For those of you who work in web application security, maybe you're familiar with Burp. As a senior pen tester at Schellman, I certainly am: I work with it a lot, and it serves me well.

However, a couple of years ago, I did hit a snag. At the time, I was working on a big project where the main web application was signing all of its requests. While it was still easy for me to intercept the traffic using Burp, I found that I was unable to modify any of the requests: if I tried, the end server returned an authentication error, because the signature no longer matched the modified request.

I think we'd all agree that Burp is a fantastic tool, but like all things, it does have its limitations. In my case, I reasoned that maybe a Burp extension could help me work around my specific problem. But what I then realized was that there was no extension out there that could help.

If you've ever been in a similar situation, trying to write your own solution to a Burp problem that crops up, read on. You'll find how I troubleshot for a bit before settling on a process to write my own extension and thereby solve my problem. Writing your own extension is certainly not a cure-all for every obstacle we might come across working in AppSec, but who knows? It did help me, and it may serve you too in the future, or if you're facing some of Burp's limitations right now.

Getting Started

For my first try, I used some Python scripts provided by the vendor to resign the requests, but that was slow and impractical: for each request, I had to copy or capture it from Burp into the scripts, update the values in it, and resign the request before finally sending it to the end server to analyze the response.

Even worse than the tediousness of that, the process also created an additional problem: the scanning capabilities, and any other Burp extensions that could change the packets, were no longer usable. All of them would modify the request and thereby invalidate the original signature.

My next step was to start researching other Burp extensions with characteristics similar to what I was trying to accomplish. I definitely did not want to waste time developing something that already existed.
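To make the re-signing problem concrete, here is an added example of the approach a Burp extension can take to keep the Scanner, Intruder and other extensions usable against a request-signing application. This is not the author's extension and not the vendor's scripts; the post never says how the target application computes its signature, so the scheme below (an `X-Signature` header carrying base64(HMAC-SHA256(key, METHOD + "\n" + PATH + "\n" + BODY)), a constructed shared key, and the constructed sample request) is a hypothetical stand-in that you would replace with the real algorithm. The pure-Python functions run anywhere; the `BurpExtender` class at the bottom is the Jython glue that uses the legacy Burp Extender API (`registerHttpListener`, `processHttpMessage`, `getRequest`, `setRequest`) and is only exercised when the module is loaded inside Burp.

```python
"""Added example: re-sign every outgoing request from inside a Burp HTTP listener.

The signing scheme, key and sample request are assumptions for illustration;
the original post does not describe the real application's algorithm.
"""
import base64
import hashlib
import hmac

# Hypothetical scheme: X-Signature = base64(HMAC-SHA256(key, METHOD\nPATH\nBODY))
SIGNATURE_HEADER = b"X-Signature"
SHARED_KEY = b"demo-shared-secret"  # constructed sample key, not a real secret

# Constructed sample request (no real host or endpoint).
SAMPLE_REQUEST = (
    b"POST /api/transfer HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b'{"amount": 10}'
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, header_lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def compute_signature(key, method, path, body):
    """Canonical string -> HMAC-SHA256 -> base64, per the assumed scheme."""
    canonical = method + b"\n" + path + b"\n" + body
    return base64.b64encode(hmac.new(key, canonical, hashlib.sha256).digest())


def resign_request(raw, key=SHARED_KEY):
    """Return the request with X-Signature (and Content-Length) recomputed
    for its *current* content, so edits made by Repeater, Scanner, Intruder
    or another extension no longer trip the server's signature check."""
    request_line, headers, body = split_request(raw)
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path = parts[0], parts[1]
    signature = compute_signature(key, method, path, body)
    kept = []
    for header in headers:
        name = header.split(b":", 1)[0].strip().lower()
        if name in (SIGNATURE_HEADER.lower(), b"content-length"):
            continue  # stale values are dropped and re-added below
        kept.append(header)
    kept.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    kept.append(SIGNATURE_HEADER + b": " + signature)
    return request_line + b"\r\n" + b"\r\n".join(kept) + b"\r\n\r\n" + body


def verify_request(raw, key=SHARED_KEY):
    """Server-side view of the same scheme: does X-Signature match the content?
    Used here to show that a tampered request fails until it is re-signed."""
    request_line, headers, body = split_request(raw)
    method, path = request_line.split(b" ")[:2]
    presented = None
    for header in headers:
        name, _, value = header.partition(b":")
        if name.strip().lower() == SIGNATURE_HEADER.lower():
            presented = value.strip()
    if presented is None:
        return False
    expected = compute_signature(key, method, path, body)
    return hmac.compare_digest(expected, presented)


# --- Burp glue (Jython, legacy Extender API); inert outside Burp -------------
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:  # running outside Burp (e.g. for the checks below)
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        callbacks.setExtensionName("Request re-signer (added example)")
        # An HTTP listener sees traffic from every tool, so payloads injected
        # by the Scanner or Intruder are re-signed just before they leave Burp.
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest:
            return
        raw = bytes(bytearray(messageInfo.getRequest()))  # Java byte[] -> bytes
        messageInfo.setRequest(resign_request(raw))


if __name__ == "__main__":
    signed = resign_request(SAMPLE_REQUEST)
    tampered = signed.replace(b'"amount": 10', b'"amount": 99')
    print("original re-signed verifies:", verify_request(signed))
    print("tampered copy verifies:     ", verify_request(tampered))
    print("tampered copy re-signed:    ", verify_request(resign_request(tampered)))
```

The important design point is where the re-signing happens: in an `IHttpListener` rather than only in the Proxy, so that automated tools that rewrite the request (the Scanner, Intruder, other extensions) all get a fresh signature on the way out. The trade-off is that the listener must also see the shared key; keep it in the extension's configuration rather than hard-coded, and remember that re-signing hides signature-validation bugs from the Scanner, so test the server's verification logic separately with deliberately unsigned and mis-signed requests.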