Simplifying the development of your own one-shot extensions, a thread ⤵️
First, a warning ⚠️ I don’t recommend writing custom extensions every now and then. It's much more efficient to master a few highly-configurable ones, like Logger++ or Hackvertor. Let's do it anyway... 😉
The use-case is basic: we want to append a string to the User-Agent header. Quite a common scenario during assessments or bug hunting, for logging or filtering purposes
Which language? Java, Ruby or Python? I'll try not to start a war 🕊️
I used Python for ages, but let's face it... Jython will never see an upgrade to v3. Debugging is a mess. Some types are a PITA to manipulate, like java.util.List<int[]> (👋 applyMarkers())
Ruby? Not my cup of tea. And if I have to learn a new language, I prefer building a skill I can re-use in other contexts
Java? It’s very verbose… but that's the best dev environment when dealing with Burp Suite. Cool kids like @h3xstream @floyd_ch @albinowax @BitK_ use Kotlin, which promises less code and no NullPointer issues 💪
Which part of the extension API should we use? Why not the often overlooked performAction(), which is executed from session handling rules? It has the incredible advantage of outsourcing a lot of complexity to the rule itself 🤩 portswigger.net/burp/extender/…
An example: wanna execute your extension only for Proxy and Repeater, on a single host? Lucky you, that's exactly what is offered by the Scope tab! Zero lines of code, just a few checkboxes 🦥
Recap: an extension modifying the User-Agent, developed in Kotlin and triggered by session handling rules. Go!
For the initial setup (IDE, skeleton), look at this article from @yeswehack. That’s really all you need! 🎁 blog.yeswehack.com/yeswerhackers/…
Implementing getActionName() is mandatory, we simply return a string. On the more complex performAction(), we start seeing some benefits of Kotlin. Easy loops, direct access to getters and setters, … 👍
Copy to BurpExtender.kt, save, build, load the resulting JAR in Burp, add a session handling rule and… it works! 🥳
(when modifying the code, keep in mind that Burp's shortcut Ctrl-Click will quickly reload an extension) 🤫
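A sketch of what such an extension can look like, added here as an example (it is not the code from the thread's screenshot). It assumes the legacy Burp Extender API interfaces are available in the `burp` package, as in the skeleton setup mentioned above; the marker value and the extension/action names are constructed.

```kotlin
package burp

// Constructed marker value (assumption): pick one per assessment so that
// server-side logs and filters can single out your traffic.
private const val MARKER = "assessment-marker-0001"

class BurpExtender : IBurpExtender, ISessionHandlingAction {
    private lateinit var helpers: IExtensionHelpers

    override fun registerExtenderCallbacks(callbacks: IBurpExtenderCallbacks) {
        helpers = callbacks.helpers
        callbacks.setExtensionName("User-Agent marker")
        // Makes the action selectable in a session handling rule
        // ("Invoke a Burp extension"); the rule decides tools and scope.
        callbacks.registerSessionHandlingAction(this)
    }

    // Name shown in the session handling rule editor.
    override fun getActionName(): String = "Append marker to User-Agent"

    override fun performAction(
        currentRequest: IHttpRequestResponse,
        macroItems: Array<IHttpRequestResponse>?   // null when the rule runs no macro
    ) {
        val raw = currentRequest.request
        val info = helpers.analyzeRequest(raw)
        val headers = info.headers.toMutableList()  // index 0 is the request line
        val body = raw.copyOfRange(info.bodyOffset, raw.size)

        // Header names are case-insensitive, so match accordingly.
        val idx = headers.indexOfFirst { it.startsWith("User-Agent:", ignoreCase = true) }
        when {
            // No User-Agent at all: add one carrying only the marker.
            idx < 0 -> headers.add("User-Agent: $MARKER")
            // Already tagged (e.g. a request resent from Repeater): leave untouched.
            MARKER in headers[idx] -> return
            else -> headers[idx] = headers[idx].trimEnd() + " " + MARKER
        }
        // buildHttpMessage() recomputes Content-Length for the unchanged body.
        currentRequest.request = helpers.buildHttpMessage(headers, body)
    }
}
```

Nothing in the code checks the tool or the host: that filtering stays in the session handling rule's Scope tab, as described above.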
And what is the curlx command used in the screenshot? Just a Bash alias... No, I’m kidding, I use Zsh 🦹‍♂️
TL;DR 1⃣ Python for Burp is slowly dying, switch to Kotlin 2⃣ Use session handling rules to manage the execution scope of your extension
Done? I think so! I hope you found it useful. 🖤
