I'm trying to compose my first Burp extension, and stumbled upon some problems I haven't been able to resolve with google's help. I have to mention that I'm not so skillfull programmer, also, so I'm in search for simplest solution possible to complete the task (this extension is actually a meaningfull project, I need it asap to do my daily work), what will probably be some Burp's own API libraries, or python modules, etc. Yes, I use python as a programming language because of its simplicity.
The extension itself will automate insertions of different payloads into parameters transmited in POST requests. At the very least it will check is intercepted POST request contains parameters from some list provided via configuration file, and if it is, then insert some payload into them (different modes of insertion are suggested). The basic functionality is already at work, but I'm seeking the way to improve its usability and applicability further. For that I need additional knowledge in this 3 general directions:
1) I need to be able to program some rich GUI features for my tool, and failed to find a good explanation how to do so. Examples on Burp's website mention only standard GUI elements - edtior, log panel etc. But I need to know how to add some buttons which will reset specific variables in my code, as well as input fields (including multiline ones), file loading/saving functionality (with ability to traverse local directories while searching for file), checkboxes and drop-down lists, and some pop-up panels with all the elements mentioned before (I would like that my tool be able to parse POST parameters in real-time (atm I do this beforehand, manually, and sumbit them in conf. file) and present them to user in some pop-up window where he can select with checkboxes those which will receive the payload)
2) I would like that my tool be able to store its configuration data (including long lists of parameters, payloads and target urls) in some consistent manner, by using the same approach other extensions and native Burp's modules use. I.e., I would like to get rid of my custom configuration files (only allow users to feed tool with input from files, but after that all this input should be stored the same way Burp stores all its other configuration data, in some its internal(?) storage). How can I do that?
3) Currently the tool is able to handle parameters, presented as simple string with "&" as delimiter, as well as those transmited in multipart/form-data format. I simply use some simple regexps to search for signatures like (rougly) "\&[^&]\=" or "Content-Disposition[^\n]\n\r\n\r", i.e. it's handled by code, written by myself. I would rather like to use some respected and well-established parameters' parser instead, as I doubt my code applicability for all possible (non-standard?) causes, and I need it to be able to handle much broader selection of possible protocols that can use POST requests (json, to name one). Is there such kind of a thing one could handle with python code?
Aucun commentaire:
Enregistrer un commentaire