Luca Carettoni: Developing Burp Suite Extensions

Presented By: Luca Carettoni

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. Traditional application security practices slow development and, in many cases, don’t address security at all. Instead, a new approach based on security automation and tactical security testing is needed to ensure important components are being tested before going live. Security professionals must master their tools to improve the efficiency of manual security testing as well as to deploy custom security automation solutions.

Based on this premise, we have created a brand-new class taking advantage of Burp Suite, the de facto standard for web application security. In two days, we show you how to use Burp Suite’s extension capabilities and unleash the power of the tool to improve efficiency and effectiveness during security audits.

After a quick intro to Burp and its extension APIs, we work on setting up an optimal development environment enabling fast coding and debugging. While we develop our code in Java using Oracle’s NetBeans, we also provide templates for IntelliJ IDEA and Eclipse. Additionally, we discuss and provide code for both Python and Ruby so that you can work using your favorite programming language.

We will discuss and create many different types of plugins, including:

* A custom logger to provide persistence and data export functionality using MongoDB
* A simple (and yet useful) replay tool
* A passive check for Burp’s scanning engine to detect missing Subresource Integrity (SRI) attributes
* An active check for Burp’s scanning engine to detect Expression Language (EL) injection vulnerabilities
* A custom Intruder payload generator to fuzz using Radamsa
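To make the passive SRI check concrete, here is the core detection logic such a check would run over each HTML response. This is an added example, not code from the course or from Doyensec’s repository; the Burp-specific wrapping (IScannerCheck.doPassiveScan, IScanIssue) is omitted so it runs stand-alone, and the HTML body and host names are constructed sample data.

```python
"""Detection logic for a 'missing SRI' passive check (added example, not course code).
Burp wrapping (IScannerCheck.doPassiveScan / IScanIssue) is omitted so it runs alone."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """(scheme, host[:port]) tuple used for the same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower())


class SriAuditParser(HTMLParser):
    """Collects cross-origin <script src> and <link rel=stylesheet> tags without integrity."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            src = a["src"]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            src = a["href"]
        else:
            return
        # Resolve relative and protocol-relative URLs ('//cdn...') against the page URL.
        resolved = urljoin(self.page_url, src)
        if origin(resolved) == origin(self.page_url):
            return  # same-origin resource: SRI is optional, so not a finding
        if not a.get("integrity", "").strip():
            self.findings.append((tag, resolved))


def find_missing_sri(page_url, html):
    """Return [(tag, absolute_url)] for cross-origin subresources lacking SRI."""
    parser = SriAuditParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample response body (hosts are placeholders, not real sites).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="/static/local.js"></script>
</head><body></body></html>"""
```

Inside Burp, the same function would be called from doPassiveScan with the response body and the request URL, and each tuple turned into an IScanIssue.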

Finally, we leverage our extensions to build a security automation toolchain integrated into a CI environment (Jenkins). This workshop is based on real-life use cases where the combination of custom checks and automation can help your organization evolve from manual testing to security automation.

All templates and code-complete Burp Suite extensions are available for free on Doyensec’s Github –

The two-day course will take place on the 12th & 13th September 2017 at etc venues The Hatton.

The cost is £1,300.00 (inc. VAT). Buy your place in our shop now.

Course Outline

Day 1

  • Introduction to “Tactical Testing” with Burp Suite
  • A quick recap of Burp Suite’s Tools
  • Understanding Burp’s Extensibility APIs
  • IDE setup and “Hello Burp” extension
  • Developing a custom Logger
  • Developing a Replay&Diff tool

Day 2

  • Developing a Passive check for Burp’s scanning engine
  • Developing an Active check for Burp’s scanning engine
  • Designing a security automation toolchain integrated in CI environments
  • Building a security pipeline with our extensions and Jenkins
  • Bonus material: Understanding a custom Intruder payload generator

Target Audience

The training is suitable for both web application security specialists and developers.

Student Requirements

  • Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic Object-Oriented Programming experience. While Burp extensions are developed live in Java, attendees can work in Python or Ruby since all exercises are also provided in those languages.
  • Attendees should bring their own laptop with the latest Java JDK installed and a working IDE (preferably Oracle’s NetBeans).
  • The laptop should be of a reasonable specification. We recommend at least 8GB of RAM, at least 16GB of free disk space, and both wired and wireless network adapters.
  • Administrative access to the laptop is also required since you may need to install or configure missing components.

What students will be provided with

  • Training slides
  • Code-complete Burp Suite extensions (Java, Python and Ruby)
  • Certificate of Completion
  • Burp Suite and Doyensec swag!

What to Bring

Attendees should bring their own laptop with the latest Java JDK installed and a working IDE. While we develop in NetBeans, Eclipse and IntelliJ IDEA are also good alternatives. Even attendees who plan to use Python or Ruby are advised to set up a working Java development environment.

About the Trainer

With over 14 years of experience in the application security field, Luca Carettoni is a respected web security expert. Throughout his career, he has worked on security problems across multiple industries and companies of different sizes. He is the co-founder of Doyensec, an application security consultancy working at the intersection of offensive engineering and software development. At LinkedIn, he led a team responsible for identifying new security vulnerabilities in applications, infrastructure and open source components. Prior to that, Luca worked as the Director of Information Security at Addepar, a startup that is reinventing global wealth management. A proud Matasano Security alumnus, he helped bootstrap the Silicon Valley office by delivering high-quality security assessments to software vendors and startups. As a security researcher, he discovered numerous vulnerabilities in software products of multiple vendors including 3com, Apple, Barracuda, Cisco, Citrix, HP, IBM, Oracle, Sun, Siemens, VMware, Zend and many others. Since the beginning of his career, he has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master’s Degree in Computer Engineering from the Politecnico di Milano University.

Book your 44CON 2017 training course now!