Day 030 #FromZeroToHacker – Burp Suite Extender

Burp Suite Extender lets us expand our Burp Suite installation with additional modules created by the community. You can even create your own modules!

Let’s see how it works in our daily #FromZeroToHacker challenge.


Introduction to Burp Suite Extender

We are going to focus now on Burp Suite’s modular aspects: the exposed functionality that allows developers to create additional modules for the framework. Burp Extender lets us extend (hah!) the functionality of Burp Suite with new extensions created by the community. You can even create your own!

The extensions interface

Burp Suite Extensions

Right now, as you can see, we have no extensions loaded yet.

The first box, at the top of the screenshot, lists the extensions we have installed and lets us activate or deactivate them.

The options to the left of this box allow us to add and remove extensions, while Up and Down let us reorder them. Extensions are loaded and used in descending order based on this list, which means traffic passes through the extensions in that order. Sometimes this ordering causes errors, so you may have to reorder extensions or even deactivate some of them.

The BApp store

The Burp App Store (or BApp Store) gives us a way to download and install new extensions seamlessly from within Burp Suite. Extensions are written in Java, but they can also be written in other languages like Python (using the Jython interpreter).

Burp Suite BApp Store

And this is what the main section looks like after an extension has been installed:

Burp Suite extension installed

Jython

If we want to use Python modules in Burp Suite, we need to include a separate Jython interpreter JAR file. We can either use it as a standalone archive or install Jython on our own system. Let’s use the standalone archive and integrate it with Burp.

First, download an up-to-date copy of the Jython JAR archive from the Jython website; choose the Jython Standalone option.

Jython installing

Save the JAR somewhere on your computer, then go to the Options sub-tab in Extender. Scroll down to the Python environment section, and set the Location of Jython standalone JAR file to the path of the JAR on your computer.

Jython options

That’s it. As simple as that. Now, we can install Python modules from the BApp store.

And we can do the same with other languages. For example, we can install JRuby, an interpreter for the Ruby language (linked under Resources).

The Burp Suite API

While it would take me a lot of time to teach you how to create a Burp Suite module (as I would have to learn to do it myself…), it is worth having a brief look at how it can be done.

Extender exposes a large number of API endpoints that new modules can hook into when integrating with Burp Suite. Let’s go to the APIs sub-tab:

Burp Suite API

Each item in the list on the left is a different API endpoint we can hook into. These endpoints give us a lot of power when writing extensions that interact with the existing functionality of Burp Suite. And we can use any of the languages supported by Burp Suite: Java (native), or Python and Ruby via their interpreters.

If you are an advanced user and know how to code, PortSwigger has a great reference which can be found on their website.
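To make the idea of hooking an endpoint concrete, here is an added example (not from the original post or from PortSwigger) of a small Python extension for the Extender API that listens to HTTP traffic and reports responses lacking common security headers. The header list, the extension name and the fallback stub classes (which only let the file be imported outside Burp) are assumptions made for this example.

```python
# Added example: inside Burp this runs under Jython 2.7 and imports the real
# interfaces; outside Burp the stubs below keep the file importable for tests.
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Headers this example looks for (a constructed, illustrative list).
WANTED = ("strict-transport-security", "content-security-policy",
          "x-content-type-options")


def missing_headers(header_lines):
    """Return the WANTED headers absent from a list of raw header lines."""
    seen = set()
    for line in header_lines[1:]:          # first entry is the status line
        name, sep, _ = line.partition(":")
        if sep:
            seen.add(name.strip().lower())
    return [h for h in WANTED if h not in seen]


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        # Burp calls this once when the extension is loaded.
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Burp calls this for each request and response seen by its tools.
        if messageIsRequest:
            return
        info = self._helpers.analyzeResponse(messageInfo.getResponse())
        missing = missing_headers(list(info.getHeaders()))
        if missing:
            host = messageInfo.getHttpService().getHost()
            self._callbacks.printOutput(
                "%s is missing: %s" % (host, ", ".join(missing)))
```

Once the Jython JAR is configured as described above, the file can be loaded with the Add button in the Extensions sub-tab, and its messages appear in the extension's Output tab.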

Summary

Time for a recap. We have learned about:

  • What the Extender sub-tab is
  • How to install extensions from the BApp store
  • How we can add extensions in Python and Ruby with Jython and JRuby
  • What the Burp Suite API is and how it works, and how to create our own extensions

Stats

From 132.059th to 131.834th. Still in the top 7% in TryHackMe!

Here is also the Skill Matrix:

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Burp Suite Extender

Other resources

Jython installer
JRuby installer
PortSwigger: Writing your first Burp Suite extension