Monday, December 14, 2009

MilkSwigger

MilkSwigger and PortSwigger

This little chap showed up a couple of weeks ago, somewhat earlier than expected. Needless to say, this event has thrown my meticulous plans for the final release of Burp v1.3 into disarray.

Many thanks to everyone who has emailed with bugs and suggestions from the beta release, and apologies for the lack of responses. Normal service will be resumed in January.

Monday, November 30, 2009

[V13P] Pro beta version now available

A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks' time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here?

As always, any help flushing out bugs will be much appreciated. Please email these directly, so that I can easily get back to you for more details if required.

The final edition will be released just as soon as we are happy with it, but the beta release is highly stable and suitable for day-to-day working right away. Have fun!

Sunday, November 29, 2009

[V13P] Other bits and pieces

I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to:

  • The tables in the site map and search results now include a timestamp column. Sorting the results on this column lets you easily see when new items are added. This is handy when you are running spidering or content discovery exercises, or when performing dynamic searches, all of which add new entries to these tables periodically.

  • The background autosave feature now optionally performs a final autosave on exit, so that you will always have a current snapshot of your work provided Burp closes down gracefully.

  • Repeater now shows a response timer in milliseconds, which can help you verify time-delay-based tests for code injection bugs.

  • Scope rules can be individually toggled on and off, so you can easily switch between different targets which you have configured.

  • Scanner and Spider now support request throttling with optional random variations, to help you avoid overwhelming flimsy applications, and avoid alerting pattern-based intrusion detection systems.

Apologies to the many people whose requests haven't been met on this occasion - there will be further development efforts fairly early in 2010.

Friday, November 27, 2009

[V13P] Target analyser

For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

To access this feature, you select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this:

And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.

A couple of caveats should be noted. Firstly, this function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. Secondly, URLs are deemed to be "static" if they do not take any parameters in the URL or message body; however, the responses from these URLs may still be dynamically generated by the application.

Thursday, November 26, 2009

[V13P] Exporting of request information

In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. For example:

If you have annotated any of the exported items, your comments will also be included within the XML.

You can access this feature via the context menu anywhere in Burp that you see requests and responses, and you can include individual items or multiple selections. The raw data and analysis captured within Burp is thereby available for any external tools that can process the XML export.

Wednesday, November 25, 2009

[V13P] Manual testing simulator

This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release, lazy Pro users can make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way. But if you think that someone might be reviewing the application's logs to confirm that you are working, you can use this feature while you nip out for a long lunch, gym session, drinking binge, or whatever happens to be your preferred diversion.

Regarding the obvious feature request, for you to be able to configure your day-rate, and have Burp calculate how much the simulation has cost your client; no, I don't think that would be appropriate, do you?

[V13P] Laser-guided scanning

To my great pride, nearly everyone who has tried out Burp Scanner absolutely loves it. But people still helpfully come back with tons of feature requests for it.

One of the biggest complaints is the relatively crude way in which Burp lets you send items for active scanning from the site map. For example, when you have mapped out all of the content and functionality within your target application, you can select the relevant host (or branch within the host), and choose "actively scan selected items" from the context menu. Currently, when you do this, Burp will perform an active scan on every single item within this selection, which often is not quite what you want: your selection may include multiple superfluous submissions to the same form handlers, items you have scanned already, items with irrelevant file extensions or MIME types, and specific items which you have excluded from the target scope, such as logout or administrative functions. Currently, the only workarounds for this limitation are to go through the site map individually selecting the specific items which you do actually want to scan, or to send everything for scanning and then cancel the irrelevant items within the scan queue. Neither option is painless.

The new release gives you much easier and fine-grained control over what gets scanned in this situation. Any time you select multiple items for active scanning, Burp launches a brief wizard which lets you fine-tune your selection. The first screen of the wizard offers you various intuitive filters to remove potentially unnecessary items (duplicates, already scanned items, media content, etc.), and shows you how many items will be affected by each filter:

The second screen of the wizard shows you a list of the remaining items, and lets you sort the table by various relevant properties, view the full requests and responses, and delete individual items:

The wizard then completes and the selected items are sent for scanning in the usual way.

Hopefully this feature will let you make much more effective use of Burp's scanning capabilities, avoid filling the scan queue with junk, and find more bugs more quickly than before.

Tuesday, November 24, 2009

[V13P] New display filters

The display filters used in the proxy history and site map are now more powerful, and allow you to filter on:

  • Simple and regex search terms (Pro version only) - this is often handier than using the suite-wide search function.

  • File extension - this supplements the MIME type filter, and is useful for unusual content types, and when HTTP 304 responses do not contain any content.

  • Annotations made by the user.

The new filter configuration panel looks like this:

[V13P] Scripts and comments search

Pro users can now search part or all of the site map for scripts and comments. This feature is accessed by selecting relevant branches within the site map, and using the context menu.

The search results window shows responses from all Burp tools containing either scripts or comments. Selecting an individual item shows the full request and response in a preview pane, with relevant items automatically highlighted, and also extracted into their own tab:

You can use the "export" button to save all of the scripts or comments to file or to the clipboard, optionally consolidating duplicated items. I know a lot of people have been grepping Burp's log files to get this kind of information. Hopefully the new feature will make this task a lot easier.

Monday, November 23, 2009

[V13P] Content discovery

Burp now includes a content discovery function, similar in concept to OWASP's DirBuster. You can access this feature by selecting a request or URL anywhere within Burp, and using the context menu to start content discovery.

Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application. The feature is highly configurable, as shown by the available options which are explained below:

Target - These options control which directory to begin discovery from. Only items within this path and its subdirectories will be requested during the session. You can choose to discover files or directories or both, and how deep to recurse into discovered subdirectories.

Test case generation - These options control which file and directory names Burp will use when making requests to discover content. As well as built-in lists, Burp can harvest names used elsewhere within an application, and retry them at other locations, and can construct names based on discovered items, for example by cycling values in filenames containing numbers.

File extensions - You can specify a list of file extensions with which to test each possible filename. Burp can harvest file extensions observed in use within the application, and test these with every filename. When a file has been confirmed, Burp can also try a specific list of variant extensions with that filename, for example to check for old or backup versions of the same file.

Discovery engine - You can control how many threads are used for content discovery and spidering, whether file names are handled case sensitively, and how the discovery session interacts with Burp's main site map (in the target tab of the suite).

When you have configured your discovery session, you can start it from the control tab, which also provides runtime information about the actions being performed. The work is divided into numerous discrete tasks, which are prioritised according to their likelihood of quickly discovering new content, and new tasks are generated recursively as content is confirmed:

The discovery session employs its own site map, showing all of the content which has been discovered within the defined scope. If you have configured Burp to do so, newly discovered items will also be added to Burp's main site map.

Sunday, November 22, 2009

[V13P] SSL pain relief

In v1.2.11, Burp introduced a new method of generating the server SSL certificates which are presented to your browser when you connect via Burp Proxy. This involved creating a root CA certificate (per user), which you can install into your browser, and using this to sign each host certificate, thus enabling you to eliminate SSL certificate errors. Read more here.

Unfortunately, in v3.5 Firefox changed the way it handles root CA certificates, which stopped Burp's root CA certificate from working. This problem has now been fixed, and Firefox should accept Burp's certificates again:

Note that if you have previously installed Burp's CA certificate into any of your browsers, you may need to remove this before you can install the new root certificate, as described here.

Another occasional source of SSL pain happens when Burp fails to negotiate connections using the combination of protocols offered by the destination web server. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp now lets you specify which protocols should be offered to servers during SSL negotiations:

Note that Burp already implements a few workarounds for SSL issues, and if a negotiation fails with the protocols you have configured, Burp will still try some alternative combinations of protocols which often work. So you shouldn't use this new feature as a method of testing which protocols are actually supported by the server. People often ask if Burp can perform these checks, but Java is a bit too far removed from the SSL action for this to be done reliably, so you are better off sticking to a dedicated tool for investigating server SSL configurations.

Saturday, November 21, 2009

[V13P] Upstream proxy rules

If I had a beer for every time someone has requested this feature, I'd have been way too wasted to implement it.

Burp already supports upstream web proxies, but only as a global configuration which affects all outgoing traffic. In the new release, Burp allows you to configure rules specifying different proxy settings for different (ranges of) destination hosts.

The following configuration will make Burp talk directly to staging.intranet.corp.com, use an internal proxy server without authentication for everything else on *.intranet.corp.com, and use an authenticated gateway web proxy for everything else, including the public internet:

You can use standard wildcards in the destination host specification. Rules are applied in sequence, and the first rule which matches the web server you are communicating with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections.
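As an added illustration, not Burp's own code, the following Java models the first-match rule evaluation described above using the three rules from that configuration; the two proxy addresses are made-up placeholders.

```java
// Added illustration of ordered, first-match proxy rules with wildcard host
// patterns: '*' matches any run of characters, '?' a single character, and
// matching is case-insensitive because DNS names are. Not Burp's code.
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class UpstreamProxyRules {

    static final class Rule {
        final Pattern hostPattern;
        final String proxy; // null means "connect directly, no proxy"

        Rule(String hostGlob, String proxy) {
            this.hostPattern = Pattern.compile(globToRegex(hostGlob), Pattern.CASE_INSENSITIVE);
            this.proxy = proxy;
        }
    }

    // Escape every character except the two wildcards, and anchor the pattern
    // so that "*.intranet.corp.com" cannot match "intranet.corp.com.evil.example".
    static String globToRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (char c : glob.toCharArray()) {
            switch (c) {
                case '*': sb.append(".*"); break;
                case '?': sb.append('.'); break;
                default:  sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return sb.append('$').toString();
    }

    // Rules are tried in sequence; the first match wins; no match means direct.
    static String proxyFor(List<Rule> rules, String destinationHost) {
        for (Rule r : rules) {
            if (r.hostPattern.matcher(destinationHost).matches()) {
                return r.proxy;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Rule> rules = Arrays.asList(
            new Rule("staging.intranet.corp.com", null),                       // direct
            new Rule("*.intranet.corp.com", "proxy.intranet.corp.com:8080"),   // placeholder address
            new Rule("*", "gateway.corp.com:3128 (authenticated)"));           // placeholder address
        String[] hosts = {"staging.intranet.corp.com", "wiki.intranet.corp.com", "www.example.org"};
        for (String host : hosts) {
            String p = proxyFor(rules, host);
            System.out.println(host + " -> " + (p == null ? "direct" : p));
        }
        // Order matters: put the wildcard rule first and staging is proxied too.
        List<Rule> reordered = Arrays.asList(rules.get(1), rules.get(0), rules.get(2));
        String p = proxyFor(reordered, "staging.intranet.corp.com");
        System.out.println("reordered: staging.intranet.corp.com -> " + (p == null ? "direct" : p));
    }
}
```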

Friday, November 20, 2009

[V13P] Request annotation

You can now add comments and coloured highlights to items in the site map and proxy history:

You can highlight individual items using a drop-down menu on the left-most table column:

And you can comment individual items in-place by double-clicking and editing the table cell:

Alternatively, if you want to annotate several items at once, you select the relevant items and use the context menu to add comments or apply highlights:

When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later.

[V13P] Improved search

The suite-wide search function has had a revamp, with a number of useful features added:

  • regex mode;

  • optional restriction to target scope;

  • optional dynamic updating of existing search results as new requests are made;

  • ability to search selected hosts/branches within the site map, via the site map context menu.

Here's an example of using a regex search term with dynamic updating, to monitor all responses containing HTML comments as they are received from the server:

The searchable text viewer/editor used throughout Burp also now supports regex and case sensitive searches. These features are accessed via a new pop-up panel at the left of the search bar:

When you are viewing items found in a suite-wide search, the relevant options which you used in that search are automatically copied to the text viewer, so that the correct items are highlighted.

Burp Suite v1.3 preview

Work on the next release of Burp is inching forwards, and over the next two weeks I'll be posting regularly with previews of some of the cool new features to look forward to. Then I'll release a beta version for Pro users to play with. Everyone with a current license will receive an automatic upgrade to v1.3.

Many thanks to everyone who has submitted feature requests. A lot of these have been implemented in v1.3, though many will need to wait for next time. Hopefully I've pleased more people than I've disappointed.

Monday, November 2, 2009

Burp Suite - feature requests please

It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.

The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new features of its own.

At this stage, it would be good to hear about any requests for new features that people have. Even if you've asked for them before, on several occasions, remind me again and I'll do my best to include them. You can email me or leave requests in the comments. Thanks!

*2009, hopefully.

If politicians were HTTP status codes

  • 401 Not Authorized - George W. Bush

  • 416 Not Satisfiable - Bill Clinton

  • 417 Expectation Failed - Barack Obama

  • 302 Found - Saddam Hussein

  • 404 Not Found - Osama Bin Laden

  • 410 Gone - John F Kennedy

  • 500 Internal Error - Donald Rumsfeld

  • 415 Unsupported Media Type - Tony Blair

  • 203 Non-Authoritative Information - Sarah Palin

  • 306 Unused - Al Gore

  • 408 Timeout - John McCain

  • 303 See Other - Nicolas Sarkozy

  • 100 Continue - Vladimir Putin

  • 405 Method Not Allowed - Richard Nixon

  • 402 Payment Required - Silvio Berlusconi

  • 413 Too Large - Helmut Kohl

  • 414 Too Long - Fidel Castro

  • 411 Length Required - Cristina Fernández de Kirchner

  • 300 Multiple Choices - Lech & Jaroslaw Kaczynski

  • 403 Forbidden - Geert Wilders

  • 409 Conflict - Adolf Hitler

  • 406 Not Acceptable - Muammar Gaddafi

  • 503 Service Unavailable - Kim Jong Il

GIAC paper on Burp Intruder

Karl Dawson has written a nice paper about using Burp Intruder for discovering login credentials, and how you can use various tricks to reveal other useful information and anomalies, as well as actually guessing valid passwords. Download it here.

Saturday, April 11, 2009

New release notes feed

I've been releasing updates to the Pro version of Burp pretty frequently recently. Some of these are fairly minor so you won't always see alerts that a new version is available. To help people who do want to follow the latest updates, you can now subscribe to a listing of release notes.

The latest update gives Burp a new editor for raw HTTP messages, which can handle much larger messages efficiently, supports undo/redo of edits, decodes encoded content in mouse-over popups, and auto-colourises request parameters and response syntax. Here's a preview for people who don't yet have it:

As well as being prettier, it's much nicer to work with, and helps you spot interesting data more easily. It even works on Macs too, if you're into that kind of thing. Hope you enjoy.

Friday, April 10, 2009

Intercepting thick client communications

I've written before about how Burp's invisible proxying mode can help you intercept requests from non-proxy-aware thick clients. Burp Suite Pro now contains a new feature which makes this task even easier.

If you are using a thick client component which cannot be configured to use a proxy, you can force it to talk to Burp Proxy instead of the actual destination host by performing the following steps:
  1. Modify your operating system hosts file to resolve the relevant destination hostnames to your loopback address (127.0.0.1), for example:

    127.0.0.1 www.example.org
    127.0.0.1 secure.example.org
  2. For each destination port used by the application (typically 80 and 443), start a proxy listener on this port of your loopback interface, and configure the listener to support invisible proxying.
With this set-up, the thick client will talk directly to Burp Proxy, thinking it is talking to the destination application, and Burp will accept and process the non-proxy-style requests it receives. When Burp processes these requests, it determines which actual destination host to forward them to based on the Host header in the requests. And this can lead to a problem if you have modified your hosts file as described above: Burp will resolve the hostnames to your loopback address, and will forward them back to itself, creating an infinite loop.

Previously, you could work around this problem by getting Burp to rewrite the Host header, or by using multiple machines with different DNS configurations for your testing. Now, things are much easier, because you can configure hostname resolution within Burp, to override the resolution provided by your operating system:

With this configuration, Burp will redirect outbound requests to the correct destination IP addresses, based on the Host header within each request. All being well, you should be able to intercept and forward traffic to multiple external domains, despite the thick client not itself supporting proxy connections.

One further complication may arise if your client does not include a Host header in its requests. If you are only dealing with one destination host, this is easily resolved: you can configure your proxy listener to redirect all traffic to a specific IP address. If you are dealing with multiple destination hosts, things get trickier again. You may be able to use Burp Extender to figure out the host based on the URL or other features of the request, and insert the correct Host header. Or you may be left with running Burp on multiple machines, and using your hosts file to redirect traffic for each destination host to a different intercepting machine.

Thursday, April 9, 2009

Burp problems after Windows update

If you use Windows, you may have encountered a problem following March's security update, in that Burp Proxy listeners running on the loopback interface stopped working. This was caused by Microsoft changing the "localhost" entry in the Windows hosts file from:

127.0.0.1 localhost

to:

::1 localhost

Manually reverting to the old entry fixes the problem for a while, but Windows will silently update to the new entry periodically. (Note that if you are running Windows Defender, you may need to dismiss some alerts in order to modify your hosts file.)

The latest versions of Burp (both free and Pro editions) have been updated to work with the new hosts entry. If you were having problems, please download the latest release and things should start working again.

Wednesday, April 8, 2009

Using Burp Extender

From time to time, people ask me for help getting their code working with Burp Extender, so here is a quick worked example of how to do this. The example is based on a plugin written by Daniele Costa, which extracts HTML comments from HTTP responses, and writes these to file and to the command line.

The core of the plugin code is simple. It implements the processProxyMessage method in IBurpExtender, to get a handle to all requests and responses passing through Burp Proxy. For response messages, it checks whether the requested URL is in scope, and if so uses a regular expression to match any HTML comments within the response. Anyone with some basic Java skills can create code like this. What may be less familiar is actually getting your code to load and run within Burp.

The steps to compile and run the plugin are as follows:
  1. If you don't already have it, download and install the Java Development Kit (JDK) from Sun.
  2. Create a directory to work in, and cd into it from the command line.
  3. Copy the plugin source file (BurpExtender.java) into your working directory.
  4. Create a subdirectory called "burp", and copy the IBurpExtenderCallbacks.java file into this directory. You will need this file in the correct relative path, because the plugin code makes use of the IBurpExtenderCallbacks interface.
  5. In your working directory, compile the BurpExtender.java source file into a .class file using javac, the Java compiler. The exact command will depend on the location of your JDK - for example, on Windows, you might type: "\Program Files\Java\jdk1.6.0_04\bin\javac.exe" BurpExtender.java
  6. Confirm that the file BurpExtender.class has appeared in your working directory.
  7. Build a Java archive (JAR) file containing your .class file. Depending again on your JDK location, you might type: "\Program Files\Java\jdk1.6.0_04\bin\jar.exe" -cf burpextender.jar BurpExtender.class
  8. Confirm that the file burpextender.jar has appeared in your working directory.
  9. Copy your normal Burp JAR file into your working directory.
  10. Using the actual name of your Burp JAR file, start Burp using the command: java -Xmx512m -classpath burpextender.jar;burp.jar burp.StartBurp
If everything works, Burp should launch with a number of entries in the alerts tab, confirming which IBurpExtender methods were successfully loaded from your plugin (in this case, processProxyMessage and registerExtenderCallbacks):

To make use of the actual functionality of this plugin, you simply need to add the domains that interest you to Burp's Target Scope, and then browse to them via Burp Proxy. Any HTML comments contained within in-scope responses will be printed to the command line, and saved to a file in your working directory.
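An added example of what such a plugin looks like; it is neither Daniele Costa's code nor PortSwigger's. It assumes the Burp 1.x legacy API, in which Burp finds the two public methods by reflection on a class named BurpExtender, that processProxyMessage has the v1.x signature shown (compare it against the IBurpExtender.java for your build), that the url argument is an absolute URL, and it appends to a file name of my choosing.

```java
// Added example: a legacy (v1.x) Burp Extender that logs HTML comments from
// in-scope proxy responses. Assumed: method lookup by reflection, this
// processProxyMessage signature, an absolute url argument, the comments.txt name.
import burp.IBurpExtenderCallbacks;

import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender {
    // DOTALL lets a comment span lines; the reluctant .*? stops at the first
    // "-->" instead of swallowing everything up to the last one on the page.
    private static final Pattern COMMENT = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
    private static final String OUT_FILE = "comments.txt";

    private IBurpExtenderCallbacks callbacks;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.issueAlert("Comment extractor loaded; appending to " + OUT_FILE);
    }

    public void processProxyMessage(int messageReference, boolean messageIsRequest,
            String remoteHost, int remotePort, boolean serviceIsHttps, String httpMethod,
            String url, String resourceType, String statusCode, String responseContentType,
            byte[] message, int[] interceptAction) {
        if (messageIsRequest) return; // only responses can carry the comments we are after
        try {
            if (!callbacks.isInScope(new URL(url))) {
                return; // honour the suite's Target Scope
            }
        } catch (MalformedURLException e) {
            return;
        }
        // message is the raw HTTP response: headers, blank line, body.
        String raw = new String(message, Charset.forName("ISO-8859-1"));
        int split = raw.indexOf("\r\n\r\n");
        if (split < 0 || raw.substring(0, split).toLowerCase().contains("content-encoding:")) {
            return; // no body, or a compressed body the regex cannot read
        }
        List<String> found = extractComments(raw.substring(split + 4));
        if (found.isEmpty()) return;
        PrintWriter out = null;
        try {
            out = new PrintWriter(new FileWriter(OUT_FILE, true));
            for (String c : found) {
                String line = url + "\t" + c;
                System.out.println(line);
                out.println(line);
            }
        } catch (IOException e) {
            callbacks.issueAlert("Could not write " + OUT_FILE + ": " + e.getMessage());
        } finally {
            if (out != null) out.close();
        }
    }

    // Text between each <!-- and -->, whitespace-collapsed to one output line.
    static List<String> extractComments(String body) {
        List<String> comments = new ArrayList<String>();
        Matcher m = COMMENT.matcher(body);
        while (m.find()) {
            comments.add(m.group(1).replaceAll("\\s+", " ").trim());
        }
        return comments;
    }
}
```

Compile and package it with the javac and jar commands from the steps above; compressed responses are skipped here because the raw bytes handed to the plugin would have to be decoded first.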