Crypto Attacker Burp Plugin
October 28, 2014
I recently wrote a Burp plugin for common crypto attacks in web apps. Check out the code on GitHub (I also submitted it to the BApp Store a couple of days ago). I hope to add more modules as time goes on, but to start with, here is what it has:
- Active scanning to detect padding oracles
- Active scanning to detect user input that is encrypted with ECB and reflected back in the response (can be slow)
- Attack tab to encrypt/decrypt data via a padding oracle
- Attack tab to decrypt ECB ciphertext where you control part of the request
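To show what the ECB scanning check above is actually looking for, here is an added example that is not code from the plugin. It simulates a web app that encrypts a user-controlled value inside a larger record, then runs the same probe a scanner would: submit a long run of identical bytes and see whether identical ciphertext blocks come back, which only happens in ECB mode. The block cipher is a keyed hash stand-in (assumed here so the example runs with the standard library only); the app format `user=<input>;role=guest`, the key, and the function names are constructed for the example.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16  # block size of the simulated cipher, in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher (NOT a real cipher, constructed for this
    example): a deterministic keyed function of one 16-byte block. That
    determinism is the only property the ECB check relies on."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext
    blocks produce equal ciphertext blocks."""
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first,
    so repeated plaintext does not show up as repeated ciphertext."""
    padded = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out.append(prev)
    return iv + b"".join(out)


# Constructed "application": the user value is embedded in a record before
# encryption, so the scanner does not know where its input lands.
APP_KEY = b"constructed-key!"  # constructed 16-byte key for the example


def vulnerable_app(user_input: bytes) -> bytes:
    return ecb_encrypt(APP_KEY, b"user=" + user_input + b";role=guest")


def hardened_app(user_input: bytes) -> bytes:
    iv = os.urandom(BLOCK)  # fresh random IV per message, as CBC requires
    return cbc_encrypt(APP_KEY, iv, b"user=" + user_input + b";role=guest")


def repeated_block_count(ciphertext: bytes, block_size: int) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    usable = len(ciphertext) - len(ciphertext) % block_size
    blocks = [ciphertext[i:i + block_size] for i in range(0, usable, block_size)]
    return sum(count - 1 for count in Counter(blocks).values())


def probe_for_ecb(encrypt_fn, block_sizes=(16, 8)) -> bool:
    """The scanner check: 64 identical bytes guarantee at least three fully
    aligned identical plaintext blocks no matter what prefix the app adds
    (for any block size up to 16), so ECB must emit repeated blocks while a
    properly used chained/streamed mode will not."""
    ciphertext = encrypt_fn(b"A" * 64)
    return any(repeated_block_count(ciphertext, bs) > 0 for bs in block_sizes)


if __name__ == "__main__":
    print("ECB app flagged:", probe_for_ecb(vulnerable_app))   # True
    print("CBC app flagged:", probe_for_ecb(hardened_app))     # False
```

The check is a pure observation of the response: no ciphertext is decrypted, which is why a scanner can run it against any endpoint that reflects encrypted user input. It can be slow in practice because the probe has to be repeated per parameter and the scanner may need several lengths to confirm alignment; the fix on the application side is to stop using ECB for anything with attacker-influenced content and to use an authenticated mode instead.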
Here are some slides about it, which also give some background on the attacks it performs:
And some screenshots of it in action:
I hope this is useful to some of you!