Skip to content

Python Burp Suite Extension – Part 3

Burp Suite

In the last two parts, we have seen how to work with some common burp APIs. Also, we have seen how to add GUI in our extension with a custom tab. One of the issues with extensions in python is GUI. As we need to use java APIs like swing in our python, sometimes it becomes difficult to add everything manually in GUI. For that let’s look at how to automate some of the parts of GUI for our extension.

So to automate some processes, we are going to use Netbeans to create UI in Java. And later see how we can effectively convert that java GUI into Jython. We are not going to see how to install Netbeans as I believe it’s a simple process and also if you are following the series you might know to install applications. You can download it from here.

Overview

Setting up Netbeans for GUI

Firstly we need to create a new project and select the Java with Maven –> Java Application. Click next and finish and your project will be created.

NetBeans Project

Once our project is created we need to create a new panel to create a UI. And Right-click on the project file and select new. You can see the list of options, select the JPanel Form.

NetBeans Design

Now we can see all the options. At the top, we have source and design available. The source will allow us to view the code of the UI in Java. The design will allow us to create UI with the drag and drop method. On the right side, we have all the swing methods which we can use to create our UI.

NetBeans GUI

Objective

Now as we went through the basic UI in the previous part. We know that we need a jpanel to start working with GUI. As we are using the NetBeans we don’t need a Jpanel as it’s by default integrated into the code

As I as said we are creating a UI for our next fully working logging extension. So let’s figure out what we want to add for UI. We want 3 buttons at the top, which will allow us to export, import data and clear all rows. Apart from the 3 buttons, we want a table. Remember we are just creating a UI so our table will be a custom table model which we need to code manually. We will just use NetBeans to place our table in the UI or for layout management.

Final UI
Final UI

The table should be similar to the proxy history tab. So with the table, we want to show the request and response at the bottom of the table. So we will split the screen vertically and at the top part, there will be a table. And at the bottom part, we will again split the screen horizontally and will show the request and response on the left and right sides.

Creating a GUI for Logger Extension

Let drag and drop 3 buttons from the right side and place them as you want and rename the button name.

Firstly we need to drag and drop three buttons into the UI from the palette. And align the buttons as you want. Right-click on each button and change the button name as well as the button variable name. You can see the below image we have added an import button and changed the button and variable name. You have to follow the same for all three buttons.

JButton
JButton

As explained after the button we want to split the screen vertically. To do that drag and drop the split-pane same as the button. and change the orientation from the properties. There are lots of options available for all the elements in the properties. You can add or edit whatever you want. As of now, we are going with default settings and only change them if required.

JSplitPane
JSplitPane

As we can see in the final UI output from the above image. We need a table on the top side of the split window. Or we can say we want a table on the left button. To make sure the table here is only for demo or our UI purpose. We will add a default table from Netbeans and will replace it later with a custom table model. We can right-click on the top side of the split pane and select add from Palette and select the table from swing controls.

JTable
JTable

Now at the bottom, we again want to use JSplitPane to split the bottom window just to show both requests and responses. Also after splitting the screen we have to add a text box that will be used to show the request and response. We will change the text box variable name to request and response text box so we can use them later.

JSplitPane
JSplitPane

So far our UI is ready and it’s time to change the java code into python code. So copy the whole code from the source and paste it anywhere you want. We will convert the code line by line and for that, we will follow everything from this GitHub code.

To make changes, we need to how to create basic elements in Jython like button tables etc. If you don’t know how to create those, we have covered everything from basic in Part 2 of this series. You can read it here.

Java to Jython

Firstly we want to remove the code which is useless to us. Remove the code from lines number 1 to 28, 40 to 45 and 104 to 122 as we don’t need anything. Once we remove the unwanted code we are left with actual useful code. Now we will follow this particular code to convert it into python.

To convert any code for this UI. We first need to remove the word new from the whole code. As we are doing line by line let’s take lines 1 to 9. Also from the last blog, we know that to create anything we need to import that API. Also, we don’t need to define the whole world as javax.swing.anyting. We can import and directly use it.

        ###Java Code
        Importbutton = new javax.swing.JButton();
        Exportbutton = new javax.swing.JButton();
        Clearbutton = new javax.swing.JButton();
        jSplitPane1 = new javax.swing.JSplitPane();
        jScrollPane1 = new javax.swing.JScrollPane();
        jTable1 = new javax.swing.JTable();
        jSplitPane2 = new javax.swing.JSplitPane();
        RequestTextbox = new javax.swing.JTextField();
        ResponseTextbox = new javax.swing.JTextField();

      ## Python Code
        from javax.swing import JButton, JSplitPane,JTable, JScrollPane, JTextField
        Importbutton = JButton();
        Exportbutton = JButton();
        Clearbutton = JButton();
        jSplitPane1 = JSplitPane();
        jScrollPane1 = JScrollPane();
        jTable1 = JTable();
        jSplitPane2 = new javax.swing.JSplitPane();
        RequestTextbox = new javax.swing.JTextField();
        ResponseTextbox = new javax.swing.JTextField()

What we did in the above code is have removed the new keyword. And Also remove the Javax.swing.. Make sure you do the same for whole codes. Also, remember to import the package wherever you remove the Javax.swing.. After removing the javax.swing. and new we have this particular code to follow.

In the previous blog, we created buttons and we know we can define the button name while creating the button itself. So remove the lines from 13 to 15, and add the button name to the lines 3 to 5.

## java Code
Importbutton = JButton();
Exportbutton = JButton();
Clearbutton = JButton();

## Python Code
Importbutton = JButton("Import");
Exportbutton = JButton("Export");
Clearbutton = JButton("Clear");

We can do the same for line number 17 which split the screen. We can remove line number 17 and can add the code within line number 6.

#Java Code
jSplitPane1 = JSplitPane();

#Python Code
jSplitPane1 = JSplitPane(JSplitPane.VERTICAL_SPLIT);

Now from lines number 19 to 29, we have a table with the Default table model. We have created the Default table model in the last part so we will replace the lines number 19 to 29 with the same code which we used in the last part. Make sure that while replacing the code you keep the variable name the same.

## Java Code
jTable1.setModel(DefaultTableModel(
            Object [][] {
                {null, null, null, null},
                {null, null, null, null},
                {null, null, null, null},
                {null, null, null, null}
            },
            String [] {
                "Title 1", "Title 2", "Title 3", "Title 4"
            }
        ));

## Python Code
self.colname = ['Number','String']
self.rowvalue = [['1','One'],['2','Two']]
self.DefaultModel = DefaultTableModel(self.rowvalue, self.colname)
jTable1 = JTable(self.DefaultModel)

Now everything is fine let’s jump to lines number 42 and 43. We can see that there is a keyword as this. We need to remove this keyword the same as we did for new the keyword. But here this keyword is used to show something or pretend something. As we know from the previous blog every element is added to the JPanel and we have not added the Jpanel as it was by default in the Netbeans. Also, the keyword is representing the Jpanel as the layout is added to Jpanel.

So firstly we need to import and create jpanel. then we need to replace lines 42 and 43 with python code. So we will name our jpanel the same as we did in the last article while creating an empty custom tab.

## java Code
GroupLayout layout = GroupLayout(this);
this.setLayout(layout);

### Python Code
from javax.swing import JPanel
self.Customtabui = JPanel()
layout = GroupLayout(self.Customtabui)
self.Customtabui.setLayout(layout)

If you look at the above code it’s just simple. As I said the keyword this represents the JPanel. As in our code, we don’t have JPanel we import it and create a JPanel. Then in java code, it creates a variable name layout so we do the same. Also as I said the this = JPanel so in our python code we replaced this with the variable which defines the Jpanel.

Now if you look at line number 68 or 56 we have word short. Which is part of java so we need to import that as well.

from java.lang import Short

Now our UI is completed. You can verify the whole converted code from here. Now our GUI part or UI is ready so all we need to do is use our default burp code to add the UI. if you remember from the previous blog to create an empty tab we can use this code.

from burp import ITab
from burp import IBurpExtender

class BurpExtender(IBurpExtender, ITab):

    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        self.callbacks.setExtensionName("Test Extension")
        self.callbacks.addSuiteTab(self)

    def getTabCaption(self):
    	return "Custom Tab"

    def getUiComponent(self):
    	return self.Customtabui

All we need to do is paste our UI code into the above code. Paste the UI python code just after line number 10. While pasting the code make sure that python has a strict indentation so it could give you an error while pasting it. So make sure you check it properly. Now after adding the UI with the above code we can see that we got the UI we wanted. You can check out the full code from here.

Burp Extension
Burp Extension

Now our UI is ready and we can start working on burp APIs to use the extension as a logger. Also while importing the extension if you find that Ui is not the same as Netbeans then make sure you did the changes correctly or your UI was correct in NetBeans as well. You can view the demo in NetBeans as well.

NetBeans Design
NetBeans Design

Finally, if we compare our UI with our goal we can see that the text box at the bottom doesn’t look the same and it’s not good enough to show the request and response. The reason is we have a normal text editor view. We have a burp API which allows us to show the request and response text editor box.

### Old Code
RequestTextbox =  JTextField()
ResponseTextbox =  JTextField()
RequestTextbox.setText("Request");
ResponseTextbox.setText("Response");
jSplitPane3.setLeftComponent(RequestTextbox);
jSplitPane3.setRightComponent(ResponseTextbox);

### New Code
RequestTextbox = self.callbacks.createMessageEditor(None, True)
ResponseTextbox = self.callbacks.createMessageEditor(None, True)
jSplitPane3.setLeftComponent(RequestTextbox.getComponent());
jSplitPane3.setRightComponent(ResponseTextbox.getComponent());

Just after replacing the few lines of code, we can use the burp editor in our extension. Firstly we removed the text field and its text from the code. And instead, we have created a message editor from the burp using the callback method. Then we have to call the UI component from the message editor. Our final code from the extension can be found here.

In the next and final part of this series, we will use the burp APIs in python to get and capture the request and store the request in our table. Also, we will change our current default table with a custom table with all the button listeners and a properly working extension.

Follow us

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.