Burp plugin for scanning GWT and JSON HTTP requests

Submitted by alla on Fri, 06/01/2012 - 14:36

Update: Burp Suite Pro 1.4.10 supports JSON scanning out of the box; see http://releases.portswigger.net/2012/06/v1410.html
Update 2: The plugin is released under the terms of GNU GPL. In short it means that you can use it and change it as you like, publish the changes under GNU GPL if you like, but cannot include it as a part of any closed-source software. If you really want to use it as a part of closed-source software, contact me, we can figure something out.

A while ago Alex came up with a solution to get Burp to scan JSON-formatted requests. It required a rather involved setup with two Burp listeners and an Apache server acting as a proxy, packing and unpacking JSON data for Burp's consumption.

A more straightforward solution to the problem is a Burp plugin built on the BurpExtender interface that parses the request, marks the appropriate insertion points and feeds it to Burp.

And now we have it. As a bonus, it is also capable of scanning GWT (Google Web Toolkit) requests. Download the JAR file or the source code.
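The "parse the request and mark insertion points" step, as an added Python sketch (not the plugin's own Java code): it computes the start/end byte offsets of every scalar JSON value in a raw request body, skipping object keys. The sample request, host name and function name are constructed for illustration.

```python
import json
import re

# Constructed sample request; host, path and field names are made up.
SAMPLE_REQUEST = (
    b"POST /api/profile HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"user": {"name": "al\\"ice", "id": 42}, "tags": ["a", true], "note": ""}'
)

TOKEN = re.compile(
    rb'"(?:[^"\\]|\\.)*"'                     # string, escape sequences kept whole
    rb'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?'     # number
    rb'|true|false|null'                      # literals
    rb'|[{}\[\],:]'                           # structural characters
)

def json_insertion_points(request):
    """Return (start, end) byte offsets, relative to the whole request,
    of each scalar JSON value in the body (end is exclusive)."""
    sep = request.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no header/body separator in request")
    base = sep + 4
    body = request[base:]
    json.loads(body)  # reject malformed JSON before computing offsets
    tokens = list(TOKEN.finditer(body))
    points = []
    for i, tok in enumerate(tokens):
        text = tok.group()
        if text[:1] in b"{}[],:":
            continue  # structure, not a value
        if i + 1 < len(tokens) and tokens[i + 1].group() == b":":
            continue  # a string followed by ':' is an object key
        start, end = tok.span()
        if text.startswith(b'"'):
            start, end = start + 1, end - 1  # stay inside the quotes
        points.append((base + start, base + end))
    return points

if __name__ == "__main__":
    for s, e in json_insertion_points(SAMPLE_REQUEST):
        print(s, e, SAMPLE_REQUEST[s:e])
```

An empty string value yields a zero-length range, so the position between its quotes is still marked.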

Running Burp on Unix/Linux:

java -classpath burpsuite_pro_v1.4.07.jar:Gwtscan.jar burp.StartBurp

Running Burp on Windows:

java.exe -classpath burpsuite_pro_v1.4.07.jar;Gwtscan.jar burp.StartBurp

Using the plugin:

  1. Select the request or requests you want to scan in Burp proxy or target
  2. Select "Actively scan GWT request(s)" or "Actively scan JSON request(s)" from the context menu
  3. That's all
