Looking for our research? We've moved it to a dedicated page

[MoBP] Burp Extender extended

Dafydd Stuttard | 25 November 2008 at 07:12 UTC
MoBP burp extender burp

Burp Extender is an interface which allows third-party code to extend Burp's functionality. As it currently stands, the interface is fairly basic, but several people have used it to do cool stuff. I would like to see this interface get a lot more sophisticated, and the new release sees a step in this direction.

The IBurpExtender interface now has a new method:

public void registerExtenderCallbacks
(burp.IBurpExtenderCallbacks callbacks);

This is invoked on startup, and passes to implementations an instance of the new IBurpExtenderCallbacks interface, which provides methods that may be used by the implementation to perform various actions. The IBurpExtenderCallbacks interface currently looks like this, but it may change slightly before release:

package burp;

public interface IBurpExtenderCallbacks
{
public byte[] makeHttpRequest(
String host,
int port,
boolean useHttps,
byte[] request) throws Exception;

public void sendToRepeater(
String host,
int port,
boolean useHttps,
byte[] request,
String tabCaption) throws Exception;

public void sendToIntruder(
String host,
int port,
boolean useHttps,
byte[] request) throws Exception;

public void sendToSpider(
java.net.URL url) throws Exception;

public void doActiveScan(
String host,
int port,
boolean useHttps,
byte[] request) throws Exception;

public void doPassiveScan(
String host,
int port,
boolean useHttps,
byte[] request,
byte[] response) throws Exception;

public void issueAlert(String message);
}

As you can see, the new methods enable you to pro-actively interface with several of the Burp tools. Note that the new way of making HTTP requests replaces the old, rather clunky method, so anyone who has used the old method will need to tweak their code a little.

The next phase of development for Burp Extender will see several new ways in which Burp can call out to your code, to enable custom implementations of key tasks. Unfortunately, these are unlikely to make an appearance in the forthcoming release, but they are on the list for the future:

If anyone has further suggestions for extensibility, do let me know.