Recently, I’ve noticed a significant rise in the number of mobile applications making use of local encryption in order to encrypt request parameters prior to passing them over the wire. Not only does this make casual observation of the traffic more difficult, any type of parameter tampering/manipulation will likely fail unless the supplied payload can be successfully decrypted by the backend.

With that in mind, I developed a simple Burp Extender plugin that utilizes the IIntruderPayloadProcess interface in order to automatically encrypt payloads managed by Intruder. This way you can select an application request, identify the parameters that are encrypted, and select your payload listing as normal.

The only downside of this approach is that Intruder will show the fully encrypted payload within the results tab. In order to determine which payload was actually sent you’ll need to decrypt the payload by hand.

You can download the Netbeans project and JAR here.

(continue reading…)