Monday, December 17, 2012

Sample Burp Suite extension: custom editor tab

This extension demonstrates how you can extend Burp's own HTTP message editor to handle the display and editing of unsupported data formats. This capability can let you handle custom serialization implemented by specific applications, or any other data format that Burp does not natively support.

In the past, some extensions have handled unsupported serialization formats by hooking into Burp's HTTP stack, and modifying incoming and outgoing messages, in order to unpack and repack the serialized data. Although this approach can work, it is quite restricted in the type of data it can handle. And it is also inelegant: it would be preferable to customize Burp to understand the custom format itself, rather than tampering with the integrity of HTTP messages.

The new extensibility API lets you add custom tabs to Burp's HTTP message editor. When a message is about to be displayed, Burp will ask the tab whether it can handle the message. If so, the custom tab will be shown in the editor, and can support rendering and editing of the message within its own UI.

The sample extension uses an artificially simple serialization format: the serialized data is simply Base64-encoded within a request parameter. This example was chosen so as to keep the code that handles the serialization as simple as possible. But the format itself isn't the point: what matters is that you can now easily extend Burp to understand any format that you may encounter in a test.

As well as the new API for adding message editor tabs, this example also makes use of Burp's new helper methods, to carry out common tasks such as parsing and updating request parameters, encoding and decoding data in different formats, and conversion of data between String and byte forms.

Download the custom editor tab extension. The download includes source code for Java and Python, and the compiled JAR file for Java. It also includes an ASP.NET page that implements the serialization format on the client and server side, so that you can send serialized data from your browser, edit it on the fly within Burp, and see the effect in the server's response. Note: the sample ASP.NET page uses the JavaScript btoa() function to perform Base64 encoding on the client side. This function is not supported by Internet Explorer, but works on most other browsers.

[Really astute testers might spot a deliberate vulnerability in the sample ASP.NET page. More on that soon.]


Anonymous said...

Very good example! Can you add support for auto-colorization of XML, HTML, JS, etc.?

PortSwigger said...

Burp natively handles auto-colorization of those formats in its own editor tabs. The purpose of custom tabs is that your extension can handle formats that Burp doesn't natively support, so obviously any syntax colorization for those formats will be a matter for the extension.

Anonymous said...

Following your example on de-serialization, the data that will be put on the new tab may be deserialised, decrypted or any other kind of data that may be represented in XML format or as POST data as you used. Is there support or any way to instruct Burp that those are XML, POST data, etc., so that it can colour them?

Anonymous said...

Was this extension broken by an update? I cannot seem to get a new tab by loading the extension.

PortSwigger said...

This extension should still be working fine. You'll need to use the sample ASP.NET page provided, to get the tab to display.

Anonymous said...

Is there an example for adding a non-editable deserialization tab in the response?

Dafydd Stuttard said...

There isn't, but this should be simple. Just configure any relevant UI controls (such as text panels) to be not editable. And always tell Burp that the message was not edited.
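A compact Java version of the tab described in the post, written here as an added example rather than taken from the download, and covering the read-only case raised in the last comment: the same class serves as a non-editable tab when Burp creates it with editable=false, and it then always reports the message as unmodified. It assumes the application serializes into a request parameter named "data"; that name is an assumption, not something the post specifies.

```java
package burp;
import java.awt.Component;

// Added example, not the sample extension's code. The parameter name "data" is an assumption.
public class BurpExtender implements IBurpExtender, IMessageEditorTabFactory {
    private static final String PARAM = "data";
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        helpers = cb.getHelpers();
        cb.setExtensionName("Base64 parameter tab");
        cb.registerMessageEditorTabFactory(this);
    }
    // Burp passes editable=false for read-only views (e.g. Proxy history, responses).
    public IMessageEditorTab createNewInstance(IMessageEditorController ctl, boolean editable) {
        return new Base64Tab(editable);
    }
    class Base64Tab implements IMessageEditorTab {
        private final ITextEditor txt = callbacks.createTextEditor();
        private final boolean editable;
        private byte[] current;   // the message exactly as Burp handed it to us
        private byte type;        // where the parameter lives (URL, body or cookie)
        Base64Tab(boolean editable) { this.editable = editable; txt.setEditable(editable); }
        public String getTabCaption() { return "Decoded"; }
        public Component getUiComponent() { return txt.getComponent(); }
        // Claim only requests that actually carry the parameter.
        public boolean isEnabled(byte[] content, boolean isRequest) {
            return isRequest && helpers.getRequestParameter(content, PARAM) != null;
        }
        public void setMessage(byte[] content, boolean isRequest) {
            current = content;
            if (content == null) { txt.setText(null); txt.setEditable(false); return; }
            IParameter p = helpers.getRequestParameter(content, PARAM);
            type = p.getType();
            txt.setText(helpers.base64Decode(p.getValue()));
            txt.setEditable(editable);
        }
        // Re-encode the edited text and write it back into the same parameter.
        public byte[] getMessage() {
            if (!editable || !txt.isTextModified()) return current;
            String enc = helpers.base64Encode(txt.getText());
            return helpers.updateParameter(current, helpers.buildParameter(PARAM, enc, type));
        }
        // A read-only tab must report "not modified" so Burp never reads it back.
        public boolean isModified() { return editable && txt.isTextModified(); }
        public byte[] getSelectedData() { return txt.getSelectedText(); }
    }
}
```

Because the tab keeps the original bytes and only rewrites the one parameter through the helper methods, the rest of the request is left untouched, which is the point the post makes about not tampering with the HTTP message itself.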