Burp plugin for scanning GWT and JSON HTTP requests

Update: Burp Suite Pro 1.4.10 supports JSON scanning out of the box, see http://releases.portswigger.net/2012/06/v1410.html
Update 2: The plugin is released under the terms of GNU GPL. In short it means that you can use it and change it as you like, publish the changes under GNU GPL if you like, but cannot include it as a part of any closed-source software. If you really want to use it as a part of closed-source software, contact me, we can figure something out.

A while ago Alex came up with a solution to get Burp to scan JSON formatted requests. It required a rather involved setup with two Burp listeners and an Apache server acting as a proxy packing and unpacking JSON data for Burp's consumption.

A more straightforward solution to the problem would be a Burp plugin using the BurpExtender interface that parses the request, marks the appropriate insertion points and feeds it to Burp's scanner.

And now we have it. As a bonus, it is also capable of scanning GWT (Google Web Toolkit) requests. Download the JAR file or the source code.

Running Burp on Unix/Linux:

java -classpath burpsuite_pro_v1.4.07.jar:Gwtscan.jar burp.StartBurp

Running Burp on Windows:

java.exe -classpath burpsuite_pro_v1.4.07.jar;Gwtscan.jar burp.StartBurp

Using the plugin:

  1. Select the request or requests you want to scan in Burp proxy or target
  2. Select "Actively scan GWT request(s)" or "Actively scan JSON request(s)" from the context menu
  3. That's all
    Attachments:
    Gwtscan.jar (15.92 KB)
    gwtscan.tgz (14.5 KB)

    Comments

    There is a small typo. Between the jars there has to be a semicolon.

    Thanks. Indeed, it's a semicolon on Windows, a colon on Unix/Linux

    Thanks!! What a pain it was before!!

    This is super useful, thank you! I'd like to make a small contribution. In cases where the GWT site you are trying to scan is using GWT XSRF protection there are two extra tokens in the GWT payload, like this:

    7|2|11|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|com.google.gwt.user.client.rpc.XsrfToken/4254043109|AC68E4A714B29BC91B0E0B8962BB9C7F|com.mysite.DispatchService|dispatch|com.mysite.dispatch.Action|java.lang.String/2004016611|com.mysite.commands.LayoutAction/2006706871|Y7HETKD72af299c40a51dcb|E330E570-F83F-4AE2-B1A9-5AD67C33B4A6|1|2|3|4|5|6|2|7|8|9|10|11|

    To account for the extra tokens I've updated GwtParser.java to define ParameterOffset within the body of the parse() method, like so:


    // Does the body include an XSRF token?
    // Use 6 if an XSRF token is included, 4 otherwise.
    int ParameterOffset = 4;
    if (body.indexOf("XsrfToken") > 0) ParameterOffset = 6;

    Otherwise it throws an ArrayIndexOutOfBoundsException and the request does not get added to the scanner.

    Thanks for this great tool! You should post a link to it on the BurpSuite User Forum.

    -August
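The header shift described in the comment above is easy to see with a stand-alone parser. The following is an added example, not code from the plugin or from the commenter: it parses the GWT-RPC wire format (version|flags|N|string table|integer stream), detects the optional XsrfToken pair in the header by looking at the third header reference rather than by substring search, and returns the character offsets of the string values a scanner could mutate. The XSRF body is the one quoted in the comment; the plain body, the GwtRequest type and the "skip anything that looks like Class/hash" heuristic are assumptions made for this example.

```python
"""Minimal GWT-RPC request-body parser that locates scanner insertion points."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Class name GWT uses for the XSRF token object (the /hash suffix varies per build).
XSRF_TOKEN_CLASS = "com.google.gwt.user.client.rpc.XsrfToken"
# Type descriptors look like "java.lang.String/2004016611"; mutating one only makes
# the server reject the whole payload, so they are not insertion points.
TYPE_REF = re.compile(r"^[A-Za-z_$][\w.$]*/\d+$")

# XSRF-protected body quoted in the comment above.
XSRF_BODY = (
    "7|2|11|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|"
    "com.google.gwt.user.client.rpc.XsrfToken/4254043109|AC68E4A714B29BC91B0E0B8962BB9C7F|"
    "com.mysite.DispatchService|dispatch|com.mysite.dispatch.Action|java.lang.String/2004016611|"
    "com.mysite.commands.LayoutAction/2006706871|Y7HETKD72af299c40a51dcb|"
    "E330E570-F83F-4AE2-B1A9-5AD67C33B4A6|1|2|3|4|5|6|2|7|8|9|10|11|"
)
# Constructed body for the same service without XSRF protection (one String argument).
PLAIN_BODY = (
    "7|0|6|https://mysite.com/app/app/|6FBE13170553777A0AB54ACB6AE8FBD1|"
    "com.mysite.DispatchService|dispatch|java.lang.String/2004016611|hello world|1|2|3|4|1|5|6|"
)


@dataclass
class GwtRequest:
    version: int
    flags: int
    strings: List[str]
    xsrf_protected: bool
    service: str
    method: str
    param_types: List[str]
    # (start, end) character offsets inside the body of each fuzzable string value
    insertion_points: List[Tuple[int, int]] = field(default_factory=list)


def parse_gwt_rpc(body: str, detect_xsrf: bool = True) -> GwtRequest:
    """Parse one GWT-RPC request body.

    Wire format: version|flags|N|string_1|...|string_N|int|int|...|
    Integers reference the string table by 1-based index (0 = null).
    Header order: moduleBaseURL, strongName, [XsrfToken type, token value],
    service, method, paramCount, paramType..., then the encoded argument values.
    With detect_xsrf=False the parser behaves like the original fixed-offset code.
    """
    if not body.endswith("|"):
        raise ValueError("GWT-RPC body must end with '|'")
    fields = body[:-1].split("|")
    starts, pos = [], 0                      # character offset of every field
    for f in fields:
        starts.append(pos)
        pos += len(f) + 1

    version, flags, count = int(fields[0]), int(fields[1]), int(fields[2])
    strings = fields[3:3 + count]
    if len(strings) != count:
        raise ValueError("truncated string table")
    ints = [int(x) for x in fields[3 + count:]]

    def deref(i: int) -> Optional[str]:
        """String referenced by the i-th integer, or None for null / out-of-range."""
        if i >= len(ints) or not 1 <= ints[i] <= count:
            return None
        return strings[ints[i] - 1]

    # The XSRF variant inserts two extra header entries after the strong name,
    # which shifts everything that follows by two (the 4-vs-6 offset above).
    xsrf = detect_xsrf and (deref(2) or "").startswith(XSRF_TOKEN_CLASS + "/")
    head = 4 if xsrf else 2                  # index of the service interface ref
    service, method = deref(head), deref(head + 1)
    if service is None or method is None or head + 2 >= len(ints):
        raise ValueError("malformed GWT-RPC header")
    nparams = ints[head + 2]
    type_start = head + 3
    if type_start + nparams > len(ints):
        raise ValueError("fewer parameter types than declared")
    param_types = [deref(i) or "?" for i in range(type_start, type_start + nparams)]

    req = GwtRequest(version, flags, strings, xsrf, service, method, param_types)
    # Every remaining integer that resolves to a non-type string is a candidate
    # insertion point; primitives (non-references) and type markers are left alone.
    for i in range(type_start + nparams, len(ints)):
        s = deref(i)
        if s is None or TYPE_REF.match(s):
            continue
        fidx = 3 + ints[i] - 1               # field index of that string in the body
        req.insertion_points.append((starts[fidx], starts[fidx] + len(s)))
    return req


if __name__ == "__main__":
    for name, body in (("xsrf", XSRF_BODY), ("plain", PLAIN_BODY)):
        r = parse_gwt_rpc(body)
        print(name, r.service, r.method, r.param_types,
              [body[s:e] for s, e in r.insertion_points])
```

Running the XSRF body through the parser with detect_xsrf=False shows what the fixed-offset code saw: the "service" resolves to the XsrfToken class name and the token value is taken as the method, so the declared parameter count and every later lookup are read from the wrong slots.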

    I haven't figured out that one. Thanks.

    > You should post a link to it on the BurpSuite User Forum.

    Done that already.

    I have used your source as a starting point for a plugin that works with the new Burp 1.5.x Extender API and I would like to open-source it. I couldn't find any license information however.

    Is it OK to open source this (with credit to the original author of course)?

    Yes, sure. Consider it GPL.

    Alla

    Was this ever published in the BURP App store?

    Could you please provide some information about the license terms for this plugin? Is there any cost or restrictions associated with this plugin?

    See Update 2 above. The license is GNU GPL. You can use the plugin without any restriction, you can modify it, you can publish your changes under GNU GPL. You cannot include it in closed-source software.

    Is the GPL v2 license the one that applies?

    Which one would you like? I am not sure how they differ in terms and conditions. Is there any particular clause or condition you want to apply?

    It’s not that there are specific terms that we like in one version or the other. The main reason for this question is that it’s hard to convince management that it’s OK to use a product when we’re not sure what the specific terms are (even if we say that all possible terms should be generally fine). For other open source products in use, they have already reviewed/approved the terms of GPLv2 and that’s why I would prefer v2.

    Okay, it is GPLv2 then. If you want I can put it in a comment in the source file.

    Alla

    Thank you very much for your help and prompt response. Yes, we would appreciate it if you could add a comment in the source file to specify that the software is licensed under GPLv2.