Burp Extension Development Part 3 - Singletons & Scope

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·2y ago

Key Takeaways

The video covers Burp Extension Development, focusing on Singletons and Scope, and demonstrates how to create a Singleton class, modify the main class, and rebuild the extension for testing in Burp Suite.

Full Transcript

hello and welcome everyone tiberious here and today we are continuing our series creating burps with extensions using the shiny new Montoya API this is part three and if you've missed one of our thrilling previous installments you can find the links in the video description trust me you do not want to miss out on those last time we shuffled some functionality around tweaked how our custom header value was calculated and implemented a Nifty save and restore feature today we're going to keep things relatively simple adding a special object which allows us to make calls to the Montoya API without having to pass an instance of the API around all of the time plus we're going to make sure our custom header only shows up in requests we want it to as always if you have Amazing Ideas you want to see me code please share them in the comments and I'll do my best to bring the most popular ones to life in future videos if you enjoy the content please consider giving the video a like and of course subscribing to the the channel as cyber threats grow so does the need for skilled professionals TCM security certifications are here to elevate your skills to meet these challenges our courses are tailored to give you an edge with practical scenario based exams step into the world of advanced cyber security at certifications dotcms sec.com and make your mark all right let's geek out for a sec and talk about software design patterns these are General reusable solutions to Common problems in software design think of them like tried andrue recipes created by Michelin star software Engineers ever heard of an object pool pattern it's like a recycling center for objects in your code improving performance by reusing objects instead of creating them on demand several web and database servers use object pools to handle connections as the high number of incoming requests can cause performance issues if new connection objects have to be continually created and destroyed you can read more more about software design patterns at will link on the screen and of course in the video description the reason we're talking about them is we are going to use a popular one the Singleton pattern a Singleton is a special type of object which can only ever be created once we don't necessarily need this but it will save us a lot of time when coding an instance of The Monto API is provided to our extension in the initialized method of our my first extension class this is the the only instance of the Montoya API we are ever given so if we need to use it in other classes we currently must pass it to an instance of the Class via a Constructor we did this already when we created the unloading Handler but since the Montoya API instance contains a lot of useful functionality we'll likely need it throughout our extension instead of passing it by our a Constructor each time let's create a new class using the Singleton pattern give that an instance of the Montoya API and then simply use that new class whenever we need to use the API first let's create a new Java class file called M api. Java we add the word final to the class declaration this isn't strictly necessary but for the purposes of following the design pattern we will include it next we add a class variable to store the actual Montoya API instance and we'll call it instance in all caps just to make that clear the static keyword tells Java that the variable belongs to the class rather than an instance of the class for this kind of Singleton we don't actually need any instances of this class to be created since it's more of a wrapper around the Montoya API instance to prevent instances from being created we can simply Define a private Constructor now we need a method we can call when our extension loads to pass our Montoya API instance into the Class via a parameter called API in this method since we only ever want one instance of the Montoya API to be passed we'll create an if statement where the API variable is only assigned to our class variable if the class variable is currently null I.E nothing has been assigned to it yet finally we need a geta method to retrieve the Montoya API instance in the my first extension class in the initialized method we need to make a call to the mapi classes initialized method and pass in the Montoya API instance since we no longer want to pass the Montoya API around via Constructors we can also remove the API reference from the unloading Handler Constructor call here this will cause an error since at the moment the unloading Handler Constructor needs an instance of The Monto API let's fix that by removing the instance variable the Constructor argument and the assignment finally we need to replace the this. API call down here with mapi do get API all good so far let's change our HTTP Handler code so that the header is only applied to and only generated from requests which are considered in the scope our handle HTTP request to be sent method already has a handy if statement surrounding the relevant code so we just need to add another conditional check to it since we only want the code within the if statement braces to run if both our conditionals are true we need to separate them using two ampersound symbols which represents a logical and operation luckily the HTTP request be sent object has a handy is in scope method we can use for this check in the handle HTTP response received method we need to create a new if statement surrounding all the code except for the return null at the end the conditional here is similar though the HTTP response received object does not have an is in scope method instead we can actually access the request which triggered this response via the initiating request method then call is in scope from that finally to show off our amazing API rapper again after the hex format line add a call to the logger by the API and log the hash that has been generated save and rebuild the extension then reload it in burp Suite load example.com and then check the logger in burp note that this time no header was added to the request this is because example.com is not in scope since we haven't added anything to burp scope settings yet let's do that now you can access the scope settings on the target tab I prefer using Advanced modes since it's more flexible click add and then enter example.com in the host field click okay and refresh the example.com page now back in burps logger we can see that the header value is being added again in my next video We'll add more features to our extension exploring other parts of the Montoya API as I mentioned at the St of the video if you have any requests for specific features please let me know in the comments I'll upload the code from this video to GitHub and provide all the important links in the video description that's all for now if you enjoyed the video and found it informative please consider giving it a like subscribing to the channel and I will see you next time

Original Description

0:00 Intro 1:00 TCM Certifications with Alex 1:23 Geeking out over Software Design Patterns 3:04 Creating our Singleton class 4:32 Modifying our main class to use our new Singleton 5:00 Fixing the UnloadingHandler class 5:24 Changing our HTTP Handler code 7:01 Rebuilding our extension and testing it in Burp Suite 8:00 Outro Useful Links: https://en.wikipedia.org/wiki/Software_design_pattern https://github.com/Tib3rius/burpsuite-montoya-dev Are you interested in Sponsoring one of our YouTube Videos? Contact us with the form here: https://www.tcm.rocks/Sponsors Pentests & Security Consulting: https://tcm-sec.com Get Trained: https://academy.tcm-sec.com Get Certified: https://certifications.tcm-sec.com Merch: https://merch.tcm-sec.com Sponsorship Inquiries: info@thecybermentor.com 📱Social Media📱 ___________________________________________ Twitter: https://twitter.com/thecybermentor Twitch: https://www.twitch.tv/thecybermentor Instagram: https://instagram.com/thecybermentor LinkedIn: https://www.linkedin.com/in/heathadams TikTok: https://tiktok.com/@thecybermentor Discord: https://discord.gg/tcm 💸Donate💸 ___________________________________________ Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor Support the stream (one-time): https://streamlabs.com/thecybermentor Hacker Books: Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX The Hacker Playbook 3: https://amzn.to/34XkIY2 Hacking: The Art of Exploitation: https://amzn.to/2VchDyL The Web Application Hacker's Handbook: https://amzn.to/30Fj21S Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx Linux Basics for Hackers: https://amzn.to/34WvcXP Python Crash Course, 2nd Edition: https://amzn.to/30gINu0 Violent Python: https://amzn.to/2QoGoJn Black Hat Python: https://amzn.to/2V9GpQk My Build: lg 32gk850g-b 32" Gaming Monitor:https://am
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60

← Previous Next →
1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video teaches Burp Extension Development, covering Singletons and Scope, and provides hands-on experience with creating and testing extensions in Burp Suite.

Key Takeaways
  1. Create a Singleton class
  2. Modify the main class to use the Singleton
  3. Fix the UnloadingHandler class
  4. Change the HTTP Handler code
  5. Rebuild and test the extension in Burp Suite
💡 Using Singletons can improve code organization and performance in Burp extensions.

Related Reads

📰
How One Missing Check Can Quietly Take Down a “Secure” Infrastructure
A single missing check can compromise a secure infrastructure through a denial-of-service attack, highlighting the importance of thorough security measures
Medium · Cybersecurity
📰
New Spirals Ransomware Demonstrates How Fast Modern Cyberattacks Can Escalate
Learn how modern ransomware like Spirals can quickly escalate and impact organizations, and why prompt detection and response are crucial
Medium · Cybersecurity
📰
How to Detect Malicious Traffic for Free
Learn to detect malicious traffic for free by analyzing access logs and identifying suspicious patterns
Medium · Programming
📰
How to Detect Malicious Traffic for Free
Learn to detect malicious traffic for free using access logs analysis and improve your server's security
Medium · DevOps

Chapters (9)

Intro
1:00 TCM Certifications with Alex
1:23 Geeking out over Software Design Patterns
3:04 Creating our Singleton class
4:32 Modifying our main class to use our new Singleton
5:00 Fixing the UnloadingHandler class
5:24 Changing our HTTP Handler code
7:01 Rebuilding our extension and testing it in Burp Suite
8:00 Outro
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →