
Powering Up Burp Suite: Building Custom Extensions for Advanced Web Application Testing

Learn how to power up web application security testing with tips on creating customized extensions featuring BurpCage, an extension that replaces any image proxied through Burp Suite leveraging the Montoya API.

Burp Suite is one of the most popular tools in the tool kit of web application pen testers, used by more than 55,000 users in over 150 countries. Countless extensions are just a download away, empowering pen testers to hack more efficiently and elevate web application security. But there is a constant need for new and improved extensions to keep pace with the wide range of threats facing web applications today.

Workshop Summary

Security consultant Chris Cerne demonstrates how security professionals can significantly enhance their web application testing capabilities by creating custom Burp Suite extensions. Cerne begins by establishing Burp Suite's position as the industry-standard proxy tool for web application security testing, highlighting how its extensibility allows pentesters to address unique application challenges that standard tooling cannot solve.

Cerne shares how his journey into extension development began with client-specific needs: applications using non-standard GraphQL implementations, complex authentication schemes with rapid token expiration, and scenarios requiring automated processing of large datasets. These real-world challenges motivated him to learn extension development to solve problems that off-the-shelf extensions couldn't address. He then walks through the technical prerequisites for extension development, comparing the older Extender API with the newer, cleaner Montoya API, and making a compelling case for using JVM-based languages like Kotlin over Python, which in Burp suffers from dependency management challenges and is limited to the deprecated Python 2.7 runtime.

The presentation's core focuses on developing "BurpCage," a humorous extension that intercepts HTTP responses containing images and replaces them with random pictures of Nicolas Cage. Using this playful example, Cerne methodically demonstrates the complete extension development workflow: configuring a Kotlin project in IntelliJ IDEA, implementing the Montoya API interfaces to intercept HTTP responses, handling image replacement logic, creating a user interface with Java Swing, and packaging everything into a deployable JAR file using Gradle's shadow plugin to include all dependencies.
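An added example (not the BurpCage source from the talk, which this page does not reproduce) showing the Montoya API shape the summary describes, in Kotlin: a Burp-agnostic ImageSwapper class plus a BurpExtension/HttpHandler that rewrites image responses. The class names, the ToolType.PROXY filter and the bundled resource paths /cage/1.jpg to /cage/5.jpg are assumptions; packaging into an uber JAR with the shadow plugin is unchanged.

```kotlin
import burp.api.montoya.BurpExtension
import burp.api.montoya.MontoyaApi
import burp.api.montoya.core.ByteArray as BurpBytes
import burp.api.montoya.core.ToolType
import burp.api.montoya.http.handler.HttpHandler
import burp.api.montoya.http.handler.HttpRequestToBeSent
import burp.api.montoya.http.handler.HttpResponseReceived
import burp.api.montoya.http.handler.RequestToBeSentAction
import burp.api.montoya.http.handler.ResponseReceivedAction

// Plain Kotlin with no Burp types: decides whether a response is an image and picks a
// replacement. Keeping it separate is what allows reuse from another tool such as ZAP.
class ImageSwapper(private val replacements: List<kotlin.ByteArray>) {
    fun isImage(contentType: String?): Boolean =
        contentType?.lowercase()?.startsWith("image/") == true

    // Null when nothing was bundled, so the caller passes the response through untouched.
    fun pick(): kotlin.ByteArray? = replacements.randomOrNull()
}

// Burp-specific glue: Burp loads this class because it implements BurpExtension.
class BurpCage : BurpExtension, HttpHandler {
    private lateinit var swapper: ImageSwapper

    override fun initialize(api: MontoyaApi) {
        api.extension().setName("BurpCage")
        // Assumed layout: JPEGs bundled in the JAR under /cage/1.jpg .. /cage/5.jpg.
        swapper = ImageSwapper((1..5).mapNotNull { n ->
            javaClass.getResourceAsStream("/cage/$n.jpg")?.use { it.readBytes() }
        })
        api.http().registerHttpHandler(this)
    }

    override fun handleHttpRequestToBeSent(requestToBeSent: HttpRequestToBeSent): RequestToBeSentAction =
        RequestToBeSentAction.continueWith(requestToBeSent)

    override fun handleHttpResponseReceived(responseReceived: HttpResponseReceived): ResponseReceivedAction {
        val passThrough = ResponseReceivedAction.continueWith(responseReceived)
        // Only touch Proxy traffic, so Scanner and Repeater results stay honest.
        if (!responseReceived.toolSource().isFromTool(ToolType.PROXY)) return passThrough
        val contentType = responseReceived.headers()
            .firstOrNull { it.name().equals("Content-Type", ignoreCase = true) }?.value()
        if (!swapper.isImage(contentType)) return passThrough
        val picture = swapper.pick() ?: return passThrough
        // withBody() recomputes Content-Length; Content-Type must match the bytes swapped in.
        val swapped = responseReceived
            .withBody(BurpBytes.byteArray(picture))
            .withUpdatedHeader("Content-Type", "image/jpeg")
        return ResponseReceivedAction.continueWith(swapped)
    }
}
```

Build against the Montoya API dependency and bundle the images as JAR resources; the shadow plugin then produces the single JAR that Burp loads from the Extensions tab.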

The session concludes with a live demonstration showing BurpCage in action, transforming Brian Krebs' security blog into an unexpected Nicolas Cage gallery, with every image from advertisements to article photos replaced with various expressions of the actor. Throughout the Q&A segment, Cerne addresses practical considerations for extension development, emphasizing the importance of separating application logic from Burp-specific code for reusability, recommending tools for UI development, and sharing insights on staying current with evolving web application threats to inform extension development priorities.

Key Takeaways

  1. Custom extensions solve unique challenges - Standard extensions often can't address client-specific implementations like non-standard GraphQL endpoints or complex authentication flows, making custom development essential.
  2. The Montoya API simplifies extension development - PortSwigger's newer API offers cleaner interfaces and more intuitive programming patterns compared to the older Extender API.
  3. JVM languages outperform Python for extensions - While Python is popular among security professionals, its implementation in Burp (Python 2.7) creates significant limitations for dependency management and UI development.
  4. Modular design enables broader application - Separating business logic from Burp-specific code allows reusing components in other security tools like OWASP ZAP.
  5. Java Swing remains a necessary challenge - Despite being dated technology from the late 1990s, Swing is still required for Burp extension UIs, though tools like IntelliJ's form designer can help newcomers.
  6. Dependency management requires special handling - Using Gradle's shadow plugin to create "uber JARs" ensures extensions include all required libraries, improving user experience for extension adoption.
  7. Extension development skills transfer to threat response - The ability to quickly develop custom tools helps security professionals respond to emerging threats like Log4j, where standard tools may lag behind.

Who Should Watch

This technical session is ideal for:

  • Web application penetration testers looking to overcome tool limitations when testing complex applications
  • Security engineers with basic programming knowledge who want to automate repetitive testing tasks
  • Application security professionals who need to develop custom tooling for client-specific frameworks
  • Developers interested in security who want to leverage their programming skills in security testing
  • Security team leads evaluating how custom tooling can improve testing efficiency and coverage

While some programming knowledge is helpful, the presentation is accessible to security professionals with limited development experience who are willing to learn through hands-on practice.



About the speaker, Christopher Cerne

Security Consultant III

Christopher is a Security Consultant III focused on application security and hybrid application assessments at Bishop Fox. He has over a decade of experience in computer technology and is recognized in the security community for finding numerous 0-day vulnerabilities with responsible disclosures. While obtaining a B.S. degree in Computer Science at Virginia Tech (VT), Christopher studied embedded device security, worked as a teaching assistant in the Department of Computer Science, and joined the VT Cybersecurity Club (CyberVT) where he learned the basics of vulnerability research and competed in CTFs. Christopher holds a Junior Penetration Tester Certification (eJPT).

When Christopher isn't busy conducting hybrid application assessments for Bishop Fox clients, he enjoys being outdoors, especially hiking and biking throughout the Blacksburg, Virginia area. He is also a member of VPI Cave Club.

