Let's Code A Burp Extension!

Hello, hello, and welcome. Let's see, got eight viewers so far, that is good. One person in chat, deebo mc, loves the music. Thank you, this was like, this is, uh, NCS releases, it's a copyright-free playlist, so hopefully no issues when I upload it to YouTube, which as you know I always try to do. So yeah, coding with staticflow, welcome.

"What extension we gonna build?" You know what, I figured we're not gonna focus on necessarily building like a good extension. What we're just gonna do is we're gonna mess around, and, because there's the key thing to extensions is generally what you do is you have an idea beforehand, right, and then you, you know, you plan it out and you code it. But to do that you still need to know exactly how to, like, the basics of coding an extension. So what we're going to cover is we're going to explain what Burp extensions are, um, and then we're just going to dive into one and, you know, we'll just make it up as we go along. We'll see what we can do, because realistically we, you know, we could do anything.

Um, but I think the main things I want to cover are how to sort of edit requests on the fly, maybe even edit responses if we want to, because I tend to find when I'm making extensions, um, at least when I'm making them for pen tests, uh, being able to edit requests, uh, or responses, um, is one of the main things I do. Um, like, so for example, uh, an extension I created recently for work: uh, the web application used like a really custom authentication, um, mechanism, which basically had to sign, it almost like signed every request, and obviously Burp can't do that, um, because it doesn't understand, you know, exactly how the signature works. Uh, so it could proxy everything fine, because obviously the application is signing everything, um, but if you tried to modify part of the request, the signature wouldn't match up. Um, and obviously when you're scanning, when you're using Intruder, uh, Burp is doing a lot of modifications. So what I ended up having to do is, I understood how
to generate the signature for the requests, so I just coded a simple extension which regenerated the signature before Burp sent it out. And so that's probably what we'll end up doing, we'll just mess around. Um, I think if we, you know, if people want to, we can start, uh, doing some GUI stuff as well, um, but, you know, I think it's important to learn the basics first, so that's what we're going to do.

Ragnarok's here, welcome Ragnarok. "Please tell me we will write extension in Python." We are not going to write our extension in Python. We may, if we're feeling good at the end, um, try and write one in Jython. Um, because effectively, I mean, so extensions, if you don't know, you can write them in three languages. Uh, you can write them in Java, which is what, uh, Burp is written in, uh, and Java is the easiest, uh, to write in, uh, in terms of Burp extensions, um, mostly because it's native, right, native to Burp. Uh, you can write them in Python. Technically it's not Python, it's Jython, um, because, uh, effectively Jython is a Java interpreter for Python, all right, so you are writing Python code, um, but you're interacting with objects the same way you wouldn't in Java. Um, so it's kind of like, uh, it's almost like an interface written in Python to the Java, um, API. Uh, and you can also write them in Ruby, which is technically JRuby, exactly the same thing.

So we're going to write in Java, I apologize, um, only because that is native. It's much easier because you can import, uh, the jar, the, with all the API extensions, and you can use autocomplete and everything. Um, you might be able to do that in Python, I'm not entirely sure. All I know is when I do write things, or extensions, in Python, which I do a lot, if I'm writing a quick extension I'll write it in Python, um, if I'm doing that I will often have, uh, Eclipse open, um, just so I can see what the API does and do autocomplete. Um, but, you know, we can have a go at that. Uh, I'm not even sure if I have Jython's, actually,
I must have Jython set up. Uh, I do, okay, I have Jython set up, so we can definitely do that.

Um, all right, so let's dive into it. What are Burp extensions? Um, well, Burp is pretty basic when it comes to functionality by default. Um, so it has all the, it has all the sort of, you know, the useful stuff, it has Intruder, has Repeater, all these lovely things, um, and you can, with like vanilla Burp, uh, do a hell of a lot of stuff. But, uh, there are extensions that make our lives easier, they add, uh, add things. So as you can see, I love my extensions, right. All of these that don't have a check mark aren't loaded right now. If they were loaded, and this is like on my regular work laptop, I'll have these all loaded, um, they, uh, effectively create so many tabs, there's like three rows of tabs, um, which isn't for everyone, but that's just how I work.

Um, so, you know, we got stuff like .NET Beautifier: by default Burp doesn't display, uh, .NET parameters very nicely, uh, .NET Beautifier sorts that out. Active Scan++ adds a load of scanner functionality. Um, Add Custom Header is useful for adding custom headers, as you might imagine. Uh, these are, you can do these based on, um, uh, other extensions, I think, let me check, where's Add Custom Header, all right, yeah, you can, based on session handling rules, so you can add extensions based on the session, which is kind of cool. Um, I won't go down these all, but these are all really cool extensions, this is like my default list. Um, so I have got a few enabled here, like Hackvertor, Taborator and Logger++, um, they're just three I usually, uh, load for these demos anyway, um, so I just haven't unloaded them. But you can do quite a lot with extensions.

So let's, uh, let's go into it. Let's do, hang on, minimize that, right. So if you go to PortSwigger, you can go through the support center documentation all the way to this Extender. This gives a load of information about Extender, um, but the main thing you want to look at is two things really, um,
this, which I'll paste the URL in the chat. Um, so this is the Javadoc for all of the, um, effectively the API we can use for the Extender, right, so this is all the classes that we can use in our extension. Some of them are required, some of them are optional, but as you can see there's a load of content. So if we for instance look down and let's go to IHttpRequestResponse, uh, you can see there's a number of different methods that we can use, um, and this kind of explains them a little bit, so this is a really useful, uh, sort of document to have on hand. Uh, the other thing, if I go back, if you go to portswigger.net/burp/extender and then scroll down, you'll find a link to that Javadoc, actually, which I didn't realize was there, that's cool, but also you'll find some sample extensions, and this is the best way to get started. Apologies, I'm just drinking my coffee. Um, so yeah, there's a few great extensions here, um, that we can get started with. So what we'll do is we'll probably just open this one, um, but we're going to code it from scratch. But if you want to play around with these, you can just copy and paste this code. Um, let me zoom in so everyone can see it, all right.

But yeah, what we're gonna do, we're gonna start from scratch. So I have Eclipse open. Um, so I have spent about an hour, and I'm not kidding, configuring Eclipse so that all the fonts are larger, but some fonts I could not, I could not find an option for it, so none of the fonts in these menus, uh, I could get to change, um, some of the dialogue fonts I couldn't get to change. Uh, I apologize, I'll explain what's going on. You'll see when I do tab complete, um, there's the suggester for what I can do, what code I can use, uh, that won't be large, um, and I can only apologize, I did google it, I don't think you can change it. Uh, so that's fun.

But we're going to start off, we're going to right-click in the Package Explorer and we're going to go New, and obviously this is going to be a Java project, right. Um, what should we call this? Let's just call it
Tiberius Burp Extension, okay. Everything is really going to be default here, so I've got the Java 14 JRE installed, so we're going to use that, we don't need to change anything here. If we click Next, this is where we need to change stuff. So currently we can define the Java build settings, so we have the source, which is fine, but what we want to do is go across to the Libraries tab, and you want to click Classpath and then click Add External JAR, and then what you want to do is you want to navigate to wherever you have your Burp Suite jar file, right. And if you don't, if you've installed Burp in Windows like I have, using the installer, you just need to go and fetch the, um, the jar file, which you can download, I think you can even download it from Burp if you go to Help, download other installers, right. So we want to select this jar file and click Open, and that's going to add the Burp Suite jar to the class path, and that's necessary so that we can use these functions, right, so we can use the API. Um, and then I think that's it, I think, yeah, uh, we just need to click Finish. It says "do you want to create a new module-info.java file", we do not.

Um, and so now we have this, uh, basic setup here. You want to go into the source, the src directory, and we're going to add a new package called burp, all lower case. Again, we don't need to create a package-info, okay. And then the only other thing we need to make, um, is this BurpExtender.java. You always need to have a BurpExtender.java file, all right. Uh, and so we're gonna go back to Eclipse, right-click again, click New, so it's like right-clicking on the burp package, uh, click New, go to Class, uh, apologize again, they're all very small, but that's basically what I was doing. We're going to create BurpExtender, don't put the .java in there, so the name is BurpExtender, everything else should be default. Uh, so if we click Finish, then we get this BurpExtender.java file, all right, um, and all it has is the package and it has public class BurpExtender.
this skin ai, thank you for the follow.

Um, okay, so we're going to go back to here. So the only other rule really is that we need to implement BurpExtender, all right, that is the only other thing we need to do. Um, so what we'll do, go back to this, implement BurpExtender, and we're gonna have to import that, so we can, oh, it's IBurpExtender, I apologize, right, that's why. So if we do that, then we get this, uh, so it's an "implements IBurpExtender". All the, uh, classes have an I in front of them, okay, so they'll start with I, should have remembered that. And then we'll get this sort of yellow light bulb with, uh, a red X, um, and if we click that it's gonna say, okay, well, you know, there's something wrong here, and in this case it's just because we're implementing this, we need to, um, use, we need to have a bunch of methods from this implemented class. So if you can't see this, and please tell me if you can see what it says, it says "Add unimplemented methods" as the first suggestion, right, there's a few other ones, um, but this one solves the problem: "Add unimplemented methods". And if I click that, double-click it, what it's going to do is it's going to add this method, registerExtenderCallbacks, okay, and this is basically the only method that we need to implement for the IBurpExtender class, okay.

All right, the other thing that is useful to have are two variables, um, callbacks and helpers. Uh, if you have these it makes things so much easier to use. So what I'm going to do, we'll go to the top of the class, I'm just going to paste that code. So I've made a private variable, the type is IBurpExtenderCallbacks and it's called callbacks, and then I've made another private variable, IExtensionHelpers, and it's called helpers, all right. So technically these are instance variables, um, but if you don't understand Java object orientation that's absolutely fine, these are just variables, okay.

All right, um, so the next thing that we want to do, if we go back and look at this code, you'll see
this is the registerExtenderCallbacks, uh, method that this, like, this example extension has, uh, implemented. What it does is it sets, um, the instance object to this, uh, the instance here of callbacks, it creates a new helpers object, and then it sets the extension name. So that's what we'll do. So as you can see, there's this callbacks variable here, which is different from this one, so what we want to do is we want to set, um, the value of this variable to this, right, or a reference really. So what I'll do is we'll do this.callbacks equals callbacks, okay. And so now we want to use the callbacks functionality, um, of this IBurpExtenderCallbacks class, we can just reference this.callbacks, and we can do this from anywhere in this class, right. So otherwise you wouldn't, uh, you wouldn't be able to do that, you'd only be able to access callbacks from this method right here. Um, so when we do this it means that even if we're down here in some random method right down here, um, we can just, uh, call this.callbacks, and that's because we're using this instance variable up here.

And the same thing with helpers, so we're going to set this.helpers equal to, um, and this is why I like coding these extensions in, um, in Eclipse, or at least some, uh, IDE, is because it understands that this.helpers is an IExtensionHelpers object, all right, it's expecting an IExtensionHelpers object. So when I type callbacks and I put the dot there, it's going to give me a list of suggestions, right, and the first one is going to be, oh, it's the getHelpers method, which returns an IExtensionHelpers object, so that's the one I want, okay. So we've done that, so now we have the helpers object, and the helpers object is really helpful, ironically. You can do a bunch of stuff with it, uh, especially, um, let's just have a look at what it has, right. So it has these analyzeRequest methods, it has analyzeResponse methods, it has Base64 decoding and encoding, you can build HTTP messages with it, um, what else
can you do, you can get request parameters, you can make scanner insertion points, there's all this stuff, URL decoding as well. Um, so it's basically a, it's a really helpful class, um, that allows us to just do a bunch of functionality.

rough and, oh, relevant rolfin, thank you for the follow.

Okay, so the only other thing we really need to do right now is, uh, register our extension, uh, actually, so we need to set the extension name, which, setExtensionName, right. So we're going to set the extension name to Tiberius, Tiberius Burp Extension, okay, and we'll save that. And I think, uh, you have to excuse me, I haven't coded a Burp extension in a while, so I think what we do need to do is add, well, maybe not, um, so let me just check over here. I think that's it, actually, so that's the basics for an extension, at least. I mean, let's try, okay. So I've saved the BurpExtender.java. Um, this warning is just saying that, uh, helpers isn't being used yet. Uh, we probably will use it at some point, uh, but that won't stop us from compiling.

Um, so what we're gonna do, we're gonna right-click on this, uh, project. nerdwood smith, thanks for the follow. So we're going to right-click on this project, again, I apologize, I tried so hard to change the, um, the font size here, if you cannot see this I'm going to tell you exactly what's happening. So if you right-click on the project name there's an Export, uh, option here, so we're going to click Export, and the JAR file one is the one we want. But, like, let's just assume that we didn't have that set: if you just type "jar", okay, you'll get two options, JAR file or Runnable JAR file, we just want a JAR file, okay. I'm gonna click Next. "Select the resources to export": we only want this Tiberius Burp Extension. Um, everything really should be default, you just need to set the JAR file location. So in this case I've set it to the same directory that Burp is in, um, but you shouldn't need to do that. I'm just going to call it tiberius.jar, okay. I think everything else should be default. I have set
"Overwrite existing files without warning", and that's only because I'm going to be recompiling this and I don't want to have to say yes, you can save over what I have. Um, so click Next, again everything is default, um, so you click through and you can click Finish. Java export finishes, warnings, see the details, yeah, compile warnings were what we expected, um, because helpers isn't being used, but that's okay. Warnings are fine, errors are bad, all right.

So we have, uh, our Burp extension compiled. So if we go back to Burp, uh, we're on the Extender tab, we're in the Extensions sub-tab, we click Add, make sure that extension type Java is selected, and then we're going to go in here and here's our extension, right, tiberius.jar. If we open it and we click Next: "extension loaded successfully, any output or error messages generated are shown below". Well, there's no output, no errors, which is great, and as you can see, right, it's loaded at the bottom of the list and there's the extension name we set, Tiberius Burp Extension, okay. And so that's loaded, right, that's loaded in, but it's not doing anything apart from displaying its own name. But we've just coded a Burp extension, all right.

Um, so the other thing that we can do which is helpful is potentially output stuff down here. If we want to output debugging things, um, then we can do that. Um, I'm used to coding these in, um, uh, environments that are used for, uh, like Linux and Mac, so generally if you're on Linux and Mac you can just do System.out, so you can write System.out.println, whatever, and then that will get printed down here. I don't think that works, um, but actually we should give it a shot. Um, so again I'm gonna select everything, and once you compile the first time you can pretty much just click Finish, it's gonna remember where the jar is, and since we have "Overwrite existing files without warning" checked, uh, everything should be fine. If you want to reload, so you can either remove it, or you can click the check mark to unload it and then click it
again to load it, or if you want to be really fancy you can hold down Control and click it once and that will unload it and then immediately reload it. And as you can see, we did that and it did not, uh, put anything down there.

So I think what we have to do, um, is use this code. Um, so if we have the, this is a PrintWriter object, um, we're calling it stdout, standard out, uh, we're creating a new PrintWriter and we're using callbacks.getStdout, right, so this is why callbacks is useful, we can get the standard output. Um, and what does true do? You know, if we just create a new PrintWriter down here we can see what options we get, uh, all right, auto flush. So I'm basically saying, so actually I don't even need this flush line, so if this is set to true it auto-flushes, which means whenever you print something it's going to flush that to the standard output, all right, and that's actually going to display. So if we save this, right-click again, Export, JAR file, Next, Finish, forget about the warnings, uh, go down to Burp and again hold down Control and click it, then we get "hello", okay.

So this is really useful for debugging. Um, so what we could do is we could create private, um, sd, or issue, private PrintWriter debug, right, and then what we can do is we can change this to just debug, okay. So what I'm going to do is I'm going to right-click, I'm going to click Refactor, Rename, and we're going to say this is going to be this.debug, okay. Um, why is that worked, uh, oh, I don't need the PrintWriter this way, all right, because, uh, debug was already defined as a PrintWriter, it was like I was trying to define it twice. Um, so now we can use this.debug, um, anywhere in the code, all right, um, as long as we're within this class, okay. Um, so let's just comment out that line, we don't want it printing hello every time.

Um, but yeah, okay, so the next question I guess is what do we actually want to code. Well, and in this case, uh, this extension is a custom logger. If we go back to this,
"this extension adds a new tab to Burp's user interface and displays a log of HTTP traffic for all Burp tools", okay. Um, so really what it's doing is it's intercepting, uh, traffic, um, and it's displaying it, so it's using this IHttpListener. So what we'll do is we'll implement this IHttpListener and see what that does. So again we go back to up here, and I don't think I can, did I type it wrong, oh, I need a comma, right, okay, cool. So I put a comma, IHttpListener, so now we're implementing two things. Again it's going to show this light bulb, and, who just followed, sam zero t sec, thank you for following. If we click that it's going to say, okay, the type BurpExtender, hang on, it's not giving me an option to fix, uh, quick fix, no, I'm not sure, let's just delete that and try again, hang on. Okay, IHttpListener, there should be like a box that pops up and tells me what it needs, like it did before, which is interesting, but it's not, usually that happens. Okay, um, so I guess you can just right-click and do Quick Fix, or you can, if it worked, um, it's down here, I did it. So I right-clicked on this, Quick Fix, and then it said, okay, "Add unimplemented methods", which is what it should do, right. Okay, um, it's like the demo bug, right, nothing ever works. Um, so yeah, usually when you click that it pops up and says, this time we just had to go down to this Problems tab at the bottom. Um, yeah, I don't know why that didn't work, uh, that's weird. Okay, uh, these errors I think are from this project, which I'm just gonna, uh, close, yeah, okay, so we're gonna ignore that now.

Um, so what happened when we implemented the HTTP listener, we had to create a new method here, process HTTP method, and this method has, uh, three parameters. It has this toolFlag, which is an integer, it has a boolean, so basically a true or false, called messageIsRequest. So obviously when you're intercepting HTTP messages they can be either request or response, and so if this boolean, if it intercepts, uh, our extension intercepts an HTTP message
um, and it's a request, then this messageIsRequest will be true, if it's a response then this will be false, okay. And then finally it's going to give us this messageInfo, which is an object, IHttpRequestResponse, okay.

So what we can do is, I'm going to delete that, I guess the easiest thing we can see is we can check, right, if messageIsRequest, then we can use this.debug to print a line, uh, "intercepted request", okay, um, else we'll use this.debug println "intercepted response", okay. So there's no compiler errors there, so we can go to Export again, select the jar, click Finish, and then if we reload this, so remember we removed the code that said hello, and now though if we go here, let's go to example.com, so this should be proxying through everything. Um, why did that not work, is it actually proxying, hmm, um, I don't see, that's an interesting one. Let me just make sure that's, I'll put the hello back in and we'll see if that's working. Yeah, so that's working, but then I reload this page, we get nothing. Why that is, oh, I know why. Um, this is why I haven't coded this in a while. So even when you implement a listener it doesn't actually run any of this code, you have to actually register the listener, so this is me, uh, clearly not understanding, uh, right. So if we go this.callbacks registerHttpListener and then we put this, and this basically, uh, is referring to this, an object of this BurpExtender, right, so basically we're kind of referring to the extension itself, okay.

And actually we should have noticed this: if you go to, you click on the extension and you go to Details, um, it will tell you what is implemented. So if we go to Logger, right, it says it's got an extension state listener, it's got an HTTP listener, a proxy listener, it's got a suite tab, um, and ours had absolutely nothing, all right. So once we've done that, uh, if we recompile, so let me take out the hello message, we recompile this and click Finish, okay, and then if we reload, okay, now you see we have an HTTP listener down
here, all right, registered. So hopefully if I reload this page, um, there we go, so it sent one, two, three requests and it intercepted three responses. And if we scroll down, that's actually because, um, this was the first request, just to example.com, and then it loaded the, uh, the favicon, or the fave icon, however you want to pronounce it, um, and then also apparently Firefox did a demo domain reliability upload as well, so it intercepted all three of those, okay. Uh, and you're gonna have to excuse me, the reason I didn't, uh, notice that earlier is, generally speaking, when I'm coding Burp extensions I'll like just copy and paste a lot, um, because as you can see coding it from scratch is kind of annoying, so I'll like have a, like a default registerExtenderCallbacks that I'll paste from other things, so that's why, uh, I forgot you need to register them, okay.

But now we have, well, we have it doing something, right. Um, so I guess what we can do if we only wanna, and go back to the start when I said what we're gonna try, so we'll play around with stuff. So let's, I tell you what we'll try is we'll try, um, extracting some headers from requests, um, and maybe adding a custom header, okay. And I understand you can do this, um, in Burp easily with the Proxy, um, you can go to Options, uh, and you can do a match and replace to create a header, uh, but that can only be done with the Proxy, right. Much harder to do it if you want to add headers, um, to like a thing that's being scanned, it's a bit difficult. Um, so let's try that. So we'll delete this code, because we don't really care about responses, so we want to only do it if a message is a request. We can take out this debug code now.

So how do we get hold of requests, right? Well, actually, you know what, it would be great if this only applied to things we sent with Repeater, okay. Uh, and how can we do that? Well, remember the toolFlag, um, that's important. So if we do this.callbacks, I believe there is, right, this.callbacks has this list of integers, and if you can't
see this I apologize, um, but it has, uh, a list of integers, TOOL_COMPARER, TOOL_DECODER, all of them, for every single, uh, default tab in Burp, right, so it even has one for TOOL_REPEATER, all right, and that integer, right, will match this integer from toolFlag if the request was sent from Repeater. So inside our if messageIsRequest we can also do, um, if this.callbacks.TOOL_REPEATER equals equals toolFlag, okay, and so everything inside here will only be actioned if the request came from the Repeater, okay.

So now we can play about with this messageInfo object, so let's just have a look and see what messageInfo, uh, has. So it has these things, getHost, which is a string, it has getPort, getProtocol, uh, getUrl. Um, so I guess what we can do is we could, actually let's just get the host, uh, and let's print it out. Oh, somehow that, uh, somehow that got rid of the messageInfo, okay. So again we're really just playing around, we're going to take it slow, we're just going to print out the host from the intercepted request, right, uh, provided that we send it in Repeater. Uh, so let's compile this jar and do that, go to Burp again, go back to Extender, uh, hold down Control and click that, and now if we reload the page we shouldn't get anything here, right, we don't. However, hopefully if we send this to Repeater and click Send, yeah, we get example.com down here, okay. So, uh, and you'll notice we don't get anything for a, uh, a response, all right, because we've taken out the code that deals with the responses, okay.

So comment out that again, we don't really care about that, but the messageInfo has a bunch of other things we can do. So we can get the request in bytes, right, uh, we can also get the response in bytes. Um, this is where the helper method, um, this will help us, because if we do analyze, um, request, all right, actually hang, um, so the analyzeRequest, it takes an HTTP service and it takes the bytes, byte array, of the request, and it returns an IRequestInfo object. So
what we need to do is we need to create an IRequestInfo object, and we'll call it request, and then we'll set this to this.helpers analyzeRequest, and the HTTP service, which is what it requires, is, you can get it from messageInfo.getHttpService, um, and then the bytes, messageInfo.getRequest, okay. And that will create, uh, I'm just gonna move this a bit, so that's gonna create an object called request. And then what does request have in it? Well, in request you can get all this lovely information, so you can get the headers, you can get the method, get parameters, get the URL, um, you can even get, uh, I think the content types. So we want to get the headers, right, um, and the headers returns a, so it returns a string list, so I believe we can do for String s in request.getHeaders, I think, then debug.println s, okay. So all we're doing is iterating over the headers and we're gonna print each one out. Uh, so we'll export that and reload holding down Control. If I send this again, uh, scroll up, right, so we got all the headers out, uh, okay.

Um, so let's say, uh, that we want to, um, hmm, what do we want to do with these headers? I think we can, uh, create headers, we have to have a look at the, um, documentation here, um, has been a while since I've done this. There is a way, sorry, so I'm just searching some other code that I've written. Okay, yeah, you can't do that, all right, I thought maybe.

Um, "wouldn't you create headers for the response?" Um, not necessarily, I mean, you can do both, we're just modifying headers for the request.

Um, so we iterated over that, um, but that was honestly just to show that we could, um, so we can delete that. Let's add a header. Um, so we can do this easily, we can do getHeaders, and remember getHeaders returns a list, so we can just add a string to this list. Um, and so let's add a header, right, X-Custom-Header, uh, Tiberius, okay. But that only adds it to the list, right, now what we need to do is build a new request object, all right, so we need to create
a new IRequest, or IRequestInfo, let's call it newRequest, and what we'll do, this.helpers, um, uh, build HTTP request, right, so we can build an HTTP request using, uh, hang on a minute, using a string, so a list of headers and the bytes of the body, okay. I actually don't think we need, um, sorry, I'm confusing myself here, let me just do this. There is a way to set headers, and I think messageInfo dot, all right, that's how you do it, setRequest, okay. Uh, right, okay, so we basically need to build, um, a byte array, uh, which is the new request that we're building, so I think build HTTP request, right, should return a byte array, okay, that's where I got confused, I thought it was returning an IExtensionHelpers object, but it's not. Um, so this will take, uh, a list of headers, so this should take the request.getHeaders, uh, getHeaders, and then this should take the, um, the byte, uh, byte array, I think, of the, um, the body, so basically the body of the request.

And to get that, that is slightly more complicated, um, I have some code that does it, I think. Uh, right, so up here what we want to get is we want to get the offset of the body, so request offset, actually body offset I guess, oh, which is request.getBodyOffset. Uh, what getBodyOffset does, it returns an integer. Um, so if we go back to here, the body starts here, right, these are all, um, headers, and then the body's down here. What the get offset will do, it will convert this to effectively, um, a list of characters, and it will say, okay, so say there's how many characters are in this, let's just say there's like 200 characters here and the body starts at 201, right, so let's say there was a body there and that started at 201, um, the offset would return 201, right. I hope that makes sense.

Um, so now if we get the string body, we can create a new string, um, from the request dot gets, um, actually not the request, sorry, the messageInfo.getRequest, dot substring, and then the beginning index, which is going to be body offset. I hope
that makes sense um so effectively what we're doing was okay we're getting the offset of the body so basically where the body starts um in the request we're creating a new string called body which gets the all the bytes of the request okay and then creates a sub string and the substring is going to basically be um starting at the body offset all the way to the end of the string so what we effectively have here is a string called body which just contains the the bytes from the body and then we should just be able to do body dot get bytes and obviously this builds an http message which is a byte array so we'll say new new request equals that and then to set it uh we have to go to message info dot set request new request okay so what should happen is uh it's going to analyze the request if it comes from repeater it's going to add a custom header it's going to rebuild the request and then set that request before it gets sent okay so all this happens before the request gets sent um so hopefully this is going to work this is the trouble with coding stuff live let's finish that the other thing we'll need to do currently my extension is loaded last in the list which means effectively all other extensions get to process things before mine does what we want to do is we want to move it up at least so that logger um displays everything because what logger should do then is catch the extension it should enter this way you should intercept the request after i've modified it so let's just hope that works uh i'm gonna control reload that um so let's send it we got a bad oh hang on let's send it again let's go down to this one um did it send did not ah why did that not work did we get any error messages we didn't um i honestly wonder let's let's just uh honestly wonder if it didn't actually add it to the request headers uh so debug dot uh print line yes i guess we could do as well is do a debug print line um and create a new string out of this new request hey anxiety one d yeah 
we're we're um we're trying to write burp extensions on the fly without any real practice and me having not coded one in months um so as you can imagine it's going is this being fun uh right let's try reloading it and see now we have some debugging this is why debugging is great okay so let's um send this go to extender all right um okay so it's not actually adding it so i think i think my mistake was assuming that this add changed the value of get headers which it didn't um that's okay though so what we can do is we can just create a new list called new headers okay and we will uh then add the custom header um to new headers i think that's i have to import something uh let me find out what type it is this string i think it's you java.util oops i'm pretty sure it's java.util we need to use all right cool so now we can do we can replace that with new headers to make sure and also replace this when we're building the http message replacement new headers all right so i think i think honestly this should work now i think my main issue was assuming that the um the get headers function returned uh an object which was mutable and it wasn't that's on me okay let's refresh that click send go down okay here we go so you can see right scroll up we've added the x custom header tiberius and and the the request itself has that so if we go to logger there we go it's there okay did everyone understand that are there any questions so far thankfully 1d says wouldn't you need to extend the class holding get headers and write your own method in that case um so yeah i i think i just honestly i haven't coded in java for so long i forgot how objects worked um but yeah effectively yeah get headers builds a list and returns that it doesn't use that list as like an instance variable or anything so that was on me you sh um but again this is why we debug stuff uh this is no no way like uh an expert tutorial in in building extensions this is trial and error all right um let's comment out all this 
lovely debug information um because we don't need that anymore so i guess what we could do let's say that instead of um this x custom header right um what we needed to do was uh take take the request url and uh a known password right and somehow generate an authentic authentication token using that all right so how do we get the url let's see let's see what message info has message info has a get url object which we can get the path and we can get the query from okay so that's probably in uh useful information so let's let's get the path from that and let's get the query okay um and you know what let's let's print those out and see what that looks like so we'll we'll print out path and we'll concatenate it with just you know what's concatenated with the question mark because that's how it's done um because we want to debug we want to see what happens does query return anything when there's no query does it return like a null or something so let's do this again we'll export finish reload the extension by holding down control um so currently there's no there there is a path which is just forward slash but there's no query okay um and so yeah we do get a null so that's important um we basically want to ensure that if there's no um query we don't have a query uh reflected back so that's useful no there should always be a path um because uh http spec should not just allow you to do that for instance um yeah in this case it thinks that http 1.1 is the path um so that's okay uh i forgot to ask what functionality are we trying to create we are not trying to create any kind of functionality we are just coding a burp extension as we go um just to show exactly what steps you need to do um so that's why there's a lot of debugging um i had the basic idea of you know just modifying a request um which i think is useful uh so that's what we're gonna do we're probably gonna at some point also create a new tab and maybe show how you can how you can modify things like that but uh for 
the moment this is a simple uh extension that's just gonna extract path query information and do a few things to them so what we want to do is after this we want to check if query is equal to null then we need to set query equal to just empty string really okay and that's gonna say save that uh um uh error gang uh place them okay um then okay so now what we'll do is we'll do the string i guess uh your url oh not really the url it's kind of a uri uh we'll set that to nothing and then we'll build it here so if the query is null we just want url to uri to be equal to the path um otherwise we want it to be equal to the path plus question mark plus the query okay um and so now if we do if we just output the your uri i'll be yuri or however you want to pronounce it um so let's send just that we get that if we have a query i guess no query we get no queries perfect and if we have test equals test we get test equals test perfect uh okay so let's say we want to [Music] create fury that'll get bytes let's add some of this content back so we're going to import message digest and we're going to import standard char sets and this is probably going to get me surrounded to try catch and we need to initialize the variable okay so let's see what encoded hash prints out finish um and go back to extender okay we got that um so that's a byte object though isn't it so we actually probably need to create a new string from that let's see okay and send lovely um i guess what we could just we just base64 encoder you know um so what we're going to do we're going to say we're going to append our secret password all right secret password who just followed christy thank you for the follow um and here again we're gonna we're gonna append our secret password um and then what we're going to do is we're going to create a new string auth token equals and then we're going to use the helpers object to base64 encode our encoded hash all right and so now if we output our string oops if we output our 
auth token export reload this and send it again so now we get this lovely base64 object and if we send it again we get the same thing if we change this test equals i don't know all of that we get a completely different object okay so now we can say okay let's custom header um and we'll append auth token all right and let's re-oops reload it and send again and get a logger we get this x custom header so the idea here being if if there is some kind of app and it doesn't even have to be a web app right as long as it's sending http requests if it's using some kind of custom authentication method that is based on signing the request with a key right like looking at the body if it has a body and it signs the body and then puts a custom authentication header in this is how you can code burp um to automatically do that now remember we've we've limited it to the repeater tool but you know if we took out this and allowed it to run against any tool in burp then you could do intruder attacks you know you could use the scanner you could do pretty much anything does that make sense to everyone awesome all right so let's let's do something slightly uh i guess difficult let's uh i'm just having to review some of the code i already wrote um what we'll do is we're going to implement an ITab add unimplemented methods okay um and obviously we need to register it register tab i guess um oh actually i don't think we need to we don't need to register a tab that's one of the things we don't need to do okay but what we do need to do is uh create utilities invoke later a new runnable that should i believe uh so i'm just running down i think now oh callbacks uh add suite tab that's the one extended of this i think this is all we need to do um and if we add the tab caption uh let's just put test so what i did there was this should create a new tab in burp called test um this weird code i put up here is where we're gonna put all the code like it like builds uh everything in the tab uh 
let's just double check it works though uh so if we reload it oh errors here we go component cannot be null all right that makes sense um i need to create a um a ui component so give me two minutes uh let's go to our code up here um we'll need to create a private jpanel panel and let's do panel equals new jpanel uh we'll probably actually need to load what type of panel uh there we go import that um okay that should be fine and then if we get on here i think that should load it um and then the only other thing we need to do is callbacks dot customize ui component panel so i mean this is all going kind of confusing uh if you go back to one of the examples um where are they so this uses an ITab here and you can see this is basically the same thing right so uh you can basically just copy this and understand kind of what's going on um but let's compile that and see what happens there we go there it is up there okay so we've created a new tab in burp um which just called test and you know right now it doesn't do anything but we can start uh we can start doing stuff um so one of the things that obviously we might want to do currently right we have this secret password um which is static right so it's coded statically um so what we might want to do is create um a a dialogue maybe or the ability to set a password right um so what we can do is just give me a second so i think what we need to do we need to add a new uh so private string password uh um we'll initialize it to that and then we can create a uh not a j label but hey forget the name of the actual um the actual thing we need to create a text box yeah is it just j text box oh is it j text field it might be j text field you know let's just try j text field um password field equals new j text field um yeah i think that does it okay um now we need to actually add it to our this is where it gets complicated um adding text fields is kind of complicated um but i think um we should be able so i'm going to use a group 
layout layout equals new group layout on the panel um panel dot set layout to layout so this is kind of complicated and it's going to get kind of complicated um doing graphic design like gui design in java is kind of difficult um this is definitely not the easiest way to do it however it's the most powerful way but effectively what group layout does is you describe the layout horizontally and then you describe it vertically and java sort of magically puts it together so you'll see what i mean gonna oops where's why is that not auto completing add component password field um and then i think that's everything so for the vertical group um and i can find a positive field okay [Music] that's done i i mean let's just try let's just see what happens i have not coded um java guis in a while uh so we'll do that test yeah it didn't do anything all right there is something i missed here um i'm just scrolling back through code that i wrote like years ago um because there is definitely a way of doing this um i think i need to be there is a way to like force it i think um yeah i might just set the visibility [Music] maybe visible i'm just trying to find let's try that and see there's no errors right unless it's oh i know what it's there it's it's the entire thing all right no no we can do this this is fine this is okay it was always there um what i need to do is hang on it is just a little too big all right here we go so password field dot set maximum size new dimension um should be integer.max value and then the uh password field dot get preferred size dot height and then password field set minimum size new dimension 300 and then password field dot get preferred preferred psi that's not preferred size a little high again i mean let's just try that i think that's the code um we'll see oh there it is okay so we made it like quite big right um we can we can change that we can set an integer here so maybe we just always want to be 300 width um um so let's do that and extender 
test yeah there we go all right so now we want to do gonna add a label um so up here we'll add a j label uh let's just do password field label equals new jlabel and the j label is gonna be password right over the code uh uh i need to import uh is j label wrong oh huh i got j label equals [Music] um okay so i think the j label should be fine that should default to a good size um all right now we just need to add it so [Music] um if we think about horizontally right we should just be able to add actually add a new component component um password field label to there because you think about a horizontal group that's sequential means um these two will be right next to each other one after the other um setting a vertical group uh is a little different so we don't want them to be sequential so instead we want them to be on the same line so we're going to add um i'm going to create so add a group and it's going to be layout dot create parallel group right and we're going to add that and add this before it if i remember how this works this should just work um all right my extender perfect okay um so what i did there if you don't understand so like i said the layout group layout um is really powerful because you define the layout twice um so we define it horizontally so if you set a horizontal group you need to have like a main group in here and the main group should always be sequential sequential means one after the other right so if you're looking at this layout horizontally um what happens well first there's going to be a password field label and then to the right of it there's going to be a password field okay so that's that works that's easy one now for setting a vertical group if you think about looking at it vertically well if you go um if you go down you're hitting both the password text field and this uh sorry both the label and the password field at the same time so they need to be grouped together and so that's what this parallel group is they're parallel because 
when you're looking at it from a vertical point these are parallel to each other okay so um you honestly play around with it it makes so much more sense if you just mess around um but yeah uh it's a super powerful layout it's actually what um if you go into an ide that has like a draggable layout thing uh it's what that uses i believe mostly um and uh it's just really really nice uh so yeah uh but let's add a button because we want the button to um be able to set that password right so we'll do a j button password button equals new j button um i think we can add i can update whoops all right me too import j button so let's put the button below everything all right um and so what we're going to do is when we're looking from this left to right the um the past the so these two things are going to be parallel with the button all right um so what we'll do is after this sequential group we'll do an add group layout dot uh create parallel group and we'll take that out within this parallel group we're gonna have like firstly we're gonna have um a new group which is sequential and that is going to contain these two all right and then after that we're gonna have components oh what have i done i didn't do a component okay add component we're gonna have the password button okay um and in this group um so vertically we already have this sequential group which has a parallel group here so after this group is done we can just add a component password button i think um honestly this is a lot of trial and error but you end up with really beautiful looking layouts if you do it right perfect there you go it worked uh well it will always align it to the left [Music] um i'm not sure you can actually now you can align it hang on uh so if we're doing it horizontally we can add a group layout dot alignment dot uh trailing i think i think that will do it if it doesn't there's other ways other things we can do but this might work yeah there we go um but yeah you can you can get some really 
nice layouts using this um it just takes a lot of code because effectively you're describing you're describing the layout twice um but yeah it's uh it's really nice i definitely recommend using this okay so we have uh our button um uh and now we wanna do is add an action to our button so password button add action listener new action listener all right so this will get triggered when our button's clicked um and so what i think we need to do actually is is make this password field um accessible to everything uh so what we'll do up here is we'll do private uh password field and then we can just take this do this.password field uh actually i should probably rewrite all this refactor and so that will update everything uh oh okay hang on right because we're in a runnable ah that's that's annoying there definitely should be a way um what if just password field will that work oh right yeah that might work um okay perfect all right that worked um i'm not sure if this works either okay that doesn't work all right so that's fine um and so now we should just be able to set the um the password the string password equal to password field field dot uh get text i think um can we access debug we can so let's print line the password as well so so let's set the password to default um and then we'll see what happens uh actually i guess what we can do is here we can replace this secret password with password export finish reload okay um so let's send let's just send a get request and we get that and if we send it again we'll get the same thing so now what happens if we just type password and click update did anything break right okay so output password now for resend we get a different thing yes okay it worked all right um so that's like this really quick uh and dirty sort of gui um other things you could do you could get it so that you know it stores this somewhere in a database um and loads it when you reload the extension you know it'll still persist it right pre-fill the password 
field so you can do that easily actually so up here when we define our password field here we can do password field dot uh set value i think or i think so i said text that's the one set text to password it already guessed it was password that's nice um so now if we reload oh and compile reload and reload it and go to tests there we go it's default so yeah um that's in a roundabout way is how you can create burp extensions and kind of trial and error we got layout working um i have not coded a layout in java in so long um but uh are there any questions uh see we've got a few people in the chat uh i wang thanks for all the recon yeah no problem uh should line 28 be an error maybe it was at some point um it's fine now oh i think that's what i missed jtextfield right so i mean really that's all i had planned for this stream was to get get some basic functionality coded and and do that well what you can see if you go back to this page um you know there's there's a bunch of custom code here um like uh like examples um so uh life yeah like i said at the start what i've found is that if you intercept requests a lot you can do you can do so much um but like for instance custom scanner checks for fun if you have access to the scanner um because you can do you can create passive scan checks you can create active scan checks um so you know if you if you want to create your own um scanner checks for things you can do that uh intruder payloads so in intruder there's an option um extension generated and it'll like one or one come up here you can create a generator uh for extension payloads i've never done that um but it looks like in this case like you know they're just defining an array um so it's a really simple thing but yeah i definitely encourage people to play around with it um but uh and then create burp extensions it's uh it's a lot of fun hopefully the stream helped um but yeah i i know at the start of the stream i said maybe we'd look at python but i think the stream 
went on for quite a while so um i probably need to be getting some dinner so there's no other questions maybe we'll do jython or python another day all right taking there's no other questions from the chat um but yeah thank you very much for watching uh some information on the screen how to subscribe or follow me on various social media platforms um tomorrow i think we'll be doing uh portswigger web academy again um at least that's the plan and then friday i want to do some more tryhackme so we'll try and round the week off with some of that but yeah thank you very much for watching everyone
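The request-signing flow built up during the stream (a Repeater-only HTTP listener that hashes path, query and password, Base64-encodes the result and sends it in X-Custom-Header), written out as an added example; this is not the streamer's code. It uses the legacy Burp Extender API, and the SHA-256 algorithm, the UTF-8 encoding, the extension name and the removal of a stale header are assumptions, since the captions do not name them.

```java
package burp;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (legacy Extender API); class layout and names are illustrative.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private IExtensionHelpers helpers;
    // The stream initialises the password to "default" and later edits it from a tab.
    private volatile String password = "default";

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Request signer (example)"); // assumed name
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only touch outgoing requests from Repeater, as in the stream.
        if (!messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_REPEATER) {
            return;
        }
        // Analysing the IHttpRequestResponse (not just the bytes) makes getUrl() available.
        IRequestInfo request = helpers.analyzeRequest(messageInfo);
        byte[] raw = messageInfo.getRequest();
        // Slice the body as bytes from the body offset to the end; this avoids the
        // String round-trip used on stream, which can alter binary bodies.
        byte[] body = Arrays.copyOfRange(raw, request.getBodyOffset(), raw.length);

        // Work on our own copy of the header list, as the stream ends up doing.
        List<String> newHeaders = new ArrayList<>(request.getHeaders());
        // Assumption: drop a token left over from a previously signed request.
        newHeaders.removeIf(h -> h.toLowerCase().startsWith("x-custom-header:"));
        URL url = request.getUrl();
        newHeaders.add("X-Custom-Header: " + authToken(url.getPath(), url.getQuery()));

        // Rebuild the request and set it before Burp sends it.
        messageInfo.setRequest(helpers.buildHttpMessage(newHeaders, body));
    }

    // Token = Base64(hash(uri + password)); getQuery() is null when there is no query.
    String authToken(String path, String query) {
        String uri = (query == null) ? path : path + "?" + query;
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256"); // assumed algorithm
            byte[] hash = digest.digest((uri + password).getBytes(StandardCharsets.UTF_8));
            return helpers.base64Encode(hash);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Removing the `toolFlag` check applies the same signing to every Burp tool, which is the change the stream describes for Intruder and Scanner traffic.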
Info
Channel: Tib3rius
Views: 6,493
Id: IdM4Sc7WVGU
Length: 99min 8sec (5948 seconds)
Published: Sun Jan 24 2021