Crypto Attacker Burp Plugin

I recently wrote a burp plugin for common crypto attacks in web apps. Check out the code on github (I also submitted to BApp store a couple days ago). I hope to add more modules as time goes on, but to start with, here is what it has:

  • Active Scanning to detect padding Oracle attacks
  • Active Scanning capabilities to detect input being encrypted with ECB and reflected back (can be slow)
  • Attack tab to encrypt/decrypt padding oracles
  • Attack tab to decrypt ECB where you control part of the request

Here are some slides about it, and giving some background on the attacks it’s doing:

And some screenshots of it in action:

Scan

config

Decrypt

EncryptPNG

I hope this is useful to some of you!

5 Responses to Crypto Attacker Burp Plugin

  1. Anon says:

    Cheers for this. However I have an issue installing this plugin via the BApp Stope using the latest jython 2.7b3.

    Error: [snip]cryptoAttack.py”, line 17, in
    from java import awt;
    ImportError: cannot import name awt
    [snip]

  2. davehardy20 says:

    I had the same error above, but I fixed it by checking my version of jython.
    I run Arch Linux and there are 2 versions of jython available to me;

    dave /opt $ yaourt jython
    1 community/jython 2.5.3-2 [installed]
    An implementation of the Python language written in Java
    2 aur/jython27 2.7b3-1 (8)
    An implementation of the Python language written in Java

    I had the latest version initially install, (jython27), so I replaced with jython 2.5.3-2 and the extention now loads just fine.

  3. People encountering the error – I think this was fixed with this commit: https://github.com/webstersprodigy/webstersprodigy/commit/547b7fec1a7553b84c130d674ea9bd156864393a. I am not sure the BAPP store is running the latest, but I pinged portswigger. Anyways, try getting the latest from github and see if the problem repros?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s