Saturday, May 7, 2011

Buby Script Basics Part 1

For those of you who are new to Buby, it is a platform to write Ruby based extensions for the Burp Suite API and I'm going to attempt to cover some of the basics.  First let me say thank you to Tebo for providing his insight. Tebo is the author of the Buby.kicks_ass => true article. Additionally, thank you Eric Monti the creator of Buby. Buby's homepage is located Here .


Although you can write Ruby code, this is a JRuby Gem. What does this mean? It means that the code execution environment is JRuby (Java+Ruby) and the Gem should be installed in the JRuby environment.

Lets install JRuby first:

Next, install the Buby Gem.

Basic example of running a script:

The options you see explained

jruby -S buby  => runs the jruby environment leveraging the buby gem

-i  => interactive, this means you can interact with Burp from the console.

-B => this is the location of your Burp jar file

-r => The script you'd like to run. This is an easy way to run the buby code you've created.

Finally, an example of sending a command to burp via the -i (interactive option). Here we produce an alert "Hello World".



Post Command

Okay so that wraps up Part 1 of Buby Basics.

If you'd like some scripts to mess around before Part 2, you can find some scripts I put together Here.

~Happy Hacking



  1. Thanks for all the buby series.

  2. Thanks for your comment! More Buby-fu and AppSec to come.



  3. Thanks, - Page not found

  4. @anonymous

    yeah it may be lost to the interwebs, i'll see if tebo still has the post.

  5. I did a quick 'installing dser' for java serialised object fiddling, in case it's useful to any pentesters out there by the way... here.

  6. @kitkat - Thanks for leaving the link. I think it would be cool to see the dser plugin shaped into a wXf/buby module.

  7. Hi,
    Is there a problem with installing buby on Ubuntu 12.04 with jruby? Pulled jruby with apt-get but buby install fails.

    Trying to install buby to then play around with Dser, Serializable and other tools related to Java serialization.


  8. Hey @Arvind - Couple things I have come across...

    Buby 1.3.3 seems to have issues, I usually revert to buby 1.3.1 (gem install buby --version=1.3.1). Also, the latest version of Burp has broken Buby AFAICT so if you want to use Buby (before it is fixed or a new maintainer steps forward), you'll have to leverage an pre- 1.5v of Burp IIRC).