Enlarge your burp or how not to be afraid of JavaDocs

Igor Bulatenko Ivan Elkin

Sources

h"ps://goo.gl/oYjBTg(python)

#whoami

•   #videns•   HeadofQIWIapplicaAonsecuritydepartment•   FormersecuritysoFwaredeveloper•   CTFplayerandorganizer(TechnoPandas)•   JBFCMemberJ

Whatisallabout

•   Whypeople(us)useburp•   Burp101

•   Officialinfo•   OtherpresentaAons

•   Internals•   Plugins

Isitgood?

•   #1amongwebscanners*•   CrossplaTorm•   GoodformanualvulnerabiliAestesAng•   Canscanwholeinternet•   Hasplugins•   Mostpopularvulnerabilitychecks•   GartnerchallengersforAST

Unofficialinfos

h"p://www.slideshare.net/jasonhaddix/bsides-finalh"p://www.slideshare.net/AugustDetlefsen/burp-extensionsh"p://www.slideshare.net/marcwickenden/burp-plugin-development-for-java-n00bs-44-conh"p://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdfh"p://www.youtube.com/watch?v=Q2WK5LpDbxwh"p://www.youtube.com/watch?v=N-IKHmGjf2ch"ps://twi"er.com/everythingburph"p://www.slideshare.net/AugustDetlefsen/appsec-usa-2015-customizing-burp-suite

Whyimproveit?

•   NotcorrectuseofAPI•   Scanfullness•   TimeforimplemenAngnewtechniques

How it works (spidering)

How its works (active scan)

Demo 01

•   SimplestPlugin•   ShowloggingfuncAonality(stdout,stderr)•   LogInserAonPointsinfo

•   NestedInserAonPoint•   DoAcAveScan•   Howtodebuginpython(jython)

Demo 02

•   DoAcAveScan•   Buildingrequestfora"ack•   Howrequestsarecounted(scannertab)•   Sendrequestsviacallbacksorviajython

•   HighlighAnginrequest/responses

Demo 03

•   Errormessagecheck(h"p://virvales.blogspot.ru/2015/08/burp-stacktrace-sniffer.html)

•   H"pListener•   Manualaddingscanissue

You’re doing it wrong

Right way

Demo 04

InserAonPointProviderCustomInserAonPoint,necessarymethodsLoggingpayloads

The end (part 1)