Burp Suite API插件开发指南：篡改HTTP请求头<\/h1>

1. 场景概述<\/h2>
本教程针对一个常见的Web安全测试场景：目标站点在HTTP请求头中需要一个SHA256哈希值进行校验。如果拦截修改请求后没有重新计算哈希值，请求会被后端拒绝。<\/p>

1.1 问题描述<\/h3>
目标站点要求每个HTTP请求头包含Hash<\/code>字段<\/li>
该Hash值是请求体的SHA256哈希值<\/li>
手动修改每个请求的Hash值效率低下<\/li>
需要开发Burp Suite插件自动完成这一过程<\/li>
<\/ul>
2. 模拟后端实现<\/h2>
使用Flask框架模拟一个需要Hash校验的后端服务：<\/p>
import<\/span> flask
<\/span><\/span>from<\/span> flask import<\/span> request
<\/span><\/span>from<\/span> hashlib import<\/span> sha256
<\/span><\/span>
<\/span><\/span>app =<\/span> flask.<\/span>Flask(__name__)
<\/span><\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/'<\/span>, methods=<\/span>['GET'<\/span>, 'POST'<\/span>])
<\/span><\/span>def<\/span> handle_request<\/span>():
<\/span><\/span>    hash =<\/span> request.<\/span>headers.<\/span>get('Hash'<\/span>)
<\/span><\/span>    body =<\/span> request.<\/span>get_data()
<\/span><\/span>    calculated_hash =<\/span> sha256(body).<\/span>hexdigest()
<\/span><\/span>    
<\/span><\/span>    if<\/span> hash is<\/span> not<\/span> None<\/span>:
<\/span><\/span>        if<\/span> str(hash).<\/span>strip() ==<\/span> calculated_hash:
<\/span><\/span>            data =<\/span> request.<\/span>form.<\/span>get('data'<\/span>)
<\/span><\/span>            if<\/span> data is<\/span> not<\/span> None<\/span>:
<\/span><\/span>                return<\/span> data
<\/span><\/span>            else<\/span>:
<\/span><\/span>                return<\/span> "No data provided."<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            return<\/span> "Invalid signature!"<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        return<\/span> "No hash provided."<\/span>
<\/span><\/span>
<\/span><\/span>app.<\/span>run(host=<\/span>"127.0.0.1"<\/span>, port=<\/span>5000<\/span>, debug=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre>2.1 后端逻辑解析<\/h3>

从请求头获取Hash<\/code>值<\/li>
计算请求体的SHA256哈希值<\/li>
比较两者是否一致<\/li>
一致则返回请求体中的data<\/code>字段内容<\/li>
不一致返回"Invalid signature!"<\/li>
无Hash头返回"No hash provided."<\/li>
<\/ol>
3. 请求响应示例<\/h2>
3.1 正常请求示例<\/h3>
请求:<\/strong><\/p>
GET \/ HTTP\/1.1
Host: 127.0.0.1:5000
Connection: keep-alive
Hash: 8897c835cf0001adff74ddf1953bc2f24d36fb3448ec180528ae0640f55f42e0
Content-Type: application\/x-www-form-urlencoded
Content-Length: 20

data=Attack+succeed!
<\/code><\/pre>
响应:<\/strong><\/p>
HTTP\/1.1 200 OK
Server: Werkzeug\/3.1.3 Python\/3.12.6
Date: Mon, 23 Dec 2024 03:46:38 GMT
Content-Type: text\/html; charset=utf-8
Content-Length: 15
Connection: close

Attack succeed!
<\/code><\/pre>
3.2 无效请求示例<\/h3>
请求(修改了请求体但未更新Hash):<\/strong><\/p>
GET \/ HTTP\/1.1
Host: 127.0.0.1:5000
Connection: keep-alive
Hash: 8897c835cf0001adff74ddf1953bc2f24d36fb3448ec180528ae0640f55f42e0
Content-Type: application\/x-www-form-urlencoded
Content-Length: 20

data=Attack+succeed!+1
<\/code><\/pre>
响应:<\/strong><\/p>
HTTP\/1.1 200 OK
Server: Werkzeug\/3.1.3 Python\/3.12.6
Date: Mon, 23 Dec 2024 03:58:26 GMT
Content-Type: text\/html; charset=utf-8
Content-Length: 18
Connection: close

Invalid signature!
<\/code><\/pre>
4. Burp Suite插件开发<\/h2>
4.1 插件基础框架<\/h3>
package<\/span> arr;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> burp.api.montoya.BurpExtension;<\/span>
<\/span><\/span>import<\/span> burp.api.montoya.MontoyaApi;<\/span>
<\/span><\/span>import<\/span> burp.api.montoya.logging.Logging;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> HelloWorld<\/span> implements<\/span> BurpExtension {<\/span>
<\/span><\/span>    MontoyaApi api;<\/span>
<\/span><\/span>    Logging logging;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> initialize<\/span>(<\/span>MontoyaApi api)<\/span> {<\/span>
<\/span><\/span>        api.<\/span>extension<\/span>().<\/span>setName<\/span>(<\/span>"Hello World"<\/span>);<\/span>
<\/span><\/span>        this<\/span>.<\/span>api<\/span> =<\/span> api;<\/span>
<\/span><\/span>        this<\/span>.<\/span>logging<\/span> =<\/span> api.<\/span>logging<\/span>();<\/span>
<\/span><\/span>        this<\/span>.<\/span>logging<\/span>.<\/span>logToOutput<\/span>(<\/span>"*** Freebuf.com - Hello World loaded ***"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 插件功能实现<\/h3>
我们需要扩展这个基础框架，添加HTTP请求处理逻辑：<\/p>

实现HttpHandler接口<\/strong>：处理HTTP请求和响应<\/li>
计算请求体哈希<\/strong>：对请求体计算SHA256哈希<\/li>
更新请求头<\/strong>：将计算出的哈希值更新到请求头的Hash<\/code>字段<\/li>
<\/ol>
4.3 完整插件代码<\/h3>
package<\/span> arr;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> burp.api.montoya.BurpExtension;<\/span>
<\/span><\/span>import<\/span> burp.api.montoya.MontoyaApi;<\/span>
<\/span><\/span>import<\/span> burp.api.montoya.http.handler.*;<\/span>
<\/span><\/span>import<\/span> burp.api.montoya.logging.Logging;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.security.MessageDigest;<\/span>
<\/span><\/span>import<\/span> java.security.NoSuchAlgorithmException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> HashUpdater<\/span> implements<\/span> BurpExtension,<\/span> HttpHandler {<\/span>
<\/span><\/span>    private<\/span> MontoyaApi api;<\/span>
<\/span><\/span>    private<\/span> Logging logging;<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> initialize<\/span>(<\/span>MontoyaApi api)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>api<\/span> =<\/span> api;<\/span>
<\/span><\/span>        this<\/span>.<\/span>logging<\/span> =<\/span> api.<\/span>logging<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        api.<\/span>extension<\/span>().<\/span>setName<\/span>(<\/span>"Hash Updater"<\/span>);<\/span>
<\/span><\/span>        api.<\/span>http<\/span>().<\/span>registerHttpHandler<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        logging.<\/span>logToOutput<\/span>(<\/span>"*** Hash Updater loaded ***"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> RequestToBeSentAction handleHttpRequestToBeSent<\/span>(<\/span>HttpRequestToBeSent request)<\/span> {<\/span>
<\/span><\/span>        \/\/ 获取请求体
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> requestBody =<\/span> request.<\/span>body<\/span>().<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 计算SHA256哈希
<\/span><\/span><\/span><\/span>        String hashValue =<\/span> calculateSHA256(<\/span>requestBody);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建带有更新后Hash头的新请求
<\/span><\/span><\/span><\/span>        HttpRequest newRequest =<\/span> request.<\/span>withHeader<\/span>(<\/span>"Hash"<\/span>,<\/span> hashValue);<\/span>
<\/span><\/span>        
<\/span><\/span>        logging.<\/span>logToOutput<\/span>(<\/span>"Updated Hash header to: "<\/span> +<\/span> hashValue);<\/span>
<\/span><\/span>        
<\/span><\/span>        return<\/span> RequestToBeSentAction.<\/span>continueWith<\/span>(<\/span>newRequest);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> ResponseReceivedAction handleHttpResponseReceived<\/span>(<\/span>HttpResponseReceived response)<\/span> {<\/span>
<\/span><\/span>        \/\/ 不修改响应
<\/span><\/span><\/span><\/span>        return<\/span> ResponseReceivedAction.<\/span>continueWith<\/span>(<\/span>response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    private<\/span> String calculateSHA256<\/span>(<\/span>byte<\/span>[]<\/span> data)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            MessageDigest digest =<\/span> MessageDigest.<\/span>getInstance<\/span>(<\/span>"SHA-256"<\/span>);<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> hashBytes =<\/span> digest.<\/span>digest<\/span>(<\/span>data);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 转换为十六进制字符串
<\/span><\/span><\/span><\/span>            StringBuilder hexString =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>            for<\/span> (<\/span>byte<\/span> b :<\/span> hashBytes)<\/span> {<\/span>
<\/span><\/span>                String hex =<\/span> Integer.<\/span>toHexString<\/span>(<\/span>0xff<\/span> &<\/span> b);<\/span>
<\/span><\/span>                if<\/span> (<\/span>hex.<\/span>length<\/span>()<\/span> ==<\/span> 1<\/span>)<\/span> {<\/span>
<\/span><\/span>                    hexString.<\/span>append<\/span>(<\/span>'0'<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                hexString.<\/span>append<\/span>(<\/span>hex);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            
<\/span><\/span>            return<\/span> hexString.<\/span>toString<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NoSuchAlgorithmException e)<\/span> {<\/span>
<\/span><\/span>            logging.<\/span>logToError<\/span>(<\/span>"SHA-256 algorithm not found: "<\/span> +<\/span> e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>            return<\/span> ""<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 代码解析<\/h3>


类定义<\/strong>：<\/p>

实现BurpExtension<\/code>和HttpHandler<\/code>接口<\/li>
包含MontoyaApi<\/code>和Logging<\/code>实例<\/li>
<\/ul>
<\/li>

initialize方法<\/strong>：<\/p>

设置插件名称<\/li>
注册HTTP处理器<\/li>
输出加载日志<\/li>
<\/ul>
<\/li>

handleHttpRequestToBeSent方法<\/strong>：<\/p>

处理即将发送的HTTP请求<\/li>
获取请求体并计算SHA256哈希<\/li>
创建带有更新后Hash头的新请求<\/li>
返回修改后的请求<\/li>
<\/ul>
<\/li>

handleHttpResponseReceived方法<\/strong>：<\/p>

处理接收到的HTTP响应<\/li>
本例中不修改响应<\/li>
<\/ul>
<\/li>

calculateSHA256方法<\/strong>：<\/p>

计算字节数组的SHA256哈希<\/li>
返回十六进制字符串表示<\/li>
处理可能的算法不存在异常<\/li>
<\/ul>
<\/li>
<\/ol>
5. 插件使用说明<\/h2>


编译插件<\/strong>：<\/p>

将代码编译为JAR文件<\/li>
确保包含所有必要的依赖<\/li>
<\/ul>
<\/li>

加载插件<\/strong>：<\/p>

打开Burp Suite<\/li>
转到"Extensions"标签页<\/li>
点击"Add"按钮<\/li>
选择"Java"类型<\/li>
浏览并选择编译好的JAR文件<\/li>
<\/ul>
<\/li>

验证插件工作<\/strong>：<\/p>

拦截或修改任何发送到目标站点的请求<\/li>
观察插件是否自动更新了Hash头<\/li>
检查日志输出确认哈希计算<\/li>
<\/ul>
<\/li>

测试场景<\/strong>：<\/p>

修改请求体内容<\/li>
确认Hash头自动更新<\/li>
验证请求能否通过后端校验<\/li>
<\/ul>
<\/li>
<\/ol>
6. 扩展功能建议<\/h2>


配置界面<\/strong>：<\/p>

添加设置界面允许配置哈希算法<\/li>
允许自定义请求头名称<\/li>
<\/ul>
<\/li>

性能优化<\/strong>：<\/p>

缓存哈希计算结果<\/li>
添加条件判断，仅对特定目标应用插件<\/li>
<\/ul>
<\/li>

错误处理<\/strong>：<\/p>

增强异常处理<\/li>
添加详细的日志记录<\/li>
<\/ul>
<\/li>

多算法支持<\/strong>：<\/p>

支持MD5、SHA1等其他哈希算法<\/li>
根据响应头动态选择算法<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
本教程详细介绍了如何开发一个Burp Suite插件来自动处理HTTP请求头中的哈希校验问题。通过实现HttpHandler<\/code>接口，我们能够拦截和修改即将发送的HTTP请求，自动计算请求体的哈希值并更新请求头，从而解决手动操作的繁琐问题。<\/p>
关键点总结：<\/p>

理解目标站点的哈希校验机制<\/li>
使用Burp Suite Montoya API处理HTTP请求<\/li>
实现SHA256哈希计算逻辑<\/li>
自动更新请求头中的哈希值<\/li>
通过日志记录插件运行状态<\/li>
<\/ol>
这种自动化方法显著提高了安全测试效率，特别是在需要频繁修改请求的场景下。开发者可以根据实际需求扩展此基础插件，添加更多实用功能。<\/p>
Burp Suite API插件开发指南：篡改HTTP请求头<\/h1>

1. 场景概述<\/h2> 本教程针对一个常见的Web安全测试场景：目标站点在HTTP请求头中需要一个SHA256哈希值进行校验。如果拦截修改请求后没有重新计算哈希值，请求会被后端拒绝。<\/p>

3. 请求响应示例<\/h2>

4. Burp Suite插件开发<\/h2>

1. 场景概述<\/h2>
本教程针对一个常见的Web安全测试场景：目标站点在HTTP请求头中需要一个SHA256哈希值进行校验。如果拦截修改请求后没有重新计算哈希值，请求会被后端拒绝。<\/p>
