Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/silentsignal/burp-piper
Piper Burp Suite Extender plugin
https://github.com/silentsignal/burp-piper
burp-extensions burp-plugin burpsuite-extender
Last synced: about 2 months ago
JSON representation
Piper Burp Suite Extender plugin
- Host: GitHub
- URL: https://github.com/silentsignal/burp-piper
- Owner: silentsignal
- License: gpl-3.0
- Created: 2018-12-18T14:33:57.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-29T09:58:49.000Z (7 months ago)
- Last Synced: 2024-05-10T00:04:44.386Z (4 months ago)
- Topics: burp-extensions, burp-plugin, burpsuite-extender
- Language: Kotlin
- Homepage: https://blog.silentsignal.eu/2020/03/27/unix-style-approach-to-web-application-testing/
- Size: 479 KB
- Stars: 104
- Watchers: 12
- Forks: 12
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
- WebHackersWeapons - burp-piper - piper?label=%20)||[](/categorize/langs/Kotlin.md)| (Weapons / Burpsuite, Caido and ZAP Addons)
- awesome-burp-extensions - Piper for Burp Suite - Piper Burp Suite Extender plugin. (Custom Features)
README
Piper for Burp Suite
====================
Piper integrates external tools and their pipelines to Burp Suite. The
extension can pass HTTP requests and responses from Burp to external programs,
then feed the execution result back to Burp. With Piper you can create:
* **Commentators**: Display the output of an external program in Proxy History
as comments. For example, you can display the cryptographic hash of every
request by piping their content to `sha256sum`.
* **Highlighters**: Highlight items in the proxy history based on their
contents. For example, you can highlight items where HTTP response includes
elements of a wordlist.
* **Message Viewers**: Display the contents of HTTP messages with custom
formatting. For example, you can display Protobuf structures by piping message
contents to `protoc`.
* **Context Menu Items**: Invoke external tools from context menu. For example,
you can use an external diff GUI to compare HTTP messages.
* **Intruder Payload Generators**: Generate payloads for Intruder with external
tools. For example, you can make Intruder use password candidates generated by
John the Ripper.
* **Intruder Payload Processors**: Transform Intruder payloads. For example, you
can apply base64 encoding with a custom alphabet using an external script.
* **Macros**: You can use external tools as part of Macros. For example, you
can automatically generate predictable CSRF tokens for every outgoing request.
* **HTTP Listeners**: Transform outgoing and incoming HTTP messages. For
example, you can use an external Python script to handle custom encryption.
Detailed usage information is provided in the original [GWAPT Gold
Paper](https://www.sans.org/white-papers/39440/), and in [this demonstration
video](https://vimeo.com/401007109).
Building
--------
Execute `./gradlew build` and you'll have the plugin ready in
`build/libs/burp-piper.jar`
Known issues
------------
- The terminal emulator ignores background color when _Look and feel_ is set
to _Nimbus_, see https://bugs.openjdk.java.net/browse/JDK-8058704
Security
--------
Piper configurations can be exported and imported. As configurations define
commands to be executed on the user's machine, importing malicious
configurations is a security risk.
Piper disables configurations loaded via the GUI to prevent exploitation, and
unexpected behavior (e.g.: modification of HTTP messages). To support
automation, Piper enables configurations loaded via the `PIPER_CONFIG`
environment variable, so extra care must be taken in this use case.
Users should always review configurations before importing or enabling them.
License
-------
The whole project is available under the GNU General Public License v3.0,
see `LICENSE.md`. The [swing-terminal component][1] was developed by
@redpois0n, released under this same license.
[1]: https://github.com/redpois0n/swing-terminal