SlideShare a Scribd company logo

Burp plugin development for java n00bs (44 con)

Download as pptx, pdf
Marc Wickenden
Marc Wickenden

Introduction to using BurpExtender to write plugins for Web application assessment tool Burp Suite. Aimed at testers who have never coded Java before.

1 of 65
Downloaded 119 times
1
Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
2
/me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
3
I am a Java n00b
4
If you already know Java You’re either: • In the wrong room • About to be really offended!
5
Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
6
Oh…..and there’ll be cats
7
Burp plugin development for java n00bs (44 con)
8
The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
Most read
9
The problem
10
I wrote a plugin Coding by Google FTW!
11
How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
Most read
12
Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
13
Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
14
Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
15
Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
16
Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
17
Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
18
Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
19
Enough 101
20
Burp plugin development for java n00bs (44 con)
21
Let’s write some codez
22
First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
23
Download Eclipse Classic Or install from your USB drive
24
Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
25
Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
26
Welcome to Eclipse
27
Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
28
Burp plugin development for java n00bs (44 con)
29
Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
30
Create a new package • File > New > Package • Enter burp as the name • Click Finish
Most read
31
Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
32
Burp plugin development for java n00bs (44 con)
33
We’re ready to type
34
Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
35
Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
36
IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
37
In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
38
Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
39
Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
40
Select Java Application • Under Matching items select StartBurp – burp • Click OK
41
Burp runs • Check Alerts tab • View registration of BurpExtender class
42
Console output • The console window shows output from the application • Note the “Hello World!”s
43
Congratulations
44
Burp plugin development for java n00bs (44 con)
45
What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
46
Burp Suite Flow
47
RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
48
Burp plugin development for java n00bs (44 con)
49
We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
50
Burp plugin development for java n00bs (44 con)
51
• Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
52
Decoding the Fastinfoset to console
53
First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
54
Burp plugin development for java n00bs (44 con)
55
Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
56
Burp plugin development for java n00bs (44 con)
57
Decoding Fastinfoset through Proxy
58
Burp plugin development for java n00bs (44 con)
59
We’re nearly there……
60
Burp plugin development for java n00bs (44 con)
61
Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
62
Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
63
Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
64
Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements
65
www.7elements.co.uk | blog.7elements.co.uk | @7elements
Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
/me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
I am a Java n00b
If you already know Java You’re either: • In the wrong room • About to be really offended!
Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
Oh…..and there’ll be cats
Burp plugin development for java n00bs (44 con)
The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
The problem
I wrote a plugin Coding by Google FTW!
How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
Enough 101
Burp plugin development for java n00bs (44 con)
Let’s write some codez
First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
Download Eclipse Classic Or install from your USB drive
Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
Welcome to Eclipse
Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
Burp plugin development for java n00bs (44 con)
Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
Create a new package • File > New > Package • Enter burp as the name • Click Finish
Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
Burp plugin development for java n00bs (44 con)
We’re ready to type
Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
Select Java Application • Under Matching items select StartBurp – burp • Click OK
Burp runs • Check Alerts tab • View registration of BurpExtender class
Console output • The console window shows output from the application • Note the “Hello World!”s
Congratulations
Burp plugin development for java n00bs (44 con)
What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
Burp Suite Flow
RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
Burp plugin development for java n00bs (44 con)
We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
Burp plugin development for java n00bs (44 con)
• Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
Decoding the Fastinfoset to console
First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
Burp plugin development for java n00bs (44 con)
Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
Burp plugin development for java n00bs (44 con)
Decoding Fastinfoset through Proxy
Burp plugin development for java n00bs (44 con)
We’re nearly there……
Burp plugin development for java n00bs (44 con)
Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements
www.7elements.co.uk | blog.7elements.co.uk | @7elements
Ad

Recommended

Developing real-time data pipelines with Spring and Kafka
Developing real-time data pipelines with Spring and KafkaDeveloping real-time data pipelines with Spring and Kafka
Developing real-time data pipelines with Spring and Kafka
marius_bogoevici
 
The Dream Stream Team for Pulsar and Spring
The Dream Stream Team for Pulsar and SpringThe Dream Stream Team for Pulsar and Spring
The Dream Stream Team for Pulsar and Spring
Timothy Spann
 
Microservices Platform with Spring Boot, Spring Cloud Config, Spring Cloud Ne...
Microservices Platform with Spring Boot, Spring Cloud Config, Spring Cloud Ne...Microservices Platform with Spring Boot, Spring Cloud Config, Spring Cloud Ne...
Microservices Platform with Spring Boot, Spring Cloud Config, Spring Cloud Ne...
Tin Linn Soe
 
Optimizing and Profiling Golang Rest Api
Optimizing and Profiling Golang Rest ApiOptimizing and Profiling Golang Rest Api
Optimizing and Profiling Golang Rest Api
Iman Syahputra Situmorang
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Huda Seyam
 
Orion Context Broker 20220301
Orion Context Broker 20220301Orion Context Broker 20220301
Orion Context Broker 20220301
Fermin Galan
 
Technical Deep Dive: Using Apache Kafka to Optimize Real-Time Analytics in Fi...
Technical Deep Dive: Using Apache Kafka to Optimize Real-Time Analytics in Fi...Technical Deep Dive: Using Apache Kafka to Optimize Real-Time Analytics in Fi...
Technical Deep Dive: Using Apache Kafka to Optimize Real-Time Analytics in Fi...
confluent
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
confluent
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Metrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application BehaviorMetrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application Behavior
VMware Tanzu
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
DataWorks Summit
 
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin OmerogluStorage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
HostedbyConfluent
 
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
VMware Tanzu
 
Python3 (boto3) for aws
Python3 (boto3) for awsPython3 (boto3) for aws
Python3 (boto3) for aws
Sanjeev Kumar Jaiswal
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Ngfw overview
Ngfw overviewNgfw overview
Ngfw overview
Motty Ben Atia
 
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby ChackoStreaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
VMware Tanzu
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
Guido Schmutz
 
Transactional File System In Java - Commons Transaction
Transactional File System In Java - Commons TransactionTransactional File System In Java - Commons Transaction
Transactional File System In Java - Commons Transaction
Guo Albert
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Versioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria XiaVersioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria Xia
HostedbyConfluent
 
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo AquinoFInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
Hugo Aquino
 
Cloud and Virtualization Security
Cloud and Virtualization SecurityCloud and Virtualization Security
Cloud and Virtualization Security
Rubal Sagwal
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
HostedbyConfluent
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 

More Related Content

What's hot (20)

OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
confluent
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Metrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application BehaviorMetrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application Behavior
VMware Tanzu
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
DataWorks Summit
 
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin OmerogluStorage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
HostedbyConfluent
 
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
VMware Tanzu
 
Python3 (boto3) for aws
Python3 (boto3) for awsPython3 (boto3) for aws
Python3 (boto3) for aws
Sanjeev Kumar Jaiswal
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Ngfw overview
Ngfw overviewNgfw overview
Ngfw overview
Motty Ben Atia
 
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby ChackoStreaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
VMware Tanzu
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
Guido Schmutz
 
Transactional File System In Java - Commons Transaction
Transactional File System In Java - Commons TransactionTransactional File System In Java - Commons Transaction
Transactional File System In Java - Commons Transaction
Guo Albert
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Versioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria XiaVersioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria Xia
HostedbyConfluent
 
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo AquinoFInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
Hugo Aquino
 
Cloud and Virtualization Security
Cloud and Virtualization SecurityCloud and Virtualization Security
Cloud and Virtualization Security
Rubal Sagwal
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
HostedbyConfluent
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
Event Driven Architecture with a RESTful Microservices Architecture (Kyle Ben...
confluent
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Metrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application BehaviorMetrics for the Win: Using Micrometer to Understand Application Behavior
Metrics for the Win: Using Micrometer to Understand Application Behavior
VMware Tanzu
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
DataWorks Summit
 
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin OmerogluStorage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
Storage Capacity Management on Multi-tenant Kafka Cluster with Nurettin Omeroglu
HostedbyConfluent
 
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
Maximize Greenplum For Any Use Cases Decoupling Compute and Storage - Greenpl...
VMware Tanzu
 
Python3 (boto3) for aws
Python3 (boto3) for awsPython3 (boto3) for aws
Python3 (boto3) for aws
Sanjeev Kumar Jaiswal
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Ngfw overview
Ngfw overviewNgfw overview
Ngfw overview
Motty Ben Atia
 
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby ChackoStreaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
Streaming with Spring Cloud Stream and Apache Kafka - Soby Chacko
VMware Tanzu
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
Guido Schmutz
 
Transactional File System In Java - Commons Transaction
Transactional File System In Java - Commons TransactionTransactional File System In Java - Commons Transaction
Transactional File System In Java - Commons Transaction
Guo Albert
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Versioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria XiaVersioned State Stores in Kafka Streams with Victoria Xia
Versioned State Stores in Kafka Streams with Victoria Xia
HostedbyConfluent
 
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo AquinoFInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
FInal Project - USMx CC605x Cloud Computing for Enterprises - Hugo Aquino
Hugo Aquino
 
Cloud and Virtualization Security
Cloud and Virtualization SecurityCloud and Virtualization Security
Cloud and Virtualization Security
Rubal Sagwal
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
Restoring Restoration's Reputation in Kafka Streams with Bruno Cadonna & Luca...
HostedbyConfluent
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 

Viewers also liked (20)

Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
August Detlefsen
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
Rinaldi Rampen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
Hoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
Luis Goldster
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
Mindfire Solutions
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
Cyren, Inc
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)
Sqa Enthusiast
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)
Esteban Garzon
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
Ishan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suite
Ammar WK
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
Pavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
Anil Kumar M
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
n|u - The Open Security Community
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
Mindfire Solutions
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
Ishan Girdhar
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSec
Ante Gulam
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
August Detlefsen
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
Rinaldi Rampen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
Hoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
Luis Goldster
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
Mindfire Solutions
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
Cyren, Inc
 
The impact of sqli (sql injection)
The impact of sqli (sql injection)The impact of sqli (sql injection)
The impact of sqli (sql injection)
Sqa Enthusiast
 
Resumen de referencias (6)
Resumen de referencias (6)Resumen de referencias (6)
Resumen de referencias (6)
Esteban Garzon
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
Ishan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suite
Ammar WK
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
Pavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
Anil Kumar M
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
n|u - The Open Security Community
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
Mindfire Solutions
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
Ishan Girdhar
 
WCF Security, FSec
WCF Security, FSecWCF Security, FSec
WCF Security, FSec
Ante Gulam
 
Ad

Similar to Burp plugin development for java n00bs (44 con) (20)

Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012
44CON
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)
p3castro
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
Andrei KUCHARAVY
 
Presentation on java
Presentation on javaPresentation on java
Presentation on java
shashi shekhar
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2
Uday Sharma
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012
Anton Arhipov
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
Shane Macaulay
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
Charles Nutter
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
Sam Bowne
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
Mandi Walls
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with Go
Steven Francia
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
goccy
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
attiqrocket
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
attiqrocket
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
attiqrocket
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operator
kamal kotecha
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Java introduction
Java introductionJava introduction
Java introduction
The icfai university jaipur
 
Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012Burp Plugin Development for Java n00bs - 44CON 2012
Burp Plugin Development for Java n00bs - 44CON 2012
44CON
 
Packaging perl (LPW2010)
Packaging perl (LPW2010)Packaging perl (LPW2010)
Packaging perl (LPW2010)
p3castro
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
Andrei KUCHARAVY
 
Presentation on java
Presentation on javaPresentation on java
Presentation on java
shashi shekhar
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2
Uday Sharma
 
Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012Mastering Java Bytecode - JAX.de 2012
Mastering Java Bytecode - JAX.de 2012
Anton Arhipov
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
Shane Macaulay
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
Charles Nutter
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
Sam Bowne
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
Mandi Walls
 
Getting Started with Go
Getting Started with GoGetting Started with Go
Getting Started with Go
Steven Francia
 
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)これからのPerlプロダクトのかたち(YAPC::Asia 2013)
これからのPerlプロダクトのかたち(YAPC::Asia 2013)
goccy
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
attiqrocket
 
Lesson1 intro
Lesson1 introLesson1 intro
Lesson1 intro
attiqrocket
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
attiqrocket
 
basic core java up to operator
basic core java up to operatorbasic core java up to operator
basic core java up to operator
kamal kotecha
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Java introduction
Java introductionJava introduction
Java introduction
The icfai university jaipur
 
Ad

Recently uploaded (20)

Securiport - A Border Security Company
Securiport - A Border Security CompanySecuriport - A Border Security Company
Securiport - A Border Security Company
Securiport
 
6th Power Grid Model Meetup - 21 May 2025
6th Power Grid Model Meetup - 21 May 20256th Power Grid Model Meetup - 21 May 2025
6th Power Grid Model Meetup - 21 May 2025
DanBrown980551
 
Soulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate reviewSoulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate review
Soulmaite
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Co-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using ProvenanceCo-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using Provenance
Paul Groth
 
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
Jasper Oosterveld
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
The case for on-premises AI
The case for on-premises AIThe case for on-premises AI
The case for on-premises AI
Principled Technologies
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
Trends Report: Artificial Intelligence (AI)
Trends Report: Artificial Intelligence (AI)Trends Report: Artificial Intelligence (AI)
Trends Report: Artificial Intelligence (AI)
Brian Ahier
 
Dancing with AI - A Developer's Journey.pptx
Dancing with AI - A Developer's Journey.pptxDancing with AI - A Developer's Journey.pptx
Dancing with AI - A Developer's Journey.pptx
Elliott Richmond
 
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOMEstablish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Anchore
 
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto CertificateCybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
VICTOR MAESTRE RAMIREZ
 
Improving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevExImproving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevEx
Justin Reock
 
AI Creative Generates You Passive Income Like Never Before
AI Creative Generates You Passive Income Like Never BeforeAI Creative Generates You Passive Income Like Never Before
AI Creative Generates You Passive Income Like Never Before
SivaRajan47
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Extend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptxExtend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptx
hoang971
 
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdfTop 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
SOFTTECHHUB
 
Securiport - A Border Security Company
Securiport - A Border Security CompanySecuriport - A Border Security Company
Securiport - A Border Security Company
Securiport
 
6th Power Grid Model Meetup - 21 May 2025
6th Power Grid Model Meetup - 21 May 20256th Power Grid Model Meetup - 21 May 2025
6th Power Grid Model Meetup - 21 May 2025
DanBrown980551
 
Soulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate reviewSoulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate review
Soulmaite
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Co-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using ProvenanceCo-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using Provenance
Paul Groth
 
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
ELNL2025 - Unlocking the Power of Sensitivity Labels - A Comprehensive Guide....
Jasper Oosterveld
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
The case for on-premises AI
The case for on-premises AIThe case for on-premises AI
The case for on-premises AI
Principled Technologies
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
Trends Report: Artificial Intelligence (AI)
Trends Report: Artificial Intelligence (AI)Trends Report: Artificial Intelligence (AI)
Trends Report: Artificial Intelligence (AI)
Brian Ahier
 
Dancing with AI - A Developer's Journey.pptx
Dancing with AI - A Developer's Journey.pptxDancing with AI - A Developer's Journey.pptx
Dancing with AI - A Developer's Journey.pptx
Elliott Richmond
 
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOMEstablish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Anchore
 
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto CertificateCybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
VICTOR MAESTRE RAMIREZ
 
Improving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevExImproving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevEx
Justin Reock
 
AI Creative Generates You Passive Income Like Never Before
AI Creative Generates You Passive Income Like Never BeforeAI Creative Generates You Passive Income Like Never Before
AI Creative Generates You Passive Income Like Never Before
SivaRajan47
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Extend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptxExtend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptx
hoang971
 
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdfTop 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
Top 25 AI Coding Agents for Vibe Coders to Use in 2025.pdf
SOFTTECHHUB
 

Burp plugin development for java n00bs (44 con)

  • 1. Burp Plugin Development for Java n00bs 44Con 2012 www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 2. /me • Marc Wickenden • Principal Security Consultant at 7 Elements • Love coding (particularly Ruby) • @marcwickenden on the Twitterz • Most importantly though….. www.7elements.co.uk | blog.7elements.co.uk | @7elements
  • 3. I am a Java n00b
  • 4. If you already know Java You’re either: • In the wrong room • About to be really offended!
  • 5. Agenda • The problem • Getting ready • Introduction to the Eclipse IDE • Burp Extender Hello World! • Manipulating runtime data • Decoding a custom encoding scheme • “Shelling out” to other scripts • Limitations of Burp Extender • Really cool Burp plugins already out there to fire your imagination
  • 8. The problem • Burp Suite is awesome • De facto web app tool • Open source alternatives don’t compare IMHO • Tools available/cohesion/protocol support • Burp Extender
  • 10. I wrote a plugin Coding by Google FTW!
  • 11. How? - Burp Extender • “allows third-party developers to extend the functionality of Burp Suite” • “Extensions can read and modify Burp’s runtime data and configuration” • “initiate key actions” • “extend Burp’s user interface” http://portswigger.net/burp/extender/
  • 12. Burp Extender • Achieves this via 6 interfaces: – IBurpExtender – IBurpExtenderCallbacks – IHttpRequestResponse – IScanIssue – IScanQueueItem – IMenuItemHander
  • 13. Java 101 • Java source is compiled to bytecode (class file) • Runs on Java Virtual Machine (JVM) • Class-based • OO • Write once, run anywhere (WORA) • Two distributions: JRE and JDK
  • 14. Java 101 continued… • Usual OO stuff applies: objects, classes, methods, properties/variable s • Lines end with ;
  • 15. Java 101 continued… • Source files must be named after the public class they contain • public keyword denotes method can be called from code in other classes or outside class hierarchy
  • 16. Java 101 continued… • class hierarchy defined by directory structure: • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class • JAR file is essentially ZIP file of classes/directories
  • 17. Java 101 continued… • void keyword indicates method will not return data to the caller • main method called by Java launcher to pass control to the program • main must accept array of String objects (args)
  • 18. Java 101 continued… • Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method • You’ve seen this already with Burp: – java –jar burpsuite_pro_v1.4.12.jar
  • 22. First we need some tools • Eclipse IDE – de facto free dev tool for Java • Not necessarily the best or easiest thing to use • Alternatives to consider: – Jet Brains IntelliJ (my personal favourite) – NetBeans (never used) – Jcreator (again, never used) – Terminal/vim/javac < MOAR L33T
  • 23. Download Eclipse Classic Or install from your USB drive
  • 24. Eclipse 4.2 Classic • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32-x86_64.zip&type=sha1 • 6f4e6834c95e9573cbc1fc46adab4e39da6b4b6d • eclipse-SDK-4.2-win32-x86_64.zip • http://www.eclipse.org/downloads/sums.php?file=/eclipse/downloads/dr ops4/R-4.2-201206081400/eclipse-SDK-4.2-win32.zip&type=sha1 • 68b1eb33596dddaac9ac71473cd1b35f51af8df7 • eclipse-SDK-4.2-win32.zip
  • 25. Java JDK • Used to be bundled with Eclipse • Due to licensing (I think) this is no longer the case • Grab from Sun Oracle’s website: • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows- x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
  • 27. Create a Java Project • File > New > Java Project • Project Name: Burp Hello World! • Leave everything else as default • Click Next
  • 29. Java Settings • Click on Libraries tab • Add External JARs • Select your burpsuite.jar • Click Finish
  • 30. Create a new package • File > New > Package • Enter burp as the name • Click Finish
  • 31. Create a new file • Right-click burp package > New > File • Accept the default location of src • Enter BurpExtender.java as the filename • Click Finish
  • 34. Loading external classes • We need to tell Java about external classes – Ruby has require – PHP has include or require – Perl has require – C has include – Java uses import
  • 35. Where is Burp? • We added external JARs in Eclipse • Only helps at compilation • Need to tell our code about classes – import burp.*;
  • 36. IBurpExtender • Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html – “ Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
  • 37. In other words public class BurpExtender { } • Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
  • 38. Add this package burp; import burp.*; public class BurpExtender { public void processHttpMessage( String toolName, boolean messageIsRequest, IHttpRequestResponse messageInfo) throws Exception { System.out.println("Hello World!"); } }
  • 39. Run the program • Run > Run • First time we do this it’ll ask what to run as • Select Java Application
  • 40. Select Java Application • Under Matching items select StartBurp – burp • Click OK
  • 41. Burp runs • Check Alerts tab • View registration of BurpExtender class
  • 42. Console output • The console window shows output from the application • Note the “Hello World!”s
  • 45. What’s happening? • Why is it spamming “Hello World!” to the console? • We defined processHttpMessage() • http://portswigger.net/burp/extender/burp/IB urpExtender.html – “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
  • 47. RepeatAfterMeClient.exe processProxyMessage processHttpMessage Burp Suite http://wcfbox/RepeaterService.svc
  • 49. We’ve got to do a few things • Split the HTTP Headers from FI body • Decode FI body • Display in Burp • Re-encode modified version • Append to headers • Send to web server • Then the same in reverse
  • 51. • Right-click Project > Build Path > Add External Archives • Select FastInfoset.jar • Note that imports are now yellow
  • 53. First: we get it wrong • Burp returns message body as byte[] • Hmm, bytes are hard, let’s convert to String • Split on rnrn
  • 55. Then we do it right • Fastinfoset is a binary encoding • Don’t try and convert it to a String • Now things work
  • 61. Running outside of Eclipse • Plugin is working nicely, now what? • Export to JAR • Command line to run is: • java –jar yourjar.jar;burp_pro_v1.4.12.jar burp.startBurp
  • 62. Limitations • We haven’t coded to handle/decode the response • Just do the same in reverse • processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message • Solution: chain two Burp instances together
  • 63. Attribution • All lolcatz courtesy of lolcats.com • No cats were harming in the making of this workshop • Though some keyboards were….
  • 64. Questions ? www.7elements.co.uk | blog.7elements.co.uk | @7elements

Editor's Notes

  • #5: In the wrong roomAbout to be really offendedI don’t know much about Java, I don’t know the right terms for things and I don’t know the best style of writing it. But this code will work and that’s my primary objective today.It don’t have to be pretty, it just has to work. That’s the difference between delivering a good test or a bad one imho
  • #6: So, what are we going to cover?
  • #7: Can’t do a slide deck without cats
  • #9: Particularly Professional
  • #10: Previous app testWCF Service written in C#Not using WCF Binary protocolSOAP with Fastinfoset XML encodingBurp Suite couldn’t read it
  • #23: IntelliJ Community Edition is availableWe’re going with Eclipse because it works and is free and fully functionalYou can port this learning to anything else
  • #25: SHA1’s are here if you want to verify them
  • #27: Package Explorer – like a directory listing of your classes and src filesMain window where we edit filesTask list – I normally close this to be honestOutline view, quite useful, gives a break down of methods, properties of classes you are working onProblems – keep your eye on this bad boy, can be very useful
  • #36: Notice how it’s already popping up little tips. In this case we’ve declared an import but not used any of the classes.We’ll fix that…
  • #37: Javadoc is the Java standard for documentation. It is generated automatically from comments in the code.Burp Extender has javadoc available online. We are going to use this a lot.Let’s start…..er, right….
  • #38: This is our bare bones. Note the import burp.*; isn’t shown
  • #39: Don’t worry too much about what it all means just at the secondhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Hello%20World!
  • #44: Congratulations, you’re first Burp plugin
  • #45: This code is however, as useful as one of these
  • #48: https://github.com/7Elements/burp_workshop/tree/master/Burp%20Interface%20Flow
  • #49: Our problem was fastinfoset. Start google coding: find out about it, look for code snippets. Work out the approach.
  • #51: We’ve imported some fastinfoset classes but Eclipse is telling us it can’t find them. We need to add an external jar.
  • #54: https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder
  • #56: https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Two
  • #58: That’s great, writing out to the console – but we need to intercept and send onwardsWe need to shuffle stuff around a bit then..https://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Three
  • #59: Walk through adding code to processProxyMessageShow how we can decode in the Burp Proxy window by returning new byte[]Then how it fails because the app receives plain text not FI
  • #60: Now we add a re-encode method to the processHttpMessage using custom HTTP headerWe can exploit the flow order in Burp.Remember proxyProxyMessage is called *before* processHttpMessage– winhttps://github.com/7Elements/burp_workshop/tree/master/Burp%20Fastinfoset%20Decoder%20-%20Take%20Four