Introducing the Bambda Library
Summary
TLDR: In this presentation, the team from Burp Suite discusses the new Bambda library, a tool for managing Java-based Bambdas. Bambdas are small code snippets that enhance Burp Suite's functionality, allowing users to personalize workflows and automate tasks. The Bambda library simplifies the process of saving, sharing, and editing Bambdas directly within Burp Suite. It also introduces the ability to import and export Bambdas, including templates, and integrates a community-driven repository. The team demonstrates how the library improves workflow efficiency and usability, with features like bulk importing and exporting, and the ability to edit Bambdas seamlessly in the editor.
Takeaways
- Bambdas are Java-based snippets of code that run directly within Burp Suite's interface, offering customization for various tasks like match/replace rules and table columns.
- The Bambda library allows users to easily save, load, and share their Bambdas without leaving Burp Suite, making it easier to accumulate and reuse them across projects.
- Bambdas can be used for a wide range of tasks, including filtering HTTP traffic, logging authorized tokens, and improving memory efficiency by filtering static content.
- Users can leverage Bambdas to detect vulnerabilities by automatically searching for issues like misconfigured access controls, missing security headers, and insecure cookie settings.
- Although Bambdas are powerful tools for penetration testing, they are also designed to be throwaway, quick-code solutions that can be discarded after use.
- The Bambda library simplifies managing Bambdas by allowing import/export functionality, integration with GitHub, and sharing across projects or with the community.
- New users can easily get started with Bambdas through templates created by Burp Suite's research team, eliminating the need for immediate Java knowledge.
- Users can import entire folders of Bambdas from repositories, such as GitHub, and Burp Suite automatically manages versions and IDs to track changes.
- The ability to edit and save Bambdas directly in Burp Suite's editor streamlines workflows, enabling faster iterations without leaving the environment.
- A unique ID is assigned to each Bambda, ensuring consistency and management across multiple versions and installations when exporting/importing Bambdas.
- Upcoming features for Bambdas include custom actions in Repeater, allowing for more interactive and tailored questions to be asked during penetration testing.
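To make the "missing security headers and insecure cookie settings" takeaway concrete, here is an added example of an HTTP history filter Bambda; it is not code from the presentation or from PortSwigger. The header baseline and the in-scope restriction are assumptions of this example.

```java
// HTTP history filter Bambda (added example, not from the presentation).
// Burp supplies `requestResponse`; the snippet must return a boolean
// (true = keep the item visible in the table).
if (!requestResponse.hasResponse() || !requestResponse.request().isInScope()) {
    return false; // ignore out-of-scope items and items with no response yet
}

var response = requestResponse.response();

// Assumed baseline for this example; adjust to the policy you are checking.
var expectedHeaders = java.util.List.of(
        "Content-Security-Policy",
        "Strict-Transport-Security",
        "X-Content-Type-Options");

for (var name : expectedHeaders) {
    if (!response.hasHeader(name)) {
        return true; // a baseline security header is missing
    }
}

// Show responses that set a cookie without both Secure and HttpOnly.
for (var header : response.headers()) {
    if (!header.name().equalsIgnoreCase("Set-Cookie")) {
        continue;
    }
    boolean secure = false;
    boolean httpOnly = false;
    // Attributes are ';'-separated and case-insensitive.
    for (var attr : header.value().split(";")) {
        var a = attr.trim();
        secure |= a.equalsIgnoreCase("Secure");
        httpOnly |= a.equalsIgnoreCase("HttpOnly");
    }
    if (!secure || !httpOnly) {
        return true;
    }
}
return false; // nothing to review on this response
```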
Q & A
What is a Bambda in Burp Suite?
- A Bambda is a small section of Java-based code that runs directly from Burp Suite's interface. It allows users to personalize tasks such as creating custom match and replace rules, customizing table columns and filters, and more.
How can Bambdas help with managing traffic data in Burp Suite?
- Bambdas help by providing filters in areas like HTTP History, WebSockets, and Logger. They can reduce noise, identify useful data (such as authorized JWT tokens), and ensure only relevant requests are recorded, improving workflow and memory efficiency.
What are some examples of tasks Bambdas can automate?
- Bambdas can automate tasks like filtering for authorized JWT tokens, creating custom columns to highlight vulnerabilities, and hijacking CSP reports automatically using the Collaborator.
What is the major downside to using Bambdas?
- While Bambdas allow the execution of any Java code, they can be used for unnecessary or 'fun' features, such as making the Burp window bounce around the desktop or even shutting down the system, which can lead to distractions or system crashes if not used carefully.
What are the new features introduced with the Bambda library?
- The Bambda library allows users to save, load, edit, and share Bambda scripts directly within Burp Suite. Users can import, export, and manage their Bambda collection easily, as well as access templates to make it easier for new users to get started.
How does the Bambda library make it easier to share Bambda scripts?
- The Bambda library enables users to easily export and import Bambda scripts, either individually or in bulk. This functionality is designed to make sharing Bambda scripts with others, such as colleagues or the community, seamless and efficient.
What is the role of templates in the Bambda library?
- Templates in the Bambda library provide pre-configured Bambda scripts that users can instantly use without having to write Java code themselves. These templates are designed to help new users get started and are adaptable for those already familiar with Bambdas.
Can users contribute to the Bambda repository?
- Yes, Burp Suite encourages contributions to the Bambda repository. Users can submit pull requests to add new Bambda scripts that they find useful, and the team has already seen contributions from the community.
How does Burp Suite ensure the consistency of Bambda scripts when importing from multiple sources?
- Burp Suite uses a unique ID for each Bambda script, ensuring that when users import scripts, it can track whether the script is new or has been previously added. If there are duplicate versions, users will be prompted to decide which version to keep.
What is the process for importing multiple Bambda scripts from a GitHub repository?
- Users can download a ZIP file of the GitHub repository and extract it. Burp Suite will then recursively go through all folders and import the scripts automatically, making it easy to add large collections of Bambda scripts.