
Extending Burp with Python


eldora




Presentation Transcript


  1. Extending Burp with Python: Defeating web application idiosyncrasies with common-sense, Python and minimal knowledge of Java GUIs

  2. What is Burp?

  3. Purpose of this Talk
     • Quick tour of Burp APIs with examples to show what can be achieved
     • Demonstrate that web app assessment hurdles can be overcome with minimal coding effort

  4. Why would you need a custom extension?
     1. Decode custom encoding/serialization
     2. Handle anti-tamper or signed requests
     3. Provide a new “view” into an application
     4. Automate a manual task with a new scanner check

  5. Setup to run a Python Burp extension
     1. Download the Jython standalone binary
     2. Tell Burp where to find Jython (the path to the Jython binary goes in Extender's Python environment setting)
     3. Load a Python extension

  6. The helloworld of Burp extensions

        from burp import IBurpExtender

        class BurpExtender(IBurpExtender):
            # required
            def registerExtenderCallbacks(self, callbacks):
                # set our extension name
                callbacks.setExtensionName("Hello world extension")
                # write a message to the Burp alerts tab
                callbacks.issueAlert("Hello alerts")

     Just writes “Hello alerts” out to the alerts tab.

  7. 1. Problem: Unsupported encoding
     Application uses an encoding not understood by Burp.
     Examples: serialised Java, SAP’s weird URL-encoding variant, SAML, WebSphere Portlet state.
     Burp API: IMessageEditorTab to display decoded content.

  8. Solution: new encoder/decoder
     1. Tell Burp about your new message editor tab

        from burp import IMessageEditorTab

        class CustomDecoderTab(IMessageEditorTab):
            def __init__(self, extender, controller, editable):
                ...

            # caption shown on the tab in the message editor
            def getTabCaption(self):
                return "Custom Decoder"

  9. Solution: new decoder/encoder
     2. Use setMessage to display the decoded content

        import xml.dom.minidom

        def setMessage(self, content, isRequest):
            ...
            # 'path' is the request's URL path, extracted earlier (omitted on the slide)
            if '!ut' in path:
                # actual decoding magic omitted
                content = response.read()
                content = xml.dom.minidom.parseString(content).toprettyxml()
            if content:
                self._txtInput.setText(content)
            self._currentMessage = content

  10. WebSphere portlet state decoder
      Source: https://github.com/faffi/WebSphere-Portlet-State-Decoder
      Encoded content on the URL gets decoded in the new tab.

  11. 2. Problem: Signed requests
      Application requires a signature that's generated client side.
      Examples:
      1. Seen in thick client apps as an anti-tamper mechanism
      2. AWS API calls are signed for authentication: http://rajasaur.blogspot.co.nz/2009/10/hmac-sha-signatures-using-python-for.html
      Burp API: processHttpMessage allows us to re-write traffic.

  12. Solution: automate request signing
      1. Catch an outbound request

        from burp import IBurpExtender, IHttpListener

        # this function catches requests and responses
        # (the extender class also implements IHttpListener and is registered
        # with callbacks.registerHttpListener(self) in registerExtenderCallbacks)
        def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest):
            # only process requests
            if not messageIsRequest:
                return
            ...

  13. Solution: automate request signing
      2. Grab the request body and headers

        # requestInfo object allows us to easily split body and headers
        requestInfo = self._helpers.analyzeRequest(currentRequest)
        bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():]
        bodyStr = self._helpers.bytesToString(bodyBytes)
        headers = requestInfo.getHeaders()
        newHeaders = list(headers)  # it's a Java ArrayList; get a Python list

  14. Solution: automate request signing
      3. Append signature as HTTP header

        import base64
        import hashlib
        import hmac

        # Do custom signing shenanigans
        secret = "SuperSecret123"
        h = hmac.new(secret, bodyStr, hashlib.sha256)
        newHeaders.append("Authorization: " + base64.b64encode(h.digest()))

  15. Solution: automate request signing
      4. Create and send request

        newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr)
        currentRequest.setRequest(newMessage)

      Here’s the new Authorization header being sent out.
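The signing steps on slides 12 to 15 reduce to "HMAC the body, append it as a header". The block below is an added example, not code from the talk: it is the same HMAC-SHA256-over-body construction written as plain Python 3 functions so it runs without Burp or Jython, with the matching server-side verification that an application doing this would need (constant-time compare, missing header rejected). The header name, the secret and the sample request are constructed placeholders; the slide's Jython code passes Python 2 strings where this passes bytes.

```python
import base64
import hashlib
import hmac

# Added example (not from the talk). Secret and sample request are constructed.
SECRET = b"SuperSecret123"  # placeholder, same literal the slides use


def sign_body(secret, body):
    """Return the base64 text of HMAC-SHA256(secret, raw request body)."""
    mac = hmac.new(secret, body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def add_signature(headers, body, secret=SECRET):
    """Return a new header list carrying the body MAC in an Authorization header.

    Mirrors the slide's newHeaders.append(...) step. Any Authorization header
    already present is dropped first so a request replayed through the
    listener twice never ends up with two of them.
    """
    new_headers = [h for h in headers if not h.lower().startswith("authorization:")]
    new_headers.append("Authorization: " + sign_body(secret, body))
    return new_headers


def verify_signature(headers, body, secret=SECRET):
    """Server-side check: recompute the MAC and compare in constant time."""
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return hmac.compare_digest(value.strip(), sign_body(secret, body))
    return False  # no signature header at all: reject


# Constructed sample request, shaped like what Burp hands processHttpMessage
SAMPLE_HEADERS = [
    "POST /api/transfer HTTP/1.1",
    "Host: app.example",
    "Content-Type: application/json",
]
SAMPLE_BODY = b'{"to":"acct-42","amount":100}'

if __name__ == "__main__":
    signed = add_signature(SAMPLE_HEADERS, SAMPLE_BODY)
    print("\n".join(signed))
    print("verifies:", verify_signature(signed, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"100", b"999")
    print("tampered body verifies:", verify_signature(signed, tampered))
```

Note that a secret embedded in a thick client is exactly what lets an extension like the one on the slides re-sign arbitrary requests; that is why the talk files this under anti-tamper rather than authentication.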

  16. 3. Problem: Big apps, lots of headers
      Large applications may emit different headers from various locations within the app.
      Headers can reveal useful info, e.g. a reverse proxy may hand off from backend A to backend B.
      Burp APIs: processHttpMessage to collect the headers and ITab to display the result.

  17. Solution: View of unique headers
      Keep track of unique headers, filter out uninteresting headers.

        # insert an entry if the header is 'interesting'
        if header_name.lower() not in boring_headers:
            # and we haven't seen this name/value pair before, log it
            if header not in self.headers_seen:
                self.headers_seen.append(header)
                self._log.add(LogEntry(header, …, …))

  18. Solution: View of unique headers
      Create a new tab and display collected headers in the new tab.

        # Give the new tab a name
        def getTabCaption(self):
            return "Response Headers"

        # This adds all the Java UI unpleasantness
        def getUiComponent(self):
            return self._splitpane

  19. Solution: View of unique headers
      List of unique headers displayed in the new “Response Headers” tab.
      Clicking an item in the list shows the request/response.
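Slides 16 to 19 describe the bookkeeping but only show a fragment of it. The block below is an added example, not the extension's code: the same filter-then-dedupe logic as plain Python 3 over lists of header lines, so it runs without Burp and without the Java UI. It also records the URL that first produced each pair, which is the detail that makes a "Server: Apache" next to a "Server: nginx" useful when hunting for a second backend. The boring-header list and the sample responses are constructed.

```python
# Added example (not from the talk). BORING_HEADERS is an assumed starting filter.
BORING_HEADERS = {"date", "content-length", "content-type", "connection",
                  "cache-control", "expires", "etag", "last-modified", "vary"}


class HeaderTracker:
    """Collects header name/value pairs not seen before, with the first URL for each."""

    def __init__(self, boring=BORING_HEADERS):
        self.boring = {name.lower() for name in boring}
        self.headers_seen = set()   # (lowercased name, value) pairs already logged
        self.log = []               # (name, value, first_url) rows for the custom tab

    def observe(self, url, response_headers):
        """Feed one response's header lines; return the pairs that were new."""
        added = []
        for line in response_headers:
            if ":" not in line:
                continue            # status line such as "HTTP/1.1 200 OK"
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() in self.boring:
                continue            # uninteresting header, skip it
            pair = (name.lower(), value)
            if pair in self.headers_seen:
                continue            # same name/value logged before, skip it
            self.headers_seen.add(pair)
            self.log.append((name, value, url))
            added.append((name, value))
        return added

    def values_for(self, header_name):
        """All distinct values logged for one header, e.g. every Server banner seen."""
        wanted = header_name.lower()
        return sorted({value for name, value, _ in self.log if name.lower() == wanted})


# Constructed sample responses standing in for what Burp hands the listener
SAMPLE_RESPONSES = [
    ("https://app.example/login", [
        "HTTP/1.1 200 OK",
        "Date: Mon, 01 Jan 2024 00:00:00 GMT",
        "Server: Apache/2.4.41 (Ubuntu)",
        "X-Backend: app-a",
        "Content-Type: text/html",
    ]),
    ("https://app.example/api/v1/users", [
        "HTTP/1.1 200 OK",
        "Server: nginx/1.18.0",
        "X-Powered-By: Express",
        "Content-Type: application/json",
    ]),
    ("https://app.example/login", [   # repeat visit: nothing new to log
        "HTTP/1.1 200 OK",
        "Server: Apache/2.4.41 (Ubuntu)",
        "X-Backend: app-a",
    ]),
]


def build_sample_log():
    """Run the constructed responses through a tracker and return it."""
    tracker = HeaderTracker()
    for url, headers in SAMPLE_RESPONSES:
        tracker.observe(url, headers)
    return tracker


if __name__ == "__main__":
    for name, value, url in build_sample_log().log:
        print("%-14s %-28s first seen at %s" % (name, value, url))
```

Keying the seen-set on the lowercased name but the exact value is deliberate: header names are case-insensitive, but a changed value (a new Server banner, a different X-Backend) is precisely the event worth logging.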

  20. 4. Problem: Automate a manual task
      Locate and decode F5 cookies, display as a passive scan result.
      Burp API: doPassiveScan to trigger the check code.

  21. Solution: create new check
      1. doPassiveScan catches the request

        def doPassiveScan(self, baseRequestResponse):
            # Returns IResponseInfo
            analyzedResponse = self.helpers.analyzeResponse(baseRequestResponse.getResponse())
            analyzedRequest = self.helpers.analyzeRequest(baseRequestResponse)
            # Get cookies from the IResponseInfo instance
            cookieList = analyzedResponse.getCookies()

  22. Solution: create new check
      2. Locate BIGIP cookies and decode them

        # Loop through the list of cookies
        for cookie in cookieList:
            cookieName = cookie.getName()
            # Look for BIGIP cookies
            if cookieName.lower().startswith("bigip"):
                f5CookieName = cookieName
                f5RawCookieValue = cookie.getValue()
                # Decode and check for RFC 1918 address
                f5info = decode(f5RawCookieValue)

  23. Solution: create new check
      3. Create an Issue class to return useful info

        class PassiveScanIssue(IScanIssue):
            ...
            def getIssueName(self):
                return "Encoded IP Address Discovered in F5 Cookie Value"
            ...
            def getIssueDetail(self):
                msg = "The URL <b>" + str(self.findingurl) + "</b> sets the F5 load balancer cookie <b>"

  24. F5 BIG-IP Cookie Checker
      Source: http://blog.secureideas.com/2013/08/burp-extension-for-f5-cookie-detection.html
      Internal IP address retrieved from the encoded cookie.
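Slide 22 calls a `decode()` helper without showing it. The block below is an added example and not the extension's code: a stand-alone Python 3 reimplementation of the classic BIG-IP persistence cookie encoding (IPv4 address as a little-endian 32-bit decimal, port as a byte-swapped 16-bit decimal, then a `.0000` suffix), the RFC 1918 test the slide mentions, and the cookie scan over a response's `Set-Cookie` lines. It generalises slightly beyond the slide by returning `None` for values that are not in that format (encrypted or IPv6/route-domain cookies), which a passive check must tolerate rather than crash on. The sample response and pool names are constructed; the `1677787402.36895.0000` value is F5's own documented example for 10.1.1.100:8080.

```python
import ipaddress
import struct

# Added example (not the extension's code). Sample response below is constructed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_bigip_cookie(value):
    """Decode '<ip_le32>.<port_le16>.0000' into (ip, port), or None if not that format."""
    parts = value.split(".")
    if len(parts) != 3:
        return None                          # encrypted / IPv6 / route-domain variants
    try:
        ip_enc, port_enc = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    if not (0 <= ip_enc <= 0xFFFFFFFF and 0 <= port_enc <= 0xFFFF):
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_enc))    # little-endian octets
    port = struct.unpack(">H", struct.pack("<H", port_enc))[0]  # byte-swap the port
    return ip, port


def is_rfc1918(ip):
    """True when the address falls in one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_response(url, response_headers):
    """Return one finding per decodable BIGIP* cookie the response sets."""
    findings = []
    for line in response_headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        cookie = value.strip().split(";", 1)[0]          # drop path/expires attributes
        cookie_name, _, cookie_value = cookie.partition("=")
        if not cookie_name.strip().lower().startswith("bigip"):
            continue
        decoded = decode_bigip_cookie(cookie_value.strip())
        if decoded is None:
            continue
        ip, port = decoded
        findings.append({
            "url": url,
            "cookie": cookie_name.strip(),
            "ip": ip,
            "port": port,
            "rfc1918": is_rfc1918(ip),
        })
    return findings


# Constructed response: one decodable pool cookie, one unrelated cookie,
# and one cookie in a non-decodable (e.g. encrypted) form
SAMPLE_URL = "https://app.example/login"
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "Set-Cookie: BIGipServerpool_enc=!oX4bR2n7fd8jK1ab; path=/",
    "Content-Type: text/html",
]

if __name__ == "__main__":
    for f in check_response(SAMPLE_URL, SAMPLE_RESPONSE):
        print("%s sets %s -> %s:%d (RFC 1918: %s)"
              % (f["url"], f["cookie"], f["ip"], f["port"], f["rfc1918"]))
```

The `rfc1918` flag is what separates "the load balancer leaks its pool member" from "the cookie encodes a public address": the first is the internal-topology disclosure the talk's check reports; the second is still worth a note but with lower severity.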

  25. Summary
      1. Decode custom encoding/serialization
         • Use the IMessageEditorTab interface to display decoded content
      2. Handle anti-tamper or signed requests
         • Use processHttpMessage to catch and rewrite requests
      3. Provide a new “view” into an application
         • Use the ITab interface to display a custom view
      4. Automate a manual task with a new scanner check
         • Use doPassiveScan to trigger a check
