What is Burp Suite
Burp Suite is one of the most popular proxy applications used by penetration testers and bug bounty hunters. It is an intercepting proxy that lets us capture and modify the HTTP and WebSocket traffic between client and server. Very often we use Burp Suite extensions to automate parts of this work.
If you are working in application security on anything related to web applications, mobile applications or API security, you must already be aware of Burp Suite.
Burp Suite is a powerful tool for penetration testers with many features, and it also allows pentesters to write Burp Suite extensions to extend its functionality.
Burp Suite itself is written purely in Java, but extensions can be written in Java, Jython or JRuby.
In this series, I will cover the basics of writing a Burp Suite extension in Jython. If you are not familiar with Jython, it is an implementation of the Python language that runs on the Java Virtual Machine. Jython has the same syntax as Python, but it can also use Java libraries directly.
Jython Environment Setup
The installation process is simple: all we need to do is download the Jython standalone jar file.
- Download the jar file from this URL: https://search.maven.org/artifact/org.python/jython-standalone
- Open Burp and go to Extender -> Options
- Select the downloaded jar file as the Python environment
As of now, there is no IDE that understands Jython specifically, so we are going to use VS Code. You may see some syntax or package errors, because VS Code treats all .py files as regular Python and the burp package only exists inside Burp. We are not going to go through the whole VS Code setup.
To follow this series you should also know Python concepts like functions, methods, classes, loops, etc. We will only cover how to create an extension, not the fundamentals of the Python language.
The goal of this series is to help you write a basic Burp Suite extension. It will focus on the basic Burp APIs required to write an extension, and on how to create a UI in Jython.
We will create a simple logger extension with custom export and import buttons to save the extension's data. Since there are already several loggers available for Burp Suite, instead of logging every request automatically we will create an extension that only logs a request when the user asks it to.
- Basic Burp Suite API
- Creating the Basic GUI
- Working with NetBeans for GUI
- Understanding how to convert Java GUI to Jython
- Creating a Logger Extension
Basic Burp Extension
Before we start writing code, we need to look at the Burp APIs as well. If you open Burp and go to the Extender tab, you can find the list of APIs that your extension can use to perform its tasks.
IBurpExtender and IBurpExtenderCallbacks are the two most important interfaces, and you will use them in every extension. IBurpExtender is mandatory: you can think of it as the way Burp recognises the script as an extension and hooks it in.

```python
from burp import IBurpExtender

class BurpExtender(IBurpExtender):

    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
```
Once you save the above code and load the Python file in Burp Suite, you can see that the file is loaded without any error. This code is simple and will be the starting point of every extension.
- On line 1 we import IBurpExtender from the burp package. You can read its documentation as well; this interface is required for every extension. On line 3 we create a class that implements IBurpExtender.
- On line 5 we define the registerExtenderCallbacks method. If you look at the IBurpExtender documentation, you will see that Burp calls registerExtenderCallbacks when the extension loads and passes it an IBurpExtenderCallbacks object.
We store that object in a variable named self.callbacks. Since this is the IBurpExtenderCallbacks instance Burp handed to us, every method of IBurpExtenderCallbacks is available through self.callbacks anywhere in the class.
The IBurpExtenderCallbacks interface is one of the most important for working with Burp. It lets us do many things, like getting information about a request, setting the extension name and adding a tab, saving extension configuration data, etc.
You can view the whole documentation listing everything it can do at this URL: https://portswigger.net/burp/extender/api/burp/iburpextendercallbacks.html
Working with IBurpExtenderCallbacks
Right now our extension does nothing after loading, so let's add something to it. Everything we do here uses only the callbacks API from Burp; you can see all the details at the URL above.
When you load an extension, Burp gives it three tabs: Details, Output and Error. To print anything to the Output tab we have the printOutput method in the callbacks.

```python
from burp import IBurpExtender

class BurpExtender(IBurpExtender):

    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        self.callbacks.printOutput("This is an extension")
```

Once we load the extension, you can see that our text shows up in the Output tab.
There is another print method for printing to the Error tab instead of the Output tab:

```python
self.callbacks.printError("Something went wrong, this is an error")
```

If you add the above line to your code, you will see the message printed in the Error tab. You can also see in the screenshot above that Burp shows the file name, text.py, as the extension name. If we want to show custom text instead of the file name, we can do that with setExtensionName.
There are many more methods available, but most of them need additional objects or can only be used at a particular time. As our extension is empty and does nothing yet, we won't use them. One last method for now is the alert method, issueAlert.
After adding that call to the code (it is included in the final code below), you can see the alert in the Burp Suite dashboard tab.
Our final code from the above steps looks like this:

```python
from burp import IBurpExtender

class BurpExtender(IBurpExtender):

    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        self.callbacks.printOutput("This is an extension")
        self.callbacks.printError("Something went wrong, this is an error")
        self.callbacks.setExtensionName("Test Extension")
        self.callbacks.issueAlert("hello world")
```

So far we have used a very basic part of the Burp API to create a very simple extension. The extension does nothing visible yet because we don't have any UI. We could do other things without a UI, but those are a bit more complex for now, as we haven't yet covered handling or modifying requests.
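As an added example that is not part of the original post, here is the same extension restructured so that a failure during loading is reported through printError and issueAlert with the full Jython traceback, and so that the class can be exercised outside Burp against a constructed stand-in for the callbacks object. The names report_exception, initialise and FakeCallbacks are my own and not part of the Burp API.

```python
import traceback

try:
    from burp import IBurpExtender          # only importable inside Burp
except ImportError:                         # running outside Burp, e.g. in a test
    class IBurpExtender(object):
        pass

EXTENSION_NAME = "Test Extension"

def report_exception(callbacks, where):
    """Log the current exception's traceback to the Error tab and raise a
    dashboard alert; returns the text that was logged."""
    text = "Error in %s:\n%s" % (where, traceback.format_exc())
    callbacks.printError(text)
    callbacks.issueAlert("%s: error in %s (see Error tab)" % (EXTENSION_NAME, where))
    return text

class BurpExtender(IBurpExtender):
    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        callbacks.setExtensionName(EXTENSION_NAME)
        try:
            self.initialise()
        except Exception:
            # An exception escaping this method makes Burp unload the extension;
            # log the full Jython traceback ourselves before that happens.
            report_exception(callbacks, "registerExtenderCallbacks")
            return False
        callbacks.printOutput("%s loaded" % EXTENSION_NAME)
        return True  # Burp does not use the return value; it is only for tests

    def initialise(self):
        # Later parts of the series create the UI and register listeners here.
        self.callbacks.printOutput("initialising %s" % EXTENSION_NAME)

class FakeCallbacks(object):
    """Constructed stand-in for the IBurpExtenderCallbacks methods used above;
    it records every call so the extension can be exercised without Burp."""
    def __init__(self):
        self.name, self.output, self.errors, self.alerts = None, [], [], []
    def setExtensionName(self, name):
        self.name = name
    def printOutput(self, text):
        self.output.append(text)
    def printError(self, text):
        self.errors.append(text)
    def issueAlert(self, text):
        self.alerts.append(text)
```

Inside Burp the real burp package is imported and FakeCallbacks is simply never used; outside Burp a test can subclass BurpExtender with an initialise that raises and check what reached the Error tab.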