un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

*Phew*, burpdot is now up to version 0.5. I can’t really explain the relief I feel at getting this version out. Ever since David planted the idea of visualising Burp log files showing how URLs refer to one another, he was always going on about “Hey, jQuery is easy right? Sure! You can build up a web interface right? That’ll only take you a couple of days?”. Well, according to the network graph I’ve been making tiny commits to the work-in-progress branch for the past 2 months; only now have I merged it back in, and voila.

The existing command line functionality should be exactly the same, but if you set up your environment according to the documented dependencies then you should be able to simply run “./burpweb.rb” and open up http://localhost:8015.

Less words, more shows:



Burpdot is now up to version 0.4, and it’s starting to shape up into something a little bigger than first imagined, which I guess is the way with these things. But first, let’s cover the simple stuff: as of 0.4, burpdot has a new mode to output into a SQLite database file. At the moment there’s not much point in this functionality, but new versions will use it – let’s leave that for another post. Example:

# ./burpdot.rb -i burp.log -m sqlite -o burp.db

Excitement!

Okay, not really. Anyway, before getting onto the depth option I’ll have to admit I don’t really know much about using Graphviz. So, after a little reading I figured out a couple of overrides that really help with burpdot (via Afterglow) generated graphs: the normalize option, the splines option, and using vpsc for overlap prevention instead of ortho. You can see these in the graphs generated below.

The concept of depth is really simple: set to 1, burpdot only extracts the domain portion of the URI; set to 2, you get the domain and the path; set to 3, you get the domain, path and query string. By default depth is set to 2, so you get the same graphs as generated in previous versions. Examples:

# ./burpdot.rb -i burp.log -m csv -d 1 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-1.png

# ./burpdot.rb -i burp.log -m csv -d 2 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-2.png

# ./burpdot.rb -i burp.log -m csv -d 3 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-3.png



It wasn’t until after I’d pushed the 0.1 version of burpdot up to git that I remembered secviz.org. If you haven’t checked it out you certainly should; it’s a great portal for people to share visualisations of log analysis/mining, in particular those related to security. I pinged Raffy, who maintains the site, on Twitter, and he reminded me of Afterglow, a Perl tool that he maintains which facilitates the process of generating graphs. The power of Afterglow comes from its flexible color properties file and plethora of options. So it made perfect sense for burpdot to be modified to output simple CSV files, which could then be consumed and processed with Afterglow.

A simple example:
# ./burpdot.rb -i burplogfile.log -m csv | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Goverlap=orthoyx -o burp.png

Which generates:
Burp PNG

You can grab Afterglow from: http://afterglow.sourceforge.net/ and the updated burpdot from: https://github.com/xntrik/burpdot.

Update: Forgot to give epic big ups to Dave who helped get the label wrapping Perl Fu working in the burp.properties file!



The other day my colleague David says to me:
“Burp’s SiteMap is really useful, but I don’t understand where all these extra sites were requested from. I wish there was some way in which the referer information could be visualised”
(Paraphrased of course... Dave is normally dropping f-bombs here and there)

And of course, this is how most hacks are born. A tool does almost everything you need it to do, and then you find you have some other tangential requirements that aren’t being met. The next thing you know, Ruby has been whipped out, and a day or so later you have your script.

The idea is really simple (as most hacks are). Enable “request” logging in Burp, save that file somewhere, parse that file with “burpdot.rb” to create a Graphviz DOT file, and then parse that file with one of the numerous Graphviz tools to output an image file.

Firstly, you need to convert a Burp log file into a Graphviz DOT file, which is as simple as
# ./burpdot.rb -i burp.log -o burp.dot

A scaled down, jpg-ised example here, which was created with
# sfdp -v -Tpng -O burp.dot

Burpdot generated image demo

If you click it, you’ll get to an SVG version, for bandwidth’s sake. This was created with
# sfdp -v -Tsvg -O burp.dot
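To make the pipeline concrete, here is an added example that re-implements the idea behind burpdot in a few dozen lines: it walks a Burp-style request log, pairs each request with its Referer, collapses both ends to the depth levels described in the 0.4 post earlier on this page (1 = host, 2 = host + path, 3 = host + path + query), and emits either a Graphviz DOT digraph or the two-column CSV that the Afterglow post feeds into afterglow.pl -t. This is not burpdot’s own code. The embedded log is a constructed, simplified imitation of Burp’s proxy request log (records separated by lines of “=”, a header line with “time  scheme://host:port  [ip]”, then the raw request and headers); a real log may differ in detail, and the function and constant names are the example’s own.

```ruby
require 'uri'

# Constructed sample in a simplified Burp-style request-log layout (assumption,
# not a real capture): '=' separator lines, a header line carrying the
# scheme://host:port of the request, then the raw HTTP request and headers.
SAMPLE_LOG = <<~LOG
  ======================================================
  10:01:02 AM  http://www.example.com:80  [192.0.2.10]
  ======================================================
  GET /index.html HTTP/1.1
  Host: www.example.com
  Referer: http://www.example.com/

  ======================================================
  10:01:03 AM  http://cdn.example.net:80  [192.0.2.20]
  ======================================================
  GET /js/app.js?v=3 HTTP/1.1
  Host: cdn.example.net
  Referer: http://www.example.com/index.html

  ======================================================
  10:01:04 AM  http://tracker.example.org:80  [192.0.2.30]
  ======================================================
  GET /pixel.gif?id=42 HTTP/1.1
  Host: tracker.example.org
  Referer: http://www.example.com/index.html

  ======================================================
  10:01:05 AM  http://www.example.com:80  [192.0.2.10]
  ======================================================
  GET /favicon.ico HTTP/1.1
  Host: www.example.com

  ======================================================
LOG

# Reduce an absolute URL to the granularity selected by depth, mirroring the
# -d levels described in the post: 1 -> host; 2 -> host + path;
# 3 -> host + path + query string. An unparseable URL falls back to the raw
# string so one odd line does not abort the whole graph.
def node_label(url, depth)
  uri = URI.parse(url)
  label = uri.host.to_s
  return label if depth <= 1
  label += (uri.path.nil? || uri.path.empty?) ? '/' : uri.path
  return label if depth == 2
  label += "?#{uri.query}" if uri.query
  label
rescue URI::InvalidURIError
  url
end

# Collect [referer, requested_url] pairs. The header line supplies
# scheme://host:port, which is prepended to the request-line path to rebuild
# the absolute URL. Requests without a Referer are entry points, not edges.
def referer_pairs(log_text)
  pairs = []
  base = nil
  log_text.split(/^=+[ \t]*$/).each do |block|
    lines = block.strip.lines.map(&:chomp)
    next if lines.empty?
    if (meta = lines.first.match(%r{\s(https?://\S+)\s+\[}))
      base = meta[1]
      next
    end
    req = lines.first.match(%r{\A[A-Z]+\s+(\S+)\s+HTTP/})
    next unless req && base
    target = req[1].start_with?('http') ? req[1] : base + req[1]
    referer = lines.find { |l| l =~ /\AReferer:/i }
    pairs << [referer.sub(/\AReferer:\s*/i, '').strip, target] if referer
  end
  pairs
end

# Collapse pairs to the chosen depth, dropping duplicates and the self-loops
# that appear when several distinct URLs fold onto a single node.
def edges(pairs, depth)
  pairs.map { |ref, tgt| [node_label(ref, depth), node_label(tgt, depth)] }
       .reject { |a, b| a == b }
       .uniq
end

# Graphviz DOT, the format burpdot.rb writes with -o; node names are quoted
# and embedded quotes escaped so sfdp/neato parse them.
def to_dot(pairs, depth)
  quote = ->(s) { '"' + s.gsub('"', '\"') + '"' }
  body = edges(pairs, depth).map { |a, b| "  #{quote.call(a)} -> #{quote.call(b)};" }
  (['digraph burp {'] + body + ['}']).join("\n")
end

# Two-column source,target CSV, the shape afterglow.pl -t consumes.
def to_csv(pairs, depth)
  edges(pairs, depth).map { |a, b| "#{a},#{b}" }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby burp_referer_graph.rb [burp.log] [depth]
  # Defaults to the constructed sample and depth 2 (burpdot's default).
  log   = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  depth = (ARGV[1] || 2).to_i
  puts to_dot(referer_pairs(log), depth)
end
```

Run with depth 1 on the sample and the graph has two edges (www.example.com to the CDN and to the tracker); the self-referential index.html request collapses to a self-loop and is dropped. At depth 2 or 3 it reappears as an edge from the site root to index.html, which is exactly the kind of "where did this request come from" relationship the SiteMap hides.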

From start to finish:

Known Issues / Future Ideas:

  • The Graphviz files get large, quickly. Just by browsing a few sites, you can generate a huge DOT file, and therefore potentially huge graphic. I’m an absolute novice with Graphviz, so optimising overflows etc is not really my forte, if anyone has any suggestions for how to improve this, please let me know.
  • Because they’re so large, I’ve had neato and other Graphviz tools lock up my system. I’ve had the most luck with sfdp from Graphviz version 2.26.3 (I believe this is the default that comes with OSX 10.6.6).
  • There’s no pretty highlighting of *anything*. Future releases may include more of this in the DOT files.
  • There’s no pretty grouping of *anything*. As above.
  • No nice interactivity yet, such as clicking on a node and seeing all its partners.

You can get burpdot from: https://github.com/xntrik/burpdot.


