Piper for Burp Suite

Piper integrates external tools and their pipelines to Burp Suite. The extension can pass HTTP requests and responses from Burp to external programs, then feed the execution result back to Burp. With Piper you can create:

• Commentators: Display the output of an external program in Proxy History as comments. For example, you can display the cryptographic hash of every request by piping their content to sha256sum.
• Highlighters: Highlight items in the proxy history based on their contents. For example, you can highlight items where HTTP response includes elements of a wordlist.
• Message Viewers: Display the contents of HTTP messages with custom formatting. For example, you can display Protobuf structures by piping message contents to protoc.
• Context Menu Items: Invoke external tools from context menu. For example, you can use an external diff GUI to compare HTTP messages.
• Intruder Payload Generators: Generate payloads for Intruder with external tools. For example, you can make Intruder use password candidates generated by John the Ripper.
• Intruder Payload Processors: Transform Intruder payloads. For example, you can apply base64 encoding with a custom alphabet using an external script.
• Macros: You can use external tools as part of Macros. For example, you can automatically generate predictable CSRF tokens for every outgoing request.
• HTTP Listeners: Transform outgoing and incoming HTTP messages. For example, you can use an external Python script to handle custom encryption.

Detailed usage information is provided in the original GWAPT Gold Paper, and in this demonstration video.

Building

Execute ./gradlew build and you'll have the plugin ready in build/libs/burp-piper.jar

Known issues

• The terminal emulator ignores background color when Look and feel is set to Nimbus, see https://bugs.openjdk.java.net/browse/JDK-8058704

Security

Piper configurations can be exported and imported. As configurations define commands to be executed on the user's machine, importing malicious configurations is a security risk.

Piper disables configurations loaded via the GUI to prevent exploitation, and unexpected behavior (e.g.: modification of HTTP messages). To support automation, Piper enables configurations loaded via the PIPER_CONFIG environment variable, so extra care must be taken in this use case.

Users should always review configurations before importing or enabling them.

License

The whole project is available under the GNU General Public License v3.0, see LICENSE.md. The swing-terminal component was developed by @redpois0n, released under this same license.