Burp2Json consists of three parts: a Burp extension (Burp2Json) that takes selected requests from Burp and generates JSON call templates for them, a Python module (also called Burp2Json) that reads those JSON call templates and makes HTTP calls based on them, and example Python code plus a sample REST service to try them against.
Run
gradle build
This will create build/libs/Burp2Json-1.0.jar (the jar is named after the Gradle project name, so it may appear under a different name, as in the output below). Open the Extensions tab in Burp and add this jar file as an extension.
If you don't have Gradle installed, you can use a dockerized Gradle:
Welcome to Gradle 8.4!
...
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :compileJava
> Task :processResources NO-SOURCE
> Task :classes
> Task :jar
...
BUILD SUCCESSFUL in 8s
2 actionable tasks: 2 executed
% ls -l build/libs/project-1.0.jar
-rw-r--r-- 1 abb staff 823387 Oct 26 12:10 build/libs/project-1.0.jar
Install the Python module. Run once:
pip install -e .
Run the sample web service
Depending on your version of flask:
Flask 2.0.x :
> export FLASK_APP=sample_server
> flask run
Flask 3.0.x
> flask --app sample_server run
This will run a web server on http://localhost:5000 providing a simple REST web service. The source code for the service is in sample_service.py
Start the Burp proxy listener on port 8080 (Burp's default).
Now read and run the example code
> python examples.py
- Collect the REST requests you want in Burp proxy or repeater.
- In Proxy or Target tool select the requests you want to export.
- Right-click on the selected requests, choose Extension -> Burp2Json -> Burp2Json (# request(s) selected) - generate. This will generate a JSON array ([]) consisting of one JSON object per request and place it in the clipboard
- Open a new test file in any editor and paste the generated JSON code.
- Save the JSON file in your working directory.
- Write a Python script that imports the burp2json module (import burp2json), loads your JSON file (b2j = burp2json.Burp2Json("sample.json")) and executes your test scenarios. Use examples.py for inspiration
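As an added example (not the project's own code, and not the exact template format the extension emits), the following shows the kind of logic such a script relies on: loading a JSON array of call templates, filling placeholders in the request path and JSON body, and overriding headers, cookies, query and form parameters by name. The template field names (name, method, url, headers, cookies, json, form), the {{name}} placeholder syntax and the TemplateSet class are assumptions made for this example; the sample templates are constructed, and build() returns the prepared request as a dict instead of sending it, so it runs offline.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample templates. The field names are an assumption made for
# this example, not the exact JSON produced by the Burp2Json extension.
SAMPLE_TEMPLATES = json.dumps([
    {
        "name": "get_user",
        "method": "GET",
        "url": "http://localhost:5000/users/{{user_id}}?verbose=1",
        "headers": {"Accept": "application/json"},
        "cookies": {"session": "burp-captured-session"},
    },
    {
        "name": "update_role",
        "method": "PUT",
        "url": "http://localhost:5000/users/{{user_id}}/role",
        "headers": {"Content-Type": "application/json"},
        "json": {"id": "{{user_id}}", "role": "{{role}}"},
    },
])

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def substitute(value, values):
    """Replace {{name}} placeholders in strings, recursing into dicts and lists.
    Unknown placeholders are left as-is so a missing value is visible in the request."""
    if isinstance(value, str):
        return PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), m.group(0))), value)
    if isinstance(value, dict):
        return {k: substitute(v, values) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute(v, values) for v in value]
    return value


def replace_by_name(existing, overrides, case_insensitive=False):
    """Copy `existing` and let each override replace any entry with the same name.
    Header names compare case-insensitively; cookies and parameters compare exactly."""
    merged = dict(existing)
    for name, value in overrides.items():
        for old in list(merged):
            same = old.lower() == name.lower() if case_insensitive else old == name
            if same:
                del merged[old]
        merged[name] = value
    return merged


class TemplateSet:
    """Loads a JSON array of call templates and builds concrete requests from them."""

    def __init__(self, text):
        self.templates = {t["name"]: t for t in json.loads(text)}

    def build(self, name, headers=None, cookies=None, query=None, form=None, values=None):
        t = self.templates[name]
        values = values or {}
        parts = urlsplit(substitute(t["url"], values))   # placeholders in the path
        # A template whose query string repeats a name is rejected up front, since
        # replacing "by name" is only well defined when each name occurs once.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        names = [k for k, _ in pairs]
        if len(names) != len(set(names)):
            raise ValueError(f"{name}: duplicate query parameter names are not supported")
        merged_query = replace_by_name(dict(pairs), query or {})
        req = {
            "method": t["method"].upper(),
            "url": urlunsplit(parts._replace(query=urlencode(merged_query))),
            "headers": replace_by_name(t.get("headers", {}), headers or {}, case_insensitive=True),
            "cookies": replace_by_name(t.get("cookies", {}), cookies or {}),
            "body": None,
        }
        if "json" in t:                                  # placeholders in the JSON body
            req["body"] = json.dumps(substitute(t["json"], values))
        elif "form" in t or form:                        # url-encoded POST parameters
            req["body"] = urlencode(replace_by_name(t.get("form", {}), form or {}))
        return req


if __name__ == "__main__":
    ts = TemplateSet(SAMPLE_TEMPLATES)
    print(ts.build("get_user", headers={"Authorization": "Bearer x"}, values={"user_id": 7}))
    print(ts.build("update_role", values={"user_id": 7, "role": "admin"}))
```

The case-insensitive header match matters in practice: a template captured by Burp may carry `Accept` while your override says `accept`, and sending both would produce two headers rather than a replacement.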
Burp2Json disables SSL server certificate validation (and the associated warnings) by default, because that is what a test harness pointed at a lab target usually needs. With validation off the client accepts any certificate, so do not use the default in any scenario where transport-level security matters.
You can enable server certificate validation by doing:
import burp2json
b2j = burp2json.Burp2Json("sample.json")
b2j.ssl_verify = True
- Burp2Json supports any HTTP method and several kinds of body content (url-encoded body parameters, multipart/form-data, JSON, XML and arbitrary body data). Binary body data, particularly large binary blobs, will probably not work well, or at all
- Requests can be customised by adding headers, cookies, query parameters and POST url-encoded parameters. If a header, cookie, query parameter or POST url-encoded parameter with the same name already exists in the JSON template it is replaced. The tool does not support multiple parameters with the same name, so requests that rely on repeated parameter names cannot be expressed
- Requests can be customised by substituting values in the JSON body and the request path. To facilitate this, you need to create placeholders in the JSON templates. See examples.py
- The Burp2Json Python module can use a python requests Session object. This allows cookie-based sessions in multi-step scenarios and SSL client certificate authentication
- The do_request() method returns a python requests Response object, so you can analyze every aspect of the response
- The do_all() method accepts a response_handler function as a parameter. It can be used, for example, to print the result of every request in CSV format and then analyze the output in a spreadsheet app that supports sorting and filtering
- Automating authentication/authorization testing. You can run a set of requests with/without a particular cookie, with/without an Authorization header, with/without a client SSL certificate
- Implementing multi-step authentication scenarios before running access control tests
- Simplifying access control tests. Write an authentication sequence, call it to obtain the necessary tokens, pass the tokens to do_all(). Make all requests as different users, output as CSV, and check where the actual behaviour deviates from expectations
- Reproducibility. You can easily replay your test scenarios (after fixes have been implemented, in a different environment, with different user accounts, etc.)
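The access control workflow above, as an added example that is not part of Burp2Json: every request is replayed as every principal, each result goes through a response handler in the style of do_all(), and the handler produces CSV with a deviation column instead of leaving the comparison to a spreadsheet. The fake_send policy table, the PRINCIPALS and EXPECTED matrices and the CsvReport class are constructed for this example; the DELETE row of the fake policy deliberately lets a plain user succeed so there is a deviation to find. In a real run fake_send would be replaced by the module's request call and the status codes would come from the target.

```python
import csv
import io

# Constructed stand-in for HTTP client plus target: a policy table answers each
# (method, path, role) with a status code. The DELETE row intentionally allows
# "user", so the report below has a deviation to catch.
FAKE_POLICY = {
    ("GET", "/users"):      {"anonymous": 401, "user": 200, "admin": 200},
    ("POST", "/users"):     {"anonymous": 401, "user": 403, "admin": 201},
    ("DELETE", "/users/7"): {"anonymous": 401, "user": 204, "admin": 204},
}


def fake_send(method, path, headers, cookies):
    """Decide the caller's role the way the fake service would: admin by bearer
    token, user by session cookie, anonymous otherwise. Returns a status code."""
    if headers.get("Authorization") == "Bearer admin-token":
        role = "admin"
    elif cookies.get("session") == "user-session":
        role = "user"
    else:
        role = "anonymous"
    return FAKE_POLICY[(method, path)][role]


# The same requests replayed without credentials, with a cookie, and with an
# Authorization header (constructed credentials).
PRINCIPALS = {
    "anonymous": {},
    "user": {"cookies": {"session": "user-session"}},
    "admin": {"headers": {"Authorization": "Bearer admin-token"}},
}

# What the access-control design says should happen (constructed for the example).
EXPECTED = {
    ("GET", "/users"):      {"anonymous": 401, "user": 200, "admin": 200},
    ("POST", "/users"):     {"anonymous": 401, "user": 403, "admin": 201},
    ("DELETE", "/users/7"): {"anonymous": 401, "user": 403, "admin": 204},
}


class CsvReport:
    """Response handler: one row per (request, principal), flagged when the
    observed status differs from the expectation matrix."""
    FIELDS = ["method", "path", "principal", "status", "expected", "deviation"]

    def __init__(self, expected):
        self.expected = expected
        self.rows = []

    def handle(self, method, path, principal, status):
        want = self.expected[(method, path)][principal]
        self.rows.append({"method": method, "path": path, "principal": principal,
                          "status": status, "expected": want, "deviation": status != want})

    def deviations(self):
        return [r for r in self.rows if r["deviation"]]

    def csv(self):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=self.FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.rows)
        return buf.getvalue()


def run_matrix(requests, principals, send, response_handler):
    """Replay every request as every principal and hand each result to the handler."""
    for method, path in requests:
        for name, creds in principals.items():
            status = send(method, path, creds.get("headers", {}), creds.get("cookies", {}))
            response_handler(method, path, name, status)


def audit(requests=tuple(FAKE_POLICY), principals=PRINCIPALS, send=fake_send, expected=EXPECTED):
    report = CsvReport(expected)
    run_matrix(requests, principals, send, report.handle)
    return report


if __name__ == "__main__":
    report = audit()
    print(report.csv())
    for r in report.deviations():
        print(f"DEVIATION: {r['principal']} {r['method']} {r['path']} "
              f"got {r['status']}, expected {r['expected']}")
```

Keeping the expectation matrix in code rather than in your head is the point: the same audit() call can be re-run after a fix, in another environment or with other accounts, and any row with deviation=True is a finding or a changed requirement.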