A Burp Suite extension designed to identify interesting requests and responses ("Blips") based on a set of given keywords.
This extension was mostly a means of learning and study; it's not intended to replace more complete and mature solutions like HaE.
Requirements
- Burp Suite (at least 2023 or newer for Montoya API support). It's recommended to run the latest stable version
- JRE 21 or newer
You can get the latest release from the releases page, or clone the source and build it yourself. Once you have the JAR file you can load it into Burp like so:
- Go to the Extensions tab
- Click "Add" which will open a modal
- Under "Extension details" select "Java" for the extension type and select the JAR file
- You can leave the other sections as is and click "Next"
Once the extension has loaded you should see a new tab called "Blip".
The extension functionality sits under the Blip tab. There are two main sub tabs: "Blips" and "Config".
By default the extension is disabled and there are no keywords configured. This can be managed under the "Config" tab. When making changes make sure to click "Save config" for them to be applied.
It is important to note that the extension at this time only saves configuration for the current session. It is not persistent, and a Burp restart would result in having to set it up again. This is a high priority for next features.
Under the keywords pane you can add up to 20 keywords for finding "Blips" i.e. requests and responses that contain the keywords. Each one can be toggled on or off as well for granular control. When adding a keyword ensure that you hit enter to apply changes for that entry. There is a multi select capability so that you can remove keywords in bulk if needed.
This pane allows you to set a static header which will be sent in every single request (regardless of tool). This is useful when you are testing in an environment that requires a special header to distinguish legitimate security testing from malicious traffic. This is a common requirement in bug bounty programs. This functionality is possible in native Burp, but it's hidden in the settings and you need to apply it in multiple places to get the same result for all tools. This setting allows you to configure that with one control, and it's easy to find.
Any matched keyword in a request or response will result in a blip. All blips will be displayed in a table under the "Blips" subtab. Each entry shows what was found, where it was found, and which Burp tool it came from. The message ID is also present, allowing you to correlate messages with Burp's native features such as HTTP history, if needed. The Blips table has two filters: "all" or "bookmarked".
When you select a blip from the table the request and response viewer will populate below. Any keywords will be highlighted in yellow. There is a small keyword pane on each side that contains a list of the keywords found. If you click on a keyword, the inspector will scroll to the area in the request or response where that keyword occurs. This solves the headache of trying to manually find each occurrence.
There is a maximum of 200 blips that will show under "All Blips" at one time. If the max is reached then the oldest entry will be removed and the latest added. Therefore it's important to bookmark a blip by clicking the star icon when you have found one that you wish to keep. Once a blip is bookmarked you can click the "Bookmarked blips" button to see them.
You can also clear all blips from the table if things are getting too cluttered. This will not affect any bookmarked blips.
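The static header and keyword matching described above can be sketched with a single Montoya `HttpHandler`. This is an added example, not the extension's own source: the class name, header name and value, sample keywords, case-insensitive substring matching, and logging to the output pane instead of a table are all assumptions.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.handler.*;
import burp.api.montoya.http.message.requests.HttpRequest;
import java.util.List;
import java.util.Locale;

// Added illustration only; every name and value below is hypothetical.
public class KeywordHeaderSketch implements BurpExtension, HttpHandler {
    private static final String HEADER_NAME = "X-Security-Testing";  // hypothetical header name
    private static final String HEADER_VALUE = "researcher-handle";  // placeholder value
    // Sample keywords, stored lower case so matching is case-insensitive (an assumption).
    private static final List<String> KEYWORDS = List.of("innerhtml", "api_key");

    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Keyword and header sketch");
        // An HttpHandler sees traffic from every Burp tool, not only the proxy.
        api.http().registerHttpHandler(this);
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
        report("request", request.messageId(), request.toolSource().toolType().toolName(), request.toString());
        // Remove any existing copy first so the header is never sent twice.
        HttpRequest tagged = request.withRemovedHeader(HEADER_NAME)
                                    .withAddedHeader(HEADER_NAME, HEADER_VALUE);
        return RequestToBeSentAction.continueWith(tagged);
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
        report("response", response.messageId(), response.toolSource().toolType().toolName(), response.toString());
        return ResponseReceivedAction.continueWith(response);
    }

    // Logs one line per keyword found, with the message ID for correlation with HTTP history.
    private void report(String where, int messageId, String tool, String raw) {
        String haystack = raw.toLowerCase(Locale.ROOT);
        for (String keyword : KEYWORDS) {
            if (haystack.contains(keyword)) {
                api.logging().logToOutput("blip: '" + keyword + "' in " + where + " #" + messageId + " from " + tool);
            }
        }
    }
}
```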
Just some notes useful for extension development.
- Open Maven on the right hand side (IntelliJ IDEA)
- Under lifecycle, right-click the package and select 'Run'.
- If successful, a .jar will be created inside 'target' within the root of the project
- Go to the extensions tab and select 'Installed'
- Click 'Add'
- Select the .jar file from this project's 'target' folder
- Should see extension loaded in the logs under output (bottom pane)
There is a "Reload extension automatically when file changes" option. If enabled then you can just compile your extension and changes should be reloaded immediately.
If this isn't enabled then you will need to reload manually by unchecking and rechecking the 'Loading' checkbox.
- Right-click a class name > Generate > Test
- Select JUnit 5 and select which methods you want to set up tests for.
- Test scaffolding should be created under src/test
- Update version in pom.xml and run clean/package using Maven
- Commit the change first
- Create a new tag, e.g. `git tag -a v1.0.0 -m "Initial release"`, and push
- Create a new release on GitHub; select the newly created tag and attach the relevant JAR file
Once completed you will likely need to reload your extension back into Burp due to the renaming of the JAR file.
There is a standard practice of using -SNAPSHOT in the version to declare a version that is not yet released. So when we are in development we should make sure to use this tag at the end of versions. Once ready to create a new release, simply remove it.
- Burp Suite dev docs: https://portswigger.net/burp/documentation/desktop/extend-burp/extensions/creating
- Montoya API ref: https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/MontoyaApi.html
- Cool extension examples: https://github.com/PortSwigger/burp-extensions-montoya-api-examples
- Swing Components: https://docs.oracle.com/javase/tutorial/uiswing/components/index.html
- Visual guide for Swing Components: https://web.mit.edu/6.005/www/sp14/psets/ps4/java-6-tutorial/components.html
- Blip viewer improvements; line wrap, syntax highlighting etc
- Data persistence on project level - general config, blip and pinned/bookmarked data
- Support multiple occurrences of a keyword
- Show warning on blips tab when extension is on or off
- Enhance matching - support regex in addition to keywords
- Configure what type of tool the extension will target e.g. All, intruder, proxy etc
- You can send requests from the history through the matcher again, e.g. could be useful if you didn't have the tool enabled or you switch keywords
- Ability to manage different keyword collections/profiles. You can have different sets of 20 keywords, and even be able to load config in from a file
- For each keyword I could add an indicator describing why it might be useful, e.g. keyword 'innerHTML' would be XSS etc. Needs exploration
- Keyword labels or colour indicators for grouping?
- Allow keywords to be scoped to request, response or both (at the moment it's automatically both)
- Should have the ability to clear/mark as unimportant and filter out certain requests (could use scope)
- Add notification/alert to let the user know when keywords have been found. Not sure on what is totally possible with this one yet (API wise)
- Customise the highlight colours - could be useful especially for people with colour blindness or visual impairment. Would need to consider dark vs light theme too.



