Burp Suite stands out as the de-facto attack proxy for web application assessments. Part of its power lies in the Burp Extender interface which allows "developers" to extend Burp's functionality, including reading and modifying runtime data and configuration, trigger key actions such as Burp Scanner or extend the Burp user interface itself with custom menus and windows.
"That's great, but I'm not a developer, I'm a webapp tester and I want the goodness too"
This practical workshop will take you from zero to hero even if you've never coded a line of Java in your life. Through some basic hands-on examples I will guide you through the process of getting your machine ready for coding, the key features of Burp Extender and how to use it to solve some real world web application testing scenarios.
A rough agenda for the workshop is as follows:
- The problem Burp Extender solves
- Getting ready
- Introduction to the Eclipse IDE
- Burp Extender Hello World!
- Manipulating runtime data
- Decoding a custom encoding scheme
- "Shelling out" to other scripts
- Limitations of Burp Extender
- Examples of really cool Burp plugins to fire your imagination
Those looking to attend will require:
- Laptop running Windows 7 (or OSX/Linux but I won't be demonstrating with/troubleshooting these) with WiFi capability. VM is fine, if not preferred)
- Java Runtime Environment 6 or above
- Burp Suite 1.4 and above (Professional preferred but Free will be ok)
- Administrator rights to the machine as they will need to install software (supplied on USB stick)
- Some programming experience with other languages is assumed. My background is in Bash, Perl, PHP, Python and Ruby if that helps to guage your own capabilities.