Writing a Burp Plugin in Ruby Part 1

Carl Sampson
Burp extensions can be written in 3 languages - Java, Python, and Ruby. Since Burp is a Java app, in order to write extensions in Python you need Jython and in Ruby you need JRuby. For this example, we’ll use Ruby.
Step 1 - Downloading JRuby
The first step is to download JRuby from https://jruby.org/download. For this example we will be using the latest - 9.

Passive Search Burp Extension

Carl Sampson
Introducing my latest Burp extension - “Passive Search”. Passive Search searches for a list of terms in HTTP responses and creates an issue if it finds one. I got the idea after maintaining a list of things that I was checking for in responses and using either the search in HTTP History on an item by item basis or using the global Search. It was a completely manual process.

New Project!

Carl Sampson
Today I started a new project that I’ve been thinking about for a while. It’s located at – https://appsec.fyi. It is a growing collection of interesting links that I’ve found regarding varying application security topics. The basic site is up and the plumbing is there. Just need to add more content. Check it out!

Python List Comprehensions

Carl Sampson
Python list comprehensions are a pretty interesting feature that I haven’t seen in other languages (at least that I’ve played with). The basic idea is that they create lists from other iterables. They consist of brackets containing the expression which is executed against each item in the iterable object. One or more conditionals dictate if the item is added to the new list. The basic format is – list = [expression for_loop_one_or_more conditions]

Auth Header Updater Released!

Carl Sampson
Excited to release Auth Header Updater today – a Burp extension to update Authorization headers during a scan and also guest post about it on ihackthings.online. Read more about it at ihackthings.online or chs.us. Source code and plugin available on GitHub.

New version of jekyll-clicky!

Carl Sampson
I’ve updated jekyll-clicky to version 0.1.3. This fixes an issue where some posts weren’t getting the JavaScript code and changes it to be asynchronous. Check it out at RubyGems and find the source at GitHub.

New Burp Extension – Perfmon

Carl Sampson
Just whipped together a new Burp extension called perfmon (not to be confused with the Windows tool of the same name). I was really interested in the resource usage of Burp while doing certain activities. It adds a new tab to Burp and samples every 5 seconds: current and max number of threads in use, current and max memory used, and current and max memory allocated.

Writing a Burp Extension – Part One

Carl Sampson
This is the first part in a series that I plan to write on how to create Burp extensions. I became interested in writing Burp extensions at a previous company where we were fortunate enough to be given time to do research presentations and then present them to our peers. My first presentation topic was to write an Active Scanning extension in Burp that would look for XXE (XML External Entity Injection).

BinPeek – an app to determine if a #Windows executable is managed or unmanaged.

Carl Sampson
BinPeek is an application that checks to see if a Windows application is managed (.NET) or unmanaged (native). It handles x86 and x64 executables. If doing it manually, you must check several values in the PE (Portable Executable) file header that differ slightly based on whether the executable is 32-bit or 64-bit. BinPeek does that work for you.
Usage
Project Page on GitHub
Install
Build with Visual Studio or just use the release version in the repo.

Secure Design Principles

Carl Sampson
Sitting here on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project.
Total Mediation – every access to every resource must be validated every time
Economy of Mechanism – keep it as simple as possible
Fail-Safe – in case of failure, default to a secure state
Defense in Depth – layer security
Open Design – the security of a system should not be dependent on secrecy of its design or implementation

2 Gems Updated

Carl Sampson
PwnedCheck
PwnedCheck is a gem that checks http://haveibeenpwned.com to see if an email address or user handle has been involved in a breach.
How to Install
How to Use
Jekyll-Clicky
Jekyll-clicky is a gem to add clicky analytics to a site generated with Jekyll.
Installation
Add this line to your application’s Gemfile:
And then execute:
Or install it yourself as:
Usage
Add- to _config.yml in your jekyll site directory. Replace ### with the id of your clicky site.

Extending Burp at DerbyCon VII

Carl Sampson
Just finished my talk about extending Burp at DerbyCon VII. Thanks to everyone that attended! I’m really thankful for the opportunity to present on the topic.
The Details -
Slides – Video in Slides (Slide 14)
Source Code – https://github.com/sampsonc/searchplusplus
Video of the Presentation
I’d love to hear any comments/questions.