Jack O'Sullivan
March 22 2021
Ok ok ok, we are splitting hairs here. It is still a Java GUI, Mr CornerPirate. How pretty can we make it? For you, dear reader, I say: look at Burp itself. That is about the prettiest Java GUI out there, in that they have really gone after user experience. In the world of extenders most people are creating them programmatically. That is a recipe for making life hard for yourself and for keeping the GUI part as minimal as possible.
If all you want is to get a sample project to work from, then you can head straight down to “Skipping to the End”.
If you want to know my motivations and how to do it yourself, then work through this.
Why did I start making Extenders Now?
Over the years I have hit applications where I probably needed to make my own Extenders to solve problems. I always saw the learning curve as too high within the timescales, so I would make my own Python-based tools to get the job done. While that worked for me, it is clear now that I should have taken the plunge sooner for a much easier working pattern.
What has really helped me is the readily available example code now on GitHub:
Combined with the revamped Extender documentation:
- https://portswigger.net/burp/extender/
- https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension.html
These are both significant improvements over what I saw years ago when I first had the notion. So top marks to PortSwigger for really making this as easy as possible.
Prerequisites
Before we get started you are going to need to download the prerequisites:
1. https://netbeans.org – This is the Integrated Development Environment (IDE) which this tutorial is going to use. There are alternatives.
2. Burp Suite Free Edition.
Nothing earth-shattering there really.
Making your first Extender in NetBeans
The opening section of Burp's excellent starting guide effectively describes this:
But as I am focusing on NetBeans, I can get specific for you there:
- File -> New Project
- Select “Java Application”
- Give it a “Project Name” (I have gone for DemoExtender) and click on Finish.
- At this point your project will look like this:
- Right click on “demoextender” (not DemoExtender.java) and select “Refactor” and “Rename”. Alter the name to “burp”. Congrats you have renamed the package.
- Right click on “DemoExtender.java” file and delete it.
- Right click on “burp” and select “New” and “Java Class”. Enter “BurpExtender” as the Class Name and click on Finish.
- Go back to the PortSwigger Guide (https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension.html) and get the source for the Java file under the top header. Copy and Paste that into NetBeans over the full contents of the “BurpExtender.java” file.
- At this point your NetBeans screen will have some errors as shown below:
To address these errors, you are going to need to export Burp's Extender interface files. To do that go to Burp and select “Extender” -> “APIs” and then click “Save interface files”.
- Copy these new “.java” files into the folder where your “BurpExtender.java” file is.
- At this point your red underlines will have gone away:
Pro-tip: in NetBeans go ahead and try out the “ALT” + “SHIFT” + “F” shortcut when focused on the editor. Fear the auto-beautifier for it will keep your brackets all neatly aligned.
If you see the above you are almost there.
Go ahead and find the “build” option in NetBeans. This will generate a “DemoExtender.jar” file. Check your “output” tab at the bottom to find out where the “dist” folder is on your disk.
Go back to Burp and go for “Extender” -> “Extensions” and then “Add”. Select the Java one and find your “DemoExtender.jar” file. If everything works you will see a new Extension in your list of extenders. While that one does absolutely nothing… Congratulations on extending your world.
Hooking your Extender Up to the GUI Editor
We will assume that you have a NetBeans project which contains “BurpExtender.java”. At this point most tutorials for Extenders go straight into creating GUI code manually within this class. Advanced layouts and event handlers are tricky to get done manually. This is where this tutorial is really going to kick in.
Right click on “Source Packages” and create a new package called “secarma”. Rather than keeping all my code within the burp package it made sense to start to split code into extra classes to aid extensibility. Within that package I created a new Class called “DemoExtender.java”.
This is used to pass global variables around between all other classes and is initiated when the Extender is loaded by Burp.
```java
package secarma;

import burp.IBurpExtenderCallbacks;

/**
 * This class is used to pass global variables between all classes.
 * The fields are initiated by the BurpExtender.java class.
 * @author cornerpirate
 */
public class DemoExtender {
    public static IBurpExtenderCallbacks callbacks;
    public static DemoExtenderGui demoExtenderGui;
    public static String extensionName = "Demo Extender";
}
```
The following is important to know:
- callbacks – these are key to how Burp operates and are how we interact with Burp.
- demoExtenderGui – which we have not made yet but it will be coming shortly. This will include all the code generated using the GUI designer.
- extensionName – storing the name of the extension in one location. While not necessary really, we can have one file for all global variables so why not.
Now we need to create that “DemoExtenderGui”. To do this select the “secarma” package and then right click -> “new” -> “JPanel Form”. This will create you a blank GUI form that gets us to where we want to be:
This is exactly what we were aiming for. Hold your horses though. We need to finish hooking that up into our “BurpExtender.java” class first. Here is the finished source code:
```java
package burp;

import java.awt.Component;
import secarma.DemoExtender;
import secarma.DemoExtenderGui;

public class BurpExtender implements IBurpExtender, ITab {

    // Called by Burp when the extension is loaded.
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        // keep the callbacks object where every other class can reach it
        DemoExtender.callbacks = callbacks;
        // set our extension name
        callbacks.setExtensionName(DemoExtender.extensionName);
        // create the designer-built panel and register this class as a new tab
        DemoExtender.demoExtenderGui = new DemoExtenderGui();
        callbacks.addSuiteTab(this);
    }

    // Text shown on the tab in Burp's main window.
    @Override
    public String getTabCaption() {
        return DemoExtender.extensionName;
    }

    // Component that Burp displays inside the tab.
    @Override
    public Component getUiComponent() {
        return DemoExtender.demoExtenderGui;
    }
}
```
The changes that I have made from the PortSwigger tutorial are:
- Added import statements at the top.
- Added an extra “implements” to the class declaration for “ITab”.
- Implemented the getTabCaption and getUiComponent methods for the ITab interface.
- Added code to the registerExtenderCallbacks method.
When Burp installs or runs an Extender it calls the registerExtenderCallbacks method. The code in that method needs to establish your Extender.
My code passes the “callbacks” object off as a Global variable in the “DemoExtender.java” class, sets up the name from the global variables, and generates an instance of our “DemoExtenderGui” which is then added as the GUI portion of a new tab in Burp Suite.
If you build the solution again and then reinstall that badboy in the Extenders tab, this time you will be rewarded with a brand-new tab on the GUI:
Check that out! You have done everything you need to set up your project for use with the NetBeans GUI Designer. The topic of how to use that to make something pretty is a massive topic. Your entry point into that world is the URL below:
It is drag and drop, and it should make sense to anyone who has used any GUI designer in the past.
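As an added example (hand-written here, not the designer's generated code and not from the original project), this is what a “DemoExtenderGui” with one button and one label can look like once an event handler reaches Burp through the shared “DemoExtender.callbacks” field. The button, the label and the countHistory method are assumed names; the class compiles alongside the interface files exported earlier and the “DemoExtender” class above.

```java
package secarma;

import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import java.awt.FlowLayout;
import javax.swing.*;

// Hand-written stand-in for the designer-generated DemoExtenderGui (added example).
public class DemoExtenderGui extends JPanel {
    private final JLabel status = new JLabel("Proxy history: not counted yet");
    private final JButton refresh = new JButton("Count proxy history");

    public DemoExtenderGui() {
        setLayout(new FlowLayout(FlowLayout.LEFT));
        add(refresh);
        add(status);
        // In the designer this is the button's actionPerformed event handler.
        refresh.addActionListener(evt -> countHistory());
    }

    private void countHistory() {
        // The static field is still null if the panel is created outside Burp.
        final IBurpExtenderCallbacks cb = DemoExtender.callbacks;
        if (cb == null) {
            status.setText("Not loaded inside Burp");
            return;
        }
        refresh.setEnabled(false);
        // Query Burp off the Swing event thread so the tab stays responsive.
        new SwingWorker<Integer, Void>() {
            @Override
            protected Integer doInBackground() {
                IHttpRequestResponse[] items = cb.getProxyHistory();
                return items == null ? 0 : items.length;
            }

            @Override
            protected void done() { // runs back on the event thread
                try {
                    status.setText("Proxy history: " + get() + " items");
                } catch (Exception ex) {
                    cb.printError("Counting proxy history failed: " + ex);
                } finally {
                    refresh.setEnabled(true);
                }
            }
        }.execute();
    }
}
```

Errors from the handler go to the extension's error stream through printError, which Burp shows on the extension's “Errors” tab under “Extender” -> “Extensions”.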
Skipping to the End
The above shows the individual steps required for you to understand. If you are having problems with that approach, or just straight up want to go right into designing your GUI, then you can download the zip of the code from GitHub here:
I would recommend the zip file. Then you can extract it and use “File” -> “Open Project” in NetBeans to select the folder. You probably want to refactor the package name from “Secarma” and alter the class names before proceeding but you should be good to go.
SecarmaLabs Extenders
Secarma released three Extenders in the last 12 months:
There are more in the works from us. Now that I am up to speed, I have a backlog of ideas so watch this space.