AuthHeader Updater listed on snoopysecurity/awesome-burp-extensions

Excited to see AuthHeader Updater on a list of awesome burp extensions!

Posted in Burp, Security | Leave a comment

Auth Header Updater Released!

Excited to release Auth Header Updater today – a Burp extension to update Authorization headers during a scan and also guest post about it on ihackthings.online.

Read more about it at ihackthings.online or chs.us.

Source code and plugin available on GitHub.
~

Posted in Burp, General | 1 Comment

New version of jekyll-clicky!

I’ve updated jekyll-clicky to version 0.1.3. This fixes an issue where some posts weren’t getting the javascript code and changed it to be asynchronous..

Check it out at RubyGems and find the source at Github.

Posted in General | Leave a comment

New Burp Extension – Perfmon

Just whipped together a new Burp extension called perfmon (not to be confused with the Windows tool of the same name). I was really interested in the the resource usage of Burp while doing certain activities.

It adds a new tab to Burp and samples every 5 seconds-

* Current and max number of threads in use
* Current and max memory used
* Current and max memory allocated
* Ticker to set how often the stats update. 1 – 5 seconds.

Burp Screenshot

I plan to add a few more things and clean up the UI a bit, but it was an interesting exercise.

The source and plugin are on github.

Posted in Burp, Security | Leave a comment

Writing a Burp Extension – Part One

This is the first part in a series that I plan to write on how to create Burp extensions. I became interested in writing Burp extensions at a previous company where we were fortunate enough to be given time to do research presentations and then present them to our peers. My first presentation topic was to write an Active Scanning extension in Burp that would look for XXE (XML External Entity Injection). I also implemented a standalone app that could run on a host (external from the scan target) and listen for the XXE payload calling out (by making an HTTP request, for example). Literally that same week Collaborator came out and stole my thunder. 🙂 . Last Fall, I was also accepted to DerbyCon and presented a stable talk on Extending Burp.

This series will start with the very basics of creating a working an extension and then continue building out a full-featured extension as we go along. Burp extensions can be written in Java, Ruby (using JRuby), and Python (using Jython). For this series we will write in Java. Here we go…

Extension Basics

In the very simplest case, a Burp extension is a jar file with a class called BurpExtender in a package called Burp. This is the file that Burp looks for when loading an Extension. Based on what you implement in that class is the functionality that the extension will have.

Steps to create a Burp extension

1. In your favorite Java editor, create a project of type “Class Library” or whatever the equivalent project type where the output is a jar file containing the classes from the project
2. Open Burp and go the Extender tab. Click on “Save Interface Files” and save them in a folder called “burp” in your file system where the source is for the project you created in Step 1
3. Create a class called BurpExtender in the burp package in your project and implement IBurpExender. This will require that you implement the registerExtenderCallbacks method. This is the method that you will do any kind of setup for your extension and setup anything that your extension needs
4. Compile the extension into a jar file and load it into Burp by going to Extender -> Extensions -> Add. That will prompt you to specify the type of extension (Java in this example) and the path to the jar file. Click Next and your extension is loaded!

Sample Code

  1. package burp;
  2. package burp;
  3. import java.io.IOException;
  4. import java.io.OutputStream;
  5. import java.util.logging.Level;
  6. import java.util.logging.Logger;
  7.  
  8. /**
  9.  *
  10.  * @author chs
  11.  */
  12. public class BurpExtender implements IBurpExtender
  13. {
  14.     private IExtensionHelpers helpers;
  15.     private static final String EXTENSION_NAME = "Sample Burp Extension";
  16.     private OutputStream os;
  17.  
  18.     @Override
  19.     public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
  20.     {
  21.         this.helpers = callbacks.getHelpers();
  22.         callbacks.setExtensionName(EXTENSION_NAME);
  23.         os = callbacks.getStdout();
  24.         try
  25.         {
  26.             os.write("Hello, World".getBytes());
  27.         } catch (IOException ex)
  28.         {
  29.             Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
  30.         }
  31.     }
  32.  
  33. }

The interesting lines are 14, 15, and 16. In line 14, getHelpers() returns an object that implements IExtensionHelpers. IExtensionHelpers is an interface that provides methods that are useful by the extension, like encoding/parsing requests/responses, etc. Line 15 sets the name of the extension. This is displayed in the Extender tab. Line 16 saves a reference to the OutputStream for the extension. When you write to it, it shows up in the output window of the extension in the Extender tab.

Once you load the extension and navigate to Extender->Extensions, you will see- Extender->Extensions Details

It shows the name of the extension, it’s location in the filesystem, and methods from the interfaces it implements.

If you click on the Output tab, you will see-

Extender->Extensions->Output Details

This shows the output from registerExtenderCallbacks.

That’s it for this time.  Next post will dive deeper…

Posted in Burp | Leave a comment

BinPeek – an app to determine if a #Windows executable is managed or unmanaged.

BinPeek is an application that checks to see if a Windows application is managed(.NET) or unmanaged(native). It handles x86 and x84 executables. If doing it manually, you must check several values in the PE (Portable Executable) file header that differ slightly based on whether the executable is 32-bit or 64-bit. BinPeek does that work for you.

Usage

D:\source\repos\BinPeek>binpeek BinPeek.exe
BinPeek.exe --> Unmanaged

Project Page on Github

Install

Build with Visual Studio or just use the release version in the repo.

License

MIT

Posted in Code, Open Source | Leave a comment

Secure Design Principles

Sitting hear on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project?

Total Mediation – every access to every resource must be validated every time
Economy of Mechanism – keep it as simple as possible
Fail-Safe – in case of failure, default to a secure state
Defense in Depth – layer security
Open Design – the security of a system should not be dependent on secrecy of its design or implementation
Psychological Acceptability – security mechanisms must not make resources more difficult to access then if they weren’t there
Least Privilege – limit access to a system/feature to only those that \*need\* to access it for the shortest duration possible
Minimize attack surface – reduce risk by reducing the attack surface area
Secure Defaults – default to a secure state

Any others you can think of?

Posted in Software Security | Leave a comment

2 Gems Updated

PwnedCheck

PwnedCheck is a gem that checks http://haveibeenpwned.com to see if an email address or user handle has been involved in a breach.

How to Install

gem install PwnedCheck

How to Use

require 'pwnedcheck'
 
# The 4 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
# mralexgray is a user id in snapchat
list = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com', 'mralexgray']
 
list.each do |item|
  begin
    sites = PwnedCheck::check(item)
    if sites.length == 0
      puts "#{item} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        #site is a hash of data returned
        puts item
        puts "\tTitle=#{site['Title']}"
        puts "\tBreach Date=#{site['BreachDate']}"
        puts "\tDescription=#{site['Description']}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{item} --> #{e.message}"
  end
end
require 'pwnedcheck'
 
 
# The 4 cases to check for pastes.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
# mralexgray is a user id in snapchat
list = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com', 'mralexgray']
 
list.each do |item|
  begin
    sites = PwnedCheck::check_pastes(item)
    if sites.length == 0
      puts "#{item} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        #site is a hash of data returned
        puts item
        puts "\tSource=#{site['Source']}"
        puts "\tTitle=#{site['Title']}"
        puts "\tDate=#{site['Date']}"
        puts "\tEmail Count=#{site['EmailCount']}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{item} --> #{e.message}"
  end
end

Jekyll-Clicky

Jekyll-clicky is a gem to add clicky analytics to a site generated with Jekyll.

Installation

Add this line to your application’s Gemfile:

And then execute:

$ bundle

Or install it yourself as:

$ gem install jekyll-clicky

### Usage Add-

jekyll_clicky:              #Add this if you want to track with Clicky analytics
  site:
    id: ###          # Required - replace with your tracking id

to _config.yml in your jekyll site directory. Replace ### with the id of your clicky site.

Posted in Ruby, Security | Leave a comment

Extending Burp at DerbyCon VII

Just finished my talk about extending Burp at Derbycon VII. Thanks to everyone that attended! I’m really thankful for the opportunity to present on the topic.

The Details-

Slides –

Video in Slides (Slide 14)

Source Code – https://github.com/sampsonc/searchplusplus

Video of the Presentation

I’d love to hear any comments/questions.

Posted in Security | Leave a comment