Skip to content
BURP extension to record every HTTP request send via BURP and create an audit trail log of an assessment.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci
gradle/wrapper
resources
src/burp
.gitignore
.travis.yml
LICENSE
README.md
build.gradle
example1.png
example2.png
example3.png
example4.png
example5a.png
example5b.png
gradlew
gradlew.bat
settings.gradle

README.md

Build Status CircleCI Coverity Status Known Vulnerabilities License: GPL v3 BAppStore Version

Log Requests to SQLite

This extension has a single objective:

Keep a trace of every HTTP request that has been sent via BURP.

Why?

When I perform an assessment of a web application, it is often spread on several days/weeks and during this assessment, I use the different tools proposed by BURP (Proxy, Repeater, Intruder, Spider, Scanner...) to send many HTTP request to the target application.

Since a few months, I have met a situation that happens more and more with the time: Some time after the closure of the assessment (mission is finished and report has been delivered), the client ask this kind of question:

  • Do you have evaluated this service or this URL?
  • Is it you that have sent this "big request" to this service/URL on this date?
  • How many requests do you have sent to the application or to this service?
  • And so on...

Most of the time, I answer to the client in this way: "This is the IP used for the assessment (the IP is also in the report by the way), check the logs of your web server, web app server, WAF..." because it's up to the client to have the capacity to backtrack a stream from a specific IP address.

In the same time, I cannot give the BURP session file to the client because:

  • I cannot ask to a client to buy a BURP licence just to see the session content.
  • I cannot ask to a client to learn what is BURP and how to use BURP.
  • Requests send via Intruder/Repeater/Spider/Scanner are not kept in the session log.

So, I have decided to write this extension in order to keep the information of any HTTP request sends in a SQLIte database that I can give to the client along the report and let him dig into the DB via SQL query to answer his questions and, in the same time, have a proof/history of all requests send to the target application...

Once loaded, the extension ask the user to choose the target database file (location and name) to use for the SQLite database or to continue using the current defined file in the previous session.

Regarding the file name to use, there no constraint applied on it but I recommend to use a file with the .db extension to facilitate the usage with a SQLite client for exploration operations.

After, the extension silently records every HTTP request send during the BURP session.

Extension Log

DB Content

Options

Scope

There is an option to restrict the logging to the requests that are included into the defined target scope (BURP tab Target > Scope):

Scope Option Menu

Images

There is an option to exclude the logging of the requests that target images (check is not case sensitive):

Image Option Menu

The list of supported file extensions is here.

Statistics

There is an option to obtain statistics about the information logged in the database:

Image Stats Menu 1

Image Stats Menu 2

Build the extension JAR file

Use the following command and the JAR file will be located in folder build/lib:

$ gradlew clean fatJar

Audit third party dependencies

The goal dependencyCheckAnalyze can be used to verify if one of the dependencies used contains CVE.

Use the command line option -PodcGradlePluginVersion=x.x.x to specify a specific version of the OWASP Dependency Check Grable plugin

$ gradlew -PodcGradlePluginVersion=3.2.1 dependencyCheckAnalyze

Night build

This link provide the url where to download a night build of the extension JAR file:

[ {
  "path" : "LogRequestsToSQLite-NightBuild.jar",
  "pretty_path" : "LogRequestsToSQLite-NightBuild.jar",
  "node_index" : 0,
  "url" : "https://11-144454154-gh.circle-artifacts.com/0/LogRequestsToSQLite-NightBuild.jar"
} ]

The attribute url must be used to download the JAR file.

BApp Store

The extension is referenced here.

Change log

1.0.6

  • Upgrade the version of the third party library used to handle the work with the SQLite DB in order to fix exposure to CVE-2018-20346.

1.0.5

  • Add new stats and update display:
    • Add the size of the biggest request sent.
    • Add the maximal number of requests sent by second.
    • Review stats display to dynamically adapt data amount in KB, MB or GB.

1.0.4

  • Fix the bug described in issue #5.
  • Add statistics about the DB content.
  • Allow the user to select the DB location and file name.

1.0.3

  • Fix the bug described in issue #4.

1.0.2

  • Add option to exclude image from logging.
  • Prepare and finalize publishing of the extension to the BAppStore.

1.0.1

  • Add the option to restrict the logging to the requests that are included into the defined target scope.

1.0.0

  • Creation of the extension and initial release.

SQLite client

Cross-platform: https://github.com/sqlitebrowser/sqlitebrowser

You can’t perform that action at this time.