Monday, 9 September 2013

BurpCSJ extension release

submit to reddit Vote on Hacker News Share
As part of my research and talk titled "Augmented Reality in your web proxy" presented during the HackPra AllStars program / OWASP AppSec EU 2013  security conference in Hamburg, I decided to release a new Burp Pro extension which integrates Crawljax, Selenium and JUnit.

I decided to take this approach to increase application spidering coverage (especially for Ajax web apps), speed up complex test-cases and take advantage of the Burp Extender API.

  • BurpCSJ extension JAR - download (all dependencies included)
  • BurpCSJ source code - github
  • "Augmented Reality in your web proxy" - presentation (slideshare)
Getting started
  1. Download BurpCSJ;
  2. Load BurpCSJ extension jar via the Extender tab;
  3. Choose the URL item from any Burp tab (e.g. target, proxy history, repeater); 
  4. Right click on the URL item;
  5. Choose menu item "Send URL to Crawljax";
  6. Crawljax will automatically start crawling the URL that you choose.



BurpCSJ extension in action:


  1. Bellissimo, ottimo lavoro!
    I follow you with great fashinated interest on Twitter and in all your conferences.
    Thank you.

  2. Attempting to load extension within burp suite on OSX is generating an error. (java.lang.UnsupportedClassVersionError: burp/BurpExtender : Unsupported major.minor version 51.0)
    From what i can tell it is forcing a specific JDK (Java 7?). This will not load with a standard Java installation on OSX and requires updating to a somewhat unsupported Java 7. Can anything be done for compatibility for OSX users?

    1. Hey, thanks for the feedback. I have not tested BurpCSJ on OSX so not sure what exactly could be the issue. Feel free to create a ticket on github: with full stack trace so I can try to understand why it fails. Thanks.

  3. Great work Roberto, can i also join your fan club? :)
    I heard italian hackers are the best at getting those little black boxes.