Steven Morrison

Building my first Burp Suite extension

A summary of my experience with building a Burp Suite extension for the Montoya API using Kotlin and Maven.

Intro

Recently I have been dabbling a bit more with CTFs and using tools like Burp Suite. This experience gave me motivation to build my own Burp Suite extension. It was an opportunity to learn more about desktop application development and have a play with Kotlin which I had never touched.

The general idea was a tool that would highlight certain requests/responses based off a given set of keywords. Users could use this to surface potentially interesting requests. In the end, there are already extensions that do stuff like this, but I still had a blast!

If you are interested in the project that I built or a Kotlin extension template, you can find them here:

The setup

Customisation Option: Extension using Montoya API

There are a few options for extending Burp, but I decided on an extension for full control. I chose the Montoya API because it's recommended and is actively maintained compared to the legacy extender API.

Language choice: Kotlin

I chose Kotlin over Java because I read that it tries to solve some of Java's problems, and in general it seemed a bit less verbose.

Build tool: Maven

I had trouble using Gradle when initially trying to set up the extension. I’ve also had trouble with it in the past when I briefly encountered it, which may be a lack of experience on my part. However, Maven just seems to work, so it was the obvious choice for me!

IDE: IntelliJ IDEA

I found it to be a highly suggested option, and it was from the creators of Kotlin! Felt like it had everything in the box, plus more.

Development setup with auto reload

I simply followed the Burp Suite docs to point to the JAR file and made sure that the “Reload extension automatically when file changes” option was ticked. This ensured the extension was automagically reloaded on build. It was extremely simple!

Docs/examples:

Most of the documentation and references were in Java; however, they were still useful. IntelliJ came in clutch: if you copied and pasted a Java snippet into a Kotlin project, it would transform it into Kotlin! It was great for messing about with the examples.

Building the UI (Swing)

For building the UI you need to use Swing components. I found this quite fiddly and there was a lot of trial and error on my part. There is a cool visual guide I found here that you can use as a reference to quickly see what type of component you may need.

A few things I learned to be wary of:

  • Blocking the UI - any heavy lifting should be done on a separate thread
  • Race conditions between background threads and UI updates - use SwingUtilities.invokeLater where necessary
  • Laggy UI/risk of out of memory error - be careful with how much data you are working with, set sensible size limits and only use what you need
  • UI changes not being applied immediately - it may be being blocked, or it could be as simple as a JPanel needing a revalidate after changes
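
The four gotchas above combined in one small panel, as an added example that is not code from the original post or the author's project. The class name, the limits and the sample inputs are hypothetical and constructed for illustration; it uses only Swing and the JDK, and in a real extension `submit` would be called from whatever callback receives the traffic.

```kotlin
import java.awt.BorderLayout
import java.util.concurrent.Executors
import javax.swing.*

// Hypothetical limits for this example; tune them for your own extension.
const val MAX_SCAN_CHARS = 100_000 // scan at most this much of each body
const val MAX_ROWS = 500           // keep at most this many hits in the list

class KeywordHitPanel(private val keywords: List<String>) : JPanel(BorderLayout()) {
    private val model = DefaultListModel<String>() // only touched on the EDT
    private val worker = Executors.newSingleThreadExecutor { r ->
        Thread(r, "keyword-scan").apply { isDaemon = true }
    }

    init { add(JScrollPane(JList(model)), BorderLayout.CENTER) }

    // Safe to call from any thread, e.g. from an HTTP handler callback.
    fun submit(url: String, body: String) {
        worker.execute {
            // Heavy lifting happens off the EDT, on a bounded slice of the body.
            val slice = body.take(MAX_SCAN_CHARS)
            val hits = keywords.filter { slice.contains(it, ignoreCase = true) }
            if (hits.isEmpty()) return@execute
            // Pass only the small summary string to the EDT, never the whole body.
            SwingUtilities.invokeLater {
                model.addElement("$url -> ${hits.joinToString()}")
                while (model.size() > MAX_ROWS) model.remove(0) // drop oldest rows
                revalidate()
                repaint()
            }
        }
    }

    fun rowCount(): Int = model.size() // call on the EDT

    // Stop the worker when the extension unloads so reloads do not leak threads.
    fun shutdown() { worker.shutdownNow() }
}

fun main() {
    val panel = KeywordHitPanel(listOf("password", "api_key"))
    // Constructed sample responses, not real traffic.
    panel.submit("https://example.test/login", """{"user":"a","password":"x"}""")
    panel.submit("https://example.test/home", "<html>hello</html>")
    Thread.sleep(300) // give the worker time to finish
    SwingUtilities.invokeAndWait { println("rows: ${panel.rowCount()}") }
    panel.shutdown()
}
```

Because the list only ever stores the short summary string, a very large response costs at most one bounded scan and never ends up held by the UI.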

Montoya API

The API exposes a bunch of functionality for you to play with; however, sometimes I felt difficulty when navigating it, or finding if it was capable of something I wanted to achieve. The PortSwigger extension examples really helped me out in this regard. Also, if you feel really stuck, AI can be a good way to point you in the right direction.

Debugging and Testing

I found the errors and output panel under the extensions tab super helpful. There were a couple of times where my extension totally disappeared from Burp, and these panels always contained some form of exception to help me understand what happened. I used JUnit and IntelliJ’s internal features for running and debugging tests for my core logic. Again, if you get stuck, AI may be able to help you identify any issues that you have missed.

Summary

I found the whole process of making a Burp Suite extension pretty seamless, especially as someone who has never touched Kotlin and has only briefly looked at Swing in the past. The auto reload functionality was really sweet too. There are probably a few things I would consider for next time though:

  • Make more use of the debugger - I primarily used this only in my tests
  • Before making something serious make sure to check similar extensions don’t already exist (as mentioned in their docs) - thankfully this was mostly a learning exercise in my case
  • Spend more time learning Kotlin basics before jumping straight in
  • Be wary of some of the gotchas that I learned here straight from the get go

If I think of any unique ideas for a new extension I would definitely be interested in building another one in the future!