New Burp extension – perfmon

Just whipped together a new Burp extension called perfmon (not to be confused with the Windows tool of the same name). I was really interested in the the resource usage of Burp while doing certain activities.

It adds a new tab to Burp and samples every 5 seconds-

  • Current and max number of threads in use
  • Current and max memory used
  • Current and max memory allocated
  • Ticker to set how often the stats update. 1 – 5 seconds.

Burp Screenshot

I plan to add a few more things and clean up the UI a bit, but it was an interesting exercise.

The source and plugin are on github.

Posted in Burp, Security | Leave a comment

Writing a Burp Extension – Part One


This is the first part in a series that I plan to write on how to create Burp extensions. I became interested in writing Burp extensions at a previous company where we were fortunate enough to be given time to do research presentations and then present them to our peers. My first presentation topic was to write an Active Scanning extension in Burp that would look for XXE (XML External Entity Injection). I also implemented a standalone app that could run on a host (external from the scan target) and listen for the XXE payload calling out (by making an HTTP request, for example). Literally that same week Collaborator came out and stole my thunder. 🙂 . Last Fall, I was also accepted to DerbyCon and presented a stable talk on Extending Burp.

This series will start with the very basics of creating a working an extension and then continue building out a full-featured extension as we go along. Burp extensions can be written in Java, Ruby (using JRuby), and Python (using Jython). For this series we will write in Java. Here we go…

Extension Basics

In the very simplest case, a Burp extension is a jar file with a class called BurpExtender in a package called Burp. This is the file that Burp looks for when loading an Extension. Based on what you implement in that class is the functionality that the extension will have.

Steps to create a Burp extension

  1. In your favorite Java editor, create a project of type “Class Library” or whatever the equivalent project type where the output is a jar file containing the classes from the project
  2. Open Burp and go the Extender tab. Click on “Save Interface Files” and save them in a folder called “burp” in your file system where the source is for the project you created in Step 1
  3. Create a class called BurpExtender in the burp package in your project and implement IBurpExender. This will require that you implement the registerExtenderCallbacks method. This is the method that you will do any kind of setup for your extension and setup anything that your extension needs
  4. Compile the extension into a jar file and load it into Burp by going to Extender -> Extensions -> Add. That will prompt you to specify the type of extension (Java in this example) and the path to the jar file. Click Next and your extension is loaded!

Sample Code

package burp;
package burp;
import java.util.logging.Level;
import java.util.logging.Logger;
 * @author chs
public class BurpExtender implements IBurpExtender
    private IExtensionHelpers helpers;
    private static final String EXTENSION_NAME = "Sample Burp Extension";
    private OutputStream os;
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
        this.helpers = callbacks.getHelpers();
        os = callbacks.getStdout();
            os.write("Hello, World".getBytes());
        } catch (IOException ex)
            Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);

The interesting lines are 18, 19, and 20. In line 18, getHelpers() returns an object that implements IExtensionHelpers. IExtensionHelpers is an interface that provides methods that are useful by the extension, like encoding/parsing requests/responses, etc. Line 19 sets the name of the extension. This is displayed in the Extender tab. Line 20 saves a reference to the OutputStream for the extension. When you write to it, it shows up in the output window of the extension in the Extender tab.

Once you load the extension and navigate to Extender->Extensions, you will see- Extender->Extensions Details

It shows the name of the extension, it’s location in the filesystem, and methods from the interfaces it implements.

If you click on the Output tab, you will see-

Extender->Extensions->Output Details

This shows the output from registerExtenderCallbacks.

That’s it for this time.  Next post will dive deeper…

Posted in Burp, Security | Leave a comment

Interesting ruby related links for 04-06-2018

A collection of interesting ruby sites/articles that I’ve seen this week. Enjoy!

Posted in Uncategorized | Leave a comment

BinPeek – an app to determine if a #Windows executable is managed or unmanaged.

BinPeek is an application that checks to see if a Windows application is managed(.NET) or unmanaged(native). It handles x86 and x84 executables. If doing it manually, you must check several values in the PE (Portable Executable) file header that differ slightly based on whether the executable is 32-bit or 64-bit. BinPeek does that work for you.


D:\source\repos\BinPeek>binpeek BinPeek.exe
BinPeek.exe --> Unmanaged

Project Page on Github


Build with Visual Studio or just use the release version in the repo.



Posted in Code, Open Source | Leave a comment

Secure Design Principles

Sitting hear on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project?

  • Total Mediation – every access to every resource must be validated every time
  • Economy of Mechanism – keep it as simple as possible
  • Fail-Safe – in case of failure, default to a secure state
  • Defense in Depth – layer security
  • Open Design – the security of a system should not be dependent on secrecy of its design or implementation
  • Psychological Acceptability – security mechanisms must not make resources more difficult to access then if they weren’t there
  • Least Privilege – limit access to a system/feature to only those that *need* to access it for the shortest duration possible
  • Minimize attack surface – reduce risk by reducing the attack surface area
  • Secure Defaults – default to a secure state

Any others you can think of?

Posted in Software Security | Leave a comment