Burp plugin for scanning GWT and JSON HTTP requests
Update: Burp Suite Pro 1.4.10 supports JSON scanning out of the box, see http://releases.portswigger.net/2012/06/v1410.html
Update 2: The plugin is released under the terms of GNU GPL. In short it means that you can use it and change it as you like, publish the changes under GNU GPL if you like, but cannot include it as a part of any closed-source software. If you really want to use it as a part of closed-source software, contact me, we can figure something out.
A while ago Alex came up with a solution to get Burp to scan JSON formatted requests. It required a rather involved setup with two Burp listeners and an Apache server acting as a proxy packing and unpacking JSON data for Burp's consumption.
A more straightforward solution to the problem would be making a Burp plugin using BurpExtender interface that parses the request, marks appropriate insertion points and feeds it to Burp.
Running Burp on Unix/Linux:
java -classpath burpsuite_pro_v1.4.07.jar:Gwtscan.jar burp.StartBurp
Running Burp on Windows:
java.exe -classpath burpsuite_pro_v1.4.07.jar;Gwtscan.jar burp.StartBurp
Using the plugin:
- Select the reques or requests you want to scan in Burp proxy or target
- Select "Actively scan GWT request(s)" or "Actively scan JSON request(s)" from the context menu
- That's all