The integrated Burp Suite Professional platform is the most common tool security consultants turn to when conducting application penetration tests. Burp Suite’s assorted tools work together seamlessly throughout the entire testing process, allowing users to test the security of web applications.
Using sophisticated automation with manual techniques, the Burp suite gives users full control of the security testing process from initial mapping and analysis of an application’s threat surface to locating and exploiting security vulnerabilities.
One of the most exciting aspects of the Burp Suite is its flexibility, which allows users to extend its capabilities, using their own or third-party code. This article will take you through the steps of creating Burp Suite extensions.
There are many reasons you may want to create a Burp Suite extension. The extensions available in the BApp store may not add the functionality you need or you may need to create an extension that works with a specific technology.
Whatever the reason, creating your own Burp Suite extension allows you to customize workflows and automation tasks to your specific engagements. As a bonus, you’ll learn a lot about the Burp Suite software by writing a Burp extension.
Burp Suite allows users to write extensions in Java, Python, and Ruby, all you have to do is set up the environment correctly. Before jumping to the details of writing a Burp extension in each language, it’s important to take into consideration the general context:
- Burp instantiates (without constructor parameters) by looking for the BurpExtender class
- Burp calls RegisterExtenderCallbacks on the object passing in a “callbacks” object
These steps are your extension’s entry point, letting Burp know the extension’s capabilities. They let Burp know when to ask you questions. Understanding these fundamentals will make the task of creating Burp Suite extensions a straightforward process.
Getting started creating a Burp Suite Extension with Java requires using an integrated development environment (IDE). If you don’t already have one, some of the most popular IDE choices include Netbeans, Eclipse, and IntelliJ IDEA.
After choosing an IDE, you’ll need to create a package and a new package. Name the package “burp” then use the Burp at Extender/APIs/Save interface files to export and copy in the interface files. The last step in setting up the general environment is saving the interface files to the folder you created for the Burp package.
Once you’ve finished setting up the general environment, it’s time to create the actual extension file by creating a new file called BurpExtender.java. If the IDE you’re using makes the files for you, you’ll create a new class called BurpExtender. You can then paste this code.
On its own, this sample code you copied doesn’t do anything. However, after you generate a JAR file using the IDE, the code listed above will compile and can be loaded into Burp. You’ll usually find it in the dist or build directory. Go to the extender tool and extension tab in Burp to add a new extension. Next, choose the “Java” extension type and specify your JAR file’s location. Burp should load it without any errors.
Jython provides Burp’s Python support. To get started creating a Burp Suite extension with Python, download Jython’s Standalone Jar and go to Extender / Options / Python environment to configure Burp using its location.
Once you’ve completed this step, using any name you’d like, create a new file that ends in .py. Next, you’ll copy the text found under this Python tab to the file you just created. Go to the extensions tab to add a new file extension. Choose the Python extension type and specify your file’s location.
On its own, this sample code you copied doesn’t do anything but Burp should load free of errors. You may come across memory problems if you load various Python tools extensions or unload and reload a Python extension repeatedly because Jython generates Java classes dynamically. If that happens, you’ll get an error message.
One way to avoid this problem is by adding an option to the command line to configure Java versions below eight to allocate more storage when Burp starts. Versions of Java 8+ and above don’t have this option. Instead, with these versions, the JVM automatically manages the permgen size.
JRuby provides Burp’s Ruby support. Getting started creating Burp Suite extensions using Ruby requires downloading JRuby’s complete.jar version and going to the Extender / Options / Ruby environment to configure Burp using its location.
After completing these steps, using any name you’d like, create a new file that ends in .rb. After that, copy the text found under this Ruby tab to the file you just created. Next, go to the extensions tab to add a new file extension. Choose the Ruby extension type and specify your file’s location. On its own, this sample code you copied doesn’t do anything and Burp should load it without any errors.
If you normally use strings to program, you may need to get used to Burp’s programming extensions’ use of byte arrays to present the data you will inspect. Although you can convert byte to string, it’s not always a straightforward process and may bloat your extension’s memory usage.
Of course, sometimes converting byte to string is unavoidable, for example, if you have to execute a regex against a request/response. Generally, it’s best to work directly with bytes. Model your HTTP quests using the various data objects Burp provides.
Starting with the blank extension created above, your extension’s entry point will be the code found under useful APIs on the Burp creator’s website. In addition to byte, Burp’s extender APIs return some other data types allowing HTTP concepts to be conveniently modeled. There are:
To inspect parameters, cookies, etc. you can further process requests and responses using IExtensionHelpers.analyzeRequest(). Telling Burp what your extension can do is a fundamental part of the extension writing process. You can do this by registering bits of your code with Burp, which will allow Burp to execute the code at a later date.
Burp will notify you when the user unloads your extension to give you the opportunity to engage in clean up such as closing a database connection. You have to be registered to take advantage of this feature, which is commonly known as event-driven architecture.
You may face this scenario when you know certain events may occur but are unsure exactly what those events might be. Registering allows you to selectively focus your attention and efforts on the things you want to tackle, preventing you from unnecessarily wasting time on irrelevant matters.
You can use an API to save some state, for example, if you’ve asked for a user configuration or discovered something you want to use in the future. What makes Burp APIs useful is they allow users to avoid the complex task of managing their own files and databases.
APIs are preferable to file systems, permissions, and differences across operating systems when it comes to saving and reloading data. There are also APIs you can use to avoid memory usage bloat. Many sites share the latest technical information on Burp’s APIs, it’s a matter of finding one you like.
You can carry out many useful tasks using Burp’s deep and powerful extensibility API. In this section, we’ll explore these capabilities. Using the extensibility API, you can register scan issues and execute custom scan checks. You’ll also be able to modify and process HTTP requests and responses for all Burp tools.
If you need to access critical runtime data including a target site map, scanner issues, and proxy history, the API gets it all done. Plus it allows you to set up scanning and spidering actions. You can provide custom payload processors and intruder payloads, query and update suite-wide target scope, and the session handling cooking jar.
Some other actions include carrying out customized sessions for handling actions and adding customized context menu items and taps to the Burp user interface. If you’d like, you can use Burp’s native HTTP message editor inside your user interface.
The customization doesn’t end there, you can tailor Burp’s message editor to process data formats that Burp doesn’t support natively. If you need to obtain headers, parameters, cookies, etc. you can do this by analyzing HTTP requests and responses.
Finally, the extensibility API allows you to build, modify, and issue HTTP requests and retrieve responses.
Creating Burp Suite extensions is an excellent way to customize the Burp Suite to meet your specific needs. Burp Suite’s flexibility allows users to smoothly conduct security testing while customizing the extension to meet their needs. You can use your own code or third-party code to write Burp Extensions.
Whether you need to create a Burp Suite extension to work with a specific technology or are simply interested in increasing your knowledge of how the Burp Suite works, writing a Burp Suite extension is a great way to increase your professional knowledge and ensure you get the job done correctly.