BURPKIT
Using WebKit to Own the Web
2015-07-15
Presented by: Nadeem Douba
INTRODUCTION
• Nadeem Douba
• Founder of Red Canari, Inc.
• Based out of Ottawa, ON.
• Hacker
• Interests:
  • Exploiting stuff
  • Building hacking tools
• Prior work:
  • Sploitego (presented at DEF CON XX)
  • Canari (used by Fortune 100s)
  • PyMiProxy (used by Internet Archive)
BurpKit - Using WebKit to Own the Web
2015-07-15
OVERVIEW
• WebKit
  • What is it?
  • Why use it?
  • How can we use it?
• BurpKit
  • Design Considerations
  • Implementation
  • Demos!
• Conclusion
• Questions?
THE WEB PEN-TESTER’S CONUNDRUM
• Today’s web applications are complex beasts
• Heavy use of JavaScript for:
  • Rendering pages
  • Rendering page elements
  • Performing web service requests
• ¿But our security tools are still scraping HTML!?
OUR TOOLKIT
• Reconnaissance & Scanning:
  • Most tools (nikto, cewl, etc.) just scrape HTML
• Attack:
  • BurpSuite Pro/Community
  • Lobo-based Renderer tab (Burp’s neglected child)
  • No JavaScript/HTML5 support
  • Charles & Zed are just proxies
  • WebSecurify’s Proxy.app only has a web view
MODERN TOOLKIT REQUIREMENTS
• Web penetration testing tools that:
  • Have modern web browser capabilities
  • Parse and interpret JavaScript
  • Dynamically render and inspect content
• Most importantly:
  • Our tools need to be able to interact with the DOM!
WEBKIT
What is it good for? - Lots of things!
WHAT IS WEBKIT?
“WebKit is a layout engine software component for rendering web pages in web browsers. It powers Apple's Safari web browser, and a fork of the project is used by Google's Chrome web browser.”
- Wikipedia (https://en.wikipedia.org/wiki/WebKit)
Image credit: Smashing Magazine
(UN)OFFICIAL DEFINITION…
WEBKIT API
• Made up of two major components.
• JavaScriptCore - responsible for everything JavaScript:
  • JavaScript/JSON parsing & execution
  • Garbage collection
  • Debugger
  • Etc.
• WebCore – responsible for everything else:
  • Resource loading
  • Content parsing & rendering
  • Web Inspector
  • Etc.
KNOWN IMPLEMENTATIONS & FORKS
• Apple’s Safari
• Android’s web browser
• Nokia QT
• JavaFX WebView
• WebKitGTK+
• PhantomJS
• Google Chromium
• Node WebKit
• Many more… (https://trac.webkit.org/wiki/Applications%20using%20WebKit)
Image credit: http://bitergia.com/public/reports/webkit/2013_01/
WHY USE WEBKIT?
Pros
✓ Widespread adoption
✓ Lots of language support: Java, Python, C/C++, JavaScript, etc.
✓ Portable across many platforms
✓ Can interact with the DOM and JS Engine.
Cons
✗ Your code will be susceptible to the same bugs that plague modern browsers
✗ Tools will be hungrier for system resources (i.e. RAM, CPU).
HOW CAN YOU USE WEBKIT?
Language: Libraries
• JavaScript (NodeJS): Node WebKit
• Python: WebKitGTK+, PyQt
• JAVA: FX WebView, Qt Jambi, JxBrowser
• Swift/ObjC: UIWebView
• Ruby: WebKitGTK+, Qt
• C/C++: Chromium, WebKit
BURPKIT
How we used WebKit.
WHAT IS BURPKIT?
• BurpKit = BurpSuite + WebKit
• Used JavaFX’s implementation of WebKit
  • WebView & Debugger
  • WebEngine
• Provides a real rendering tab (that’s right… no more lobo)
• Has a bidirectional bridge between BurpSuite & WebKit!
• And more!
[Diagram labels: BurpSuite Extender API; Java-based WebKit API; Rendering engine; BurpKit]
DESIGN DECISIONS
• Chose to go with JavaFX over JxBrowser – why?
  • Redistribution:
    • JavaFX comes with Java 1.8+.
    • JxBrowser needs bundling (>250MB)
  • Cost:
    • JavaFX is FREE!
    • JxBrowser is not!
  • API:
    • JavaFX has a cleaner API
    • JxBrowser’s is a bit ¿clunky?
JAVAFX: PROS AND CONS
Pros
✓ Easy-to-use & clean API
✓ Complete JavaScript bridge
✓ Portable across many platforms
✓ Leverages the Java URL framework (hookable)
✓ Does provide debugging/profiling information (with some hacking)
✓ Bundled with Java 1.8+
Cons
✗ API is incomplete – under development
✗ No GUI components for WebInspector and friends
✗ Little documentation on advanced features (must look at code)
✗ Still a bit buggy
IMPLEMENTATION
Nerd Rage
CHALLENGES
• Burp uses Swing for its GUI
• WebView and WebEngine need to run on FX event loop
• WebEngine does not have a loadContentWithBaseUrl(content, url) method - only has:
  • loadContent(content, type); and
  • load(url)
• BurpSuite had to be able to interact with JavaScript and vice-versa
CHALLENGE: SWING/FX INTEROP
• Solution: javafx.embed.swing.JFXPanel
• Gotchas:
  • Must avoid interweaving blocking calls
    • i.e. Swing → JavaFX → Swing = ¡DEADLOCK!
  • Always check if you’re on the right event loop!
• Workarounds:
  • Eagerly initializing resources sometimes necessary
  • Lots of wrapping code!
CHALLENGE: LOADING CONTENT WITH A BASE URL
• Why?
  • Required to render responses for repeated requests
• Solution: hook java.net.URL protocol handling framework
  • WebView uses framework to issue HTTP(S) requests
• Challenge:
  • Our new handlers would have to support both live and repeated requests.
Credit: http://media.techtarget.com/tss/static/articles/content/dm_protocolHandlers/java_protocol.pdf
CHALLENGE: REPEATER
• Background: did not want to reissue a live request because content may change.
• Solution: overrode HTTP(s) handlers and used User-Agent to “tag” repeated requests.
  • If User-Agent contains SHA1 hash, give URL handler fake output stream
  • Else, continue with live request
• See BurpKit Java package com.redcanari.net.http for code.
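
The tagging scheme on this slide, as an added Java example (not BurpKit's code from com.redcanari.net.http): a URLStreamHandler whose connection decides at connect() time, after the caller has set the User-Agent, whether to serve a stored body or go live. The class name, the `BurpKit/<sha1>` User-Agent suffix, keying the store by the SHA-1 of the body, and passing the handler to the URL constructor rather than installing it globally are assumptions made here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Scanner;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical class for illustration; not part of BurpKit.
public class TaggedReplayHandler extends URLStreamHandler {
    private static final Pattern SHA1 = Pattern.compile("\\b[0-9a-f]{40}\\b");
    private final Map<String, byte[]> stored = new ConcurrentHashMap<>();

    /** Stores a captured body and returns the SHA-1 tag (assumed keying scheme). */
    public String store(byte[] body) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(body)) {
            hex.append(String.format("%02x", b));
        }
        stored.put(hex.toString(), body);
        return hex.toString();
    }

    @Override
    protected URLConnection openConnection(URL u) {
        return new URLConnection(u) {
            private URLConnection live; // set only for untagged (live) requests
            private byte[] body;        // set only for tagged (repeated) requests

            @Override public void connect() throws IOException {
                if (connected) return;
                // Headers are set after openConnection(), so the decision must wait until here.
                String ua = getRequestProperty("User-Agent");
                Matcher m = SHA1.matcher(ua == null ? "" : ua);
                if (m.find() && stored.containsKey(m.group())) {
                    body = stored.get(m.group()); // the tag is a lookup key, not authentication
                } else {
                    // No global factory is installed, so this URL uses the JDK's default handler.
                    live = new URL(u.toExternalForm()).openConnection();
                    getRequestProperties().forEach((k, vs) -> vs.forEach(v -> live.addRequestProperty(k, v)));
                    live.connect();
                }
                connected = true;
            }

            @Override public InputStream getInputStream() throws IOException {
                connect();
                return body != null ? new ByteArrayInputStream(body) : live.getInputStream();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        TaggedReplayHandler handler = new TaggedReplayHandler();
        // Constructed sample: a response body captured earlier.
        String tag = handler.store("<html><body>captured response</body></html>".getBytes(StandardCharsets.UTF_8));
        URLConnection c = new URL(null, "http://app.example/profile", handler).openConnection();
        c.setRequestProperty("User-Agent", "Mozilla/5.0 BurpKit/" + tag);
        try (InputStream in = c.getInputStream()) { // served from the store, no network I/O
            System.out.println(new Scanner(in, "UTF-8").useDelimiter("\\A").next());
        }
    }
}
```

A WebView builds its own URL objects, so an embedding tool would need the handler registered for the whole JVM rather than passed per URL as in this example.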
CHALLENGE: JAVASCRIPT BRIDGE
• Background: need to be able to query and manipulate DOM
• Solution: inject JAVA objects into JS engine!
• Gotchas:
  • Funky reflection algorithm in WebEngine prevented straight-forward JAVA object interaction.
  • Lots of deadlock scenarios
• Workarounds:
  • Wrapper classes galore!
  • Eager instantiation of Swing components.
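
The event-loop rules from the Swing/FX interop slide and the object injection described here, combined in one added Java example; it is not BurpKit's code. The Bridge class, its report method and the page markup are constructed for illustration, and JavaFX (javafx.web, javafx.swing) is assumed to be on the classpath.

```java
import java.awt.BorderLayout;
import javafx.application.Platform;
import javafx.concurrent.Worker;
import javafx.embed.swing.JFXPanel;
import javafx.scene.Scene;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javax.swing.JFrame;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;
import netscape.javascript.JSObject;

public class BridgeDemo {
    /** Narrow wrapper: only its public methods become callable from page script. */
    public static class Bridge {
        private final JTextArea log;
        Bridge(JTextArea log) { this.log = log; }

        // Invoked by JavaScript on the FX thread; hand off to Swing without blocking.
        public void report(String message) {
            runOnSwing(() -> log.append(message + "\n"));
        }
    }

    // Run directly when already on the right loop, otherwise queue: never wait on the other loop.
    static void runOnFx(Runnable r) {
        if (Platform.isFxApplicationThread()) r.run(); else Platform.runLater(r);
    }

    static void runOnSwing(Runnable r) {
        if (SwingUtilities.isEventDispatchThread()) r.run(); else SwingUtilities.invokeLater(r);
    }

    public static void main(String[] args) {
        SwingUtilities.invokeLater(() -> {
            JTextArea log = new JTextArea(5, 60); // Swing component created eagerly, on the EDT
            JFXPanel fxPanel = new JFXPanel();    // constructing it also starts the JavaFX runtime
            Bridge bridge = new Bridge(log);      // stays strongly referenced by the listener below
            JFrame frame = new JFrame("JavaScript bridge");
            frame.add(fxPanel, BorderLayout.CENTER);
            frame.add(log, BorderLayout.SOUTH);
            frame.setSize(900, 600);
            frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            frame.setVisible(true);

            runOnFx(() -> {
                WebView view = new WebView();
                WebEngine engine = view.getEngine();
                engine.getLoadWorker().stateProperty().addListener((obs, old, state) -> {
                    if (state != Worker.State.SUCCEEDED) return;
                    // Inject the Java object once the document exists, then query the DOM through it.
                    JSObject window = (JSObject) engine.executeScript("window");
                    window.setMember("bridge", bridge);
                    engine.executeScript("bridge.report('links: ' + document.links.length)");
                });
                fxPanel.setScene(new Scene(view));
                // Constructed sample page with two links.
                engine.loadContent("<html><body><a href='/a'>a</a><a href='/b'>b</a></body></html>");
            });
        });
    }
}
```

Every public method on an injected object is reachable by whatever script the rendered page runs, which is a reason to expose a small wrapper instead of a tool's internal objects.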
THE FINAL PRODUCT
Google: Before & After
WELL?
BURPKIT DEMOS
There’s lots to see!
DEMO: GUI WALKTHROUGH
Feature set
XSS TRACKER
Tainting applications
DEMO: DOM INTERACTION
Analyzing Twitter Followers
DEMO: BURP EXTENSIONS
Proxy Listeners, Message Editors, and Context Menus
CONCLUSION
• Let’s stop scraping and let’s start DOMinating the web!
• Our security tools need to evolve just like the web.
• We have the tools/libraries at our disposal
• Please contribute your ideas and code to BurpKit!
• We need to make it the standard!
KUDOS
• My Lovely Wife
• Justin Seitz
  • http://automatingosint.com/
• Dirk Lemmermann
  • http://dlsc.com/
• Tomas Mikula
  • https://github.com/TomasMikula/RichTextFX
• Java/JavaFX team
• The Noun Project
• All the contributors!
¿QUESTIONS?
We aim to please…
