Following our initial release of the addToTLSPassThrough Burp Suite Extension, we are pleased to announce publication of version 1.0.1!
AddToTLSPassThrough 1.0.1
Significant improvements to the extension have been added to improve its maintainability and functionality:
- The org.json library is now used to perform all JSON juggling between the extension and Burp, removing the messy use of String concatenation.
- Previously there were two functions defined to add new TLS Passthrough rules, one which added multiple rules and one which added single rules. All numbers of rules now call the same function, reducing code duplication.
- The extension now checks for duplicate rules prior to addition of a new rule. Attempting to add a duplicate rule now sets the rule to “enabled”, and the undocumented “file” parameter discussed below to a wildcard value.
It was discovered after publishing the previous version that Burp saves its TLS Passthrough rules with an undocumented “file” regular expression parameter, which was unsupported by the first release of our extension. In the native TLS Passthrough workflow not using our extension, a user is likely to use the right-click context menu on a target request and use “Copy URL”:
They will then paste that value using either of the “Paste URL” buttons provided in TLS Pass Through settings:
When the “Paste URL” button is clicked, a hidden “file” parameter specifying the regular expression of the filepath is saved into the settings:
{"protocol":"https","file":"^/tag/opus\\.js.*","port":"^443$","host":"^opus\\.analytics\\.yahoo\\.com$","enabled":true}
In the new version of our extension, if there is already a rule saved into Burp with the same host and port values (i.e., one previously added using Paste URL), we set the hidden “file” parameter to a wildcard so that all possible files are matched and passed through. Our extension’s wildcard behavior may not be desirable for people that want to perform TLS Passthrough by application filepath (e.g., to exclude requests made to specific API endpoints from reaching Burp tools). It’s suggested these people continue to use the existing Paste URL feature for this level of granularity. Having this hidden regular expression parameter made visible to the user would also be a welcome change in a future edition of Burp.
The new version is now available in the Burp App Store and may also be downloaded from our GitHub repository.
MORE FROM WHITE OAK SECURITY
White Oak Security provides deep-dive offensive security testing. We are a highly skilled and knowledgeable cyber security and penetration testing company that works hard to help organizations strengthen their security posture by getting into the minds of opponents to try to protect those we serve from malicious threats through expertise, integrity, and passion.
Our unique industry experience allows us to offer a wide range of services to help analyze and test information security controls and provide guidance to prioritize and remediate vulnerabilities.