PyScripter-er (you can thank @kevcody for the name :-P) is a framework built on top of the Python Scripter Burp Suite extension.
PyScripter-er is designed to make wielding the power of Python Scripter easier by providing interfaces to common functionality not already provided within the Burp Suite set of tools.
- Watch the these videos to gain a basic understanding of the Python Scripter extension and the PyScripter-er module.
- Configure Burp Extender's Python Environment to use Jython 2.7.1.
pyscripterer.pyin the path configured for Burp Extender's Python Environment.
- Manually install the modified Python Scripter extension (included in this repo).
- The custom extension provides access to macros from within the script. Everything but the methods that require macros will work using the original Python Scripter extension.
- Paste the following script into the "Script" tab.
from pyscripterer import BaseScript as Script args = [extender, callbacks, helpers, toolFlag, messageIsRequest, messageInfo, macroItems] script = Script(*args) script.help()
- Send a request from anywhere in Burp Suite.
- View the output in the Extender tab.
- Use methods independently, dependently, or with custom code to achieve a desired result.
1. Intro to Python Scripter (from time stamp)
2. Intro to PyScripter-er
A message object is an Extender object that consists of both a request and a response. It represents a full request/response cycle.
A message's context is defined by where it came from and what stage of the request/response cycle it is in. For instance, a request coming from Repeater, or a response headed back through the Proxy. Enforcing context is essential to preventing scripts from acting on unintended parts of the message.
Scripts are evaluated on every request, response, and when a macro message is passed to the script from a session handling rule. Requests and responses from macros themselves are also evaluated, but are flagged as coming from the originating tool. The macro tool flag is only set when a message is sent from a macro to the Python Scripter extension using the "Run a macro" session handling rule.
For example, when using a macro that interacts with the Python Scripter extension, the script is evaluated five times:
|3||Session handling rule||macro|
The macro message object from step 2 is evaluated by the script via the session handling rule in step 3 along with the original message object and the macro tool flag. Here, scripts can make modifications to the original message based on information from the macro message before sending the message in step 4. You would obviously want to restrict that logic to a very specific context so that the script doesn't try to make the same change the other 4 times the script is evaluated.
When not using a macro, the flow is much simpler.
If you log things with Logger++ like me, then the below message flow diagram may be useful for debugging. BLUF, Logger++ always sees the modified message.
Burp -> Scripter (request) -> Logger++ -> application -> Scripter (response) -> Logger++ -> Burp