
How to Write a (Java) Burp Suite Extension for Tabnabbing Attacks


In this post, you'll learn how to use Burp Suite and Java to scan your applications for vulnerabilities to tabnabbing attacks.


Context and Goal

The goal of this article is to explain how to create an extension for Burp Suite Professional, using the “Reverse Tabnabbing” attack as the implementation example.

“Reverse Tabnabbing” is an attack in which an (evil) page linked from the (victim) target page is able to rewrite that target page; for example, the victim's site could be replaced by a phishing site. The root cause is the ability of a newly opened page to act on its parent page’s content or location.

For more details about the attack itself, you can check the OWASP Reverse Tabnabbing article.

The attack vectors are HTML links and the JavaScript window.open function. To mitigate the vulnerability, add the attribute value rel="noopener noreferrer" to all the HTML links and, for JavaScript, add the values noopener,noreferrer to the windowFeatures parameter of the window.open function. For more details about the mitigation process, please check the OWASP HTML Security Check article.

Basic Steps for (Any Burp) Extension Writing

The first step is to create an empty (Java) project and add the Burp Extensibility API (the Javadoc of the API can be found here) to your classpath. If you are using Maven, the easiest way is to declare the dependency in your pom.xml file:

<dependency>
    <groupId>net.portswigger.burp.extender</groupId>
    <artifactId>burp-extender-api</artifactId>
    <version>LATEST</version>
</dependency>

Then the extension should contain a class called BurpExtender (in a package called burp) that implements the IBurpExtender interface.

The IBurpExtender interface has only a single method (registerExtenderCallbacks) that is invoked by Burp when the extension is loaded.

For more details about basics of extension writing, you can read Writing your first Burp Suite extension from the PortSwigger website.

Extend the (Burp) Scanner Capabilities

In order to find the Tabnabbing vulnerability, we must scan/parse the HTML responses coming from the server, so the extension must extend the Burp scanner capabilities.

The interface to implement is IScannerCheck. The BurpExtender class (from the previous paragraph) must register the custom scanner, so the BurpExtender code will look something like this (where ScannerCheck is the class that implements the IScannerCheck interface):

package burp;

public class BurpExtender implements IBurpExtender {

    @Override
    public void registerExtenderCallbacks(
            final IBurpExtenderCallbacks iBurpExtenderCallbacks) {

        // set our extension name (shown in Burp's Extender tab)
        iBurpExtenderCallbacks.setExtensionName("(Reverse) Tabnabbing checks.");

        // register the custom scanner; helpers give access to request/response analysis
        iBurpExtenderCallbacks.registerScannerCheck(
                new ScannerCheck(iBurpExtenderCallbacks.getHelpers()));
    }
}

Let’s look closer at the methods offered by the IScannerCheck interface:

  • consolidateDuplicateIssues – This method is called by the Burp engine to decide whether the issues found for the same URL are duplicates.
  • doActiveScan – This method is called by the scanner for each insertion point scanned. In the context of the Tabnabbing extension, this method will not be implemented.
  • doPassiveScan – This method is invoked for each request/response pair that is scanned. The extension will implement this method to find the Tabnabbing vulnerability. The complete signature of the method is the following one: List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse). The method receives an IHttpRequestResponse instance as its parameter, which contains all the information about the HTTP request and HTTP response. In the context of the Tabnabbing extension, we will need to check the HTTP response.
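As an added example (not the article's or the repository's code), the following class wires the three methods above to Burp. It assumes the constructor used in the BurpExtender listing, taking an IExtensionHelpers, and defines a helper class TabnabbingIssue whose name is an assumption. The detection inside doPassiveScan is a deliberately simple regex stand-in for the HTML parser of the next section, so that the Burp plumbing (MIME filtering, body offset, issue reporting, duplicate consolidation) stays in focus.

```java
package burp;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Passive scanner check registered by BurpExtender. Example code for this article, not the project's own.
public class ScannerCheck implements IScannerCheck {

    // <a ...> opening tags whose attribute list carries target="_blank" (quoted or not)
    private static final Pattern BLANK_ANCHOR = Pattern.compile(
            "<a\\s+[^>]*target\\s*=\\s*[\"']?_blank[\"']?[^>]*>", Pattern.CASE_INSENSITIVE);

    private final IExtensionHelpers helpers;

    public ScannerCheck(IExtensionHelpers helpers) {
        this.helpers = helpers;
    }

    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        byte[] response = baseRequestResponse.getResponse();
        if (response == null) {
            return null;                          // request without a response (dropped, timed out)
        }
        IResponseInfo info = helpers.analyzeResponse(response);
        if (!"HTML".equals(info.getStatedMimeType()) && !"HTML".equals(info.getInferredMimeType())) {
            return null;                          // only HTML bodies can carry links
        }
        // getBodyOffset() skips the status line and headers; the remainder is the HTML document
        int offset = info.getBodyOffset();
        String body = new String(response, offset, response.length - offset, StandardCharsets.UTF_8);

        // Stand-in check: an <a target="_blank"> tag that carries no noopener token at all
        List<String> unsafeLinks = new ArrayList<>();
        Matcher m = BLANK_ANCHOR.matcher(body);
        while (m.find()) {
            if (!m.group().toLowerCase(Locale.ROOT).contains("noopener")) {
                unsafeLinks.add(m.group());
            }
        }
        if (unsafeLinks.isEmpty()) {
            return null;                          // Burp treats null as "no issues found"
        }
        URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new TabnabbingIssue(url, baseRequestResponse, unsafeLinks));
        return issues;
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
                                         IScannerInsertionPoint insertionPoint) {
        return null;                              // passive-only check, as the article states
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        // -1: keep only the existing issue, 1: keep only the new one, 0: report both
        return existingIssue.getIssueDetail().equals(newIssue.getIssueDetail()) ? -1 : 0;
    }
}

// One reported finding per response; Burp renders these fields in its Issues view.
class TabnabbingIssue implements IScanIssue {
    private final URL url;
    private final IHttpRequestResponse message;
    private final List<String> unsafeLinks;

    TabnabbingIssue(URL url, IHttpRequestResponse message, List<String> unsafeLinks) {
        this.url = url;
        this.message = message;
        this.unsafeLinks = unsafeLinks;
    }

    @Override public URL getUrl() { return url; }
    @Override public String getIssueName() { return "Reverse tabnabbing: target=\"_blank\" link without rel=\"noopener\""; }
    @Override public int getIssueType() { return 0x08000000; }   // Burp's "extension generated issue" type
    @Override public String getSeverity() { return "Low"; }
    @Override public String getConfidence() { return "Firm"; }
    @Override public String getIssueBackground() { return "A page opened via target=\"_blank\" can act on the opener's location."; }
    @Override public String getRemediationBackground() { return "Add rel=\"noopener noreferrer\" to links that open a new tab."; }
    @Override public String getIssueDetail() { return "Links without noopener:\n" + String.join("\n", unsafeLinks); }
    @Override public String getRemediationDetail() { return null; }
    @Override public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[] { message }; }
    @Override public IHttpService getHttpService() { return message.getHttpService(); }
}
```

Returning null from doPassiveScan when nothing is found keeps the Issues view quiet, and consolidating on identical issue details means the same page scanned twice produces one entry rather than a growing list.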

Parse the HTTP Response and Check for the Tabnabbing Vulnerability

As seen in the previous section, the Burp runtime gives us access to the HTTP requests and responses. In our case, we need the HTTP response, obtained with the method IHttpRequestResponse#getResponse. This method returns a byte array (byte[]) holding the raw HTTP response, whose body is the HTML we have to inspect.

In order to find the Tabnabbing vulnerability, we must parse the HTML contained in the HTTP response. Unfortunately, the API offered by Burp provides nothing for parsing HTML.

The most efficient solution that I found to parse HTML was to create a few classes and interfaces implementing the observer pattern (see the class diagram below):

The most important elements are:
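The class diagram itself is not reproduced here. As an added example, not the repository's code, the following single-file Java program shows one way to realise that design: an HtmlObserver interface, an HtmlEventParser that tokenises tags and script bodies and notifies its observers, and a TabnabbingObserver that applies the two mitigation rules from the introduction (rel="noopener" on target="_blank" links, noopener in the windowFeatures of window.open). All class names are assumptions, and the HTML in main is a constructed sample containing both the vulnerable and the mitigated form of each vector.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Entry point first so that `java TabnabbingDemo.java` runs it directly.
public class TabnabbingDemo {
    public static void main(String[] args) {
        // Constructed sample, not a real page: one unsafe link, one mitigated link, one unsafe window.open call
        String html = "<html><body>"
                + "<a href=\"https://example.com/a\" target=\"_blank\">unsafe</a>"
                + "<a href=\"https://example.com/b\" target=\"_blank\" rel=\"noopener noreferrer\">safe</a>"
                + "<script>window.open('https://example.com/c', '_blank');"
                + "window.open('https://example.com/d', '_blank', 'noopener,noreferrer');</script>"
                + "</body></html>";
        HtmlEventParser parser = new HtmlEventParser();
        TabnabbingObserver observer = new TabnabbingObserver();
        parser.addObserver(observer);
        parser.parse(html);
        observer.getFindings().forEach(System.out::println);   // reports link /a and the window.open for /c
    }
}

// Observer contract: the parser reports each opening tag with its attributes and each inline script body.
interface HtmlObserver {
    void onOpeningTag(String tagName, Map<String, String> attributes);
    void onScript(String javaScript);
}

// Event-emitting HTML walker. It builds no DOM; it only tokenises tags and notifies its observers.
class HtmlEventParser {
    private static final Pattern TAG = Pattern.compile("<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>");
    // name="value", name='value' or an unquoted value; names are lower-cased before being reported
    private static final Pattern ATTRIBUTE = Pattern.compile(
            "([a-zA-Z_:][-a-zA-Z0-9_:.]*)\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))");
    private static final Pattern SCRIPT_BODY = Pattern.compile("(?is)<script[^>]*>(.*?)</script>");

    private final List<HtmlObserver> observers = new ArrayList<>();

    void addObserver(HtmlObserver observer) {
        observers.add(observer);
    }

    void parse(String html) {
        Matcher tag = TAG.matcher(html);
        while (tag.find()) {
            String name = tag.group(1).toLowerCase(Locale.ROOT);
            Map<String, String> attributes = new HashMap<>();
            Matcher attr = ATTRIBUTE.matcher(tag.group(2));
            while (attr.find()) {
                String value = attr.group(2) != null ? attr.group(2)
                             : attr.group(3) != null ? attr.group(3) : attr.group(4);
                attributes.put(attr.group(1).toLowerCase(Locale.ROOT), value);
            }
            for (HtmlObserver observer : observers) {
                observer.onOpeningTag(name, attributes);
            }
        }
        Matcher script = SCRIPT_BODY.matcher(html);
        while (script.find()) {
            for (HtmlObserver observer : observers) {
                observer.onScript(script.group(1));
            }
        }
    }
}

// Concrete observer applying the two mitigation rules from the article.
class TabnabbingObserver implements HtmlObserver {
    private static final Pattern WINDOW_OPEN = Pattern.compile("window\\.open\\s*\\(([^)]*)\\)");
    private final List<String> findings = new ArrayList<>();

    @Override
    public void onOpeningTag(String tagName, Map<String, String> attributes) {
        if (!"a".equals(tagName) || !"_blank".equalsIgnoreCase(attributes.get("target"))) {
            return;                                   // only links that open a new tab matter
        }
        // rel is a space-separated token list; the noopener token is the one that detaches window.opener
        String rel = attributes.getOrDefault("rel", "").toLowerCase(Locale.ROOT);
        if (!Arrays.asList(rel.split("\\s+")).contains("noopener")) {
            findings.add("<a target=\"_blank\"> without rel=\"noopener\": href=" + attributes.get("href"));
        }
    }

    @Override
    public void onScript(String javaScript) {
        Matcher call = WINDOW_OPEN.matcher(javaScript);
        while (call.find()) {
            // window.open() opens a new window even without a target; its windowFeatures must carry noopener
            if (!call.group(1).toLowerCase(Locale.ROOT).contains("noopener")) {
                findings.add("window.open without noopener: " + call.group().trim());
            }
        }
    }

    List<String> getFindings() {
        return findings;
    }
}
```

Keeping the parser free of any tabnabbing knowledge is the point of the observer split: the same HtmlEventParser can feed other checks later, and in the extension the observer's findings are what doPassiveScan turns into IScanIssue objects.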

Final Words

If you want to download the code or try the extension, you can find all you need in the GitHub repository: tabnabbing-burp-extension.

If you are interested in some metrics about the code, you can check the sonarcloud.io tabnabbing project.



Published at DZone with permission of
