Creating Burp Extensions: A Beginner’s Guide
This webcast was originally published on December 12, 2024.
In this video, Dave Blandford discusses a beginner’s guide to creating Burp Suite extensions. The session covers an overview of what Burp extensions are, how they can improve testing capabilities, and the tools and languages used in developing them. Additionally, Dave provides insights into the Montoya API and demonstrates his own extension, aiming to inspire and assist viewers in enhancing their skills in security testing.
- The webinar focuses on creating Burp Suite extensions, particularly for beginners.
- Burp Suite is a web application proxy used for testing traffic between clients and servers, allowing modification of requests and responses.
- Creating extensions for Burp Suite can enhance its functionality beyond the default capabilities, making testing more efficient and comprehensive.
Transcript
Jason Blanchard
Hello, everybody. Welcome to today’s Black Hills Information Security webcast. My name is Jason Blanchard. I’m the content community director here at Black Hills Information Security. If you ever need a red team, Active SOC, ANTI-SOC, or pentest, please come and find us.
We absolutely want to help you, especially with 2025 coming up, so reach out. All right, so Dave is going to be giving our webcast today. Today is Dave’s first Black Hills webcast.
All right, so testers join the team. We have 40-plus full-time testers. And so at any given time, I will reach out to those testers and say, hey, here are the dates that we have available.
Would you like to give a webcast? And so Dave was new, and I reached out to Dave and I was like, here are the dates, Dave. And he’s like, yeah, I’ll take that one. I was like, cool, what do you want to talk about? And he’s like, I don’t know, what should we talk about?
I was like, what is something that you love and that you’re excited about? He’s like, how about a beginner’s guide to creating Burp Suite extensions? And I was like, that’s awesome. All right, so that’s what’s going to happen here today.
Dave’s going to give his very first Black Hills Information Security webcast. Please welcome Dave Blandford. Dave, I’ll be backstage in case people have questions or in case you have questions. You can always engage on Discord.
That’s for the community. Feel free to engage in Discord. Make sure to check in for hacking today if you don’t know what that means. I’ll come back at the end and explain it. And for everyone else, thank you so much for joining us today, for spending your time with us, and hopefully you’ve had a great 2024, and thank you so much for all the time you spent with us and that you may spend with us again next year.
We have one more webcast next week, then after that, Christmas break, and then we’ll be back in the new year. So, Dave, are you ready?
Dave Blandford
I’m good to go.
Jason Blanchard
All right, I’m going to head backstage. I’ll be here if you need me for anything at all. Good luck, Dave.
Dave Blandford
Will do. Thank you. Thank you. Well, good afternoon. Thanks for joining. So, yeah, we’re gonna talk about creating Burp extensions.
It’s gonna be just a broad overview. If we have time at the end, we’ll dive into a demo. But yeah, it’ll be just at that beginner’s level on creating a Burp extension.
So for today’s agenda, we’re just gonna start with an introduction, kind of dive into what a Burp extension is, if you might not be familiar with what a Burp extension is or what it does or why somebody might need it.
We’ll go into what I need to do to create my extension. So we’ll dive into that a little bit. So if you’re just getting started, how do we get the environment right? How do we prepare?
Then we’re going to talk about the Montoya API that is used to work within Burp Suite, or used in our extension to integrate into Burp Suite.
And then if we have time, like I mentioned, we’ll do a demo. And now, if you were here for the pre-show banter, I’ve got Bigfoot in my head. So we’ll probably talk a little bit about Bigfoot throughout.
If he’s real, if he exists, if he does, what Bigfoot eats, how he’s gone so long without being discovered. But we’ll dive into that.
So first things first, what is Burp Suite? So Burp Suite, for us that do application testing, so when you think like a mobile app, a web application, or maybe a desktop application.
Burp Suite is going to be a proxy that allows us to place ourselves in the middle from that client to the back end server, and we’re able to see what’s being sent, we’re able to see what’s being sent back, what the reply is.
And within Burp Suite there are different features where we can modify requests, we can modify our request to do certain actions that maybe aren’t intended or might give us some results as a hacker that we like to see.
So you have like Intruder and Repeater, features that are already built in. So Repeater will let you take a request, you can send it to Repeater, and then you can just send that request, make modifications within it.
Excuse me. Intruder is going to let us define a position in our request, and then we can use word lists or certain types of different variables, and we can supply those in multiple requests.
So Intruder just does that. It’s just going to iterate through a bunch of requests with a payload position defined that changes. But the bottom line is Burp Suite is just going to be a web application proxy we use to see the traffic between the client and the back end server.
So I got my notes here. So Burp Suite, yeah, and we went over the core uses. Why would I want to create an extension? Why would you want to create an extension?
So I like Burp Suite. I think it’s great out of the box. Even the Community Edition, it serves a purpose, but it doesn’t cover all use cases.
So with just stock, out of the box Burp Suite, you may be testing an application that does something where you need a little bit more to fully test it or fully see what vulnerabilities might be there.
So introduce extensions. So they have the BApp Store, and in the BApp Store you’ll see it if you use Burp. It comes with, I’m sorry, not pre-configured, but it comes with extensions already loaded into that store that you can install on your machine.
And so we’ll cover some really good extensions here in a minute that I like. But it gives us a little bit more than what Burp Suite has out of the box.
So the prerequisites for creating an extension: you have to have a need, you have to have a want. So there has to be a reason that you need to make that extension.
We’ll dive into that a little bit more as well. But there’s a whole section on what the prerequisites are, so I won’t dive too much into it here.
And then how can an extension improve my testing? We’ll cover that on the next slide as well. But it just gives you a lot more coverage, and one example on the next slide will really highlight how it improves my testing.
So first, what is a Burp extension? So this is going to solve a problem that we might not even know we had. I mean, we could know we have it, but we might not know we have it.
So like I was saying earlier, out of the box Burp Suite doesn’t catch everything. So we can use an extension to cover more use cases.
And a big example, one I use all the time, one I absolutely love, is the JWT Editor. So the JSON Web Token that comes, it’s just base64 encoded, it’s used for a variety of purposes.
But you see them a lot in web applications, especially like a single page web application where it’s a lot of front end JavaScript and we’re going to make a back end call to an API.
They implement a JWT, and then it’s kind of laborious to take it out, decode it, figure out what it’s doing, figure out the roles, find out if it’s signed.
So JWT Editor, that’s an extension in the BApp Store. You can install it, and all of a sudden you can instantly decode, you can modify, you can check if it’s signed or if it isn’t signed, or you have a workaround for that, you’re able to modify that JWT on the spot.
So when you send it to Repeater, for example. So it’s a great tool, saves a lot of time. It makes us as testers more efficient.
It’s a better use of our time, because a lot of times when you’re on a test you only have a limited amount of time, you have 5, 10, whatever amount of days, and you have a lot of area to cover.
So JWT Editor makes us more efficient. Logger++ is another great one that I use all the time. So a lot of times, if I get a question like, hey, I’m just starting out with web app testing, what extension would you recommend?
This is the one that I always recommend, because a lot of times with web application testing, this has been my experience, the conditions for the vulnerability or the conditions for your use case have already been proven.
You might have just missed it. Logger++ takes logging and turns it to 11. So it allows you to tailor your logging to see if, in your request or in your tools, the condition you’re trying to match has already occurred.
Logger++ is a tool that just helps you see what you’ve done and gives you better insight into what’s going on when you’re running Burp Suite, when you’re running an attack through Burp Suite or when your requests are going through Burp Suite.
I absolutely love that one as well. And then there’s the Copy 4 extension. So this one isn’t released publicly, but I talked to a tester here at Black Hills.
He is going to release it. This one has been a real time saver for me. So back to being efficient as a tester, being efficient with my time as a tester.
Copy 4, it’s a Python extension. What it allows for is you can take Nuclei, Nikto, just all the tools that you may commonly use as a web application tester, and you can just right click and it’ll give you the command, because you may be...
I’ll speak for myself. I don’t remember the Nuclei command every single time for every different use case. So I’ll oftentimes have to refer back to my notes for that.
But this has just been a time saver. So it makes me more effective, more efficient. So I believe a blog is coming out about the tool, this extension, not tool, extension, that’s getting released here.
But he has a... So it didn’t have a GUI originally, but now it does have a graphical user interface. And so now you can set up the...
So if you’re using, we’ll stick with Nuclei, if you’re using Nuclei and you have specific templates you want to run, or you have a specific use case that you’re always going to run into, you can put that in the GUI and it’s saved.
So it makes you more efficient as a tester. You’re using your time more wisely. So Burp extensions help us solve that problem. Not only does it help us find vulnerabilities, whatever the use case is, but we’ll stick with making...
Making your client more secure, finding vulnerabilities, and doing that, it makes us more efficient with our time. So Burp extensions help improve our testing capabilities.
So then we ask, how are they made? So if you’ve ever taken the time to look at what languages are supported in Burp Suite as far as extensions, they allow for Python.
So for Python you need Jython, and that’s Python but in Java, and it’s limited in its support.
So it supports Python 2.7. And I’ll speak for myself, I think I finally broke the habit of some of the old Python 2.7 syntax problems that I was still holding on to when I’m writing in Python 3.
So I just try not to look back at Python 2.7. It was great, I liked it. But I’ve got to use Python 3, so...
Even with the print statements it’s different. But there are great extensions that are written in Python, Copy 4 being a prime example of that.
I just choose... that’s just not the path I usually choose when it comes to Burp extensions. So we have Java, and Java is...
Burp Suite is written in Java. So Burp Suite is going to be friendlier to... I shouldn’t even say that, but I just...
In my mind it’s friendlier to extensions that are written in Java. It does support Kotlin. So if you’re an Android developer and that’s...
You’re comfortable, you use Kotlin a lot, go ahead and you can write your extension in Kotlin. So I always think, with Java, writing a Burp extension in Java, I always think so.
I’m here in Michigan, and this time of year the deer are running around everywhere. So if you’re lucky enough to not hit a deer, somebody that’s hit a deer, they have the car at the body shop, and you’ll get the estimate and it’ll say, well, it’s this amount of money and you can use the OEM, original equipment from the manufacturer, or it’s cheaper but you can use something that wasn’t made by the manufacturer.
So in my mind I have that example of why I want to use Java. That’s the OEM language for Burp Suite. So that’s why I’ve chosen to write my extensions in Java.
One thing to note, though, is Burp Suite supports extensions written in Java 21 or lower. Just making a note of that, just so we cover it.
It shouldn’t affect too much, but when you’re making your extension you just have to account for that if you choose to write it in Java. And Ruby. So for that one, you do need JRuby to run those extensions.
On a personal note, I’m a little bit scarred by a Ruby on Rails web app that I managed for a little bit. So I will avoid Ruby at all cost. I will.
If you see me at a conference and you want to talk Ruby, I’ll talk about anything but Ruby. And that’s a joke.
But it was, yeah, I inherited a... Sorry, Jason.
Jason Blanchard
Hey, Dave. I got a quick thing for you. Yeah, just take a little bit of water.
Dave Blandford
Okay.
Jason Blanchard
Okay, yeah, just, we’ll help you with that cough and then that way we’ll get back to it. All right, Dave, you’re doing great.
Dave Blandford
All right, awesome.
Jason Blanchard
I’m heading back.
Dave Blandford
All right. But yeah, so I got a web application that I took over. It was a Ruby on Rails app, and it just was a pain.
So it was infrastructure as a service, and there were updates before I got in. And the reason I got to take over the application is the application just didn’t exist anymore.
And I won’t bore everybody with a really long story, but I am scarred by that experience. So no Ruby. And then this extension here, I meant to have this slide one back, but this extension I have big hopes for.
I still need a use case to try it out, but it’s Snyk’s Socket Sleuth. So this is designed to extend Intruder, interception, and a whole lot of other functionality to WebSockets.
And if you’re not familiar with what WebSockets are, so if you have kids, or if you’ve been a kid before, or seen how a parent and a child react.
So this is how I imagine it in my head. So an HTTP request is going to be like a parent talking to a child, because you’re going to say, do you have homework?
And you’ll just get like a yes or no back. So you get that 200 response. Or, where is your jacket? So you get like a 301, 302 redirect, and that’ll be, I’m gonna have to ask Mom.
Go ask Mom. Or like, how did the test go? 500, you’ll get an error. In WebSockets, I imagine it as if the child had initiated the conversation, like, hey, can I go to the game?
So it’s full duplex. The exchanges are back and forth in a full duplex mode. And it’s not getting that server response.
It’s just a lot of, can I go to the game? Can I go to the game? Can I go to the game? And the topic may change. So I think about analogies a lot, and that’s how I have WebSockets in my head.
But all that to say, it is a little difficult. Burp Suite is not the best at handling WebSockets requests, or for testing it, for extending the testing.
So this particular extension is not in the BApp Store, but it is publicly available, and it does extend some of that testing to WebSockets.
So if anybody’s used it, throw it in the chat if you’ve had success with it. But this is one that I have big hopes for. So this kind of goes back to why an extension is made.
There is a problem. So WebSockets testing, fully extending it. I just saw somebody put a 404 for the code.
So that’s funny, in the chat. But there’s a problem with WebSocket testing, to fully extend it. This is an extension that somebody has made to extend Burp Suite’s testing functionality to WebSockets.
So we’ll talk for a little bit about the environment. So what do we need to create an extension? If you’re new to this, how do we create our environment?
So you’re going to need Java, and if you’re going to develop in Java, you’re going to need the Java Development Kit, that’s a JDK, or the OpenJDK, which is the open version.
But you may be saying, well, I have Java on my computer. But it all depends. You may have Java, but you may not have the Java Development Kit.
So a key point is we have our Java Development Kit, which is a JDK, which, if we’re going to develop, extends some functionality for that. We have our JRE, which is our Java Runtime Environment, and then we have a JVM, which is our Java Virtual Machine.
So the JRE is the runtime environment that is going to give us the Java functionality to run Java on our...
Run on our host. The JVM is going to be what actually runs the Java. So, yeah, the JVM is the Java Virtual Machine that is gonna run it.
So the Burp installer actually has a bundled JRE in that as well.
So you’ll be able to run Burp. That solves a lot of Java issues when you’re running Burp. The only hiccups you’ll encounter with that is if you’re running it from the command line.
So if you’re running it as a JAR file, you may encounter issues there. But the key takeaway from here is if you’re going to develop in Java, you’re going to need to have the JDK on your host.
So let’s take a break and just go over the history of Java a little bit. So the hat tip goes to James Gosling. He’s the creator of Java, and it’s been around for a long time.
So Java was created in about the 1990s, give or take. It’s been around a long time. So it was created to run on embedded devices.
So I think C++ was the first choice. But C has some memory issues.
So they ended up creating Java to solve that. The name is uninspired. It was just, literally, drinking coffee and thought, I should name this Java.
But that was around 1990. So it’s been around a long time, and Java is everywhere. And I have this football picture here because I’m in Michigan.
The Detroit Lions are doing good, and I was thinking, well, how would you describe it if people were asking you? Like every time I hear somebody talk about Java, it’s always kind of like how they talk about the Detroit Lions pre-2020.
Oh, it’s written in Java. But I don’t take Java... It just kind of had like a negative, like, oh, it’s written in Java, oh, it can’t be that good.
It’s in Java. But Java is a great language. I’ve really grown to like it over the years, and it does extend some great functionality.
So it is a compiled language, and you might be saying, well, I thought it was interpreted. So technically it’s both. So you take your Java file, and then it gets compiled into a class file, and that’s the bytecode, and then there is...
It’s interpreted at runtime. So technically it’s both. So Java, it can come in a couple different file extensions.
You can think of a WAR file if you’re thinking like a web application. But most commonly it’s going to come as a JAR file, which is going to be just a zipped file.
If you think of it at the simplest level, with the compiled Java classes in it. There’s more in it, but that’s that.
And so when it’s run, another term just to familiarize yourself with is the just-in-time, or JIT.
So when that program is running, a way to make it more efficient is a lot of times it’ll be interpreted right at runtime, and that’s just to make Java more efficient.
It’s going to use that just-in-time interpretation. So if we’ve started making our code, we have our Java code, we have all our classes, and we have our properties and all that.
How do we get it into a JAR file? Well, we need to compile that. So with javac we have...
That’s the native compilation. So I use that. I still do use it, but I used it before for bigger projects. I’d like to enjoy my weekends.
It’s kind of a pain. It gets a little complicated. So it’s great for a single file, but you have to manage your own dependencies.
And if you use this for a large project, if you’re at an enterprise or an org and you’re using this for a large project, I’d love to hear about it.
If you throw it in the chat, if you’re not using a build tool like Gradle or Maven. Then there’s Gradle.
It’s a fast build tool, that’s another way we can compile. It’s a build tool that compiles. Android loves it.
If you’ve ever used Android Studio, that’s built with Gradle. It can be a little bit hard to debug.
It’s great for mobile app development. Now Burp Suite actually, in their documentation, they recommend using Gradle over Maven, but it has built-in features for Groovy and Kotlin, so it’s good for Android building,
APK building. Maven is what I use, and that’s what we’ll cover in the next couple slides. It does have some cool plugins.
I like it because it’s easy versioning. It does have some built-in tests as well, and for me it was the easy button for dependency management.
So it’s real easy. When you’re bringing in your dependencies, when you’re using dependencies, it makes it real easy to just handle it in an XML configuration file.
So, yep, with Maven we need to take our code and compile it to bytecode. So it’s an easy way to make a JAR file, and Maven will help us accomplish that task.
So the key thing to take away from this slide is it’s not just a compiler. It still uses the Java compiler via a plugin, but it’s a build tool.
It’s a build tool that helps us do that. So for the command structure for Maven, it’s just mvn and then your command. So you can clean your directory, you can compile, you can install, you can deploy.
So the key difference with install and deploy is install is going to be local. Deploy is going to be, if you were hosting on GitHub or GitLab or somewhere, you can go there. And then it lets you run unit tests.
So if you write some unit tests, Maven will handle that for you. So the typical build order is going to be that it’ll validate, it’ll compile, it’ll test and do your unit tests, it’ll package, it’ll verify, it’ll install locally, and then if you have it defined, it’ll deploy.
So what is the pom.xml file? So this is gonna be kind of the quarterback, or like the main. This is gonna be where we’re gonna define our dependencies, define our repo that we might be deploying to.
A lot of it’s gonna be covered in the pom.xml file. So you’ll have your project configuration, your dependency management, the build lifecycle, and the version control.
So this is one from Apache’s Maven project utils. I just grabbed it off GitHub and I cut some stuff out of it. But the main thing there is it’ll have the metadata of the file.
So we have the groupId, and that’s usually going to be in the reverse domain name. So you see it there, org.apache. We’ll have the artifactId and the version and how we’re gonna package it.
So in here we’ve got our properties that are defined. And then the key thing that I like about this, and what I wanted to show, was the dependencies.
I only showed one dependency here. But you just define the dependency in here, and you have to include the groupId, artifactId, and the version and the scope, and then it handles the dependencies for you.
Because when you’re writing, you’re gonna end up using dependencies, specifically, for like, we’re gonna use the Montoya API, so we’re gonna need to import that in.
So this is a way to handle that. So we’ve got writing your code next. So you’re gonna need a place to write your code, so a text editor or an IDE.
I’ve kind of gotten in the bad habit of using Visual Studio Code. And I only say that like, sorry, Free Software Foundation, because I’ve gone through... I don’t have a Microsoft account, I don’t have a Google account.
I’ve just cut everything out. But I still use Visual Studio Code. The reason: it’s real easy, the plugins are great, makes it real easy to code.
It’s really easy to debug. I like Visual Studio Code. I haven’t used it, but I do get a lot of feedback that IntelliJ, their IDE, is great for Java products, but I haven’t used it.
So that’s just what I’ve heard. I have used Eclipse. It’s been around for a long time, and it just integrates easily with Java as well. It’s just been around.
But you’re going to need a place to write your code, and if you’re just starting out, it’s a little bit easier to use an IDE than vim.
So you will need Burp. So you’re going to need to test your extension. You’re going to need to make sure you hit what your requirements are,
that your extension loads, it unloads, it’s doing what it’s supposed to do. So from PortSwigger’s site, this is their basic recommendations.
If you’ve been using Burp for a while, you kind of have an idea where it will run. But they’re saying the recommended is 2 cores and 16 gigs of RAM, and then it’s going to take up space.
So Burp just naturally takes up a lot of space. So, from their site, it’s two gigs of space per project file, then the operating system and the browser.
I was going to talk a little bit about that. So when I’m using Burp, I don’t like to use the embedded browser. I like Firefox; for the most part it just easily works in there.
And I recently heard at a conference that the browser is not ideal for using that, because it’s only embedded in there for Burp Suite’s own testing, or the tests that are in Burp, the old extensions.
So it’s not a fully functional browser. I haven’t had a chance to really dive into that, but it was just an offhanded comment. So I like to have Firefox.
But I made a note here to stop talking about Burp, because I could probably talk about Burp for the rest of this presentation. And a positive attitude.
I wrote that in there for myself, and for you if you need it. But when I’m coding, you’re gonna hit the wall.
I’m gonna hit walls. I’m gonna hit roadblocks. I don’t mean literally hitting the wall, but just hitting a wall as far as progress, little things I can get hung up on.
So just keeping a positive attitude, getting that extension, getting your code to where it needs to be. So now we’ll dive into the Montoya API.
So this is the API. This is what we use to write our extension in. So I put a couple links in there.
And what the picture is showing here is the documentation. It’s the Javadoc that’s produced from the Montoya API.
So a little note about Javadoc. With Java, Javadoc basically allows you, if you comment and write your code appropriately, to create, like, basically all your...
What the code’s supposed to do, as an HTTP website, as an HTTP document. Sorry. And it’s an easy way to view what the code’s supposed to do.
So with the Montoya API, they have a lot of examples. So on their GitHub page they have a lot of examples. So it’s a great resource if you’re trying to write one thing specifically, or if you’re hitting a roadblock, or you want to see it implemented in a way, they’ve got examples where they’ve done it already.
Let me grab a quick drink of water. So with the examples, they’ve done a great job of documenting everything along the way.
So they have done a great job of documenting. So it’s a good use case if you’re not too comfortable or not too familiar with how to code or how to write the extension.
They’ve got examples, and they’ve got great examples. So I wanted to really stress that they have really good examples. So in here is an example of the...
Yeah, the interface, the proxy WebSocket creation handler class. So it’s just a great example to refer back to when you’re writing your code.
So when dealing with the API, we need to start thinking about interfaces. So the Montoya API includes the interface, and the interface is what contains the methods.
So the interface is not going to implement those methods. It contains those methods. So what we need to do when we write our extension is we need to implement the interface.
Yeah, we have to implement the interface. So what we need to do is we need to create a class to use that interface.
So here is an example of the interface. So this is the HttpHandler interface. And what it is, it’s just saying we have a... so this is the interface we’re going to use in a later example.
But yeah, this is what’s going to let us... or, sorry, this is invoked by Burp when that HTTP request is about to be sent.
And then, when we were talking about Javadocs earlier, you’ll see that @param; that is the notation right there that’s used in the Javadoc. So that’s just an example of how to document your code, and it’ll return.
And you can generate that Javadoc just with... detailed, sorry, create a detailed Java document.
Sorry. But yeah, this is the interface we referenced earlier. So this is just for the request and the response received.
So this... And I’ll just read what they have. So the extension can implement this interface and then call registerHttpHandler to register an HTTP handler.
The handler will be notified of requests and responses made and received by any Burp tool. Extensions can perform custom analysis or modification of these messages by registering an HTTP handler.
So next we’re going to make that simple class. So what we need when we make the class: we need the import. The package we don’t necessarily need, but we’re going to include it in the example.
But we need to import the stuff that we need from the Montoya API. And then in Java we’re going to have our class and our constructor.
We need to create our own object. And then the methods are going to allow us to do something. So in Java we’re going to have our methods, and we’re going to need to do something or allow our code to do something.
So in this example we have our package up at the top, and the... any package, because this is a demo.
And then we have our imports. So from the Montoya API, we’re going to import HttpHandler, HttpRequestToBeSent,
HttpResponseReceived, RequestToBeSentAction, and ResponseReceivedAction.
And then in the public class, look, Mom, I’m doing a webinar, we have our class and class variables being declared, and then from there we have our constructor and constructor assignment, and then we have our interface declaration, and then this @Override, that is our compiler check.
So that’s just the Java annotation, that’s what we tell. So we are taking another. We are overriding that. We’re overriding something.
So we’re telling the compiler. But it’s also a great thing to do if you’re working on it.
Jason Blanchard
If.
Dave Blandford
You’re working on a team project, or somebody else is gonna be looking at your code, ’cause it’s just a good way to note to them what’s happening here. And then all we’re going to do here is, so all the method is doing is just logging the URL and the status code of the response received.
And then in our method return statement, if we were going to use that in another class, we’ll be able to return it and use it in another class or somewhere else.
So a couple quick thoughts. So when you’re using the Montoya API, it has to include the BurpExtension interface.
So you need a class that implements the BurpExtension interface. That’s typically going to be your extension’s entry point, where you’re going to implement that interface.
And that’s it. You’re just going to import burp.api.montoya.BurpExtension. And when that’s initialized, that’s how we gain access to the Montoya API.
And this is a case of do as I say, not as I do: design the flow first. So I think it’s been like the last three projects I’ve done where I’ve had to.
I feel like I’ve spent more time at the end trying to get it worked around, because I was trying to refactor the code, or actually not trying, refactoring the code, because I had said, like, oh, it’ll be a simple script, I can get it done there.
And then 2000 lines of JavaScript later, I need to refactor to make the code more efficient. So it does really help to design the flow first, what classes are gonna do what.
And then you are able to submit your extension, if it meets certain requirements, to the BApp Store. So I did put this on here.
These are the requirements from the PortSwigger site if you wanted to submit an extension. So it has to have a unique name. It can’t conflict with another name out there.
And it has to be somewhat descriptive of what the extension does. The name has to be clear. It has to be secure. So if you’re designing something,
you can’t use insecure coding practices or put the user at more risk than they were prior to your extension being installed. They do require that your extension has to include all dependencies.
So it has to be bundled in at the time, and it has to use threads. So when you’re coding, this is a way to help the UI. So PortSwigger doesn’t want your extension to make their product look bad.
So this takes into account slower processes. A thread is going to have its own stack and its own register. And yeah, the extension has to unload cleanly.
So when you’re unloading the extension, and I’ve encountered this before, where you write an extension and when you unload it, it’ll cause Burp to crash, or there’ll be some issues.
Again, kind of back to why you need to use threads: PortSwigger wants Burp Suite to run. They don’t want their product to look bad as well.
So when your extension is unloaded, it has to unload cleanly, and it has to use Burp networking, so you can’t use, like, java.net.URL in there.
You have to use Burp’s networking. One example they gave with it, talking about offline working, why they need it to work offline.
The example they gave is, they had mentioned in the example, like, an air-gapped network, or they have customers or clients that work in secure environments that are not allowed Internet access.
So the extension, to get it submitted into the BApp Store, needs to be able to work offline, and it has to work with large projects. So that was one of the extensions that I wrote.
It worked with small projects. But when it got to, like, maybe we’ll say a two-gig file, it just didn’t want to work.
Two-gig project file, it just didn’t work. And then it needs a parent for the GUI elements. And the reasoning behind that is,
if you’re working with dual monitors, if you have a pop-up, for example, and you don’t have that,
if that parent element isn’t there for the GUI element, your pop-up may end up on another screen. And it just might not work.
For usability, you want that in there. And then it has to use a Montoya API artifact. And that’s where in their documentation it says Gradle or Maven.
And the reason being, there’s a couple ways you can get to the Montoya API. You can take the Community Edition, you can decompile that jar, or you can unpack that jar, and inside there the Montoya API will be in there, and you can use that.
Highly frowned upon. Not highly frowned upon, but they discourage it, and they want the Montoya API artifact.
So that’s having it in your pom.xml file for Maven; that’s going to give you that artifact.
Okay, so I think we’ve got about five minutes. I’m gonna quit sharing here for a second, and I’m gonna pull up my VM, and we’re gonna go over, or kind of show, the last extension I made and kind of bring it all together.
So what we discussed at a real high level for this class. Let me grab a quick drink.
All right. So the extension I made, what it was, is ideally what I wanted to do was visualize web requests, the response and all that,
what’s loaded, as a Burp extension. Now, Burp just wasn’t the right tool for that. I ended up offloading a lot of it to a Flask app.
But what I needed was access to the Burp project history.
So this is the extension loading, and we have that. What this does is, I can either specify a path and a file name to make a JSON file from the project history,
or I have an API server. So Burp does have an API server, but it’s basically to start and stop scans.
It doesn’t have much functionality to it. So this extends it. What this does is, I’m able to make an API call and get the JSON history.
So I can use my Burp project history in another tool. But what I kind of wanted to go over, just at a high level, is the structure.
So I’ve got my Visual Studio, and then we have our packages.
So one thing with a Java package, it’s just an added defense, is when you specify by package, it is a way, if you’re coding for, like, a large project, more outside of, like, a Burp extension, you can set up, like, access control boundaries by package.
It’s not the best, but it is there where you can do that. I didn’t want to move that, but so we have in here, in our project file, we have our burp, which is going to have the Montoya API, and then we have my class here.
So basically what it’s doing, Wichita is going to be our entry point, and I’ll apologize ahead of time, I’m terrible with variable names.
So that’s kind of more of a, if you’re just getting into it, a do as I say, not as I do. But what this does is, this gives us our,
the GUI portion inside Burp, and it’s our application entry point. And then I have divided it up by classes.
So I have a class that creates that Spark server. And the Spark server is basically a wrapper for a Jetty server.
So it’s perfect for making REST API calls. Because what I needed to do, my use case, is I needed my JSON output of the project file so other tools could consume it.
So I have that in, and this one here.
So I’m importing the Spark server, which I also, in my pom.xml, I’m bringing that in as a dependency here, and then I’m able to import it here, and this is what gives us,
this is what gives us that API server. And then in this one is,
this is really, I just added this because I took a bunch of stuff out. And this one, this particular class here, this is just what gives me the,
if you’ll see the “welcome to Agra finder, the journey begins” flowing across the panel, that’s what gives me that.
And then outside of this, this is what I’m using to actually write the file, to create that JSON file.
But that is, if we had a little bit more time, which I thought I’d wrap up a little sooner, I was going to dive in. But I think this is a good place to stop.
Jason Blanchard
Hey, Dave.
Dave Blandford
Hey. Hey.
Jason Blanchard
How you doing?
Dave Blandford
Good, good.
Jason Blanchard
Yeah.
Dave Blandford
Yeah.
Jason Blanchard
Was there more code stuff you wanted
Dave Blandford
to show, or if we got some time? I was gonna kind of just walk through the whole thing, but I,
Jason Blanchard
Just keep going, Dave.
Dave Blandford
Just keep going. Okay. Okay.
Jason Blanchard
I’ll go backstage. You keep going.
Dave Blandford
All right. So we do have a little bit more time. So I did want to kind of tie into this. So what we have is,
when you’re thinking about dividing up your project, when you’re just starting out, when you’re making your Java file, which, when you compile it, the .java will be the .class,
you want to start logically creating boundaries for what each action is going to do. So in this example, if I needed to create that API server, I want that in its own class.
If I’m going to be doing visualization elements, I want that in its own class. And really, personally, I’d like to have the entry point as its own class.
So just the app entry point, just make it its own class. And then creating the JSON file, in this example, making that its own class.
It turns out it makes your life a lot easier when you’re troubleshooting, or in the event that you want to add something or remove something.
I’ve tried creating, or just out of bad habit, I’ve created just one class to handle it all. It’s a pain to troubleshoot. But ultimately what we have, sorry, what we ended up doing.
So what this extension ends up doing here is, I used 1Password, and the reason I used them is they have a bug bounty and this one’s in game.
Or it’s fair play. We’re not actually going to hack it. But so we have built up a list of their accounts, or not their accounts.
Sorry. When we load up the login page, these URIs load, and then if we create our API server, this right here,
that’s probably not fun to watch, I just realized, but this gives me the JSON output of my Burp project history,
yeah, the project history, the Burp history. So what I have here now, I’m able to take that into a different tool and use it for what I need it for.
So what I have actually, oh, forget that, I updated that. So what I have here, this is the visualization tool. We got a couple minutes, so I can show that.
Let’s actually write it to a project file for that, though. Mhm.
And the reason I’m writing it, not using the API, is because the history, the way I wrote it, there’s a history and an update endpoint. The history endpoint,
it’ll give you the JSON once, but then it resets, and the history is cleared out, and it’ll only provide, or you’ll have to get the rest through update. And what this is doing,
so I tried doing the visualization in Burp Suite, but it just wasn’t,
it didn’t work well with the memory. It was just easier to port it into a Flask server. It just kept causing Burp to crash.
But here, now I’m able to get what is, with this API v2 pre-registration features, I get to find out what resources load in there, where it’s pulled into.
So I created this. This was a need that I wanted, and that’s why I created the Burp extension, and this tool as well.
But this helped me out. It helps me out with my testing, kind of audit, and I’m able to visualize some of the requests. And when you get into JavaScript, like a single-page application that is pulling in from a hundred different places, and it’s got JavaScript loading that’s loading JavaScript that’s loading, kind of like an infinite JavaScript load and redirects,
this helps out. So, all right, I think that’s a good place to stop.
Jason Blanchard
Also, I was muted, so all of that was nothing. Okay, Dave, if you could sum up everything that you talked about today in one final thought.
If you could just say, hey, here’s everything, and if I could just say one thing, what would it be? What would it be, Dave?
Dave Blandford
Yeah, one final thought. Burp extensions have made my life better, and being able to create my own has helped me as a tester.
So I encourage you to as well.
Jason Blanchard
And Moto JP said, burping ain’t easy, so well done, Dave. First Black Hills Information Security webcast. How do you feel?
Dave Blandford
I feel good. I feel okay. Felt like I talked too much.
Jason Blanchard
Well, when there’s no one to, like, yeah, it’s just gonna talk at you, and then, yeah, I got to watch the chat, so I got a chance to see everyone interacting and posting memes and GIFs.
Memes and GIFs are the head nods of the Internet generation, the Zoom generation. So whenever you see a GIF or head nod, just imagine people smiling in an audience or going like this.
Right. All right, so, Dave, I have a question that I ask every tester, and it’s a very personal question, and it’s at the very end, and if people need to go,
understood. If you didn’t get your gift of the survival guide and the comic book, Deb’s gonna post it into the chat. Yes, so you can order it. Apparently, some of you ordered it as far as Argentina and New Zealand before we realized,
oh, no, because, that’s fine. Cost like a hundred dollars a piece.
Deb Wigley
But we’ll probably throw other things in there just to make it worth the shipping.
Jason Blanchard
Yeah, well, we’ll figure it out. We probably suck at capitalism, and this is an example. All right, so, Dave, here’s the question I ask everyone. It’s incredibly personal, and it may cause you to think deeply about your life and the choices you’ve made.
Are you ready, Dave?
Dave Blandford
I was, but then. We’ll see. We’ll see.
Jason Blanchard
All right. During a test, if you are not finding a way to bypass someone’s security, or not finding a vulnerability, if you’re not finding something to exploit, do you feel like they have good security and they have secured themselves, or do you feel like your skills are lacking and you need to improve?
Dave Blandford
I always think it’s a me problem. Not like, it’s just always like, I always think I’m doing something wrong over, like, the security.
Turns out maybe the security is great, but it’s just the way I am, I guess.
Jason Blanchard
Yeah. And the reason I like to ask that question is because I was on Paul’s Security Weekly one time, and they had a guy that had a piece of software that would fuzz stuff and look for vulnerabilities.
And so I asked him the question. I was like, let’s say you run your tool. If you don’t find anything, do you assume that your tool is fantastic and they have no issues, or do you assume that your tool is terrible and it can’t find the issues?
And, like, you could see it was the first time he ever thought, like, I had not thought about that. So, for those of you out there that are learning pen testing, learning Burp Suite, learning these things, if you don’t know how to do them when you’re first getting started, well, keep learning them.
But also, sometimes their security is just very good. And as a pen tester, you’ve just come across something where they’ve done a very good job. And sometimes it’s not you, and sometimes it is.
So. All right, Dave, I am going to ask the audience a question here, and we’re going to look at the chat. So this was a beginner’s guide to Burp extensions.
So I’m going to ask the audience, did you feel like this was beginner, below beginner, or above beginner? Just so that you can see. Because sometimes when you’re creating content, you think something’s beginner, but it’s actually not beginner, or you think something’s beginner and it actually is beginner.
Dave Blandford
So you get lots of different...
Deb Wigley
Just like Goldilocks’ porridge.
Jason Blanchard
And Dave, this is your feedback. So that way, if you’re looking at making content in the future, there’s nothing good or bad about it. It’s just, yeah, we have a diverse audience of people who have knowledge and skills,
and so we’re just trying to figure out, yeah, beginner is relative. That is correct. Beginner is relative. If you haven’t checked in for Hackett, please do so. And if you have questions for Dave, we’re going to ask those questions now.
Deb Wigley
I didn’t really see a lot during. So if we missed something, now’s the time to ask the question to Dave. You have a little bit of time left, and if not, that’s fine.
That means Dave did a great job of answering everything.
Jason Blanchard
Okay, great overview. Definitely necessary to do further research on subjects brought up. Thank you for that comment. Dave, did you have any, like, thing that you wanted to say, like, came up that you’re like, oh, I forgot that?
If not, that’s fine.
Dave Blandford
There was a point on there. The point was, I think, like, the hardest thing for me for starting, I just wanted to make a point with starting, like, to develop anything, is to just get over, like, the
“I don’t know where to start.” But I think if I can make things as simple as possible in my mind. So if I just know, like, hey, I need a method, I need a class, and I need this class or this method to do this.
If you just kind of take the big picture and just make the little items, that helped me out. So I meant to keep kind of talking about that in the talk, and I think I missed that a couple times.
So that’s the only thing I’d like to add.
Jason Blanchard
Yeah. And Dave, some of the feedback I’m seeing is that it was slightly above beginner, but you did a really good job of explaining and introducing new concepts. So, yeah, some people were saying beginner, a little above beginner.
But as far as, you did a good job of, like, going back and saying this is what this is, this is where it came from. This is good. So, all right, from someone coming from Python and wanting to write Burp extensions, that’s the only main purpose for learning Java.
Do you recommend Java or Kotlin?
Dave Blandford
Me personally, I will tell you I would recommend Java. Now I will say there’s Dana Epp, he’s a kind of prolific API hacker, and he is all 100 in on Kotlin.
So, for whatever reason, I just like Java. It’s just more what I’m comfortable with. If you’re coming over from Python, the thing I would like to say is, with Java, there’s going to be more examples out there.
I feel like, with PortSwigger’s documentation, if you can keep it in Java rather than try to learn the new language and not have the examples as well.
So I would say Java. Short answer, Java. Cool.
Jason Blanchard
I think we’re going to end with this question. Well done, Dave. Have you tried ChatGPT to create Burp extensions?
Dave Blandford
I’ve not. No. Do I need to?
Deb Wigley
Our AI overlords would say yes.
Dave Blandford
So I kind of, on that, like, I had this thought, like, so the 70s always had, like, good music that came out. And I wonder if, like, the music would be so good if ChatGPT was around and it was all kind of created by AI.
Yeah. So I’d like to, I kind of, the point being on that is I feel like I still get to use my brain a little bit when I’m coding, so.
Jason Blanchard
All right, so everybody, thank you so much for joining us today. If you’re in Discord, please stick around. There’s the career chat section where you can actually get career advice.
If you’re currently job hunting, please put the word hunter into the Discord chat. So that way we can give you the Job Hunter role, which will unlock a message board for you. But here’s the thing.
Like, once you actually engage today with the webcast live, that automatically unlocks the message board for you. And the reason we have it locked is so that way people don’t spam our server.
They don’t come in. So you actually have to engage in some way for us to build a little bit of trust with you before we unlock that message board. But if you have a job that you currently need to fill, a role on your team, feel free to use the Black Hills Discord server.
And I know that might be weird that we’re a company, and we’re a pen testing company, and we do red teaming, we do all these things, and you’re somehow finding people to hire from this community. Like, no, it’s totally fine, because there’s, like, 40,000 people here, and there’s an opportunity for them to come join your team.
And here’s the thing about the people who are watching this. They want to get better, they want to learn new things, and they want to improve themselves. That’s why they’re here. And so that would make a great person to potentially hire onto your team.
So if you want to post a job, just say the word hunter too. We’ll give you the Job Hunter role just so that you can post the job that you’re currently hunting, or trying to fill. All right, Dave, thank you so much.
Dave, this was your first Black Hills webcast. I’m going to reach out to you soon about scheduling your next one for next year. We’re already scheduled out until, like, April of next year, so somewhere in the summer or in the fall.
And, Deb, any final thoughts from you, Kindness and Generosity Director?
Deb Wigley
Well, when you said the summer, I started thinking about all the new fun shirts that we’ll have created.
Dave Blandford
And,
Deb Wigley
You don’t have to spotlight me, Yuri. I really hate that. That’s my final thought. But, yes, no. Thank you guys so much for being here. We realize that you have lots of different options for where to invest your time.
There’s no shortage of things to watch now and have your attention. So we appreciate that you give us an hour of your day every week.
Dave Blandford
We love it. Yeah. All right, Yuri.