BURPKIT: Using WebKit to Own the Web
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 109 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/36404 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
DEF CON 2331 / 109
12
19
20
23
24
29
32
33
36
51
58
60
62
66
67
68
69
70
71
77
82
84
85
88
89
92
98
99
103
104
107
00:00
Software Development KitLucas-ZahlenreiheHackerBenutzerbeteiligungSoftware Development Kit
00:31
Pi <Zahl>ComputersicherheitProxy ServerKontrollstrukturWeb-Seite
00:59
ImplementierungIntegralComputersicherheitMultiplikationsoperatorDemo <Programm>Suite <Programmpaket>Software Development Kit
01:29
W3C-StandardAggregatzustandEinfach zusammenhängender RaumMereologieSystemaufrufRuhmasseComputersicherheitWeb-SeiteSpielkonsoleClientSichtenkonzeptWeb SiteWeb ServicesProxy ServerMultiplikationsoperatorBenutzerbeteiligungSuite <Programmpaket>Web-ApplikationMashup <Internet>Twitter <Softwareplattform>FacebookApp <Programm>HackerInhalt <Mathematik>
02:43
SoftwaretestComputersicherheitProxy ServerBenutzerbeteiligungSuite <Programmpaket>VolumenvisualisierungApp <Programm>EinsSichtenkonzept
03:13
ParserInhalt <Mathematik>InterpretiererMereologieBrowserBenutzerbeteiligung
03:51
SpeicherabzugProdukt <Mathematik>GefrierenMereologieGraphische BenutzeroberflächeBrowserKomponente <Software>PufferüberlaufBenutzerbeteiligungHumanoider RoboterSchnittmenge
04:30
ProgrammbibliothekMAPMereologieSpeicherabzugZusammenhängender GraphAbstraktionsebeneSpeicherbereinigungSchnittmengeWeb-SeiteDifferenteElement <Gruppentheorie>BenutzerbeteiligungExogene Variable
05:16
Metropolitan area networkImplementierungCodeFormale SpracheGraphImplementierungProgrammbibliothekMereologiePhysikalisches SystemProjektive EbeneVerschlingungProgrammfehlerWeb-SeiteBrowserAppletSkriptspracheSoundverarbeitungSchnelltasteClientWeb SiteSystemplattformFreewareHumanoider RoboterGoogle ChromeSchaltnetzSichtenkonzeptBenutzerbeteiligung
08:02
RenderingAppletImplementierungSchaltnetzSoftwaretestComputersicherheitAppletSoundverarbeitungSichtenkonzeptBenutzerbeteiligungSuite <Programmpaket>Web-ApplikationHackerMAPEntscheidungstheorieDebuggingReelle ZahlBridge <Kommunikationstechnik>Web-SeiteRechter WinkelDemo <Programm>VolumenvisualisierungRendering
09:09
BrowserImplementierungProgrammbibliothekEntscheidungstheorieMereologieProjektive EbeneTermÄußere Algebra eines ModulsBrowserAppletSoundverarbeitungQuellcodeBenutzerbeteiligungInterface <Schaltung>Softwareentwickler
10:04
ImplementierungInformationInformation RetrievalHackerDebuggingFunktionalIndexberechnungInjektivitätMereologieTermQuick-SortProzess <Informatik>ProgrammfehlerZusammenhängender GraphGraphische BenutzeroberflächeVollständigkeitBridge <Kommunikationstechnik>Arithmetische FolgeBrowserAppletSkriptspracheFramework <Informatik>SoundverarbeitungQuellcodeJava Virtual MachineHook <Programmierung>Objekt <Kategorie>BenutzerbeteiligungProfil <Aerodynamik>Virtuelle MaschineSystemaufruf
11:44
Graphische BenutzeroberflächeImplementierungEingebettetes SystemBenutzerbeteiligungSoftware Development KitBildgebendes VerfahrenProgrammbibliothekArithmetisches MittelInhalt <Mathematik>LastLoopNumerische IntegrationQuick-SortServerZusammenhängender GraphWeb-SeiteAppletSoundverarbeitungClientEreignishorizontDifferenteURLSuite <Programmpaket>Sichtenkonzept
12:49
VerklemmungFunktionalLoopThreadAppletSoundverarbeitungEreignishorizontWrapper <Programmierung>MultiplikationsoperatorZweiSynchronisierungSystemaufrufGraphische Benutzeroberfläche
13:38
URLAbstraktionsebeneCodeImplementierungOrdnung <Mathematik>Ganze FunktionInhalt <Mathematik>Lokales MinimumTermServerExogene VariableProzess <Informatik>SummierbarkeitProtokoll <Datenverarbeitungssystem>AppletFramework <Informatik>QuellcodeHook <Programmierung>MultiplikationsoperatorURLCachingSuite <Programmpaket>VolumenvisualisierungMathematikSichtenkonzeptBenutzerbeteiligung
15:18
AppletBridge <Kommunikationstechnik>AlgorithmusProdukt <Mathematik>VerklemmungFunktionalLoopCASE <Informatik>Zusammenhängender GraphDatenfeldBridge <Kommunikationstechnik>Klasse <Mathematik>Spiegelung <Mathematik>EreignishorizontWrapper <Programmierung>Objekt <Kategorie>Rechter WinkelBenutzerbeteiligung
16:06
Produkt <Mathematik>GoogolProgrammierumgebungKonfiguration <Informatik>Proxy ServerDemo <Programm>Web-SeiteRechter WinkelBrowserTouchscreenSoftware Development KitBenutzerbeteiligungComputeranimation
16:40
Demo <Programm>ProgrammierumgebungMaßerweiterungProxy ServerGoogolInnerer PunktInhalt <Mathematik>Web-SeiteMinimumSpielkonsoleHyperlinkMereologieFramework <Informatik>Suite <Programmpaket>Computeranimation
17:08
ProgrammierumgebungKompakter RaumDemo <Programm>Proxy ServerKonfiguration <Informatik>TexteditorMailing-ListeSichtenkonzeptTouchscreenCookie <Internet>Proxy ServerMessage-PassingSuite <Programmpaket>Software Development KitComputeranimation
17:47
Demo <Programm>ProgrammierumgebungKonfiguration <Informatik>Proxy ServerMaßerweiterungMailing-ListeProxy ServerInformationProgrammierumgebungWeb-SeiteSkriptspracheMultiplikationsoperatorPlug inSuite <Programmpaket>Web-ApplikationGebäude <Mathematik>BenutzerbeteiligungComputeranimation
18:43
Graphische BenutzeroberflächeDemo <Programm>DateiformatBildschirmfensterDemo <Programm>VektorpotenzialTouchscreenAuflösung <Mathematik>SoftwareschwachstelleWeg <Topologie>
19:42
DatensichtgerätDemo <Programm>BitTouchscreenComputeranimation
20:09
AnalysisVektorraumDreiInhalt <Mathematik>MereologieTexteditorQuaderWeb-SeiteAppletApp <Programm>Software Development KitSpielkonsoleSoftwareschwachstelleBenutzerbeteiligungComputeranimation
21:42
Quader
22:11
Hill-DifferentialgleichungMereologieInteraktives FernsehenDemo <Programm>BenutzerbeteiligungSuite <Programmpaket>Rechter WinkelComputeranimation
22:39
ProgrammierumgebungHyperbelverfahrenLoopProjektive EbeneWeb-SeiteSkriptspracheMinimumMultiplikationsoperatorRechter WinkelDemo <Programm>Twitter <Softwareplattform>
23:37
ProgrammierumgebungInformationSelbst organisierendes SystemDateiverwaltungProgrammbibliothekSoftwaretestBeweistheorieMaßerweiterungResultanteE-MailVerzeichnisdienstInstantiierungMailing-ListeSkriptspracheProxy ServerMessage-PassingTwitter <Softwareplattform>
25:09
ProgrammierumgebungBenutzeroberflächePlug inSuite <Programmpaket>TexteditorGraphische BenutzeroberflächeProgramm/Quellcode
25:39
ProgrammbibliothekProjektive EbeneTermSerielle SchnittstelleVektorpotenzialEin-AusgabeWeb-SeiteInteraktives FernsehenSuite <Programmpaket>App <Programm>MultiplikationComputersicherheitBenutzerbeteiligungSoftware Development KitComputeranimation
26:48
Haar-MaßRückkopplungSoftwareSoftwaretestTermZusammenhängender GraphCoxeter-GruppeBrowserMultiplikationsoperatorData Mining
27:31
CodeSoftwareAppletProzess <Informatik>Zusammenhängender GraphSoundverarbeitungDatenfeldMultiplikationsoperatorComputeranimation
28:15
InformationImplementierungProgrammbibliothekE-MailFlächeninhaltPunktRahmenproblemPlastikkarteZoomProxy ServerMultiplikationsoperatorCross-site scriptingSoftware Development KitComputeranimation
Transkript: Englisch(automatisch erzeugt)
00:00
This is burpkit using webkit to own the web. Please welcome Nadeem Duba. Hi, everybody. Thank you for coming out. I thought I was going to have some big competition with Charlie Miller. I thought none of you were going to come out and go
00:21
see some car hacking, but I guess thank you for coming out. So my name is Nadeem, and today I'll be presenting burpkit using webkit to own the web. I'm currently the founder of Red Canary in Ottawa, a one-man shop, security shop. I love hacking, exploiting stuff, making tools to break stuff. I've done some prior work,
00:43
sploitgo, DEF CON 20, and canary, which was a fork of sploitgo. Now it's being used by a bunch of companies and pie my proxy. So if you want to see my GitHub page, there's plenty of tools there that you can play with. I'm sure there's something that will meet your requirements. What I'll be talking about is basically how to integrate webkit
01:03
into your security tools and how I manage to integrate webkit into burp suite. So we'll be going over just kind of the basics of what webkit is and how I used it in burpkit design considerations, implementation, and I'll show you some demos. And finally we'll have some
01:23
final thoughts and hopefully some time to answer any questions. So burpkit came out because I kind of felt that we were stuck in this state where, you know, we have these massive web applications running the web today. They're all kind of mashups of
01:45
everything. They've got Facebook connect, they've got Twitter feeds, they've got AJAX web service calls, they're kind of rendering different parts of the web page, and we're not really getting the full picture if we're simply HTML scraping. But our security tools,
02:01
they're not really advancing. We're still stuck doing kind of console based hacking. We have some gooey apps like burp suite and so on. In fact, the only app that I think has a web view is proxy.app from web securefy, but it's not really a security tool. So we're kind of stuck in the middle ages. And I was really getting frustrated at client sites
02:25
because they had these really huge apps and I'm using burp suite and there's no real way to see if there was an XSS, if there was a bunch of AJAX calls that had to be made ahead of time within burp suite to render the content in the page. So like I said, our toolkit,
02:47
mostly console, we have burp suite, which is like the defacto web pen testing tool. And in burp suite, we only have that really lame renderer tab, which uses Lobo, and it's kind of like the neglected child because nobody ever uses it from the guys that I've spoken
03:04
to. And the other ones, trials and zed, are just proxies and web security, securefy's proxy.app, as I said, has a web view. So when I set out to build the tool, I kind of had this criteria. I said we really need to start taking advantage of modern web
03:22
browsing capabilities in our tools. And these tools, like the web, they need to be able to interpret JavaScript. They need to be able to dynamically render and inspect content. Because the web browser itself is an excellent parser. It's an excellent tool and it can give
03:41
you a lot of capabilities. We're not taking advantage of it. And most importantly, we needed the tool to interact with the DOM and vice versa. So webkit. What is webkit? If you're not familiar with webkit, most people think it's Safari, but really it's the core of Safari. It's the layout engine, and it's the core of a lot of other web browser
04:03
products, but it's basically the web layout engine software component that renders different parts of the page, and we've seen forks of it in Chrome and other Android browsers and other products. I like this definition, though, from the grub. Webkit is basically collection of use after freeze that somehow manages to render HTML probably via
04:26
buffer overflow in WebGL. So if you look at webkit, it's essentially this core set of libraries and they're broken up into two major components. One is the JavaScript core. It's responsible for everything JavaScript. So parsing, interpreting JavaScript, JSON,
04:44
garbage collection, debugging, et cetera. The second one is the web core, and that's responsible for everything else. So you get the web inspector, that neat thing where you right click on the web page and inspect elements, that's part of web core. The HTML rendering, that's part of web core. CSS, et cetera, all of that is part of web core.
05:03
And essentially when you try to bring webkit into your tool, you're primarily dealing with these two major components, and different libraries will give you different levels of abstraction to webkit, because webkit can kind of get really hairy. So here are a few
05:23
examples, Apple, Safari, the web browser, Android. Nokia has an implementation in QT, and Java effects just recently after the release of 1.8 update 30 I think started getting web view natively bundled with Java. And we have GTK and so on. And what's interesting here on
05:41
the graph on the left, you can kind of see that two major companies that are driving the project are still Apple and Google, even though Google has completely forked away from webkit, they now have their Google Chrome, but there's still major contributors to the project. So there's a lot of players. And so the question is why use webkit? Why did I use
06:04
webkit? So the reason why is because primarily we have widespread adoption. So what that means is that the websites that are out there today, they're all going to be compatible with webkit. You're not going to ‑‑ you're not using links browser, I'm not going to embed links browser where nobody is barely using it and no website is catered to
06:24
that technology. I want to use something that everybody is kind of coding their websites for. And the second part is that there's lots of language support. So if you go on the web and you're looking for a language binding for webkit, there's tons of stuff out there for Java, Python, C, C++, JavaScript, there's lots of
06:43
implementations out there. It's portable across many platforms, primarily because Google and Apple wanted their browser to work on all the major platforms. So you're good in that respect. And it can interact with the DOM and JS engine. It gives you
07:00
basically an API. So the cons are you're going to be susceptible to the same bugs that affect the webkit libraries. So if there's a use after free that somebody finds, your tool is probably going to be susceptible to that same thing. It's hungrier for system resources. That's kind of expected because you have a whole bunch of stuff going on to
07:21
render the page, execute the JavaScript, et cetera. But that really ‑‑ those two cons were not ‑‑ you know, they didn't really drive me away from webkit. I mean, okay, so what? The code is susceptible to bugs, but really I'm assessing client websites. Unless they want to exploit me, you know, I'm not really worried. So I'm going to
07:46
actually use webkit. So how can you use webkit? As I said before, there's a whole bunch of language bindings available. These are some of the major languages that are supported already. Libraries on the other side. What I used in this project was effects web view.
08:01
And I'll go over why. So burpkit. Burpkit is basically the combination of burp suite, one of the best tools for security testing web apps and Java effects is web view or webkit implementation. In Java effects, what they provide you is essentially the very high
08:31
level API which gives you direct access to the web view which is responsible for rendering the web page and the debugger, needs some hacking, as well as the web engine
08:41
which is responsible for JavaScript rendering. And what I was able to do with this is provide a real rendering tab. That's right. There's no more Lobo. So what you're going to see in a few minutes is a demo of a real render tab where you see Google fully rendered, not broken up in a Lobo tab. It also has a bidirectional bridge between
09:05
burp suite and webkit. I'll go into that in a few minutes. Some of the design decisions. When I was actually designing this, I was looking all over the web for Java implementations of webkit and I came across two leaders. Java effects which comes with Java and JX browser. JX browser is an excellent alternative. It uses chromium to
09:29
provide you with a Java interface. But the only problem was that to redistribute my
09:40
webkit, I had 150 megs of libraries with the project. So that was kind of unattractive. The other part of it is that it wasn't free. It was closed source and basically I was tied to whatever the developers chose to expose to me in terms of an interface. And finally, the
10:01
API wasn't that clean. It was kind of clunky. So some of the pros and cons of Java effects. It's easy to use. The webkit implementation has a clean API. It's very Java-esque. You're not going to be confused with all sorts of funky function calls. It has a complete JavaScript bridge. So that means you can actually inject Java objects
10:23
into the JavaScript engine and you can actually retrieve JavaScript objects and play with them in the Java virtual machine. It leverages the Java URL framework which is applicable and I'll go into that later. It does provide some debugging, profiling information, which is only available through some hacking. They don't really
10:45
document it. So it's still a work in progress. But at least it's bundled with Java 1.8 plus. The cons in terms ‑‑ when I say the API is incomplete, I mean you're not getting web inspector, you're not getting any of the things, the nice things that you see in a web browser. Some of the stuff you have to kind of
11:02
reinvent the wheel. You have to redesign those GUI components. There's little documentation on the advanced features. What I mean by that is if you wanted to actually use the debugger function, you really have to dig through that source code to find where the debugger is exposed in the API and they're kind of labeled as
11:23
deprecated so it makes you nervous. Is this thing going to go away in the near future? Is it going to stick around? So it gives you an indication that they're still working through the API, but at least they give you enough to work with so that you can actually make some really neat tools. And there are still some rendering bugs as expected, but for the most part it does a really great job. So the
11:45
implementation. So I had various challenges when I had actually tried to embed web kit into burp suite. One of them was that burp suite was using the swing event loop. Swing is this really old GUI library that for some reason a lot of people are still hooked
12:07
on to probably because of the availability of some advanced GUI components. And web view was written for Java effects, the effects event loop. So there had to be some sort of integration point there. Web engine doesn't have a load content with base URL. What
12:24
that means is that if I wanted to load an HTML page with a base URL so that I can get different images and stuff from the server but have the content in my desktop on the client, it wasn't possible. So I had to find some way of hacking it. And finally burp
12:44
suite had to interact with JavaScript and vice versa. So the first challenge was very easy to solve. There were a few gotchas. Java effects luckily gives you a JFX panel which allows you to embed an effects event loop into swing GUIs. But you had to be really
13:05
careful with interweaving synchronous function calls. So what that means is that if I had a getter method that went through swing thread first, Java effects second and then back to swing or the other way around, then I would run into deadlock issues because the
13:20
threads would be waiting. So there was a lot of hacking with wrappers. I had to do a lot of eager fetching to make sure that the appropriate resources were allocated on the appropriate event loop. And this is something that you would have to do if you were working with swing and Java effects at the same time. The second challenge, loading
13:40
content with a base URL, the reason we needed that is because burp suite actually has a repeat request, look at the response. Now in order to look at the response in a real render, basically with webkit, I didn't want to reissue the request because all I have access to in terms of support for requests was get. So and the other reason is that I
14:06
don't want the response to change based on time. I want to actually see what I got in the response tab in webkit. So I had to hook the Java dot net URL protocol handling framework. And luckily web view uses that framework to process HTTP requests, any HTTP
14:25
request really. So the entire HTTP request framework is hookable. You can intercept responses, change these responses and so on. So I implemented two new handlers and that's basically what you see the code there is basically the minimum API, the minimal amount
14:44
of implementation that you have to do in terms of overriding the preexisting protocol handlers. And what those protocol handlers did was they actually just tagged requests that were supposed to be repeated. They tagged the user agent with a SHA1 sum of the response and if my protocol handler saw that SHA1 sum, it would then just fetch
15:06
the content from a cache rather than going live to the server. So that was a really fun exercise because it involved a lot of just digging in the source code and figuring out how things worked. The third challenge was really easy to fix in the end. The only
15:23
thing that I ran to were the deadlocks but essentially that web engine bridge is readily available for you to use. You just need to know how to use it, how the web engine returns objects, that's all documented. The only thing, the only gotchas there are that in
15:42
some cases this web engine uses a really funky reflection algorithm to determine whether or not a field or function is accessible. So you had to write a lot of wrapper classes to get around that funky reflection algorithm. And as I said before, there's a lot of cases where you have to eagerly instantiate swing components in the right event loop, in the
16:05
swing event loop. So this is the final product, the before and after. On the left you see Lobo, very ugly Google page and on the right you see Google in all its glory. So here,
16:20
let's show you what burpkit looks like. So burpkit, you get three extra tabs, one of them is a bonus. Burpkitty, which is a full web browser, which you, and you have
16:46
basically a JavaScript console here at the bottom, an XSS tracker, which I'll show you later, a page resource tab which shows you kind of H ref references and other references to content within the page. And the nice thing here is that you can right
17:01
click on these and you can send them to any part of the burp suite framework. So if I send to repeater, you'll see that in the repeater I get the request that webkit made with all the cookies that it has in its store so that you can maintain the session within burp suite. And as well, if I go into, if I repeat a request, you'll see that there's
17:23
an extra burpkit tab and that's essentially the same view that you see in burpkitty. Unfortunately the screen is too small here. Let me see if I can get rid of this tool bar. Okay. So you see Google here. And basically this view you're going to be able to
17:43
see in any message editor tab within burp suite. So it'll even manifest itself here in the proxy history list. So if we have an HTML document that gets returned, you're going to see these as well here. Even intruder. The other nice thing here is that I've
18:02
added a burp script IDE tab. And what that allows you to do is it allows you to build JavaScript‑based web applications, client‑side web applications. So if you wanted to write a burp suite plug‑in in JavaScript, you can. If you want to write some advanced HTML scraper, you can. It basically allows you to use webkit to navigate pages, to
18:27
extract that information, to interact with burp suite at the same time, send that information from webkit to burp suite and so on. And finally there's a Jython tab for all you Python users. It's not related to webkit, but that's just an extra bonus. So no
18:47
more Lobo. And I hope that was kind of impressive, but we'll give you some demos. So the first demo, the XSS tracker. And this is where I think a lot of the ‑‑ is my
19:04
screen still up there? Okay. A lot of the potential for webkit, where we can use webkit really effectively here, is in XSS tracking. So let's say you have a scenario which I come across a lot where I want to know where ‑‑ how bad a stored XSS vulnerability
19:28
is. So what I can do is I can send ‑‑ I can send this to the repeater ‑‑ oh, sorry. I don't know what happened to the resolution there. It just kind of flipped on me. Thank you for telling me. Let me see if we can ‑‑ is that better? Just let me know.
19:56
Arrangement, mirror. I don't know why it changed. Is that better? Sorry about that.
20:01
Let's see if we can just increase it just a bit just to get some more real estate on the screen there. Is that good? All right. Great. So let's say I want to track an XSS. So one of the things is ‑‑ I'm using triad editor. Obviously it allows you to render random
20:21
HTML. And I find this XSS vector. Let's just pretend this is the app. And I want to track XSS across the app. So what I can do is I can taint a value in the alert box. I can put a tainting value. And I'll just generate a random ID. And when I press go, you'll
20:43
see that when I go to the burp kit tab, it tells me that I've had one alert. You don't see an alert box. You just see that one alert. And it shows you what the contents of the alert are in JavaScript console. Now if I push over to XSS tracker, you'll see there's an entry there. It basically says that I've detected the tainting value. I've detected
21:02
an alert. It originally came from this web page and now it's in this web page. So now you have a really easy way of understanding how far a stored XSS vector ‑‑ XSS vulnerability has gone in the app. So how bad it is. So that's the XSS tracker. I think that's an example of how we can use web kit to perform dynamic analysis in the app in a
21:26
very easy way. So we don't have to inspect HTML. The nice part about this now is let's say I want to get the money shot and I really want that alert box so I can take a screenshot. So you can toggle this button here. You can press go again. You get the alert
21:43
box. Let's take the money shot. Screenshot there. And we're good to go. Let's find that screenshot. All right. Let's put it in the desktop. There we go. Just so we show you.
22:07
And there we go. So that's the money shot. So and the last thing that I'd like to show you here is that let's say you wanted to do some web inspect. You can always launch
22:21
firebug light. It comes up with an inspector and you can do all the same things that you do with firebug right from burp suite. So that's the XSS demo and part of the repeater tab. So now the next demo I'm going to show you is some DOM interaction and
22:41
how we can actually scrape Twitter for followers. So I've included on the DVD with this project a bunch of examples and this is going to be on GitHub later. But I've included a bunch of examples that you can use. And this is kind of one of the things that I do when I do OSINT. And it's just a quick way of just dumping a user's Twitter
23:03
followers. So I just want to highlight this one feature here. In the bottom right hand corner you'll see that refresh button. I don't know why it's blanking out there. But what that does is it essentially creates this loop that you can trigger every time a page navigation happens. So every time document.onload is triggered this script gets run.
23:25
So you've essentially created a loop with the document.onload. So let's press play. It asks you what user you want to scrape. I'm going to pick this random user that I picked in the demo room. And as you can see it's scrolling down to get all of the user's
23:41
followers and collecting all of this information. And now I can save to CSV. And let's take a look at the results. And there you go. I got a full list of Twitter followers not doing
24:02
anything. Just running my burp script. So essentially what I've done there is I've extended the JavaScript API to include a whole bunch of things like injecting JavaScript libraries like jquery, csvlib, a whole bunch of things that come from Node.js. And I've also added some extensions to allow you to write directly to the file system so
24:24
that you can create, you know, scrapers for things like LinkedIn, for instance. If you're doing a penetration test and you want to know all the employees of a certain organization, you want to collect that so you can build an email list and hit it against OWA, then you can go on LinkedIn. There's an example for LinkedIn in the
24:40
examples directory where you can scrape all the employees' names and create the email list. The next example that I'd like to show you is an example of how I was able to get this to work with the burp extender API. So I'm just going to use a simple example here. I'm going to use the verbose proxy listener. And what that does is essentially just gives
25:04
me a brief listing of what messages are going through the proxy. So this is just proof that you can use JavaScript to write your burp suite plug-ins. Did I press play? I don't think I did. There we go. So there we go. So that's an example of a burp suite plug-in
25:24
written in JavaScript. And finally, if you wanted to do something GUI based, you could always use, there's also an example there for the text editor and where's the
25:42
burp suites from port swiggers web page. So if I just press go there, come on, you see serialized input tab, that was created using JavaScript as well. So I've basically given you the facilities to interact with WebKit from burp suite and vice versa. Have
26:04
JavaScript interact with burp suite as well. And I hope to extend this to include some new features like multi-tabbing and so on. There's a lot of examples in the project and I'm very eager to see what you guys can come up with in terms of ideas to extend the
26:24
project, ideas on how we can leverage WebKit. As you can see, there's a lot of potential promise using WebKit, the WebKit library with our security tools. And we don't have to be stuck in the middle ages with console-based apps or very rudimentary
26:46
rendering apps like Lobo library. So to end this talk, I think I'm ahead of time, but I'd like to thank my lovely wife who let me come here after having our beautiful baby two
27:02
weeks ago. And Justin Sights, he's been a really good friend of mine. He's been a great guy in terms of feedback and testing and giving me tips on the presentation. So
27:21
thank you, Justin. Dirk Lieberman, he was the guy that actually created the network browser component, the network timeline component that you see in burp kit, this thing here, network timeline. And finally, the Java, sorry, Thomas, who created the code
27:42
editing component as well, great job on that. Java, Java effects team and a whole bunch of other people. If there's plenty of time for questions, I'd be more than happy to field them. The question is, is it available on GitHub? It will be tonight. My GitHub is, let
28:16
me put it up here. I forgot that. There's my GitHub. And zoom in. There you go. And I
28:34
have business cards here if you'd like to chat with me over email if you have questions
28:40
regarding the burp kit toolkit. The question was does burp kitty go through the proxy history? Does it have a burp kit tab in the proxy history? Oh, not yet, but I'm working on that. HTTP 2 support, what about HTTP 2 support? That would be based on what the
29:20
question is, does cross-site scripting work for DOM or any kind of cross-site scripting?