Custom Tooling using Burp

Premium room

Creating custom tooling for application testing using Burp Plugins.

hard

60 min

2,641


The ability to create your own custom tooling is critically important for web application red teaming. Rarely will you be able to find a tool or plugin that will do exactly what you need. This then calls for you to develop custom tooling! This custom tooling module will showcase different ways you can approach this problem. Each option is unique and has its benefits and drawbacks.

In this room, we will focus on using Burp plugins to create custom tools and exploits. Burp acts as an intercepting proxy, allowing you to view and modify requests and responses as they pass between you and the web application. Burp has several features, such as repeating requests or performing automated brute forcing of specific requests and payloads. This makes plugins a unique option when you need additional versatility in your tooling that can be used in both an automated and a manual fashion. While we will showcase Burp plugins in this room, the principles apply to any intercepting proxy you choose. Let's dive in and use Burp plugins to create our very own custom tools and exploits!

Prerequisites

Learning Objectives

  • Understand how Burp plugins work and can be used to create custom tools and exploits
  • Learn how to create a custom intruder plugin
  • Learn how to create a custom plugin
  • Learn how to craft plugins for custom cryptography, which will allow you to test it seamlessly even after it is implemented
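As an added illustration of what a custom Intruder plugin looks like (this is example code written for this page, not code from the room or from PortSwigger), the following extension uses Burp's legacy Extender API to register a payload processor. The `burp.*` interfaces are supplied by Burp when the extension is loaded; the signing scheme (base64 of the payload plus a hex HMAC-SHA256 tag) and the key are assumptions standing in for whatever the application under test actually implements.

```java
package burp;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Minimal Burp extension (legacy Extender API) that registers an Intruder
// payload processor. Every payload Intruder generates is passed through
// processPayload() before it is inserted into the request, so the
// transformation an application applies to a parameter can be reproduced
// automatically instead of by hand in Repeater.
public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {

    // Hypothetical scheme for this example: the target is assumed to expect
    // base64(payload) + "." + hex(HMAC-SHA256(key, payload)).
    // The key is a placeholder, not a value from any real application.
    private static final byte[] SIGNING_KEY =
        "PLACEHOLDER_SIGNING_KEY".getBytes(StandardCharsets.UTF_8);

    private IBurpExtenderCallbacks callbacks;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.setExtensionName("Signed payload processor (example)");
        // Makes this processor selectable under
        // Intruder > Payloads > Payload Processing > Add > Invoke Burp extension.
        callbacks.registerIntruderPayloadProcessor(this);
    }

    @Override
    public String getProcessorName() {
        return "Base64 + HMAC-SHA256 signature";
    }

    @Override
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        try {
            return sign(currentPayload).getBytes(StandardCharsets.UTF_8);
        } catch (Exception e) {
            callbacks.printError("Failed to sign payload: " + e.getMessage());
            // Returning null tells Intruder to skip this payload.
            return null;
        }
    }

    // The pure transformation is kept separate from the Burp callbacks so it
    // can be unit-tested outside Burp with known payload/tag pairs.
    static String sign(byte[] payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SIGNING_KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload);
        StringBuilder hex = new StringBuilder();
        for (byte b : tag) {
            hex.append(String.format("%02x", b));
        }
        return Base64.getEncoder().encodeToString(payload) + "." + hex;
    }
}
```

Compile the class against Burp's Extender API jar, package it, and load it via the Extender tab; once a payload-processing rule invokes it, each Intruder payload arrives at the server already encoded and signed, which is the same idea the later crypto tasks in this room build on.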

Starting the Machine

Deploy the target attached to this task by pressing the green Start Lab Machine button. After obtaining the machine's generated IP address, you can either use the AttackBox or your own machine connected to TryHackMe's VPN.

Note: This room requires you to start two VMs simultaneously. If you're not using your own machine, be sure to extend the time of the current VM in this room.

You can find and start the second VM from this room. We will refer to the IP address of the second VM as SECOND_VM_IP in this room.

Answer the questions below
I am ready to learn about creating custom Burp plugins!