Burp Extension Development Part 3 - Singletons & Scope
Key Takeaways
The video covers Burp Extension Development, focusing on Singletons and Scope, and demonstrates how to create a Singleton class, modify the main class, and rebuild the extension for testing in Burp Suite.
Full Transcript
hello and welcome everyone tiberious here and today we are continuing our series creating burps with extensions using the shiny new Montoya API this is part three and if you've missed one of our thrilling previous installments you can find the links in the video description trust me you do not want to miss out on those last time we shuffled some functionality around tweaked how our custom header value was calculated and implemented a Nifty save and restore feature today we're going to keep things relatively simple adding a special object which allows us to make calls to the Montoya API without having to pass an instance of the API around all of the time plus we're going to make sure our custom header only shows up in requests we want it to as always if you have Amazing Ideas you want to see me code please share them in the comments and I'll do my best to bring the most popular ones to life in future videos if you enjoy the content please consider giving the video a like and of course subscribing to the the channel as cyber threats grow so does the need for skilled professionals TCM security certifications are here to elevate your skills to meet these challenges our courses are tailored to give you an edge with practical scenario based exams step into the world of advanced cyber security at certifications dotcms sec.com and make your mark all right let's geek out for a sec and talk about software design patterns these are General reusable solutions to Common problems in software design think of them like tried andrue recipes created by Michelin star software Engineers ever heard of an object pool pattern it's like a recycling center for objects in your code improving performance by reusing objects instead of creating them on demand several web and database servers use object pools to handle connections as the high number of incoming requests can cause performance issues if new connection objects have to be continually created and destroyed you can read more more about software design patterns at will link on the screen and of course in the video description the reason we're talking about them is we are going to use a popular one the Singleton pattern a Singleton is a special type of object which can only ever be created once we don't necessarily need this but it will save us a lot of time when coding an instance of The Monto API is provided to our extension in the initialized method of our my first extension class this is the the only instance of the Montoya API we are ever given so if we need to use it in other classes we currently must pass it to an instance of the Class via a Constructor we did this already when we created the unloading Handler but since the Montoya API instance contains a lot of useful functionality we'll likely need it throughout our extension instead of passing it by our a Constructor each time let's create a new class using the Singleton pattern give that an instance of the Montoya API and then simply use that new class whenever we need to use the API first let's create a new Java class file called M api. Java we add the word final to the class declaration this isn't strictly necessary but for the purposes of following the design pattern we will include it next we add a class variable to store the actual Montoya API instance and we'll call it instance in all caps just to make that clear the static keyword tells Java that the variable belongs to the class rather than an instance of the class for this kind of Singleton we don't actually need any instances of this class to be created since it's more of a wrapper around the Montoya API instance to prevent instances from being created we can simply Define a private Constructor now we need a method we can call when our extension loads to pass our Montoya API instance into the Class via a parameter called API in this method since we only ever want one instance of the Montoya API to be passed we'll create an if statement where the API variable is only assigned to our class variable if the class variable is currently null I.E nothing has been assigned to it yet finally we need a geta method to retrieve the Montoya API instance in the my first extension class in the initialized method we need to make a call to the mapi classes initialized method and pass in the Montoya API instance since we no longer want to pass the Montoya API around via Constructors we can also remove the API reference from the unloading Handler Constructor call here this will cause an error since at the moment the unloading Handler Constructor needs an instance of The Monto API let's fix that by removing the instance variable the Constructor argument and the assignment finally we need to replace the this. API call down here with mapi do get API all good so far let's change our HTTP Handler code so that the header is only applied to and only generated from requests which are considered in the scope our handle HTTP request to be sent method already has a handy if statement surrounding the relevant code so we just need to add another conditional check to it since we only want the code within the if statement braces to run if both our conditionals are true we need to separate them using two ampersound symbols which represents a logical and operation luckily the HTTP request be sent object has a handy is in scope method we can use for this check in the handle HTTP response received method we need to create a new if statement surrounding all the code except for the return null at the end the conditional here is similar though the HTTP response received object does not have an is in scope method instead we can actually access the request which triggered this response via the initiating request method then call is in scope from that finally to show off our amazing API rapper again after the hex format line add a call to the logger by the API and log the hash that has been generated save and rebuild the extension then reload it in burp Suite load example.com and then check the logger in burp note that this time no header was added to the request this is because example.com is not in scope since we haven't added anything to burp scope settings yet let's do that now you can access the scope settings on the target tab I prefer using Advanced modes since it's more flexible click add and then enter example.com in the host field click okay and refresh the example.com page now back in burps logger we can see that the header value is being added again in my next video We'll add more features to our extension exploring other parts of the Montoya API as I mentioned at the St of the video if you have any requests for specific features please let me know in the comments I'll upload the code from this video to GitHub and provide all the important links in the video description that's all for now if you enjoyed the video and found it informative please consider giving it a like subscribing to the channel and I will see you next time
Original Description
0:00 Intro
1:00 TCM Certifications with Alex
1:23 Geeking out over Software Design Patterns
3:04 Creating our Singleton class
4:32 Modifying our main class to use our new Singleton
5:00 Fixing the UnloadingHandler class
5:24 Changing our HTTP Handler code
7:01 Rebuilding our extension and testing it in Burp Suite
8:00 Outro
Useful Links:
https://en.wikipedia.org/wiki/Software_design_pattern
https://github.com/Tib3rius/burpsuite-montoya-dev
Are you interested in Sponsoring one of our YouTube Videos? Contact us with the form here: https://www.tcm.rocks/Sponsors
Pentests & Security Consulting: https://tcm-sec.com
Get Trained: https://academy.tcm-sec.com
Get Certified: https://certifications.tcm-sec.com
Merch: https://merch.tcm-sec.com
Sponsorship Inquiries: info@thecybermentor.com
📱Social Media📱
___________________________________________
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Instagram: https://instagram.com/thecybermentor
LinkedIn: https://www.linkedin.com/in/heathadams
TikTok: https://tiktok.com/@thecybermentor
Discord: https://discord.gg/tcm
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk
My Build:
lg 32gk850g-b 32" Gaming Monitor:https://am
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
Writing a Pentest Report
The Cyber Mentor
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
Top 5 Internal Pentesting Methods
The Cyber Mentor
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
How One Missing Check Can Quietly Take Down a “Secure” Infrastructure
Medium · Cybersecurity
New Spirals Ransomware Demonstrates How Fast Modern Cyberattacks Can Escalate
Medium · Cybersecurity
How to Detect Malicious Traffic for Free
Medium · Programming
How to Detect Malicious Traffic for Free
Medium · DevOps
Chapters (9)
Intro
1:00
TCM Certifications with Alex
1:23
Geeking out over Software Design Patterns
3:04
Creating our Singleton class
4:32
Modifying our main class to use our new Singleton
5:00
Fixing the UnloadingHandler class
5:24
Changing our HTTP Handler code
7:01
Rebuilding our extension and testing it in Burp Suite
8:00
Outro
🎓
Tutor Explanation
DeepCamp AI