login

Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Monday, 10 December 2012

New Burp Suite Extensibility

We will shortly be releasing Burp Suite Pro v1.5.01, which contains a new framework for extensibility in Burp.

A Short History

Burp has supported extensions for years. Burp's extensibility began its live very simple, and has evolved gradually without any overall plan.

The existing API is fairly limited, and its main uses have been for:
  • Changing HTTP messages on the fly
  • Initiating some testing tasks (e.g. to automate crawling / scanning)
The existing framework has been used to good effect to extend Burp's capabilities, for example:
  • WCF Binary Soap plugin, by GDS
  • Deflate plugin, by GDS
  • DSer plugin for JAVA serialized objects, by Attack & Defense Labs
  • w3af plugin, by David Robert

Current Limitations

The existing extensibility framework contains some significant limitations:
  • You can only run one extension at a time.
  • You can only load an extension at launch time, by modifying Burp's classpath.
  • Only the Java language is natively supported.
  • The processing of writing, compiling and loading an extension can be challenging for non-programmers.
  • The API doesn't expose very much in many areas that would be extremely useful to be able to extend. For example: Burp's user interface, the Scanner, Intruder and session handling.
  • Extensions are effectively bolt-ons, not properly integrated with Burp's internals.
In an attempt to address these limitations, several people have developed extensibility frameworks layered over Burp's, including:
  • Buby (Ruby)
  • Burp Suite Extended (Python)
  • Hiccup (Python)
  • Resty-Burp (REST / JSON)
These third-party frameworks are well designed, and address some of Burp's shortcomings. Nevertheless, it is cumbersome to need to install an additional framework, and the limitations in the current API still remain.

The efforts that people were evidently going to, in an attempt to improve on what Burp itself offered, made me realize: it's time to fix Burp natively.

Objectives for New Extensibility

The overall objectives for the new extensibility framework are:
  • Allow multiple extensions to run simultanously.
  • Support dynamic loading and unloading of extensions at runtime.
  • Support languages other than Java. In the initial release, Python is supported via the Jython interpreter.
  • Provide a much, much richer API that allows extensions to really integrate with Burp's internals.
  • Use a more future-proof API design, to allow easier enhancements in future.
  • As far as possible, ensure backwards compatibility with legacy extensions.
A key aspiration for the new extensibility is that people should find it quick and easy to create extensions mid-testing to work around all kinds of obstacles that can arise. For example, tasks like writing a Scanner check, creating a session handling action, or adding a new HTTP message analyzer to Burp's editor, should all be achievable in less time than it takes to work around an obstacle manually. With the new support for Python scripting, and a much more helpful API, even users without much programming experience will hopefully feel tempted to have a go, and so dramatically enhance the power of their testing with Burp.

6 comments:

Anonymous said...

Best christmas news this year, I am truly excited.

Anonymous said...

Please support JRUBY!

Anonymous said...

Caught up in tons of work, so short response here:

Awesome, just awesome! After the new year, I'll try and give a ton of feedback.

Best feature since the addition of session handling rules!

Eric Monti said...

This is a great step forward. But I have to say, as the original author of Buby, it's pretty disappointing that you seem to be leaving jruby behind in this effort (even initially).

point: Buby was probably the first public effort to bring dynamic language support to burp. Where's the love? :)

I hope you guys consider providing jruby support in the very near term. Anything the ruby/buby community can do to help?

Anonymous said...

Yes please support Jruby, there are tons of people that prefer Ruby over Python.

Anonymous said...

gys, this is not exactly a language preference thing (python/jython or ruby/jruby). Its obvious that python serves a better purpose here -with a more exposed core suitable to pen testing as opposed to the 'magic' more dynamic nature of ruby.


User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Copyright 2014 PortSwigger Ltd. All rights reserved.