Burp plugin for scanning GWT and JSON HTTP requests
Update: Burp Suite Pro 1.4.10 supports JSON scanning out of the box; see http://releases.portswigger.net/2012/06/v1410.html
A while ago Alex came up with a solution to get Burp to scan JSON-formatted requests. It required a rather involved setup with two Burp listeners and an Apache server acting as a proxy that packed and unpacked JSON data for Burp's consumption.
A more straightforward solution is a Burp plugin that uses the BurpExtender interface to parse the request, mark the appropriate insertion points and feed the result to Burp.
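To illustrate the parsing step described above, this added example (not the Gwtscan plugin's own code, which the post does not show) locates the byte offsets of JSON values in a raw request so that each one can be treated as an insertion point. The class name, the sample request and the choice to skip object keys are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class JsonInsertionPoints {
    // Returns {start, end} byte offsets (end exclusive) of each JSON value in the body.
    static List<int[]> find(byte[] request) {
        // ISO-8859-1 maps one byte to one char, so string indexes equal byte offsets.
        String s = new String(request, StandardCharsets.ISO_8859_1);
        List<int[]> points = new ArrayList<>();
        int sep = s.indexOf("\r\n\r\n");
        if (sep < 0) return points;                  // no body, nothing to mark
        int i = sep + 4, n = s.length();
        while (i < n) {
            char c = s.charAt(i);
            if (c == '"') {
                int start = ++i;                     // first char inside the quotes
                while (i < n && s.charAt(i) != '"')
                    i += (s.charAt(i) == '\\') ? 2 : 1;   // step over escaped chars
                if (i >= n) break;                   // unterminated string: stop
                int end = i++;                       // closing quote, then move past it
                int j = i;
                while (j < n && Character.isWhitespace(s.charAt(j))) j++;
                boolean isKey = j < n && s.charAt(j) == ':';
                if (!isKey) points.add(new int[] {start, end});   // assumption: mark values only
            } else if (c == '-' || Character.isLetterOrDigit(c)) {
                int start = i;                       // bare scalar: number, true, false, null
                while (i < n && (Character.isLetterOrDigit(s.charAt(i))
                        || "+-.".indexOf(s.charAt(i)) >= 0)) i++;
                points.add(new int[] {start, i});
            } else {
                i++;                                 // structural character or whitespace
            }
        }
        return points;
    }

    public static void main(String[] args) {
        // Constructed sample request, not taken from the original post.
        byte[] raw = ("POST /api/login HTTP/1.1\r\nHost: app.example\r\n"
                + "Content-Type: application/json\r\n\r\n"
                + "{\"user\": \"alice\", \"age\": 30, \"tags\": [\"a\\\"b\", true]}")
                .getBytes(StandardCharsets.ISO_8859_1);
        for (int[] p : find(raw))
            System.out.println(p[0] + "-" + p[1] + " "
                    + new String(raw, p[0], p[1] - p[0], StandardCharsets.ISO_8859_1));
    }
}
```

A payload placed inside a string value still has to be JSON-escaped, otherwise the server's parser rejects the body before the payload reaches application code.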
Running Burp on Unix/Linux:
java -classpath burpsuite_pro_v1.4.07.jar:Gwtscan.jar burp.StartBurp
Running Burp on Windows:
java.exe -classpath burpsuite_pro_v1.4.07.jar;Gwtscan.jar burp.StartBurp
Using the plugin:
- Select the request or requests you want to scan in Burp proxy or target
- Select "Actively scan GWT request(s)" or "Actively scan JSON request(s)" from the context menu
- That's all