CryptoJS Burp Extender

04 September 2021

Intro :flashlight:

Burp Suite can intercept HTTP requests; this Burp Suite extender extends that functionality specifically for dealing with CryptoJS-encrypted requests. It decrypts intercepted requests so they can be tampered with or modified, then encrypts them again before forwarding the request.

Repo

The project is available for free on github!

Demo

Here’s a little demo of me using the extender.

Just in case it’s a bit blurry, here’s what I did:

How it Works

The underlying cryptographic function is AES, which is a block cipher. Block ciphers work with keys of a specific length, while a passphrase is of variable length. Because of this, the CryptoJS library runs a Key Derivation Function (KDF) that takes in the passphrase and outputs the key. Here’s a super simplified diagram of the difference between regular block ciphers and CryptoJS.

CryptoJS performs that KDF and other steps, such as padding the message before encryption, adding a salt and formatting the encrypted message, under an abstraction layer. So when we want to encrypt a message, we simply call encrypt("passphrase here", "message here") and get a nicely encrypted message; calling decrypt("passphrase here", "encrypted message here") gives us back our original message. Reproducing this is the challenge of this project. Here’s a super simplified diagram of CryptoJS’s encrypt function.

This extension does the job by doing the same thing CryptoJS does (encrypting and decrypting with a passphrase on a block cipher), written as a Burp Suite extender that uses Burp’s existing APIs to interface with Burp’s existing tools and with the user’s input.

When we intercept a request, we simply call our implementation of decrypt, which does exactly what the CryptoJS counterpart does. After we do what we want with the plaintext, we call our implementation of encrypt, which also does exactly what the CryptoJS counterpart does.

The Challenge

Before I started this project, I first studied basic cryptography and block ciphers at CryptoHack. Why go through that trouble? Because:

We need to understand the functions performed by CryptoJS, from taking in the passphrase all the way to producing the encrypted message; after that we also need to understand the inverse of those actions in order to decrypt the message.

Then we need to apply our understanding in a different language: CryptoJS is written in JavaScript, but Burp Suite is written in Java, so we have to rewrite these cryptographic functions in Java (though Burp Suite now supports extensions in other languages too, such as Python).

Conclusion

This was quite an awesome project for me. Though it looks simple, it actually goes quite in depth on the cryptography, and I also learned about working with APIs built by other people and understanding them through their documentation.