
Decoder Improved: An Improved Burp Suite Decoder

BSidesROC · 2017 · 23:39 · 64 views · Published 2018-01
Category: Tooling
About this talk
Justin Moore presents Decoder Improved, a custom Burp Suite plugin that addresses critical limitations in Burp's built-in decoder. The tool adds tabbed interface support, Unicode handling, hex editing, arbitrary numeric base conversion, and extensible encoding/decoding modes while maintaining feature parity with the original. Moore discusses the development process, architectural improvements, and demonstrates how others can easily extend the plugin with custom decoders.
Transcript [en]

[Music] So my name is Justin Moore. I work for NCC Group as a security consultant. I have built an improved version of the Burp Suite decoder. Just by show of hands, who here has ever opened Burp Suite in their life, knows what it is? Okay, so like basically everybody. But like, Burp Suite is like the tool for doing web application security. There's like basically no other option, so myself and all my co-workers use this thing every day. It's not that great, but it works. And I had one co-worker in particular who was like, I really like this decoder thing. Basically it's a little frame and you can put text or random data in it

and then like click some options and it'll like base64 encode it for you or base64 decode it for you or like URL encode it and whatnot, which is like super useful and I doing stuff you want to look at it, it's great. But the one that's built into Burp is not so great. It doesn't have tabs, there's like a ton of bugs in it, it doesn't handle Unicode characters very well, there's this like smart decode button that's not very good. So anyway, so my coworker reached out to PortSwigger, the developers of Burp Suite, and I was like, hey, I'd really like if we can get tabs on this decoder thing. This decoder, it's pretty good, but it doesn't have tabs, so it's

basically worthless. They said no, 'cause it would involve a whole rewrite of it. So we had a training night at my work where we learned how to write Burp Suite plugins, so I was like, oh great, I'll take this on for my coworker, he really wants this thing, it'll be super easy. There's this decoder, I can do maybe some Swing stuff, I'll add like a tabbed pane, however that works, and I could just take the decoder and put it in this pane and it'll be great. It'll take like an afternoon, we'll be done, everybody will be happy, have tabs and be good. Turns out that's not how writing Burp plugins works. So I started this thing, then I committed to

it, and it basically turned into me like rewriting this whole decoder thing from scratch, and it was complicated and took a whole ton of time. So I'm here to like pimp out this thing so I get way more people to use it, so I didn't waste all this time doing this. It's a Burp plugin. This is like the most straightforward thing ever. It's like literally just an improved version of the built-in Burp decoder. If you've ever used it, it is just a better version of that with tabs and less bugs and all this stuff I'm gonna go through. Also the source code is all gonna be open source in the future, so it's gonna be super easy to extend.

You're doing a project for work or whatever and you're like, this thing's weird, I need to decode it without fighting, putting it in like my command line or whatever, I don't like that on the GUIs. So you can extend this thing to make it super easy to do any kind of decoding means great. So just a brief overview of how this is going to go. I'll tell you more about why the built-in decoder is bad. I'll tell you why mine is better. I'll tell you why you should just like, don't nobody write Burp plugins, it is a waste of time, it's god-awful. And then I'll show you what the regular one is, I'll

show you why mine's better, it's very clear. I'll give you like the easy demo on how to extend it. It takes like 2 seconds to write your own custom decoders, you basically just extend a class, write a little bit of code, it's super quick. And then I'll tell you where to find it, which is basically nowhere right now, you have to email me. So, start. Like I said, the built-in one is like, it's so useful, it's like you think, just that tab, it'd be so good. There's like all these other things in the Burp Suite that have tabs, they're all over the place. There's like a Repeater thing, it has tabs, if it didn't have tabs it'd be

worthless. All these things, we just need more tabs. Everything needs tabs. Browsers, sometimes we need tabs. This thing doesn't have tabs and they didn't want to make it have tabs, so I made so needed tabs. It doesn't handle Unicode, so if you like wanted to code emojis or something, it just truncates them. So it'll take the first byte of your data and then just like scrap the rest of it. So if you're doing anything with like non-ASCII data, the decoder just doesn't work and it'll get all weird and messed up. People on projects like, why was this happening? I didn't even realize this at the start of me doing it. I was just like using this decoder more and more and

realizing it did less and less, and things don't work. Also there's no way to extend that, you just get what you have, which, it does have some useful things, like you know, decoding things, base64 encoding things, are all good and useful. Use it like all the time at work. You know, everything's URL encoded in Burp, so you want to be able to read the things, so you need to decode them. Oh yeah, also the hex editor that's built into this thing, you can't like add bytes to it. So like you start and then you go to edit the hex, you can only do like one thing at a time, it's like double-click it and then

you start typing, and that has a weird truncation thing, and then you can't make it longer, so you can't like add any bytes to it, so you can't really like do hex editing very well, so that's basically worthless. And then there's this smart decode button that does something, but I've never been able to get it to work. So like, you know, I remember when I started doing web application security and had to do some decoding, and I open up this Burp decoder and I'm like, oh, smart decode, like I have some base64 data that they leave a 64 day no where else when URL encoded data, so I just press this button,

should just work. Never works. It's never, maybe like one time. I think it only like URL decodes or something. Anyway, it's not good. Yeah, so I nixed that, I got rid of it, it's not a problem anymore. Now the list of features mine has. So it does everything the built-in one does, it's complete feature parity minus bugs. I added the tabs, I was like, feature numero uno. Added Unicode support, which is like a huge hassle, but it works pretty well now. I took this hex editor that's open source from the expert project. There's one dude making it. I don't think anybody else is using this hex editor. It's like this guy has spent a ton of time making

a hex editor as a Swing component. So I hit this guy up on IRC and I was like, hey, is anybody else using this? He said no. There was some bugs in it, he like fixed the bugs for me, pushed everything to the Gradle, or the repository, to make my build process work. He was super nice, so I'm going to say thank you to him. So I stole his hex editor and put it in my Burp plugin, so the hex editing is like fantastic. I have built-in arbitrary numeric base conversion, so you can turn like base two numbers into base whatever numbers, base whatever to base whatever numbers. By default Burp only does like binary to octal and

hex and decimal, I think it does like the major ones. But if you ever have like base seven numbers and you need them to be like base 17, my tool will do that. So, you know, predict in the future. I added some find/replace function because there's often a lot of times where I'll have something like a JSON blob and I'm like, okay, I have this value in here but I want it to be this other thing, like always, but every time I want to change that I have to like copy this blob and like paste it somewhere and then like go in there and find it and highlight and put my new thing in there.

That sucked. So I took and you can do regular expression based find and replaces across text. You just set it up, paste your stuff in, and it'll do the find and replace for you. Very nice. Another thing that the regular Burp decoder doesn't do, or does do, is whenever you go to encode something, either HTML or URL, then it'll just do the entire string, which is almost only, almost always not what you want. So there's like lots of characters that I like to be able to read, and if you go to encode it to URL it turns them into the URL representation of those characters, which is not readable to humans. I don't like

that, so I added a button where it only does special characters, because that's what you, like, you never want the whole thing URL encoded, you only want the special characters. So there's a button for that. For whatever reason the built-in decoder does some hashing, you can like hash stuff, but it doesn't have that many algorithms and they're not in a sensible order. So I took and included Bouncy Castle and I exposed, every single hashing algorithm in Bouncy Castle is available through my plugin, and they're in an order that makes sense, alphabetical or whatever the Bouncy Castle documentation uses, I think I went there to do that. So they're all there. And then it is like super easy to extend

this thing. If you want to add a new thing, new features, it's basically you pull my source code, you implement, well, you write one class, you implement one function, and then like you include it in an ArrayList and we're good. You recompile the plugin, you include it, it works, everything, all the magic is taken care of for you. Brief aside on why like nobody should do this. I don't know if the PortSwigger people are out here, anybody here work for PortSwigger? All right, good. So the API for writing Burp Suite plugins is like so bad. It doesn't, like, you want to be able to like do things with it, like you figure, like, okay, I'm gonna write code

and it's gonna run inside this Burp Suite, which is good, which is what I want, except for the API that they give you doesn't let you do that, or really anything. So there's like some things that my plugin, I would like it to do, but there's like no way to get at the like Burp, like way that Burp touches it, unless you do some like crazy stuff with reflection and like carry up objects and stuff, but then that gets broken every time you update Burp, so that sucks. So I just had to like not have some features, which is unfortunate, but uh, yeah. So basically every plugin you write is like a second-class citizen inside Burp. Also

all the UI work is done inside Swing, which, I'm a younger person so I kind of missed the point in my career where I would have been like a Java Swing developer. That would be like, if you worked as a developer in like 2005 or something, you're probably writing like Java Swing code. So I was like, huh, I graduated in college, I'll never have to do this, great. And then PortSwigger just like drug me back into there. So I spent like a whole ton of time writing Swing code. If you've ever had to do it, I feel sorry for you. It doesn't make sense. It's like, do it, just don't do it, it's terrible.

It's a thing that I'm like now kind of proficient at, and it's just like a worse, a wasted skill I have. I spent all this time learning how to do Swing development, it is not good. And then that's basically everything. API is not good, Swing's bad, Java not so bad, I'm okay with Java, it's coming around. You can write Burp plugins in like Python and Ruby also, but they're kind of like, if regular plugins are second-class citizens, they're like third-class citizens, because there's like an extra shim wrapper thing, and I was like, this thing's already terrible enough, I don't need an extra hack on top of this to make it more confusing that

things work. What's good? Yeah, all right, that's why nobody should do it. If anybody's in the market for writing one of these, I suggest you just don't use Burp, you just write your own web proxy thing, or maybe use like man-in-the-middle proxy, maybe there are like better alternatives now. If anybody knows of them, just let me know, trying to ditch this thing, it's not good. Oh yeah, oh okay, so my tool. Alright, so for those who haven't seen Burp Suite before, this is Burp Suite. If you have a job in web application security or are interested in it, I highly recommend you learn how to use this tool, basically everybody uses it. This is the regular decoder tab, as you

can see here, there's like the decode as, the encode as, the hash. Just a basic demo, it's like you type in like words, you see there I typed in pest, and then like let's say I wanted to base64 encode that, I click on that little box, then I press base64. Also another great thing about this, it goes away, how do I know what I did except I look at, um, so then it's base64, and then you can like, you know, decode as base64, just the same. It's useful, it's a good thing to have, but you know, it has all the issues, whatever, the hex editor is not good. So here's my tool. It looks

basically exactly the same and it does exactly the same stuff

There you go, see, you like, it works the same, you encode stuff, you decode stuff, but you can see what it is, it says encode as base64, so I know. Yeah, and then there's tabs, like you can make as many tabs as you want. So if you like have some text over here, that I just closed, you can make like more words. It's like exactly what the name says, it is an improved version of the built-in Burp decoder. There's like no magic. I wish I had like sweet hacks to share with you guys or something, but this is just like what it is, and it's good. Yeah, the hex editor is great, as you can see

here, it's very fancy. You can extend stuff. Those aren't valid characters, won't show up right, but if you do like a 4-1, it all shows up and then it all stays there, everything's great. And now, how to extend this thing. Great. So like I said, it's so easy to extend. Before I wrote this, extending it wasn't so great, and I had a co-worker look at it and he said it wasn't so great, and I agreed, so I made it all nice and object-oriented where you basically just need to do like two things and then you're good. You just pull my source code on GitHub, that's not there yet because life is busy, so I

didn't put it up there yet, but it'll be up there soon. There'll be a blog post with all this information also. It also should be in the BApp Store, if they let, hopefully gets up in there, but I don't know what kind of limitations they have to uploading the apps. I'm assuming none, maybe they're nice, I don't know. And then you create a new class that inherits from byte modifier, you implement the constructor, which is basically just calling super with the name of the thing you want to show up in the little drop-down list, and implementing the modify bytes method, which is, it takes two seconds, it takes in an array of bytes and returns an

array of bytes, so you just, everything's in bytes, that's what it is. And then either you go in the encode mode class or decode mode class, depending on if you're encoding things or decoding things, and then there's an ArrayList with like all of the other modes, and super easy to see, it's not have been class, and you just make a new instance of the custom class, you just throw, you tuck it in there, you rebuild the source code and then you reload the extension in the Extender, and then it just shows up and it works, and you click the thing on the drop-down and the thing you need is there and it works. With source

visualization: this is the source code for the plaintext encoder. It's very simple because plaintext, it's not doing anything. As you can see, you just extend one class, you implement the constructor, you just call super with the name of the thing that shows up in the drop-down, and then the modify bytes class, for this it's super easy, just returns the same thing. And then when you want to add it, this is the code inside encode mode, you just look for the encoders ArrayList and then encoders dot add new plaintext encoder, that's the top one there. There's a whole bunch of the week that you probably talked use them at the bottom to not mess with the order, but if you

don't like the order you can also rearrange, rebuild the code yourself, takes no effort. And so as of right now, like I said, it's nowhere on the internet, I'm the only person with access to this. So if you want this, if you decide that this will make your life so much better, send me an email, I will send you a JAR, and then you can trust me, run the JAR, and that's about as good as it's gonna get right now. I'm hoping like in the next few weeks I'll have the source code up on GitHub along with a blog post that basically just reiterates everything I just said. You know, I really need a blog

post to extend this thing, you just look at that once and be like, oh, this is super easy. There's a little bit more instruction if you want to have like whole new modes and stuff, there's some stuff on how to do that inside my imaginary blog post that's like 75% written. But as soon as that's all finished it'll be up on the internet and you can just check out NCC Group's GitHub repo and it'll be there. There'll be some kind of announcement, maybe I'll post on like Reddit netsec or something, that seems like a hackery type of thing to do, that'll probably get to everybody in this room. And beyond that, does anybody have any

questions? Yes. I think so to this so that's not a suitable alternative for you to build. Uh, so everybody I know who has used that, and full disclosure, I never have, this guy listen all my co-workers, and it used to be if you wanted to do WebSocket proxying that was like kind of the only way to do it, but apparently support for that wasn't very good and there was a lot of bugs and it would crash often. So basically I never heard anything good about ZAP so I've just never used it. Burp is like not that great, but my company buys everybody Pro licenses for it, so like I only have a reason to complain that much.

Man-in-the-middle proxy seems like it might be a decent alternative, but as of right now I think this is about as

Yeah, so there's also those. I used Fiddler for the first time last week because I was on site at a client and that's all I had, it was pretty alright. I think the main issue is that everything that's not Burp Suite isn't as fully featured as Burp Suite, but they do, they do work. Like if you want a thing to proxy web traffic and look at it, poke at it, many things will do it. I think Burp Suite's just the one that has the most support. Yeah? Yes, yes it does. Hopefully it works, like there's a bug in it, I don't have any text over the center, which is an issue, but yeah, it should. Let's see if the thing is, sure. Yeah, so

there's a Send to Decoder Improved option there. This is one of the things that, this is one of the things that, it doesn't work in every single menu because the API doesn't expose a way to do it from every single kind of menu. Even the way that this is supported is kind of hacky, like there's a weird context factory thing, it doesn't really make sense, but you can't get it for sit and I think it works anywhere that there is like HTTP traffic would be sent or viewed inside the Burp Suite. Anywhere else, I don't think it works. Also you can't make it flash, so like usually if you like send to like Repeater or send to

Decoder it'll like flash orange, which is nice, I like that, it's a good feature, last I was like, I want that, because it's flashing. Can't do. Yeah, I looked at the documentation, because it's like a standalone JAR that gets loaded I don't think that kind of thing's exposed. If somebody knows how to do that, you got some expert Burp plugin developers here, I would love to know how to make my thing blink, but I read the docs, I don't think it's

Yep, I think it's a free version too. They added Extender to the free version, and this doesn't implement any functionality that the Pro version has, so they should be cool with it. I know there's like, I

didn't even want to make this one, but it was like, I made some commitments. I didn't, it's really like, I thought it would be easier. I really, I truly thought, when I said I wouldn't do this, I was like, okay, I'll, I'll take my time and do this. I told my coworker Nolan, I was like, hey, I won't build this thing for you, this will make you happy, it's gonna be super easy. I knew Swing, no, I didn't know Swing, where I was like, Swing is a thing and it has components, so maybe I can just take this component and put it in there. It doesn't work that way. You'd think it would work that way, you think

you do whatever, it doesn't. So I ended up having to do this, which took like so much time. Like the whole, the product, the product is like super simple, it does a thing that basically already exists, just with tabs, which is not the most valuable thing, I understand that. I spent a lot of my time doing this thing that is like, maybe, maybe it wasn't the best use of my time, but that's what I'm here talking about, to make all of you fine folks use it and make it so I didn't waste my time. Then I also did kind of rail about how not that great the whole time, which might not have been the best, but anyway

uh, yeah, I don't know, don't write Burp plugins, like unless you like writing Swing code and it's like a thing that you enjoy for whatever masochistic reason. I don't know, I wouldn't recommend it. Yeah, but I'm pretty good at it now, so, good. Any questions, you can email me. Oh, I thought it's 20 minutes. Yeah, we're well over. Yeah, I tried to, I tried to finish it at like 17 minutes and then the questions, so I guess we're all good. If anybody has any other questions feel free to hit me up. I will be at the NCC Group recruiting booth for the rest of today, it's a long drive home. Also email me if you want this thing and you trust

me, otherwise build it yourself, look at the source code. It's open source under the most permissive license. No, that's a lie, it's not on the most recent license, I don't want the Burp people to steal my stuff, so it's under some kind of license where they can't do that, probably like a GNU one or something. Anyway, it should be good for all you guys.

[Music]
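
The extension steps described in the talk (subclass one base class, pass the drop-down name to super, implement one bytes-in/bytes-out method, add an instance to the encoders list), as an added example that is not the plugin's own source code. The names `ByteModifier`, `modifyBytes` and `encoders()` are hypothetical stand-ins modeled on the spoken description, and the custom mode is one possible special-characters-only URL encoder that works on raw bytes so multi-byte UTF-8 characters are not truncated.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SpecialCharUrlEncoderDemo {

    // Hypothetical stand-in for the plugin's base class: a display name for
    // the drop-down plus a single bytes-in, bytes-out method.
    static abstract class ByteModifier {
        private final String name;
        ByteModifier(String name) { this.name = name; }
        String getName() { return name; }
        abstract byte[] modifyBytes(byte[] input);
    }

    // The trivial mode shown in the talk: returns its input unchanged.
    static class PlaintextEncoder extends ByteModifier {
        PlaintextEncoder() { super("Plaintext"); }
        @Override byte[] modifyBytes(byte[] input) { return input.clone(); }
    }

    // Custom mode: percent-encode every byte that is not an RFC 3986
    // unreserved character, leaving letters and digits readable.
    static class UrlSpecialCharsEncoder extends ByteModifier {
        private static final String HEX = "0123456789ABCDEF";
        UrlSpecialCharsEncoder() { super("URL (special characters only)"); }

        @Override byte[] modifyBytes(byte[] input) {
            ByteArrayOutputStream out = new ByteArrayOutputStream(input.length * 3);
            for (byte b : input) {
                int v = b & 0xFF; // read the byte as unsigned, 0..255
                boolean unreserved = (v >= 'A' && v <= 'Z') || (v >= 'a' && v <= 'z')
                        || (v >= '0' && v <= '9')
                        || v == '-' || v == '.' || v == '_' || v == '~';
                if (unreserved) {
                    out.write(v);
                } else {
                    // Every byte of a multi-byte character gets its own %XX.
                    out.write('%');
                    out.write(HEX.charAt(v >> 4));
                    out.write(HEX.charAt(v & 0x0F));
                }
            }
            return out.toByteArray();
        }
    }

    // Registration step: the list that feeds the mode drop-down.
    static List<ByteModifier> encoders() {
        List<ByteModifier> encoders = new ArrayList<>();
        encoders.add(new PlaintextEncoder());
        encoders.add(new UrlSpecialCharsEncoder()); // new mode appended last
        return encoders;
    }

    public static void main(String[] args) {
        // Constructed sample input containing one two-byte UTF-8 character.
        byte[] input = "q=caf\u00e9 & 1".getBytes(StandardCharsets.UTF_8);
        for (ByteModifier m : encoders()) {
            String result = new String(m.modifyBytes(input), StandardCharsets.UTF_8);
            System.out.println(m.getName() + ": " + result);
        }
    }
}
```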