Recently, I’ve noticed a significant rise in the number of mobile applications making use of local encryption in order to encrypt request parameters prior to passing them over the wire. Not only does this make casual observation of the traffic more difficult, any type of parameter tampering/manipulation will likely fail unless the supplied payload can be successfully decrypted by the backend.

With that in mind, I developed a simple Burp Extender plugin that utilizes the IIntruderPayloadProcess interface in order to automatically encrypt payloads managed by Intruder. This way you can select an application request, identify the parameters that are encrypted, and select your payload listing as normal.

The only downside of this approach is that Intruder will show the fully encrypted payload within the results tab. In order to determine which payload was actually sent you’ll need to decrypt the payload by hand.

You can download the Netbeans project and JAR here.

The Code

package burp;

import java.awt.*;

import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;

import sun.misc.*;

public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {

    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
        // obtain an extension helpers object
        helpers = callbacks.getHelpers();

        // set our extension name
        callbacks.setExtensionName("Encrypted AES Payloads");

        // register ourselves as an Intruder payload processor
        callbacks.registerIntruderPayloadProcessor(this);
    }

    @Override
    public String getProcessorName() {
        return "AES Encypter";
    }

    @Override
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        try {
            String payloadString = new String(currentPayload);
            String result = BurpExtender.encrypt(payloadString);
            return result.getBytes();
        } catch(Exception e) {
            return null;
        }
    }

    public static String encrypt(String plainText) throws Exception {
        // generate key
        byte[] keyValue=new byte[] { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01};
        Key skeySpec = new SecretKeySpec(keyValue, "AES");

        // Generate null IV
        byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
        IvParameterSpec ivSpec = new IvParameterSpec(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, ivSpec);

        byte[] encVal = cipher.doFinal(plainText.getBytes());
        String encryptedValue = new BASE64Encoder().encode(encVal);
        return encryptedValue.toString();
    }
}

Here you can see that the post processing payload is very simple. We first set a few details regarding our extension and register a callback to the IntruderPayloadProcessor interface.

The IIntruderPayloadProcess API only allows for two methods, getProcessorName and processPayload. Under processPayload we simple take the currentPayload (our unecrypted value) and pass it to our “encrypt” method. In this example I’ve implemented AES/CBC using PKCS5Padding (which will also work for PCKS7Padding under AES 128) and a null IV. However, this example can easily be expanded in order to implement any other type of crypto supported by the native Java libraries.

You can access the Burp IntruderPayloadProcessor API docs here.

Installing the Extension

***Before you begin however you must have access to BurpSuite Pro v.1.5.01.

Installing the extension is fairly simple. Launch burp, go to the Extender tab, click “Add” and navigate to the supplied JAR.

burp-1

Next, send your target request to intruder. Once in intruder, select each parameter containing encrypted data that you’d like to tamper with:

burp-3

Once you have your payload positions defined, select the “Payload” sub-tab and navigate to “Payload Processing”. Here we’ll be adding our custom payload processor. Select “add” and in the popup menu, navigate down to “Invoke Burp Extension” and select our custom payload processor, “AES Encrypter”.

burp-4

Finally, you can go ahead and launch your intruder session.

burp-5

Closing

Before I wrap this out I just want to stress again that this is not a perfect solution. Initially I had wanted to write this extension in Python (my language of choice) using the Jython API, however I soon realized that Jython does not handle C-extensions. Because of this, you cannot call any crypto modules directly via Python and the Jython API. With that I went with the less complete solution and implemented a bare-bones payload processor.