Misc. Burp Tooling


Much of my job consists of working with Burp Suite, so I find myself regularly needing to write small custom tools for working with it. I publish the ones that I can in the hopes that someone else might find them useful. Here are the ones I’ve published so far:

  • Burp Extension Maven Archetype — After writing a couple of extensions I got tired of manually instantiating the project structure, so I wrote a Maven archetype that does it for me. One command gets you a project directory with the right imports and a copy of the PortSwigger “Hello World” demo extension’s code ready to modify into whatever you need.
  • Burp Easy Request Saver — Burp doesn’t have a fast way to export the binary contents of requests or responses, so I wrote one. It adds context menu entries to any request that let you export the request or response headers or body to a file, keeping all binary data intact. If you select multiple requests, each gets its own file.
  • Burp2Vegeta — I was asked by a client to perform load testing on their service to simulate a Denial-of-Service attack. I decided to use Vegeta to perform a classic request flooding attack, but I needed a way to quickly tell it how to send correctly formatted API requests. As a result, I wrote a small Burp extension that exports any request(s) as Vegeta JSON attack definitions to the system clipboard. You can then paste them into an attack definition file and fire away.