Streamlining Collaboration with Burp

Background: Collaborating is a pain

Burp Suite Pro is a great tool for penetration testing web applications. A while back a colleague and I were working together on a penetration test of a large system that included multiple web applications. We both work remotely so in order to share details of partial findings or exploits we were working on in Burp, we had to either had to copy-and-paste text in an adhoc fashion or upload, download, and reload large Burp State files. I knew there had to be a better way.

The solution: git !

That particular engagement is behind us and work has been quite busy, but in the evenings I’ve been slowly working on a proof-of-concept tool to make collaboration simpler: Git Bridge.

Burp Git Bridge

Git Bridge allows Burp users to right click on Repeater or Scanner items and send them to a git repository. Users can then use the “Git” tab in Burp to cull items or drop into a shell at ~/.burp_git_bridge and do all of the usual git collaboration stuff: set upstreams, push files for backup, pull files from others, etc. Not that I’d necessarily recommend pushing any sensitive results to GitHub, but it would be possible to write simple a web-front end to view results outside of Burp as well.

BurpHub.com is available ;)

If you decide to try this extension out, proceed with caution. Note that:

1. Any data you add to Git Bridge is going to be stored at ~/.burp_git_bridge until you nuke it

2. Only interact with git servers that you trust, especially when dealing with sensitive data

Conclusion

While I’m getting a little mileage out of this extension now, it is a proof-of-concept. You might notice that the Burp GUI thread hangs for a few seconds when you send a large group of Scanner items to the Git Bridge, and that the UI could use some work. This is my first crack at a real Burp plugin and I already knew that I didn’t like developing Java Swing UIs going into it :). Regardless, if you want to learn more check out the README on Github.

Thanks for reading.

PS

git-shadow says: Total time coding (days, H:M:S): 15:53:10.