Burp plugin for scanning GWT and JSON HTTP requests

Update: Burp Suite Pro 1.4.10 supports JSON scanning out of the box, see http://releases.portswigger.net/2012/06/v1410.html

A while ago Alex came up with a solution to get Burp to scan JSON formatted requests. It required a rather involved setup with two Burp listeners and an Apache server acting as a proxy packing and unpacking JSON data for Burp's consumption.

A more straightforward solution to the problem would be a Burp plugin built on the BurpExtender interface that parses the request, marks the appropriate insertion points and feeds it to Burp's scanner.

And now we have it. As a bonus, it is also capable of scanning GWT (Google Web Toolkit) requests. Download the JAR file or the source code.

Running Burp on Unix/Linux:

java -classpath burpsuite_pro_v1.4.07.jar:Gwtscan.jar burp.StartBurp

Running Burp on Windows:

java.exe -classpath burpsuite_pro_v1.4.07.jar;Gwtscan.jar burp.StartBurp

Using the plugin:

  1. Select the request or requests you want to scan in Burp proxy or target
  2. Select "Actively scan GWT request(s)" or "Actively scan JSON request(s)" from the context menu
  3. That's all
Attachment   Size
Gwtscan.jar  15.92 KB
gwtscan.tgz  14.5 KB

Comments

Handling GWT XSRF Protection

This is super useful, thank you! I'd like to make a small contribution. In cases where the GWT site you are trying to scan is using GWT XSRF protection there are two extra tokens in the GWT payload, like this:

7|2|11|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|com.google.gwt.user.client.rpc.XsrfToken/4254043109|AC68E4A714B29BC91B0E0B8962BB9C7F|com.mysite.DispatchService|dispatch|com.mysite.dispatch.Action|java.lang.String/2004016611|com.mysite.commands.LayoutAction/2006706871|Y7HETKD72af299c40a51dcb|E330E570-F83F-4AE2-B1A9-5AD67C33B4A6|1|2|3|4|5|6|2|7|8|9|10|11|

To account for the extra tokens I've updated GwtParser.java to define ParameterOffset within the body of the parse() method, like so:

// Does the body include an XSRF token?
// Use 6 if an XSRF token is included, 4 otherwise
int ParameterOffset = 4;
if (body.indexOf("XsrfToken") > 0) ParameterOffset = 6;

Otherwise it throws an ArrayIndexOutOfBoundsException and the request does not get added to the scanner.

Thanks for this great tool! You should post a link to it on the BurpSuite User Forum.

-August
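As an added example (not the plugin's code, nor August's patch), here is a stand-alone Python parser for the GWT-RPC body format discussed in the comment above. It splits the body into header, string table and integer stream, detects the XSRF token pair by checking the string-table entry the third integer points at rather than searching the whole body (so an argument that merely contains "XsrfToken" cannot shift the offset), and returns the service, method, parameter types and the argument values a scanner would treat as insertion points. The two sample bodies are constructed from the payload shape shown above; the escape handling follows GWT's `\!` for a literal pipe.

```python
import re

XSRF_CLASS = "com.google.gwt.user.client.rpc.XsrfToken"
# GWT-RPC escapes the '|' separator inside strings as '\!' and a backslash as '\\'.
_UNESCAPE = {r"\!": "|", r"\\": "\\"}

def _unescape(s):
    return re.sub(r"\\[!\\]", lambda m: _UNESCAPE[m.group(0)], s)

def parse_gwt_rpc(body):
    """Split a version-7 GWT-RPC body into header, string table and integer stream."""
    if not body.endswith("|"):
        raise ValueError("GWT-RPC body must end with '|'")
    fields = body.split("|")[:-1]          # drop the empty element after the final '|'
    version, flags, count = (int(x) for x in fields[:3])
    strings = [_unescape(s) for s in fields[3:3 + count]]
    ints = [int(x) for x in fields[3 + count:]]
    if len(strings) != count:
        raise ValueError("string table shorter than declared count")

    def ref(i):                            # 1-based index into the string table, 0 = null
        return None if ints[i] == 0 else strings[ints[i] - 1]
    # Header refs: module base URL, strong name, then optionally XsrfToken class + value
    # (GWT also sets flag bit 0x2, FLAG_RPC_TOKEN_INCLUDED, on such requests).
    xsrf, offset = None, 2
    if len(ints) > 3 and (ref(2) or "").startswith(XSRF_CLASS):
        xsrf, offset = ref(3), 4
    service, method, nparams = ref(offset), ref(offset + 1), ints[offset + 2]
    first_type = offset + 3
    param_types = [ref(i) for i in range(first_type, first_type + nparams)]
    # The rest is serialized argument data; the entries it references hold caller-controlled
    # values. Without the serialization policy an int field cannot be told from a string ref.
    values = [ref(i) for i in range(first_type + nparams, len(ints)) if ints[i] != 0]
    return {"version": version, "flags": flags, "module_base": ref(0),
            "strong_name": ref(1), "xsrf_token": xsrf, "service": service,
            "method": method, "param_types": param_types, "values": values}

# Constructed samples modelled on the comment's payload: the same call with and without
# XSRF protection (without it the two token entries disappear and every ref shifts).
SAMPLE_WITH_XSRF = (
    "7|2|11|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|"
    "com.google.gwt.user.client.rpc.XsrfToken/4254043109|AC68E4A714B29BC91B0E0B8962BB9C7F|"
    "com.mysite.DispatchService|dispatch|com.mysite.dispatch.Action|java.lang.String/2004016611|"
    "com.mysite.commands.LayoutAction/2006706871|Y7HETKD72af299c40a51dcb|"
    "E330E570-F83F-4AE2-B1A9-5AD67C33B4A6|1|2|3|4|5|6|2|7|8|9|10|11|")
SAMPLE_NO_XSRF = (
    "7|0|9|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|com.mysite.DispatchService|"
    "dispatch|com.mysite.dispatch.Action|java.lang.String/2004016611|com.mysite.commands.LayoutAction/"
    "2006706871|Y7HETKD72af299c40a51dcb|E330E570-F83F-4AE2-B1A9-5AD67C33B4A6|1|2|3|4|2|5|6|7|8|9|")
```

Both samples resolve to the same service call; only the offset at which the service name, method and parameter count are found differs, which is exactly the shift the ParameterOffset patch above accounts for.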

Great, thanks

I haven't figured out that one. Thanks.

> You should post a link to it on the BurpSuite User Forum.

Done that already.

Awesome!!

Thanks!! What a pain it was before!!

Typo

There is a small typo. Between the jars there has to be a semicolon.

A semicolon on Windows, a

Thanks. Indeed, it's a semicolon on Windows and a colon on Unix/Linux.