Questions?
Minimum Requirements
Platform Requirements:
JAVA JDK v1.8+
Jython v 2.0+ (Most Extensions use Creepy JPython)
Jruby v X (Yet Another Java troll to Ruby programmers)
3. If you run into issues invoking Java v1.8 when running Burp Suite or during extension development:
Quick & Dirty Fix: sudo ln -s /Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk /System/Library/Java/JavaVirtualMachines/1.6.0.jdk
Environment Requirements
Burp supports extensions written in Ruby and Python syntax
- For extensions written in Ruby syntax (JRuby required)
- For extensions written in Python syntax (Jython required)
(Jython + Jruby) vs Java
Purpose
BurpExtender: To write our own extension
Purpose
.NET Beautifier: Makes ViewState info human readable
-> What happens if the length of the data isn't a multiple of the block size?
-> What happens if more than one block is identical, and therefore encrypts identically?
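The two questions above, worked through as an added example (not from the original slides): PKCS#7 padding answers the first, and a repeated-block count over ECB-style versus chained output answers the second. The block function is a toy stand-in for a real cipher, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # bytes per block (the AES block size)

def pkcs7_pad(data, block=BLOCK):
    # Adds 1..block bytes, each holding the pad length; already aligned input
    # still gains one full block, so the padding can always be removed.
    n = block - len(data) % block
    return data + bytes([n]) * n

def pkcs7_unpad(data, block=BLOCK):
    # Strict check of every padding byte. Callers should return one generic
    # error for any failure so padding validity is not observable from outside.
    if not data or len(data) % block:
        raise ValueError("invalid length")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def split_blocks(data, block=BLOCK):
    return [data[i:i + block] for i in range(0, len(data), block)]

def _toy_block(key, block_bytes):
    # Toy keyed, deterministic block function (truncated HMAC-SHA256). It only
    # stands in for a real cipher to show mode behaviour; it is not decryptable.
    return hmac.new(key, block_bytes, hashlib.sha256).digest()[:BLOCK]

def ecb_like(key, plaintext):
    # Blocks processed independently: equal inputs give equal outputs.
    return b"".join(_toy_block(key, b) for b in split_blocks(pkcs7_pad(plaintext)))

def chained(key, plaintext, iv):
    # CBC-style chaining: XOR each block with the previous output first.
    out, prev = [], iv
    for b in split_blocks(pkcs7_pad(plaintext)):
        prev = _toy_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return iv + b"".join(out)

def repeated_blocks(ciphertext, block=BLOCK):
    # Count of blocks that duplicate an earlier block (0 means none repeat).
    counts = Counter(split_blocks(ciphertext, block))
    return sum(c - 1 for c in counts.values())

if __name__ == "__main__":
    key, iv, msg = b"k" * 16, bytes(range(16)), b"A" * 48  # constructed samples
    print(repeated_blocks(ecb_like(key, msg)), repeated_blocks(chained(key, msg, iv)))
```

A non-zero repeated-block count on a token or cookie is a quick review signal that blocks are being encrypted independently.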
Case Study: Padding Oracle via Burp
Padding Padding Padding ….
Padbuster Exploit:
http://downloads.securityfocus.com/vulnerabilities/exploits/43316.pl
Exploiting ASP.NET Oracle Padding - MS10-070 (CVE-2010-3332)
If exploitation is successful, the ASP.NET page would reveal the database credentials.
Questions ?