portion, sometimes you'll find, and it sounds kind of simple sometimes, but you'll find that some of the admin screens a lower-privileged user can get to just by knowing the URL and just going to it, right, so forced browsing. So if you have an admin user, you can map out all the admin functions under that user as this tool is sending the same exact request, just basically replacing the cookies with the ones used for the lower-privileged user, and you can very easily then spot where you have some horizontal and vertical escalations.

So here's what it looks like. By default it's just turned off, and you feed it cookies. So what I like to do is use two browsers: I'll take one browser and log in as a low-privileged user, and I'll take the other and log in as an admin or just another user, and point them both through Burp, and you can use the button down here to grab the cookies. So you feed it the cookies of the user that you want it to make the request as, right, and then you just go and browse, then, using the browser of the admin or the other user. And so you can see the button's red; once you're ready, once you have it all set up, you just click the button, it turns it on, and then you start browsing. And here's what you get: a side-by-side comparison of every request that you've made using two, actually three, users there. So that's the length that they get, so it just does a comparison, and you can see here where it starts to highlight; I don't know if you can read it, but it says "authorization bypass". So you can see this first one here: the original session had a length of 690, the second one had a length of 679, the unauthenticated one 828. So it's got a little bit of a variable, so that one may or may not be a false positive, but if you start to look down here at the bottom, they start to line up.

And actually, in this engagement I took this from, it was against a medical records application, and I was using this and found where they go and generate reports. And so the requests I'm making here, I blacked out, sorry, you can't see them, the requests are hitting this reporting engine and it spits out a PDF, and what I found using this pretty quickly was a whole bunch of medical records that, you know, the first user should see, they're an admin, and they can get to everywhere; the second user absolutely should not be able to see that. I'm talking, you know, 50,000 plus; this is a staging environment and they had 50,000 records or so. The second user shouldn't have been able to see any of that except their own; it can see all of them. What was really interesting, though, is, you know, down there, anonymously, if I know the URL, and I can find that, you know, how it's spitting out reports, they were all just named by a six-digit number, so anonymously I can find that, and "oh hey, now I can just start iterating through", and I just found all the medical records in this application anonymously.

So pros, I just mentioned it: it's really nice to quickly test large portions of the application for those types of authorization issues. Really easy to spot the differences; from that screenshot you saw, it'll, you know, highlight it for you and say "authorization bypass", so it's really easy to spot. It's really nice to be able to do the anonymous testing at the same time. I did not, in that application, even remotely expect that the anonymous would work; obviously, as a tester, you always want to test it anyway, but it gives you the opportunity then to test not only for the escalations but the anonymous portion as well, so you're kind of, you know, killing two birds with one stone at that point. And then the cons: I, you know, pointed out that one, it was within its margin of error, or the difference that it was looking for in the request, so the first one wasn't a true detection; it was just close enough that it detected and said "hey, authorization bypass", and actually wasn't. So you do have some false positives that you want to go through and make sure that you verify that it is a real detection.

So another specific task: session timeout tests. So this plugin will allow you to do exactly what it's telling you, is test for session timeout. Some applications, you know, fall under PCI, which has specific rules for when sessions time out and things like that, so in some cases knowing, you know, down to the minute when it's timing out and things, for, you know, compliance reasons, is important. So what you can do is you basically just feed it a string to look for that says "hey, your session timed out", you know, however the application lets you know your session timed out. Some will say "your session timed out", some will redirect you to the login screen, you know, things like that. So what I typically do with this is, as I'm testing, I'll leave a session open over lunch or something, come back and see how it responded to being locked out or timed out, and then later on, you know, later that day, or maybe even on that lunch the next day, I'll use this plugin. So here's a look at it. So the top, "string to match", so in this case a really simple example, "your session timed out"; I want it to report when it finds that. And then the next two are, you know, I don't want it to obviously send a request at every minute and then increment at two minutes, things like that, it'll take forever. So you're setting here, I want it to start at fifteen minutes; it'll send a request and see if it's timed out, and down there the interval, then, is do you want it to check every minute at that point. So it gets to fifteen minutes, it sends a request, waits, sixteen minutes, and it'll send a request, waits, 17 minutes, and sends a request and sees if it's timed out that way. So down below, then, I didn't grab a screenshot when I was using this on a, you know, real session, so it's just a really quick test. It tells you down there that it's complete, no timeout detected; obviously if it's in a real scenario, you know, it'll tell you "hey, timed out, here's the time length when it timed out". So pros: it's easy to test when you're doing something else, during lunch, you know, things like that; you're still getting something done there and testing. Cons: don't forget to click start before you walk away. I've done that on more than one occasion, and it's frustrating.
All right, so the next one is called Paramalyzer, and this is an interesting one, because it'll basically look across all the parameters that are in scope. So, you know, you go to your target application, you put it in scope, it'll analyze all those parameters for you and give you a really nice little overview of all the parameters that it found, and an example value of "here's what was in it", and it will even do a little bit of analysis for you and say "hey, this looks like it was a base64-encoded value", or "this is just an ASCII string", or "this is SQL", you know, things like that. And I like to use it not just for the analysis portion of it; I like to use it as a list of "okay, here's my parameters, did I make sure I went in and manually tested each one of these, that I fuzzed every single one of these". So there's a look at it. So in this case you can see up here where, you know, you can set things that you don't want to analyze. So those are set by default, so if you use, you know, looking at, you have a ton of ViewState, it doesn't analyze things like that, and you can add to that as well. But then the middle section here, you can see where I keep walking across the different columns: their format, so, you know, the first one it only saw in numeric format, it's just integers; the next one, you know, 69% of the time it was a word, things like that. It also tells you was it reflected, was it decodable, so it tries, "hey, I saw this base64 encoded, was I able to decode it", sure, things like that. And then the final one over here is "here's an example value of one of the ones I saw". So if you want to really dial in on one of these, so the one I have highlighted here is just D units, you can see that's what the example is down below, and showing you values, and you can look and see all the different unique values for it as well. So not just the example one that it has at the top; here's all the unique values that it found as well. So if you, you know, find something interesting with this particular parameter, you can go through and look at all the unique values that the tool pulled out for you. And then over here you've got your familiar request and response tabs to look at, and the button in the middle there is kind of nice: you can highlight the value then and go find it in your proxy history as well. All right,
so we just covered a lot of plugins in in the store that are you know free and available to use at this point does anybody have any questions I do I really considered putting in this I just at this point I had so many plugins and I wasn't really sure I'd be doing for time so yeah I did co2 is another great one I could you know I could talk up here for another hour on plugins I like to use yeah it's so versatile yeah yep so the plugins she mentioned is co2 and it yeah it does so many different things like I can't even go through all of them and top my head here but go ahead some of
them do, some of them you need the Professional Edition. When you go into the store it will tell you whether or not it requires Professional. You know, I'm not sure; none of the plugins that I know of in the store are paid, so I don't know where the distinction is of, hey, this one can be used in the Free and this one can be used in Professional. Yeah, and that would make sense.
Yeah, so if you're talking specifically about the Vulners plugin, a true vuln scanner's gonna be way better. This is just, hey, I saw this come across and I happen to know there's CVEs for it.
I guess it depends on your goals. If you have the opportunity to use the traditional vuln scanner you'll get better results with it for sure, so yeah, if you have the opportunity I would still go that route. Nick?
Personally, no, I haven't. I do, you know, I have seen there's plugins that are made available outside of the store, so, I mean, just like anything else, let's say, you use caution, just like, you know, loading an unknown Metasploit module or anything like that; you know, hopefully you trust the person that's providing it. But no, I haven't seen an actual malicious one myself personally. Have you? Just curious. Any other questions? All right, so we've got about 15 minutes left. I just want to move into writing your own plugins, because every now and then, you know, the need arises for having your own customized plugin. Having the flexibility of being able to write your own is
absolutely, you know, just awesome and a huge time saver. So if you didn't know, Burp exposes an API; it's got some documentation that we'll look at in a little bit. It supports Java, so Burp itself is written in Java; you can do plugins in Java because that's native to it. You can do Python using Jython, which is just an interpreter that takes your Python code and translates it into Java bytecode, or you can use JRuby, which is similar. The example I want to walk through, I'm, you know, I'm not a Java developer by any means; I can kind of feel my way through it. I use Python quite a bit though, so our example is gonna use
Python. So here's a really quick look at setting up the environment for that. Up top here is if you're writing in Java; you can point it at a location of different jar files that you need loaded with it. And really similar, Python will do the same, where that second optional input here is, here's modules that may or may not be available to Burp as we're running, so you can include them in a directory and say, hey, as you're running my plugin here's the other modules you'll need. But the really important thing is that first part there: you need to have Jython installed for this to work, obviously, and this is just telling it, hey, here's where that Jython
interpreter is. So that's what my value is there: the interpreter installed on my laptop here.
Yep, that's a great point. Some of the ones in the store are also written in Python or Ruby, and to get those to work properly you would also have to set those. So I mentioned some of the documentation; here's a quick look. When you're in the Extender tab, it's got some documentation that you can look through, so as you're developing, if you need a reference, you know, it's just right there in the API or in the documentation here. So the examples that I'm gonna walk through in just a little bit, it's using PyCharm Community Edition, if anybody's interested in what those are, and you can see an example down here, when
you can't really see the interface or anything, but that's what the screenshots are using. And then the example plugin I'm going to talk about, it's gonna have a GUI tab and it's a token generator. So this one in particular was for a target where we were testing an API and you had to have a specific token in the header, and it was time-based, so it'd be good for 15 minutes and then you have to regenerate and plug all those in. Well, that really sucks when you've got a really long-running, you know, Intruder session or something like that, that might possibly go over, or even a scan or two that
might go over that time limit, and all of a sudden it stops working. So what we wanted to do is take the plugin and take the request and just auto-generate these for us and just plug them in. So that's what this is, and I included some of the code here so you kind of see what it is, the main thing being it's looking for a public key, a pipe, a timestamp, a pipe, and then a hash value. So that's basically what we're gonna write here. So up top, for the imports: I mentioned this is a Python-specific IDE that I'm using, so you can see up here, you know, the squiggly lines, it's complaining,
saying, I have no idea what that is, that's an unresolved reference. That's just because obviously it doesn't know about the modules in Burp and things like that. Some of the standard Python libraries it can see; some of the Java and Burp stuff, though, it doesn't know about, so it's complaining, saying, hey, I've no idea about these. That's okay, because once Jython's running within the Burp environment those things are available to it; it's just the IDE itself that doesn't know. So we have to start out with extending, or creating, the BurpExtender class, and so this is all, I mean, fairly easy to walk through: we're creating a class, we're giving it
the different things. So IBurpExtender is required; some of the others are optional. We're creating a GUI for this, so ITab is that GUI tab that we're going to create, and things like that. IHttpListener gives us access to the requests and things through Burp, and then you can see we're registering callbacks. Callbacks is something that Burp makes available for really common functions that you're going to want to do, that makes it, you know, really easy for you then, and we'll get a look at some of those in just a bit. Or actually, there's an example here at the bottom: that extension name is one of the callbacks,
so I just gave it a generic name of 'API token gen'. So this part is building the GUI. Now I mentioned that, you know, I don't do a ton with Java and I certainly don't build GUIs, so this part was a little bit clunky to me at first, but basically what we're doing is we're setting up different panels. And once we get into the GUI portion you'll see we're setting up panels, we're defining all those things; I need to feed it a public key and a private key, so you can see things like that. So that's what all this is here. So we're gonna put in a Save button: I don't want to put those in
every time I'm running, you know, if I shut down Burp and I come back the next day, I don't have to put those back in every time. So create a button; it's gonna save the values that we enter. And then all the panels and things that we've defined, this is just bringing all of it back together now, so we're actually building some of the rows, defining those, we're defining panels and things that all these different GUI aspects live under. Once we have the UI set up, so this is just a little bit of extra components of the tab, so we're looking specifically at the GUI tab that we're
going to create now that's gonna be in Burp, so the caption is 'token generator', the UI component, and we're looking at the main panel; so once we click on that tab, that's what we want to see, is that main panel. So this one, this is the part that's actually doing the work of finding where we want to put our token into our response, or request, I'm sorry; it's going to find where we want it. So I mentioned an API; it's all XML-based. There was a node in the XML where we want to feed that. So what this is doing then is taking the same processHttpMessage, so we can use that and say, you
know, I only want this to work on the Intruder portion, or Scanner, or whatever; in this case it's going across all tools, we didn't actually use it. The next part is messageIsRequest, so we want to act on the requests; we obviously don't need to inject anything into the response, that doesn't make any sense. So we're looking at messageIsRequest, and then that last one there is passing in the actual message information. And in the first if there, that's the logic then of: if it's not a request, just pass on, we don't need to process it any further in our plugin. So the block down there then is, we have that request available to us and we want
to pick apart interesting things then, like the first line there is getting the request, the second line is looking at bytes, and then you can see it's getting the body offset. So we specifically want to process the body portion, so we're getting the offset so we can use that later. And then ElementTree, that's a Python library that's going to actually process the XML for us, and what we specifically wanted to find. So what we're telling it is, this is, you know, once we generate the token, here's where we're gonna plug it in, essentially, and then once we do that, create a new body. So we've plugged it in,
we're creating then a new body that we're gonna replace that original request with, with this new one with our token in it. So we'd already defined the button and everything before; all that, this is actually the logic behind that. So basically the button was there to say, once I plug in my public and private keys and click Save, it's going to save it; that way I don't have to put them in every single time. So this is at the end of the script here then, and you already saw this: this is what's actually generating the token. So it's that public key pipe timestamp thing that we already looked at; this is the
actual logic to compute that using a fresh timestamp, and so we have an actual valid value then based on the public, or the private, key, so that we're essentially authenticated then, because we've shown that, hey, we have access to the private key. So down there it's just returning that token into that function before, what was finding that portion in the XML, plugging that in, creates our new body, and that's what Burp then sends on to the application. So then, each request, we don't have to generate that; it just automatically does it. So the results then: here's the GUI, all the different portions. So we talked about the different rows and the main panel and
all that; all that was to basically get two input boxes and a button here, but essentially it's, I plug in that public key, private key, save that, and now I can do all my testing; all that's just done automatically for me then. I don't have to worry about generating tokens as we go. So that's the DIY portion. Does anybody have any additional questions around that? All right, well, thank you very much. Oh, we got one.
Yeah, that's a great point. You can't debug it, because the IDE doesn't know about those things; it'll just crash right away and say, hey, I can't import this. So the way you end up debugging that is by importing it into Burp and looking at errors. Is it painful? It is painful. I don't know of a better way to do it at this point.
Java, I'm sure it probably would be. I honestly just don't have enough experience with it to give you a good answer there, but yeah, Python, it's a little bit of a pain; it's kind of painful too. Yeah, yeah, it is. That's a great question, a great point. Any other questions? All right, well, thank you everybody, really appreciate it. [Applause]
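The token-generator flow walked through in the DIY portion (public key | timestamp | hash, 15-minute lifetime, body offset, ElementTree replacement of the XML node), as an added example that is not the speaker's plugin code: plain Python with no Burp dependency, so it runs outside Jython, where the real extension would call this from processHttpMessage and let Burp's helpers rebuild the message. The HMAC-SHA256 construction, the `<token>` element name, the 900-second check and the sample request are assumptions; the talk only states the pipe-separated layout and the 15-minute expiry.

```python
import hashlib
import hmac
import re
import time
import xml.etree.ElementTree as ET

# Token layout from the talk: public_key|timestamp|hash. The hash construction
# is NOT on the page; ASSUMED here: HMAC-SHA256 keyed with the private key over
# "public_key|timestamp". Swap in the target API's real scheme.
def generate_token(public_key, private_key, timestamp=None):
    """Build a token for the current Unix time (or a fixed one, for tests)."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    msg = "%s|%d" % (public_key, ts)
    digest = hmac.new(private_key.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return "%s|%s" % (msg, digest)

def token_is_valid(token, private_key, now, max_age=900):
    """Server-side check: recompute the hash and enforce the 15-minute window."""
    try:
        public_key, ts, _ = token.split("|")
        ts = int(ts)
    except ValueError:
        return False
    expected = generate_token(public_key, private_key, ts)
    return hmac.compare_digest(expected.encode(), token.encode()) and 0 <= now - ts <= max_age

def body_offset(request):
    """Index of the first body byte, like IRequestInfo.getBodyOffset() in Burp."""
    sep = request.find(b"\r\n\r\n")
    return len(request) if sep < 0 else sep + 4

def inject_token(request, token, node="token"):
    """Mirror the plugin's processHttpMessage path for a request: split at the
    body offset, parse the XML body, set the <token> node (ASSUMED name), and
    rebuild. Non-XML bodies and bodies without the node come back unchanged."""
    off = body_offset(request)
    headers, body = request[:off], request[off:]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return request
    target = root.find(".//" + node)
    if target is None:
        return request
    target.text = token
    new_body = ET.tostring(root)
    # Keep Content-Length honest; in Burp, helpers.buildHttpMessage does this.
    headers = re.sub(br"(?im)^Content-Length: *\d+",
                     b"Content-Length: %d" % len(new_body), headers)
    return headers + new_body
```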