Running w3af plugins in Burp Suite
I am quite enthusiastic about the Burp Suite
Python extension I wrote. This is a Python (Jython) binding written in Java
implementing the Burp Suite extension API.
In the to-do list, I mentioned that more examples need to be written to show the benefit of having the Python support in Burp Suite to write extensions.
w3af is a web application attack and audit framework written in Python with a plugin based model. I found interesting to see what's involved in enabling Burp Suite to use w3af plugins.
While I may look at implementing other categories of plugins, having access
to the grep plugins is nice, all the traffic going through Burp will be
passively scanned by the plugins, and weaknesses will be reported in the Alert
tab and in the console.
How to use it:
- Download the BurpSuite w3af plugin
- Follow the instructions for the installation of the Burp suite Python extension
- You need to select which plugins you want to use - This is in the first lines of the BurpExtender.py:
# Here you define the name of the plugins you want (category.plugin) plugins = ['grep.domXss', 'grep.error500', 'grep.errorPages', 'grep.feeds', 'grep.fileUpload','grep.hashFind', 'grep.httpAuthDetect', 'grep.privateIP', 'grep.ssn', 'grep.strangeHeaders', 'grep.strangeHTTPCode', 'grep.strangeReason', 'grep.svnUsers', 'grep.wsdlGreper']
You need to specify the path of the w3af python modules. I have tested this program with w3af version 1.0-rc3.
# Here you should define the location of your w3af installation w3afPath="C:\\local\\Program Files\\w3af\\w3af" # Example for Unix "/usr/local/w3af/w3af"
- Start Burp (example below with Windows):
C:\Burp>java -Xmx512m -classpath burpsuite_v1.3.03.jar;burppython.jar burp.Start Burp init: Bootstrapping class not in Py.BOOTSTRAP_TYPES[class=class org.python.core.PyStringMap] BurpExtender.py needs to be in a folder listed below: ['C:\\Burp\\Lib', '/C:/Burp/burppython.jar/Lib', '__classpath__', '__pyclasspath__/'] loading w3af plugins --------------------- Loading grep.domXss... Success Loading grep.error500... Success Loading grep.errorPages... Success Loading grep.feeds... Success Loading grep.fileUpload... Success Loading grep.hashFind... Success Loading grep.httpAuthDetect... Success Loading grep.privateIP... Success Loading grep.ssn... Success Loading grep.strangeHeaders... Success Loading grep.strangeHTTPCode... Success Loading grep.strangeReason... Success Loading grep.svnUsers... Success Loading grep.wsdlGreper... Success Failed plugins are ignored and won't be proceeded. You can uncomment the line 'print str(e)' in the module to see the actual exception
While browsing, if issues are passively identified, they will appear in the console and in the alert tab:
- As stated previously, not all plugins categories are supported, I may look in the future and please email me if you have this need
- I probably need to put more work on the evasion plugins support since there are some issues in relation to the order in which the http headers are sent back to Burp
- Some grep plugins won't work out of the box because they require
sqlite3python module which is not available in the Java python implementation used by the python extension (Jython). However, it is possible to have this working using the sqlite jdbc support. Please drop me an email if you need help in implementing this so you will have all plugins working.
Please give me some feedback if you try it: firstname.lastname@example.org