Crypto Attacker Burp Plugin
October 28, 2014 5 Comments
I recently wrote a burp plugin for common crypto attacks in web apps. Check out the code on github (I also submitted to BApp store a couple days ago). I hope to add more modules as time goes on, but to start with, here is what it has:
- Active Scanning to detect padding Oracle attacks
- Active Scanning capabilities to detect input being encrypted with ECB and reflected back (can be slow)
- Attack tab to encrypt/decrypt padding oracles
- Attack tab to decrypt ECB where you control part of the request
Here are some slides about it, and giving some background on the attacks it’s doing:
And some screenshots of it in action:
I hope this is useful to some of you!
Cheers for this. However I have an issue installing this plugin via the BApp Stope using the latest jython 2.7b3.
Error: [snip]cryptoAttack.py”, line 17, in
from java import awt;
ImportError: cannot import name awt
[snip]
Thanks for letting me know. That is strange since I am running the same version of jython and don’t get the error :/
I am also getting the same error
I had the same error above, but I fixed it by checking my version of jython.
I run Arch Linux and there are 2 versions of jython available to me;
dave /opt $ yaourt jython
1 community/jython 2.5.3-2 [installed]
An implementation of the Python language written in Java
2 aur/jython27 2.7b3-1 (8)
An implementation of the Python language written in Java
I had the latest version initially install, (jython27), so I replaced with jython 2.5.3-2 and the extention now loads just fine.
People encountering the error – I think this was fixed with this commit: https://github.com/webstersprodigy/webstersprodigy/commit/547b7fec1a7553b84c130d674ea9bd156864393a. I am not sure the BAPP store is running the latest, but I pinged portswigger. Anyways, try getting the latest from github and see if the problem repros?