Merge pull request #73 from doyensec/2ndgen-extensions

2ndgen extensions

.gitignore

@@ -48,3 +48,6 @@ bin/
 lib/burpsuite_pro*.jar
 lib/burpsuite_free*.jar
 lib/burpsuite_community*.jar
+
+# Avoid committing generated files
+src/main/resources/static/*.jar

FAQ.md

@@ -0,0 +1,51 @@
+FAQ
+===
+
+Is Burp Suite Free/Community edition supported?
+-----------------------------------------------
+
+No, it is not. Burp Rest API exposes functionalities that are best suited for the Professional 
+version of Burp Suite. Even if it was possible to start _burp-rest-api_ using the Free version of Burp, this is no longer possible and the support won't be included in future releases.
+
+Whenever I run the gradle command I receive an error. What can be the the cause?
+----------------------------------------------------------------------------
+
+Often times, Gradle introduces incompatibility between major versions, therefore
+the recommended way of executing any Gradle build is by using the Gradle
+Wrapper (in short just “Wrapper”). The Wrapper is a script that invokes a
+declared version of Gradle, downloading it beforehand if necessary.
+
+See [Issue 37](https://github.com/vmware/burp-rest-api/issues/37).
+
+Is it possible to run burp-rest-api graphically in remote servers?
+------------------------------------------------------------------
+
+Yes, it is possible to run Burp in graphical environments in multiple
+configurations (X Forwarding, Full VNC, RDP, XPRA).
+
+For running a non persistent X Forwarding session on your OS you can follow this
+[guide](https://uisapp2.iu.edu/confluence-prd/pages/viewpage.action?pageId=280461906).
+
+See [Issue 60](https://github.com/vmware/burp-rest-api/issues/60).
+
+Is it possible to customize the binding address:port for Burp Proxy and/or burp-rest-api APIs?
+----------------------------------------------------------------------------------------------
+
+There are two binding ports in a standard burp-rest-api setup:
+- **burp-rest-api RPC mechanism**. Both IP address and port can be customized at runtime using command line arguments (namely _--server.address_ and _--server.port_)
+- **Burp Proxy Listener**. This is a Burp Suite configuration, and can be customized using a custom project option file.
+
+```
+        "request_listeners":[
+            {
+                "certificate_mode":"per_host",
+                "listen_mode":"192.168.1.1",
+                "listener_port":8080,
+                "running":true
+            }
+```
+
+Is Burp Suite v2 supported?
+----------------------------------------------------------------------------------------------
+
+Next generation Burp Suite v2 is a beta release at the time of writing this FAQ. While we will *try* to mantain support for both Burp Suite stable and beta, we cannot ensure full compability. For production, please stay on Burp Suite Professional stable branch.

LICENSE

@@ -1,4 +1,5 @@
 Copyright (c) 2016 VMware, Inc. All Rights Reserved.
+Copyright (c) 2018 Doyensec LLC. All Rights Reserved.
 
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
  following conditions are met: Redistributions of source code must retain the above copyright notice, this list of

README.md

@@ -4,105 +4,55 @@
 
 A REST/JSON API to the Burp Suite security tool.
 
-Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled
- in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other
- features of the Burp Suite Professional security tool.
-
-## Try it out
-
-### Prerequisites
-
-* Java 8
-* Gradle
-* Licensed Burp Suite Professional version 1.7.x or later from: <http://portswigger.net/burp/>
-
-
-### Build & Run
-
-1. [Download](https://portswigger.net/burp/download.html) the Professional edition of Burp Suite.
-2. Create a `lib` folder under the project directory and place the Burp Suite JAR file into it and rename it to "burpsuite_pro.jar".
-3. The project can be run either by running the Gradle Spring `bootRun` command or by directly launching the JAR
- created from building the project:
-
-```
-    gradlew bootRun
-```
-
-or
-
-```
-    # build the jar
-    gradlew clean build
-    # and run it
-    java -jar build/libs/burp-rest-api-1.0.2.jar
-```
-The version number of the JAR should match the version number from `build.gradle` while generating the JAR.
+Since version 2.0.0 it is possible to run the burp-rest-api release jar,
+downloading it directly from the 
+[release channel](https://github.com/vmware/burp-rest-api/releases).
 
 ## Documentation
 
 ### Configuration
 
-By default, Burp is launched in headless mode with the Proxy running on port 8080/tcp (localhost only) and the REST endpoint running on 8090/tcp (localhost only).
+By default, Burp is launched in headless mode with the Proxy running on port 8080/tcp (**localhost only**) and the REST endpoint running on 8090/tcp (**localhost only**).
 
 To __run Burp in UI mode__ from the command line, use one of the following commands:
 
-With the `bootRun` command:
-```
-    gradlew bootRun -Djava.awt.headless=false
 ```
-or
-```
-    gradlew bootRun -Dheadless.mode=false
-```
-or with the `bootRun` command using the `-PappArgs` to pass args directly to burp suite :
-```
-    gradlew bootRun -PappArgs="['-Djava.awt.headless=false','--project-file=./test.burp']"
-```
-With the executable JAR:
-```
-    java -jar burp-rest-api-1.0.2.jar -Djava.awt.headless=false
+    java -jar burp-rest-api-2.0.0.jar -Djava.awt.headless=false --burp.jar=./lib/burpsuite_pro.jar
 ```
 or
 ```
-    java -jar burp-rest-api-1.0.2.jar --headless.mode=false
+    java -jar burp-rest-api-2.0.0.jar --headless.mode=false --burp.jar=./lib/burpsuite_pro.jar
 ```
 
 
 To __modify the server port__ on which the API is accessible, use one of the following commands:
 
-With the `bootRun` command:
 ```
-    gradlew bootRun -Dserver.port=8081
+    java -jar burp-rest-api-2.0.0.jar --server.port=8081 --burp.jar=./lib/burpsuite_pro.jar
 ```
 or
 ```
-    gradlew bootRun -Dport=8081
-```
-
-With the executable JAR:
-```
-    java -jar burp-rest-api-1.0.2.jar --server.port=8081
-```
-or
-```
-    java -jar burp-rest-api-1.0.2.jar --port=8081
+    java -jar burp-rest-api-2.0.0.jar --port=8081 --burp.jar=./lib/burpsuite_pro.jar
 ```
 
 You can also __modify the server address__, used for network address binding:
 
-With the `bootRun` command:
 ```
-    gradlew bootRun -Dserver.address=192.168.1.2
+    java -jar burp-rest-api-2.0.0.jar --server.address=192.168.1.2 --burp.jar=./lib/burpsuite_pro.jar
 ```
 or
 ```
-    gradlew bootRun -Daddress=192.168.1.2
+    java -jar burp-rest-api-2.0.0.jar --address=192.168.1.2 --burp.jar=./lib/burpsuite_pro.jar
 ```
 
 ### Command Line Arguments
 
 The following command line arguments are used only by the extension to configure the run mode and port number.
 
+`--burp.jar=<filaname.jar>` : Loads the Burp jar dinamically, and expose it through REST APIs. This flag is required.
+
+`--burp.ext=<filename.{jar,rb,py}` : Loads the given Burp extensions during application startup. This flag can be repeated.
+
 `--server.port=<port_number>` : The REST API endpoint is available at the given port number. `--port=<port_number>`
  works as short hand argument.
 
@@ -122,7 +72,7 @@ Command line arguments passed to the executable burp-rest-api JAR are forwarded
 `--config-file=<filename>` : Opens the project using the options contained in the selected project configuration file. To
  load multiple project configurations, this argument can be passed more than once with different values.
 
- `--user-config-file=<filename>` : Opens the project using the options contained in the selected user configuration file. To
+`--user-config-file=<filename>` : Opens the project using the options contained in the selected user configuration file. To
   load multiple user configurations, this argument can be passed more than once with different values.
 
 For more information on Projects, refer to the Burp Suite documentation
@@ -155,18 +105,55 @@ This project also comes with a client (_BurpClient.java_) written in Java for us
 ## Credits
 
 This project is originally inspired from [Resty-Burp](https://github.com/continuumsecurity/resty-burp
- "continuumsecurity/resty-burp: REST/JSON interface to Burp Suite") and is developed in partnership with [Doyensec](https://www.doyensec.com).
+ "continuumsecurity/resty-burp: REST/JSON interface to Burp Suite"), and is developed in partnership with [Doyensec LLC](https://doyensec.com/). <img src="https://www.doyensec.com/images/logo.png" width="300">
 
 ## Contributing
 
 The burp-rest-api project team welcomes contributions from the community. If you wish to contribute code and you have
  not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For
- any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq). For more detailed
- information, refer to [CONTRIBUTING.md](CONTRIBUTING.md).
+ any questions about the CLA process, please refer to our [CLA FAQ](https://cla.vmware.com/faq). For more detailed
+ information, refer to [CONTRIBUTING.md](CONTRIBUTING.md) and [FAQ.md](FAQ.md).
+
+### Develop
+
+Upon successfully building the project, an executable JAR file is created.
+The Burp suite JAR can be loaded dinamically through the `--burp.jar=` argument.
+When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other
+ features of the Burp Suite Professional security tool.
+
+#### Prerequisites
+
+* Java 8
+* Gradle
+* Licensed Burp Suite Professional version 1.7.x or later from: <http://portswigger.net/burp/>
+
+
+#### Build & Run
+
+1. [Download](https://portswigger.net/burp/download.html) the Professional edition of Burp Suite.
+2. The project can be run either by running the Gradle Spring `bootRun` command or by directly launching the JAR
+ created from building the project:
+3. OPTIONAL: Create a `lib` folder under the project directory and place the Burp Suite JAR file into it and rename it to "burpsuite_pro.jar" in order to run the integration tests.
+
+```
+    ./gradlew bootRun --burp.jar=./lib/burpsuite_pro.jar
+```
+
+or
+
+```
+    # build the jar
+    ./gradlew clean build
+    # and run it
+    java -jar build/libs/burp-rest-api-2.0.0.jar --burp.jar=./lib/burpsuite_pro.jar 
+```
+The version number of the JAR should match the version number from `build.gradle` while generating the JAR.
+
 
 ## License
 
 Copyright (c) 2016 VMware, Inc. All Rights Reserved.
+Copyright (c) 2018 Doyensec LLC. All Rights Reserved.
 
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
  following conditions are met: Redistributions of source code must retain the above copyright notice, this list of

build.gradle

@@ -15,7 +15,7 @@ apply plugin: 'eclipse'
 apply plugin: 'spring-boot'
 
 final def extensionName = 'burp-rest-api'
-version = '1.0.4'
+version = '2.0.0'
 
 def updateVersion() {
     def configFile = new File('src/main/resources/application.yml')
@@ -25,6 +25,17 @@ def updateVersion() {
     configFile.write(configContent, 'UTF-8')
 }
 
+sourceSets {
+    entrypoint {
+        java {
+            compileClasspath += main.output
+            runtimeClasspath += main.output
+        }
+    }
+}
+
+test.onlyIf { file('./lib/burpsuite_pro.jar').exists() }
+
 allprojects {
     //Display warning
     println " !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
@@ -55,19 +66,22 @@ targetCompatibility = 1.8
 File schemaTargetDir = new File('build/generated-schema')
 
 configurations {
-  jaxb
+    jaxb
     compile.exclude module: "spring-boot-starter-tomcat"
+    testCompile.extendsFrom entrypointCompile
+    testRuntime.extendsFrom entrypointRuntime
 }
 
 dependencies {
     compile('org.springframework.boot:spring-boot-starter-web')
     compile("org.springframework.boot:spring-boot-starter-jetty")
-    compile fileTree(dir: 'lib', include: '**/*.jar')
     compile "io.springfox:springfox-swagger2:2.+"
     compile "io.springfox:springfox-swagger-ui:2.+"
-
-    compile name: 'burpsuite_pro'
+    compileOnly "net.portswigger.burp.extender:burp-extender-api:1.7.22"
+
+    entrypointCompileOnly "net.portswigger.burp.extender:burp-extender-api:1.7.22"
 
+    testCompile fileTree(dir: 'lib', include: '**/*.jar')
     testCompile('org.springframework.boot:spring-boot-starter-test')
     testCompile('org.apache.httpcomponents:httpclient:4.5.2')
 
@@ -97,6 +111,20 @@ bootRun {
     }
 }
 
+
+task entrypointJar(type: Jar) {
+    destinationDir = file("src/main/resources/static/")
+    from(sourceSets.entrypoint.output) {
+        include '**/*.class'
+    }
+    archiveName = 'rest-api.jar'
+}
+jar.dependsOn entrypointJar
+task deleteEntrypointOriginalJar(type: Delete) {
+    delete entrypointJar.archivePath.toString() + '.original'
+}
+assemble.dependsOn deleteEntrypointOriginalJar
+
 task extractApi(type: Copy) {
 	from(zipTree('build/libs/' + extensionName + '-' + version + '.jar'))
 	into 'build/libs'

src/entrypoint/java/burp/BurpExtender.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2018 Doyensec LLC.
+ */
+
+package burp;
+
+import java.io.PrintWriter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+/**
+ * burp.BurpExtender is the burp-rest-api 2nd-gen entrypoint.
+ *
+ * This class search for the burp.LegacyBurpExtender 1st-gen entrypoint in the default classpath in order to execute it
+ * through reflection. This is needed in order to made Burp able to load more than one extension at a time.
+ */
+public class BurpExtender implements IBurpExtender {
+    /**
+     * This method is invoked when the extension is loaded. It registers an
+     * instance of the
+     * <code>IBurpExtenderCallbacks</code> interface, providing methods that may
+     * be invoked by the extension to perform various actions.
+     *
+     * @param callbacks An
+     *                  <code>IBurpExtenderCallbacks</code> object.
+     */
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
+        try {
+            legacyRegisterExtenderCallbacks(callbacks);
+        } catch (Exception e) {
+            PrintWriter stderr = new PrintWriter(callbacks.getStderr(), true);
+            stderr.format("Exception: %s %s %s", e.getClass().getCanonicalName(), e.getCause(),  e.getMessage());
+        }
+    }
+
+    private static void legacyRegisterExtenderCallbacks(IBurpExtenderCallbacks callbacks)
+            throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException {
+
+        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+        Class clazz = classLoader.loadClass("burp.LegacyBurpExtender");
+        Object obj = clazz.newInstance();
+        Method method = clazz.getMethod("registerExtenderCallbacks", IBurpExtenderCallbacks.class);
+        method.invoke(obj, callbacks);
+    }
+}

src/main/java/burp/BurpExtender.java → src/main/java/burp/LegacyBurpExtender.java

@@ -6,15 +6,15 @@
 import java.io.PrintWriter;
 
 /**
- * Copyright VMware, Inc. All rights reserved. -- VMware Confidential
+ * Copyright VMware, Inc. All rights reserved.
  */
-public class BurpExtender implements IBurpExtender {
-    private static final Logger log = LoggerFactory.getLogger(BurpExtender.class);
-    private static BurpExtender instance;
+public class LegacyBurpExtender implements IBurpExtender {
+    private static final Logger log = LoggerFactory.getLogger(LegacyBurpExtender.class);
+    private static LegacyBurpExtender instance;
     private IBurpExtenderCallbacks callbacks;
     private IExtensionHelpers helpers;
 
-    public static BurpExtender getInstance() {
+    public static LegacyBurpExtender getInstance() {
         return instance;
     }