Home » Security Bloggers Network » Extending Burp with Jython Burp API

Extending Burp with Jython Burp API

by Marcin Wielgoszewski on February 14, 2013

Last year, I released the Jython Burp API,
a plugin framework to Burp that allows running multiple plugins simultaneously,
exposes an interactive Jython console, provides Filter-like
functionality, and eases developing plugins at runtime by providing more
Pythonic APIs and automatic code reloading for when code or configurations
are updated. I presented an overview of my framework at an iSec Partners Forum
in NYC last year. Others have released similar frameworks that also provide the
ability to write Burp extensions in Jython.

Since then, PortSwigger released a new Burp Extender API, allowing users
to develop all sorts of plugins and extend Burp’s various tools in a myriad
of ways. Regardless, I still find my framework and others like Buby still
have their place. I’d like to take the next few paragraphs to guide users
on setting up the Jython Burp API in their environment.

Getting Jython

First, we’ll need to get the latest 2.7+ standalone version of Jython.
At the time of this writing, the latest version is Jython 2.7beta1.
Once you download Jython, configure Burp’s Python Environment.

Loading the Jython Burp API

If you haven’t already done so, download the Jython Burp API. Then, all
you need to do (provided you’re running Burp 1.5.04 or later), is add
jython-burp-api/Lib/burp_extender.py as a Python extension to Burp:

After you’ve clicked next, you should see the extension among the list of other
currently loaded extensions (if any).

An additional feature you may find useful is an interactive Jython console
tab, that allows you to interact with the Burp Extender object and any other
variables in the local namespace. I find it useful to iterate over requests in
Burp’s Proxy History, collecting various information or highlighting/commenting
requests that may contain a specific header or string in the response body.

I added a right-click context menu item so you could select specific requests
and send them to the items variable, accessible from the console.

In a future blog post, I may dive into using some of the other features of
the framework. In the mean time, please feel free to fork and contribute to
the Jython Burp API!

*** This is a Security Bloggers Network syndicated blog from tssci-security authored by Marcin Wielgoszewski. Read the original post at: http://www.tssci-security.com/archives/2013/02/14/extending-burp-with-jython-burp-api

February 14, 2013February 14, 2013 Marcin Wielgoszewski

Extending Burp with Jython Burp API

Getting Jython

Loading the Jython Burp API

Senator Sanders Wants to Own AI Companies — and Hand America’s Adversaries the Keys

NIST’s Nine: The PQC Signature Race Moves to Round Three

The Quantum Arms Race: Why Washington Just Wrote a $2 Billion Check to Nine Companies

Beyond Moore’s Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities

The Exception Economy: When Security Teams Stop Protecting and Start Negotiating

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Randall Munroe’s XKCD ‘Soniferous Aether’