04 May, 2015

And Now... Introducing: Burp BS!

Author: Jason Gillam

Burp BS… where the “BS” stands for BeanShell.  “What on earth is BeanShell?” you may ask.  BeanShell is a very old Java library that was designed to build scripts in Java (full details on www.beanshell.org).  It never really caught on for general use because the Java language is designed from the ground up to be a strongly typed OO language, which is counter to the ‘norm’ for a scripting language.  Still, BeanShell is mature, solid, and has been used in a number of places where scripting inside of an existing Java container makes sense.

If you see where this is going and just want to find the download link, it’s here: burpco2.com/burp-bs.html. Otherwise, please read on:

With the Burp BS extension, Burp is now one of those places!  You might be thinking: “scripting is cool, but when will you really need it?  Can’t Burp already handle just about every scenario?”  Burp is pretty good at handling just about everything, but sometimes you get into some tricky corner case where the standard tools just don’t cut it.  I never write a Burp extension that I don’t, at some point, need in a web penetration test.

In this particular case I was faced with a clever sort of MAC (Message Authentication Code) check, where the MAC was a parameter derived from other POST parameters, one of which was an incrementing value.  Furthermore, the server actually kept track of these and would not process requests with a MAC that had been used previously (so the MAC also functions as a sort of nonce).  I could not figure out any way in Burp to have it gather the values, increment one, generate the MAC and set it... that’s just too many things to juggle.  Sure, I could have messed around with Intruder and maybe gotten parts of this to work, but that doesn’t help me with other tools such as Repeater.  But if I could write a little script to process each request…

I know some of you are thinking “Python?”.  I’m a fan of Python so I absolutely did consider just writing the logic in a Python script or extension (or using an existing Python extension) but then I remembered BeanShell.  Some of the advantages of BeanShell include:

  • I could build a little interface for running and testing scripts directly inside of Burp.  No need to keep redeploying an extension to see if the script works.
  • Completely reusable for future tests.
  • BeanShell actually runs inside the existing Burp Java environment so it has full access to the usual Java APIs as well as all the Burp APIs.
  • Although it is running in the Java environment and using Java code, BeanShell code is designed to be script-friendly, so it doesn’t have some of the constraints of the Java language.
  • I could easily write a wrapper around Burp’s APIs to expose intuitive objects.

In the end I decided to move forward with BeanShell.  So what does this scripting language look like, you may ask? Let’s say you need to grab parameters foo and bar, concatenate them, generate the MD5 hash and place it in the cookie foobar:

// concatenate the two parameters, MD5 them, and set the result as the foobar cookie
values = request.getParam("foo") + request.getParam("bar");
request.setCookie("foobar", utils.md5(values));

Or let’s say you need to conditionally add the header “X-Foo” whenever a parameter “bar” is set to “true”, and only on GET requests… but you need to switch them to POST requests.

// only GET requests whose bar parameter is "true" get the extra header
if (request.getMethod().equals("GET") && request.getParameter("bar").equals("true"))
    request.setHeader("X-Foo", "Burp BS Awesomeness");

If you are familiar with Java syntax already these probably seem very easy to understand.  Note that I didn’t have to set a type for new variables (that’s a script-friendly feature of BeanShell) and I have access to some useful pre-set objects (request and utils).
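To make the corner case from the MAC paragraph concrete, here is the same per-request logic (gather the covered values, bump the counter, recompute the MAC, write it back) written as a stand-alone Python function over a raw HTTP request, together with a small model of the server-side check that rejects a reused MAC. This is an added example, not code from the post or from the Burp BS project: the parameter names, the "seq" counter, the sample request and the MAC formula (MD5 over the concatenated covered values, mirroring the utils.md5 snippet above) are all assumptions made here, since the post does not disclose the real scheme.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the kind of form POST the described MAC check guards.
# Field names, the counter and the MAC scheme are assumptions for this example.
SAMPLE_REQUEST = (
    "POST /api/transfer HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "account=1234&amount=50&seq=41&mac=stale"
)

# Fields covered by the MAC, concatenated in this fixed order (assumed scheme).
MAC_FIELDS = ("account", "amount", "seq")


def compute_mac(params):
    """Assumed MAC: MD5 over the covered values joined in MAC_FIELDS order."""
    covered = "".join(params[name] for name in MAC_FIELDS)
    return hashlib.md5(covered.encode()).hexdigest()


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version, headers and form params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    params = dict(parse_qsl(body, keep_blank_values=True))
    return method, path, version, headers, params


def build_request(method, path, version, headers, params):
    """Re-serialise the request; Content-Length is recomputed for the new body."""
    body = urlencode(params)
    headers = dict(headers)
    headers["Content-Length"] = str(len(body))
    lines = [f"{method} {path} {version}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def process_request(raw):
    """The per-request hook: gather values, increment seq, recompute the MAC, set it."""
    method, path, version, headers, params = parse_request(raw)
    params["seq"] = str(int(params["seq"]) + 1)   # the incrementing value
    params["mac"] = compute_mac(params)           # derived from the other params
    return build_request(method, path, version, headers, params)


class MacVerifier:
    """Server-side model of the check described in the post: the MAC must match
    the covered fields and must not have been presented before."""

    def __init__(self):
        self.seen = set()

    def accept(self, raw):
        _, _, _, _, params = parse_request(raw)
        if any(name not in params for name in MAC_FIELDS):
            return False
        mac = params.get("mac", "")
        if mac != compute_mac(params) or mac in self.seen:
            return False
        self.seen.add(mac)
        return True


if __name__ == "__main__":
    verifier = MacVerifier()
    first = process_request(SAMPLE_REQUEST)
    print(first)
    print("first send accepted:", verifier.accept(first))
    print("replay accepted:", verifier.accept(first))
    print("next send accepted:", verifier.accept(process_request(first)))
```

The verifier is the part worth keeping in mind when you meet a scheme like this: an unkeyed hash such as the utils.md5 value in the snippet above is only an integrity checksum, so what actually forced a script into the loop was the server remembering every MAC it had already processed. Any tool that replays a captured request unchanged fails that check, which is why the counter has to be bumped and the MAC recomputed on every single request, whether it goes through Repeater, Intruder or anything else.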

If you are interested in reading more about this project please visit burpco2.com/burp-bs.html.  Please send me feedback if you find this extension useful or if you have ideas to improve on it.

Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com, on Twitter @JGillam, or visit the Secure Ideas – ProfessionallyEvil site for services provided.
