Last updated: August 3, 2021
Burp Infiltrator is a tool for instrumenting target web applications in order to facilitate testing using Burp Scanner. Burp Infiltrator modifies the target application so that Burp can detect cases where its input is passed to potentially unsafe APIs on the server side.
Burp Infiltrator currently supports applications written in:
Burp Infiltrator works in the following way:
Because Burp Infiltrator works by observing Burp payloads containing Burp Collaborator domains, and communicates back to Burp via the specified Burp Collaborator server, use of Burp Infiltrator requires that:
Use of private Burp Collaborator servers is supported by Burp Infiltrator, and the Infiltrator instrumentation knows which Collaborator server to communicate with based on the full domain name that Burp sends in its payloads. However, only private Collaborator servers that are configured using a domain name are supported; private Collaborator servers configured via an IP address are not supported.
To make use of Burp Infiltrator, it needs to be installed within the target application using the following steps:
Export the Burp Infiltrator installer from Burp Suite Professional. Go to the Burp menu, select "Burp Infiltrator", select the type of application that you want to instrument, and save the file to your preferred location.
Note: Before installing and running Burp Infiltrator, ensure that the application is not currently running, as this may prevent the bytecode on disk from being modified.
Copy the Burp Infiltrator installer onto a machine containing the compiled application bytecode. This might already be located on the target application server, or on another machine ready to deploy.
During patching, Burp Infiltrator needs to know the location of the application bytecode. The easiest way to achieve this is to place the Infiltrator installer into the root folder of the application, and run it from there as the working directory. Alternatively, you can specify the path(s) to the application bytecode during the installation process.
Ensure that the user context being used to perform the Burp Infiltrator installation has permissions to write to the files and folders containing the application bytecode.
Run Burp Infiltrator from the command line. For example, for Java applications, enter:
java -jar burp_infiltrator_java.jar
By default, the Burp Infiltrator installer runs interactively, and asks a series of questions during installation. Alternatively, you can run it non-interactively.
Burp Infiltrator patches the application bytecode to inject instrumentation hooks at locations where potentially unsafe APIs are called.
When the patching process is completed, launch the application in the normal way using the modified bytecode.
Finally, perform a scan of the application.
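The installation steps above have three prerequisites that are easy to get wrong in practice: the bytecode must be where the installer looks for it, the files must be writable by the installing user, and the application must not be running. The following POSIX shell pre-flight check is an added example, not PortSwigger's code; it assumes a Java application whose bytecode lives under a single directory and the installer jar name given on this page.

```shell
# Pre-flight checks before running the Burp Infiltrator installer (added example).
# Returns 0 when it looks safe to run the installer with $1 as the working
# directory, non-zero (with a reason on stderr) otherwise.
infiltrator_preflight() {
  app_root="$1"
  if [ ! -d "$app_root" ]; then
    echo "preflight: no such directory: $app_root" >&2
    return 1
  fi

  # The installer patches the bytecode it finds under the working directory,
  # so there has to be some. Classes, jars and wars are the assumed layout.
  bytecode=$(find "$app_root" -type f \( -name '*.class' -o -name '*.jar' -o -name '*.war' \))
  if [ -z "$bytecode" ]; then
    echo "preflight: no Java bytecode found under $app_root" >&2
    return 1
  fi

  # Patching rewrites files in place: the current user needs write access to each
  # bytecode file and to the directory holding it (renames during patching).
  unwritable=$(find "$app_root" -type f \( -name '*.class' -o -name '*.jar' -o -name '*.war' \) \
    -exec sh -c 'for f; do [ -w "$f" ] && [ -w "$(dirname "$f")" ] || echo "$f"; done' _ {} +)
  if [ -n "$unwritable" ]; then
    echo "preflight: not writable by $(id -un):" >&2
    echo "$unwritable" >&2
    return 1
  fi

  # A running JVM holding the jars open can stop the bytecode on disk from being
  # modified. This check only runs where lsof is installed.
  if command -v lsof >/dev/null 2>&1; then
    if lsof +D "$app_root" 2>/dev/null | grep -q 'java'; then
      echo "preflight: a Java process still has files under $app_root open; stop the application first" >&2
      return 1
    fi
  fi
  return 0
}

# Usage (paths are placeholders): run the checks, then launch the installer with
# the application root as the working directory so it finds the bytecode itself.
# infiltrator_preflight /path/to/app && (cd /path/to/app && java -jar burp_infiltrator_java.jar)
```

Run it as the same user that will run the installer, since the write checks are evaluated for the current user.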
Burp Infiltrator enables Burp Scanner to report the potentially unsafe API that was called, the full value of the relevant parameter, and the application call stack when the API was invoked.
Please take note of the following considerations relating to the patching process:
For .NET applications, Burp Infiltrator requires either (a) the ilasm and ildasm tools that are distributed with the .NET framework and the Windows SDK tools, respectively; or (b) the ilasm and monodis tools that are distributed with mono. You must specify the location of the assembly and disassembly tools during the patching process. Note that the version of the assembly tool must match the version of the .NET framework that the bytecode is targeting, to ensure compatibility.
Ensure that the .NET assembly is not marked with the SuppressIldasmAttribute attribute, as this will prevent Burp Infiltrator from instrumenting the assembly.
You can install Burp Infiltrator non-interactively. This supports various use cases. For example, a CI pipeline could automatically deploy an application build to a staging server, install the Burp Infiltrator instrumentation, and perform a scan using Burp Scanner.
To run the Burp Infiltrator non-interactively, add the following argument to the command line:
In non-interactive mode, the Burp Infiltrator installer will use default values for all configuration options that are normally prompted for in interactive mode. You can use additional command line arguments to override these default values if required. Use the following command line argument to list all the supported options:
Before installing Burp Infiltrator non-interactively, you should use the above command to view the details of the default values for configuration options that will be used unless overridden, and ensure that the correct options will be used based on your requirements.
Note: By running the Burp Infiltrator installer in non-interactive mode, you are deemed to have read and agreed to all warnings and disclaimers that are displayed during interactive installation.
Note: Configuration options are specified during the patching operation, and are applied within the changes that the patching operation makes to the application bytecode. To modify the configuration of Burp Infiltrator after patching has been performed, it will be necessary to re-run the Burp Infiltrator installer using the updated options, and then restart the application.