Wednesday, December 30, 2009

Belch v1.0 - Burp external channel manipulator

Belch v1.0 is out.

Belch is a plug-in for burp suite designed to aid protocol analysis and manipulation, it is fairly simple.

When dealing with thin client application (such as jser - java serialization protocol ) most of the time the communication between the client and the server is encrypted and transmitted in binary format.

Most proxy tools cannot manipulate binary packets on the fly with a valuable editor, that is why i wrote Belch.

Belch is aimed at helping protocol analysis be smother, once you understood the protocol concepts and write an encryption/decryption tool, you wish to use it upon live communication.

Enters Belch..

Belch lunches as a burp suite plug-in that interacts with the communication on both ends.
Once a message has been trapped burp forwards it to Belch process.

Belch perform the following action on the message:

1. it logs the message to a file
2. it then execute an external editor (user choice , notepad,sed,awk,perl, etc.) on the file, in this step the editor manipulate the message data.
3. once editor process has terminated Belch reads the file content and forward it to Burp onto the wire.

Bellow is a screen capture of Belch settings:

Enable/Disable : this option enable or disable Belch.

: this button pops up the Logging folder selection GUI, in this folder Belch will record all the traffic that passes throw it.

Trap Requests
: when enabled Belch will pass requests to the External editor for processing.

Trap Responses
: when enabled Belch will pass responses to the External editor for processing.

this button pops up the External editor selection GUI, Belch will execute the editor on each selected message as pre-configured in the requests/responses check-boxes.

Automation Enabled: when checked responses that arrived will be preprocessed by the selected processor and the will be sent to the client side of communication.

Automation Folder (Automator): this button will pop up the Automation responses folder selection, when automation is enabled select the first response to be sent to the processor and the to the client, since Belch records it traffic using the ##_Response.raw convention, Belch automation will iterate on the following responses sequentially.

Processor: this button will pop up the processor selection GUI, Belch will execute this processor on each response prior to forwarding it to the client.

Reset: this button will reset the iteration responses into the first response that was selected.

command line arguments:
Belch will process the following tokens when lunched:
- the external editor to use,
- the folder in which Belch should record its traffic,
- the executable that will be launched on server responses prior to forwarding them to the client.

here is an example of running Belch using notepad as an editor and as an processor

java -Xmx512m -cp burpsuite_v1.2.01.jar;Belch.jar burp.StartBurp Editor="notepad.exe" LogPath=.\temp Processor=notepad.exe

Download from source forge at
Enjoy :)


  1. Thanks for this great tool. I have a question when dealing with the Java Serialized binary format data. Does your tool convert the binary stream into XML or any other more readable formats? If so - how can I do this?

  2. I love reading through your blog, I wanted to leave a little comment to support you and wish you a good continuation. Wish you best of luck for all your best efforts.

    Thin Clients & Zero Clients