Awesome

Developing Burp Suite Extensions

This repository contains the slides and code for the training Developing Burp Suite Extensions - From Manual Testing to Security Automation

Content

• BurpExtensionTemplate - Empty extension templates for NetBeans, Eclipse and IDEA
• HelloBurp - Our first Burp extension
• SiteLogger - Log sitemap and findings to database (MongoDB)
• ReplayAndDiff - Replay a scan with a fresh session and diff the results
• DetectSRI - Passive scanner check to detect the use of Subresource Integrity (SRI) attribute
• DetectELJ - Active scanner check to detect Expression Language (EL) injection vulnerabilities
• Bradamsa - Simplified code of Bradansa Intruder payloads generator
• Doyensec_DevelopingBurpSuiteExtensionsTraining.pdf - Full slides of the training (PDF, 155 pages)

All exercises are provided in Java, Python and Ruby.

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0). You are free to Share and Adapt under the following terms: Attribution, NonCommercial, ShareAlike.

Overview of the class

In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. In a few hours, we work on several plugins to improve manual security testing efforts as well as to create fully-automated security tools. This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. As an attendee, you will bring home a full bag of tricks that will take your web security skills to the next level. The class is available in 1-day and 2-days versions.

Audience

Suitable for both web application security specialists and developers. Attendees are expected to have rudimental understanding of Burp Suite as well as basic object-oriented programming experience. While Burp extensions are developed live in Java, attendees can work on Python or Ruby since all exercises are also provided in those languages.

Interested?

More details on what to expect from this class can be found on our blog post. We deliver this class during public events (e.g. security conferences) as well as private company workshops. If you're interested in a forthcoming public training or you want to know more about private classes, please contact info@doyensec.com