tssci security

Extending Burp with Jython Burp API

Last year, I released the Jython Burp API, a plugin framework for Burp that allows running multiple plugins simultaneously, exposes an interactive Jython console, provides Filter-like functionality, and eases developing plugins at runtime by providing more Pythonic APIs and automatic code reloading when code or configurations are updated. I presented an overview of my framework at an iSec Partners Forum in NYC last year. Others have released similar frameworks that also provide the ability to write Burp extensions in Jython.

Since then, PortSwigger released a new Burp Extender API, allowing users to develop all sorts of plugins and extend Burp's various tools in a myriad of ways. Regardless, I find that my framework and others like Buby still have their place. I'd like to take the next few paragraphs to guide users on setting up the Jython Burp API in their environment.

Getting Jython

First, we'll need to get the latest 2.7+ standalone version of Jython. At the time of this writing, the latest version is Jython 2.7beta1. Once you download Jython, configure Burp's Python Environment.

Loading the Jython Burp API

If you haven't already done so, download the Jython Burp API. Then, provided you're running Burp 1.5.04 or later, all you need to do is add jython-burp-api/Lib/burp_extender.py as a Python extension to Burp:

Load Burp Extension

After you've clicked next, you should see the extension among the list of other currently loaded extensions (if any).

Burp Extensions

An additional feature you may find useful is an interactive Jython console tab that allows you to interact with the Burp Extender object and any other variables in the local namespace. I find it useful to iterate over requests in Burp's Proxy History, collecting various information or highlighting/commenting requests that may contain a specific header or string in the response body.

Jython Console

I added a right-click context menu item so you could select specific requests and send them to the items variable, accessible from the console.

Assign to local variable `items` in console

Working with requests set to the `items` local variable
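The kind of console triage described above (highlighting or commenting history items whose response carries a given header or body string), as an added example that is not code from the Jython Burp API. It assumes each item exposes the standard Burp `IHttpRequestResponse` methods `getResponse()`, `setHighlight()` and `setComment()`; the framework's own request objects may use different names. `FakeItem`, `to_text`, `split_response`, `mark_items` and the sample responses are constructed for illustration.

```python
class FakeItem(object):
    """Constructed stand-in for an IHttpRequestResponse, so this runs outside Burp."""
    def __init__(self, response):
        self._response, self.highlight, self.comment = response, None, None
    def getResponse(self):
        return self._response
    def setHighlight(self, color):
        self.highlight = color
    def setComment(self, text):
        self.comment = text

def to_text(raw):
    if hasattr(raw, "tostring"):   # inside Burp, Jython gets a Java byte[]
        raw = raw.tostring()
    return raw.decode("latin-1")

def split_response(raw):
    """Return (headers dict with lower-cased names, body text)."""
    head, _, body = to_text(raw).partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def mark_items(items, header=None, needle=None, color="yellow"):
    """Highlight and comment items whose response has `header` or contains `needle`."""
    hits = []
    for index, item in enumerate(items):
        raw = item.getResponse()
        if raw is None:                        # request that never got a response
            continue
        headers, body = split_response(raw)
        reasons = []
        if header and header.lower() in headers:
            reasons.append("header %s: %s" % (header, headers[header.lower()]))
        if needle and needle in body:
            reasons.append("body contains %r" % needle)
        if reasons:
            item.setHighlight(color)
            item.setComment("; ".join(reasons))
            hits.append((index, reasons))
    return hits

SAMPLE = [  # constructed responses, not captured traffic
    FakeItem(b"HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3\r\n\r\n<html>ok</html>"),
    FakeItem(b"HTTP/1.1 500 Error\r\nContent-Type: text/html\r\n\r\nTraceback (most recent call last)"),
    FakeItem(None),
]
```

Calling `mark_items(SAMPLE, header="X-Powered-By", needle="Traceback")` marks the first two sample items and skips the one without a response.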

In a future blog post, I may dive into using some of the other features of the framework. In the meantime, please feel free to fork and contribute to the Jython Burp API!

Posted by Marcin on Thursday, February 14, 2013 in Security.
