Crypto Attacker Burp Plugin

I recently wrote a burp plugin for common crypto attacks in web apps. Check out the code on github (I also submitted to BApp store a couple days ago). I hope to add more modules as time goes on, but to start with, here is what it has:

  • Active Scanning to detect padding Oracle attacks
  • Active Scanning capabilities to detect input being encrypted with ECB and reflected back (can be slow)
  • Attack tab to encrypt/decrypt padding oracles
  • Attack tab to decrypt ECB where you control part of the request

Here are some slides about it, and giving some background on the attacks it’s doing:

And some screenshots of it in action:





I hope this is useful to some of you!