Awesome
Piper for Burp Suite
Piper integrates external tools and their pipelines to Burp Suite. The extension can pass HTTP requests and responses from Burp to external programs, then feed the execution result back to Burp. With Piper you can create:
- Commentators: Display the output of an external program in Proxy History
as comments. For example, you can display the cryptographic hash of every
request by piping their content to
sha256sum
. - Highlighters: Highlight items in the proxy history based on their contents. For example, you can highlight items where HTTP response includes elements of a wordlist.
- Message Viewers: Display the contents of HTTP messages with custom
formatting. For example, you can display Protobuf structures by piping message
contents to
protoc
. - Context Menu Items: Invoke external tools from context menu. For example, you can use an external diff GUI to compare HTTP messages.
- Intruder Payload Generators: Generate payloads for Intruder with external tools. For example, you can make Intruder use password candidates generated by John the Ripper.
- Intruder Payload Processors: Transform Intruder payloads. For example, you can apply base64 encoding with a custom alphabet using an external script.
- Macros: You can use external tools as part of Macros. For example, you can automatically generate predictable CSRF tokens for every outgoing request.
- HTTP Listeners: Transform outgoing and incoming HTTP messages. For example, you can use an external Python script to handle custom encryption.
Detailed usage information is provided in the original GWAPT Gold Paper, and in this demonstration video.
Building
Execute ./gradlew build
and you'll have the plugin ready in
build/libs/burp-piper.jar
Known issues
- The terminal emulator ignores background color when Look and feel is set to Nimbus, see https://bugs.openjdk.java.net/browse/JDK-8058704
Security
Piper configurations can be exported and imported. As configurations define commands to be executed on the user's machine, importing malicious configurations is a security risk.
Piper disables configurations loaded via the GUI to prevent exploitation, and
unexpected behavior (e.g.: modification of HTTP messages). To support
automation, Piper enables configurations loaded via the PIPER_CONFIG
environment variable, so extra care must be taken in this use case.
Users should always review configurations before importing or enabling them.
License
The whole project is available under the GNU General Public License v3.0,
see LICENSE.md
. The swing-terminal component was developed by
@redpois0n, released under this same license.