The other day my colleague David says to me:
“Burp’s SiteMap is really useful, but I don’t understand where all these extra sites were requested from. I wish there was some way in which the referer information could be visualised”
(Paraphrased of course.. Dave is normally dropping f-bombs here and there)
And of course, this is how most hacks are born. A tool that does almost everything you need it to do, and then you find you have some other tangential requirements that aren’t being met. The next thing you know, Ruby has been whipped out, a day or so later you have your script.
The idea is really simple (as most hacks are). Enable “request” logging in Burp, save that file somewhere, parse that file with “burpdot.rb” to create a Graphviz DOT file, and then parse that file with one of the numerous Graphviz tools to output an image file.
Firstly, you need to convert a Burp log file into a Graphviz DOT file, which is as simple as
# ./burpdot.rb -i burp.log -o burp.dot
A scaled down, jpg-ised example here, which was created with
# sfdp -v -Tpng -O burp.dot
If you click it, you’ll get to an SVG version, for bandwidth’s sake. This was created with
# sfdp -v -Tsvg -O burp.dot
From start to finish:
Known Issues / Future Ideas:
- The Graphviz files get large, quickly. Just by browsing a few sites, you can generate a huge DOT file, and therefore potentially huge graphic. I’m an absolute novice with Graphviz, so optimising overflows etc is not really my forte, if anyone has any suggestions for how to improve this, please let me know.
- Because they’re so large, I’ve had neato and other Graphviz tools lock up my system. I’ve had the most luck with sfdp from Graphviz version 2.26.3 (I believe this is the default that comes with OSX 10.6.6).
- There’s no pretty highlighting of *anything*. Future releases may include more of this in the DOT files.
- There’s no pretty grouping of *anything*. As above.
- No nice interactivity yet, such as clicking on a node and seeing all its partners.
You can get burpdot from : https://github.com/xntrik/burpdot.
Tags: browser, burp, burpdot, development, Security, security assessment, web application