Detection of unauthorized access vulnerabilities in burpsuite plugin development

The drunk night can’t stop our pace

A few days ago the company bought some Burp Suite licenses, so we can finally use the genuine version; a thumbs-up to the company first! Now down to business. Burp Suite is a great tool for web security testing, and one of its strengths is extensibility: Burp supports extensions written in Java, Python and Ruby, and its built-in BApp Store already holds many powerful ones. As a programmer I felt it was time to develop a plugin of my own. With that in mind I started exploring and coding, and this article is the result.

Choosing the plugin language

As mentioned above, Burp supports extensions in Java, Python and Ruby. I am more familiar with Python, so I started writing plugins in Python; anyone proficient in Java can write them in Java instead. Python users will know that there are several implementations of the language: CPython (the interpreter we usually just call "Python") and Jython, the implementation that runs on the JVM. Simply put, Jython code can call Java classes directly, which is why Burp can expose its Java extender API to Python extensions.

Burp Suite Jython development environment

To develop and use your own Burp Suite plugin you need both a Jython development environment and a Jython runtime environment. The former is set up on the machine where you write the Jython program, the latter on the machine where Burp Suite runs. Since development and use of the plugin usually happen on the same machine (a Mac in my case), this article describes how to install Jython on macOS.

Install Jython on the Mac

First install Jython on the Mac so that we can develop Jython programs. This is just like installing a Python environment; run the following command:

brew install jython

After installation Jython lives under /usr/local/Cellar/jython/. Add /usr/local/Cellar/jython/2.7.1/libexec/bin to your PATH environment variable (adjust the version number to whatever brew installed), then in a shell enter:

$ jython
Jython 2.7.1 (default:0df7adb1b397, Jun 30 2017, 19:02:43)
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)] on java1.8.0_111
Type "help", "copyright", "credits" or "license" for more information.
>>>

Note: for other platforms (Windows, Linux) please search for the Jython installation procedure yourself; it should be similar.

Load Jython into Burp Suite

After installing Jython on the Mac, you need to point Burp Suite at it: Extender > Options > Python Environment, "Location of Jython standalone JAR file". Note that it is the Jython .jar file that is selected here, not the jython launcher script.

Developing the Jython program

This article uses a plugin that detects unauthorized access (endpoints that still answer after the credentials are stripped) as the example to walk through the development process. Since the focus is on how to develop a Burp plugin, and for some unavoidable reasons, the plugin presented here is a simplified version.

Create the main.py file

#! -*- coding:utf-8 -*-
import re
from burp import IBurpExtender   # defines the basic information of the extension (entry point)
from burp import IHttpListener   # receives every HTTP request/response Burp handles
from noauth import noauth_request

# sensitive interface detection: log each GET that passes through the proxy,
# hand it to noauth_request (which replays it without credentials) and print the result
res_host = re.compile(r'^Host: (.*)$', re.I)
res_path = re.compile(r'^(GET|POST) ([^ ]*) HTTP/')


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()   # general helpers: request/response parsing, byte conversion
        self._callbacks.setExtensionName("sensitive_interface_scan")
        print "load sensitive_interface_scan plugin success!"
        print "============================================="
        print ""
        # register ourselves as an HTTP listener
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # only look at Proxy traffic (TOOL_PROXY == 4), and only once the response has arrived
        if toolFlag != self._callbacks.TOOL_PROXY or messageIsRequest:
            return
        response = messageInfo.getResponse()   # get response
        analyzedResponse = self._helpers.analyzeResponse(response)
        body = response[analyzedResponse.getBodyOffset():]
        body_string = self._helpers.bytesToString(body)   # get response_body as a Python string
        request = messageInfo.getRequest()
        analyzedRequest = self._helpers.analyzeRequest(request)   # analyzeRequest, not analyzeResponse
        request_header = analyzedRequest.getHeaders()
        method, path, host = "", "", ""
        try:
            method, path = res_path.findall(request_header[0])[0]
            # the Host header is not guaranteed to be the second line, so search for it
            for h in request_header:
                m = res_host.findall(h)
                if m:
                    host = m[0].strip()
                    break
        except Exception, e:
            print "[Error]parse request failed: %s" % str(e)
            return
        url = method + " " + host + path
        if method == "GET" and host:
            # detect the interface of the GET request
            print "[Info]Check url is ", url
            cur = noauth_request(host, path, body_string)
            noauth_result = cur.run()
            if noauth_result:
                print "[Info]Found it is a noauth Interface %s" % noauth_result[0][0]
                print "[Info]remove param is ", noauth_result[0][1]
                print "======================================================================================"
                print ""

Description: this file is the plugin entry file. The imported Burp interface IBurpExtender is the one every extension must implement (Burp looks for a class named BurpExtender), and IHttpListener is used to receive the content of each HTTP request and response. Note that processHttpMessage is called synchronously on the thread handling the message, so the blocking replay inside it (with a 20-second timeout) delays the proxied response; for anything beyond a demo, hand the replay to a worker thread.

Create the noauth.py file

#! -*- coding:utf-8 -*-
'''Unauthorized access PoC (GET): strip the credentials, replay the request, compare the response body'''
import requests
from furl import furl

# query parameters that usually carry a credential; each one present is removed before the replay
auth_params = ["token", "sign", "ticket"]
# replay headers: the real Cookie header is deliberately not copied, so the session is dropped too
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,mt;q=0.7,zh-TW;q=0.6",
    "Accept-Encoding": "gzip, deflate",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Cookie": "test",
}


class noauth_request(object):
    # Unauthorized access vulnerability detection
    def __init__(self, host, path, body_string):
        self.url = "http://" + host + path
        self.uri = str(furl(self.url).remove(args=True))   # URL without the query string
        self.body_string = body_string                     # body of the original (authenticated) response
        self.param = dict(furl(self.url).args)             # original query parameters
        self.remove_param = []

    def run(self):
        result_list = []
        self.remove_auth()   # remove params, example: auth, token, sign ...
        response_body, current_url = self.get_response()
        # an empty body means the replay failed (or returned nothing); it must not count as a match
        if response_body and response_body == self.body_string:
            result_list.append((current_url, self.remove_param, response_body))
        return result_list

    def remove_auth(self):
        # Delete the user authentication parameters
        for i in auth_params:
            if i in self.param:
                self.remove_param.append(i)
                self.param.pop(i)

    def get_response(self):
        # Replay the interface and return its body; if plain http fails, retry the same URL over https
        current_url = ""
        response_body = ""
        for scheme in ("http://", "https://"):
            try:
                res = requests.get(url=self.uri.replace("http://", scheme, 1), params=self.param,
                                   timeout=20, headers=headers)
            except Exception, e:
                print "[noauth_request:get_response]" + str(e)
                continue
            current_url = res.url
            response_body = res.text
            break
        return response_body, current_url

Description: this file holds the unauthorized-access detection class. The idea is simple: take the original request and response captured by Burp, strip the Cookie header and the token-style query parameters (token, sign, ticket), replay the request, and check whether the response body is unchanged. If it is, the endpoint answered without the credentials and is flagged. An exact body comparison is deliberately strict: dynamic content (timestamps, CSRF tokens) produces misses rather than false positives. A complete version would also check whether the response contains sensitive information; for the sake of the demonstration the plugin is simplified here.
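The following is an added, stand-alone model of the check described above and of the request parsing done in main.py; it is not code from the original post, and it uses only the CPython 3 standard library rather than Jython, requests and furl, so it runs offline. The raw requests, the hostname example.test and the fake_server function are constructed here purely for illustration; inside Burp the send callback would be replaced by a call through callbacks.makeHttpRequest so that the replay obeys Burp's project settings.

```python
# Constructed, stdlib-only (CPython 3) model of the unauthorized-access check.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# query parameters treated as credentials (same list as the plugin's auth_params)
AUTH_PARAMS = ("token", "sign", "ticket")
# request headers treated as credentials
AUTH_HEADERS = ("cookie", "authorization")


def parse_raw_request(raw):
    """Split a raw HTTP request (what Burp hands to an IHttpListener, decoded to str)
    into (method, target, headers, body). Header names are lower-cased so the Host
    header is found wherever it sits, instead of assuming it is the second line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def build_replay(target, headers, scheme="http"):
    """Drop credential parameters and headers; return (replay_url, replay_headers, removed)."""
    parts = urlsplit(scheme + "://" + headers["host"] + target)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in AUTH_PARAMS:
            removed.append(name)
        else:
            kept.append((name, value))
    replay_headers = {k: v for k, v in headers.items() if k not in AUTH_HEADERS}
    removed += [h for h in AUTH_HEADERS if h in headers]
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return url, replay_headers, removed


def check_noauth(raw_request, original_body, send):
    """Replay a GET without its credentials via send(url, headers) -> (status, body).
    Returns {"url", "removed"} when the stripped replay still yields the original body."""
    method, target, headers, _ = parse_raw_request(raw_request)
    if method != "GET":
        return None
    url, replay_headers, removed = build_replay(target, headers)
    if not removed:
        # nothing was stripped, so an identical response proves nothing about authentication
        return None
    status, body = send(url, replay_headers)
    # a failed replay (empty body) must not be mistaken for a match
    if status == 200 and body and body == original_body:
        return {"url": url, "removed": removed}
    return None


def fake_server(url, headers):
    """Constructed stand-in for the target: /api/profile needs a token or a session
    cookie, /api/public is reachable by anyone (a missing-auth endpoint)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/api/profile":
        if params.get("token") == "abc123" or headers.get("cookie", "").startswith("session="):
            return 200, '{"user":"alice"}'
        return 401, '{"error":"unauthorized"}'
    if parts.path == "/api/public":
        return 200, '{"items":[1,2,3]}'
    return 404, ""


# Constructed sample traffic, in the form Burp's proxy would capture it
REQ_PROFILE = ("GET /api/profile?uid=7&token=abc123 HTTP/1.1\r\nHost: example.test\r\n"
               "Cookie: session=deadbeef\r\nAccept: */*\r\n\r\n")
REQ_PUBLIC = ("GET /api/public?page=1&token=abc123 HTTP/1.1\r\nHost: example.test\r\n"
              "Cookie: session=deadbeef\r\n\r\n")
REQ_ANON = "GET /api/public?page=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for raw, body in ((REQ_PROFILE, '{"user":"alice"}'),
                      (REQ_PUBLIC, '{"items":[1,2,3]}'),
                      (REQ_ANON, '{"items":[1,2,3]}')):
        print(raw.split("\r\n")[0], "->", check_noauth(raw, body, fake_server))
```

Two behaviours matter beyond what the plugin does: a request that carried no cookie and no auth parameter is skipped, because "same response after stripping nothing" is not a finding, and a replay that fails or returns an empty body is never reported as a match.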

Add the Jython program to Burp Suite

In the Extender tab, choose Add to add an extension:

Note the marked fields in the image below:

Description: for Extension type select Python, and for Extension file select the entry file (main.py); Burp Suite picks up the local dependency noauth.py from the same directory automatically. Third-party packages such as requests and furl are not found that way: install them into the Jython environment (not CPython's) and, if needed, set "Folder for loading modules" under Extender > Options > Python Environment. For output, select the console, because this plugin has no UI of its own.

After the extension loads successfully, the following is printed to the console:

Then point the browser at the Burp proxy, turn off interception, and test the web system as usual. If the plugin finds an endpoint that can be accessed without authorization, the output looks like this:

Adding UI code

Console output is not very elegant; it is nicer to present results in a tab of the interface, like Burp's built-in features. The following is a minimal UI example:

# -*- coding:utf-8 -*-
# Import the Burp interfaces
from burp import IBurpExtender, ITab
# Import the Java Swing classes
from javax.swing import JPanel
from javax.swing import JButton


class BurpExtender(IBurpExtender, ITab):
    ''' Implements the Burp Java interfaces '''
    def registerExtenderCallbacks(self, callbacks):
        # Register the extension information
        self._cb = callbacks                 # callbacks object
        self._hp = callbacks.getHelpers()    # helper functions
        self._cb.setExtensionName('python_test_plugin')   # extension name
        print 'load python_test_plugin success!'
        self.mainPanel = JPanel()            # the panel that becomes the tab's content
        self.testBtn = JButton(u'a button', actionPerformed=self.testBtn_onClick)   # create a JButton and bind the click event
        self.mainPanel.add(self.testBtn)     # add the button to the panel
        self._cb.customizeUiComponent(self.mainPanel)   # apply Burp's look and feel
        self._cb.addSuiteTab(self)           # add ourselves as a top-level tab

    def testBtn_onClick(self, event):
        # Button click event
        print "click button"

    def getTabCaption(self):
        # Name shown on the tab
        return 'python_test_plugin'

    def getUiComponent(self):
        return self.mainPanel

Description: this is only a demo of UI development; the result looks like this:

Burp plugin development documentation

Here are a few commonly used Burp interfaces:

1. Plugin entry and helper interfaces: IBurpExtender, IBurpExtenderCallbacks, IExtensionHelpers, IExtensionStateListener
The IBurpExtender interface is the entry point of a Burp plugin. Every Burp plugin must implement it, and the implementing class must be named BurpExtender. The IBurpExtenderCallbacks interface is the link between the IBurpExtender implementation and the other Burp components (Scanner, Intruder, Spider ...) and the various message objects (HttpRequestResponse, HttpService, SessionHandlingAction). The two interfaces IExtensionHelpers and IExtensionStateListener define the helper and lifecycle-management operations available to a plugin.
2. UI-related interfaces: IContextMenuFactory, IContextMenuInvocation, ITab, ITextEditor, IMessageEditor, IMenuItemHandler
These interfaces define how a Burp plugin displays its UI and handles UI events; they are mainly used for interaction with the user.
3. Tool component interfaces
The purpose of these interfaces is easy to understand: Burp follows the well-known convention in naming its interface definitions, so from the name of an interface you can basically guess which tool component it applies to.
4. HTTP message processing interfaces: ICookie, IHttpListener, IHttpRequestResponse, IHttpRequestResponsePersisted, IHttpRequestResponseWithMarkers, IHttpService, IRequestInfo, IParameter, IResponseInfo
These interfaces revolve around the cookies, requests, responses and parameters involved in HTTP communication. They handle the data of the message headers and message bodies and are used to control HTTP message transmission.

For more information about Burp extension development, see: https://portswigger.net/burp/extender/

References

http://xdxd.love/2015/04/20/burpsuite%E6%8F%92%E4%BB%B6%E5%BC%80%E5%8F%91%E4%B9%8Bpython%E7%AF%87/

I can't write any more ~

Title: Detection of unauthorized access vulnerabilities in burpsuite plugin development

Author: nmask

Published: 2018-05-04 15:05

Last updated: 2019-07-11 16:07

Original link: https://thief.one/2018/05/04/1/en/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
