Sunday, 22 April 2012

Basics of Burp Extender (Part 2)

In the first part of Basics of Burp Extender, we created a sample Burp extender that drops all HTTP requests to "www.facebook.com" by implementing the processProxyMessage method of the IBurpExtender interface.

In this part, we will implement the processHttpMessage and registerExtenderCallbacks methods of the IBurpExtender interface. The end goal of this example is: "Intercept the HTTP request, check if it is in target scope, if not in scope then add it to the target scope list and passively scan the response."

/*
 * A simple burp extender to intercept the request,
 * add it to the target scope and scan passively.
 */

package burp;
import java.io.*;
import java.net.URL;

public class BurpExtender
  {
     public IBurpExtenderCallbacks mycallbacks;

     //This method is invoked whenever any Burp tool makes an HTTP request or receives a response; toolName identifies the tool.
     public void processHttpMessage(java.lang.String toolName,
                           boolean messageIsRequest,
                           IHttpRequestResponse messageInfo)
       {
          //Act once the response has arrived: messageInfo then carries both the request and the response.
          //While messageIsRequest is true there is no response yet, so there would be nothing to scan.
          if(!messageIsRequest)
            {
               //Calls to IBurpExtenderCallbacks must be wrapped inside a try/catch block as they throw java.lang.Exception
               try
                 {
                    URL url = messageInfo.getUrl(); //Get the URL of the intercepted request

                    if(!mycallbacks.isInScope(url)) //Check whether it is in scope or not
                      {
                         mycallbacks.includeInScope(url); //Add the target URL to scope

                         //Report HTTPS traffic as HTTPS instead of hard-coding false
                         boolean useHttps = "https".equalsIgnoreCase(messageInfo.getProtocol());

                         //Passively scan the request/response pair
                         mycallbacks.doPassiveScan(messageInfo.getHost(),
                                     messageInfo.getPort(), useHttps,
                                     messageInfo.getRequest(),
                                     messageInfo.getResponse());
                      }
                 }
               catch(Exception e)
                 {
                    e.printStackTrace();
                 }
            }
       }

     /*This method is invoked at startup. It is needed if you want to call any method of the IBurpExtenderCallbacks interface.
     In this example, we call three such methods.*/
     public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
       {
          mycallbacks = callbacks;
       }
  }

This was a rather simple example. In the next part we will implement the newScanIssue method of the IBurpExtender interface and a few other things (I am not sure what other things ;-) )
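
The extender above adds every URL it sees to the target scope, so scope stops being a boundary around what you are authorised to test. The variant below is an added example, not part of the original post: it widens scope only for hosts on an allow-list. The host names, AUTHORIZED_HOSTS, skipped and isAuthorized are hypothetical, and it compiles against the same legacy interface files in the burp package.

```java
package burp;

import java.net.URL;
import java.util.*;

public class BurpExtender
{
    // Hypothetical allow-list of hosts covered by the engagement (placeholder names).
    private static final Set<String> AUTHORIZED_HOSTS = new HashSet<String>(
            Arrays.asList("app.example.test", "api.example.test"));

    // Hosts already reported as skipped, so the alerts tab gets one line per host.
    private final Set<String> skipped = Collections.synchronizedSet(new HashSet<String>());
    private IBurpExtenderCallbacks callbacks;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { this.callbacks = callbacks; }

    // Hypothetical helper: exact, case-insensitive match; no wildcard or suffix matching.
    static boolean isAuthorized(String host)
    {
        return host != null && AUTHORIZED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public void processHttpMessage(String toolName, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo)
    {
        if (messageIsRequest) return; // wait for the response so there is something to scan
        try
        {
            URL url = messageInfo.getUrl();
            String host = messageInfo.getHost();
            if (callbacks.isInScope(url)) return; // already in scope, nothing to widen
            if (!isAuthorized(host))
            {
                if (skipped.add(String.valueOf(host)))
                    callbacks.issueAlert("Left out of scope (not on allow-list): " + host);
                return;
            }
            callbacks.includeInScope(url);
            boolean useHttps = "https".equalsIgnoreCase(messageInfo.getProtocol());
            callbacks.doPassiveScan(host, messageInfo.getPort(), useHttps,
                    messageInfo.getRequest(), messageInfo.getResponse());
        }
        catch (Exception e) { e.printStackTrace(); } // the legacy API methods declare throws Exception
    }
}
```

Third-party hosts that a page pulls in (CDNs, analytics, login providers) then show up once in the alerts tab instead of silently becoming scan targets.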

Wednesday, 18 April 2012

Basics of Burp Extender (Part 1)

This monster (Burp Suite) does not need any introduction; it is itself a beauty and a blessing for any web security analyst. If that is not enough, it allows others to extend its functionality by exposing certain interfaces. These are known as Burp Extender.

There are six such interfaces available, which are as follows:

1) IBurpExtender
2) IBurpExtenderCallbacks
3) IHttpRequestResponse
4) IScanIssue
5) IScanQueueItem
6) IMenuItemHandler

Each of these interfaces has fields and methods to carry out certain tasks. Using the above-mentioned interfaces we can extend Burp Suite and get our things done. Everything is Java here.

A sample extender which extracts the HTML comments from the response is shown here. The purpose of their post was to highlight the steps needed to get your extender working. However, it does not fulfil that purpose: if you follow the steps they mention, you will get the following error: "Exception in thread "main" java.lang.NoClassDefFoundError: burp/StartBurp".

So in this write-up, we will see a few examples of how to utilize these interfaces and get the best out of this beast :)

1. A sample application to drop any HTTP request to www.facebook.com

/* 
 * A simple burp extender to drop any HTTP request to facebook.com
 */
 
package burp;
import java.io.*;

public class BurpExtender
 {
      //At least one of the 5 methods described in the IBurpExtender interface should be present.
      public byte[] processProxyMessage(int messageReference,
                           boolean messageIsRequest,
                           java.lang.String remoteHost,
                           int remotePort,
                           boolean serviceIsHttps,
                           java.lang.String httpMethod,
                           java.lang.String url,
                           java.lang.String resourceType,
                           java.lang.String statusCode,
                           java.lang.String responseContentType,
                           byte[] message,
                           int[] action) 
      {
         if(messageIsRequest)
           {      
                                   
              if(remoteHost.equals("www.facebook.com"))
                { 
                    action[0]=3; //Set the action to 3, i.e. the ACTION_DROP variable of IBurpExtender
                }
           }
         return message;
      }
 }



Let us dissect the above code

Any Burp extender must have at least one of the 5 methods described in the IBurpExtender interface. In the above example, we have used the processProxyMessage() method, which is invoked by Burp Proxy whenever a client request or server response is received.

This means that whenever Burp receives a request or response, it looks for this method in the Burp extender and, if it finds one, executes the code block inside it.

The last parameter of the processProxyMessage() method is an integer array. A series of integer variables is defined inside the IBurpExtender interface which can be used to tell Burp what to do with the received request/response. The variables and their values are as follows:

ACTION_FOLLOW_RULES has value 0
ACTION_DO_INTERCEPT has value 1
ACTION_DONT_INTERCEPT has value 2
ACTION_DROP has value 3
ACTION_FOLLOW_RULES_AND_REHOOK has value 4
ACTION_DO_INTERCEPT_AND_REHOOK has value 5
ACTION_DONT_INTERCEPT_AND_REHOOK has value 6



How to get the above code working

I am using Linux as the operating system to create this Burp extender, so the steps for Windows may vary accordingly.

a) Create a folder (e.g. oldmanlab) and save the above code in it as BurpExtender.java.
b) Create a folder named burp inside the oldmanlab folder.
c) Download all these (1, 2, 3, 4, 5, 6) .java files and save them under the "oldmanlab\burp\" folder.
d) Compile the BurpExtender.java file to its class file using the command "javac BurpExtender.java".
e) Move the BurpExtender.class file into the burp folder: "mv BurpExtender.class burp/"
f) Create the final jar file using the command "jar -cf burpextender.jar burp/BurpExtender.class".
g) Now start Burp Suite with this extender: "java -classpath burpextender.jar:burpsuite_v1.4.01.jar burp.StartBurp"

If everything goes well, you will see the alert window light up once Burp opens. It will display which methods were found and which are not implemented.



Now configure your browser to tunnel through Burp Suite and open up "www.facebook.com". You will see that the request to Facebook is dropped by Burp Suite.

That is all for the first part. In the next part we will create some more samples using other interfaces.