Burp Infiltrator is a tool for instrumenting target web applications in order to facilitate testing using Burp Scanner. Burp Infiltrator modifies the target application so that Burp can detect cases where its input is passed to potentially unsafe APIs on the server-side. In industry jargon, this capability is known as IAST (interactive application security testing).
This article demonstrates how to set up and use Burp Infiltrator and provides an example of the tool locating an issue in the WebGoat training application. The version of “Mutillidae” we are using is taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.
First, select the Burp Infiltrator option from the "Burp" menu.
The wizard allows you to export the Burp Infiltrator installer from Burp, select the type of application that you want to instrument and save the file to your preferred location.
Note: Before installing and running Burp Infiltrator, ensure that the application is not currently running, as this may prevent the bytecode on disk from being modified.
Next, copy the Burp Infiltrator installer onto a machine containing the compiled application bytecode. This might be already located on the target application server, or on another machine ready to deploy.
Note: During patching, Burp Infiltrator needs to know the location of the application bytecode. The easiest way to achieve this is to place the Infiltrator installer into the root folder of the application and run it from there as the working directory. Alternatively, you can specify the path(s) to the folder(s) that contain the application bytecode as a comma-separated list during the installation process.
Ensure that the user context being used to perform the Burp Infiltrator installation has permissions to write to the files and folders containing the application bytecode.
Then, run the infiltrator from the comand line (e.g. using java -jar burpinfiltrator.jar).
By default, the Burp Infiltrator installer runs interactively and asks a series of questions during installation.
Alternatively, you can run it non-interactively.
Burp Infiltrator patches the application bytecode to inject instrumentation hooks at locations where potentially unsafe APIs are called.
When the patching process is completed, launch the application in the normal way using the modified bytecode.
Finally, perform a scan of the application.
Burp Infiltrator enables Burp to report:
- The potentially unsafe API that was called.
- The full value of the relevant parameter to that API.
- The application call stack when the API was invoked.