Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
  1. Support Center
  2. BApp Store
  3. Brida, Burp to Frida bridge

Brida, Burp to Frida bridge

This extension works as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX).

This idea is a need that is born during the analysis of some mobile application that use strong symmetric cryptography using random keys, without knowing the correct secret all data was not modifiable via Burp neither with a custom plugin. More generally, applications' logic could be based on cryptographic tokens, it could use a complex challenge-response algorithm as well, and so on. How can we tamper the messages? Most of the times the only viable approach is to decompile/disassemble the application, identify the functions or methods we're interested in AND re-implement them. This approach is obviously time consuming and not always really viable: i.e. the generation of tokens and/or the encryption routines could be based on cryptographic material strictly tied to the device (state) or stored inside protected areas and thus not directly accessible... That's when Brida comes in handy: instead of trying to extract keys/certificates and re-writing the routines we're interested in, why don't we let the application do the dirty work for us?

The last version of Brida adds a lot of different tools that help pentesters during mobile application analysis, among which an integrated console in which output from all the Frida and Brida hooks are printed, an integrated JS editor with JavaScript syntax highlighting and an analysis tab, in which there is a tree representation of the binary (Java/OBJC classes and methods, imports/exports) and from which it is possible to graphically add inspection hooks (that print arguments and return value every time that the hooked function is executed) and tamper hooks (that dynamically change the return value of the hooked function every time that it is executed).

Requirements:

  • Python 2.7 and the frida and pyro4 modules
  • An iOS or Android device with the frida-server running on it (root privileges on the device required) or an application patched with the Frida's Gadget (root privileges on the device not required).

Further information:

Author Federico Dotta, Piergiovanni Cipolloni
Version 0.2
Rating
Popularity
Last updated 08 June 2018

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore