PimpMyBurp #10 : Hackvertor
October 11, 2023
Hackvertor is a Burp Suite extension that allows changes to be made based on tags written in requests on the fly. This makes it possible to perform a wide range of actions within Burp itself, without having to rewrite scripts for each new feature required.
- Using tags simplifies the process of making changes in the context of other Burp Suite features.
- Fuzzing with modifications on the fly (e.g. with Intruder).
- Support for encoding and decoding, encryption and decryption of values.
- Support for IP spoofing by generating random IP addresses that can bypass protection mechanisms and filters.
- Generate signatures.
- Fill in forms with false datasets.
To give you an idea of how Hackvertor works, it may be a good idea to first take a tour of the extension's direct tab to learn how to use the different tags. To help you understand the tool better, let's take a look at some case studies.
Encode & Encrypt
Let's take the case of fuzzing, where the data must be sent encoded or encrypted.
Let's imagine a website where a quick examination of the code allows us to understand that AES encryption is performed on the front-end before being sent for verification. We can then see that the AES key enabling this encryption is leaked in the front-end source code. This allows us to preform a brute-force attack to obtain a valid encryption value.
By inserting a payload as shown below in Burp's Intruder tab and iterate over a wordlist, Hackvertor will AES encrypt the current value provided by the wordlist. Once the value is encrypted, Intruder will send the request containing the new encrypted value to the target.
Various tags are also available for encoding and decoding, such as for base64 and burp_urlencode :
<@base64>20 septembre 2023<@/base64> GET <@burp_urlencode>/invoices/20 Septembre 2023<@/burp_urlencode> <@d_base64>MjAgc2VwdGVtYnJlIDIwMjM=<@/d_base64> <@d_burp_url>GET /invoices/20+Septembre+2023<@/d_burp_url>
There are also various techniques available if you need to encode a payload to bypass a filter – for example:
The Math category can be useful for arithmetic calculations, but its great strength comes from its ability to randomly generate sequences of letters or numbers, or to add padding to your values.
To bypass certain Web Application Firewalls (WAF), it is possible to add a disproportionately large value so that the rest of the request is not checked. In this way, it would be possible to add a fake parameter with a large number of random letters to the content of your POST request:
In the case of an attempted exploit via a form, for example, it is sometimes necessary to enter different data for each request. For this purpose, there's a Fake category containing tags for fake addresses, fake companies, fake phone numbers and fake words by categories, with a choice of language.
<@fake_address("$firstName, $lastName, $fullAddress","fr_FR")/> <@fake_phoneNumber("$cellPhone","fr_FR")/> <@fake_company("$name, $url, $catchPhrase, $logo","en-GB")/>
In some cases, tokens can be generated based on other data, such as the date. As an example, we can transform our data into a JWT after receiving the current date:
It is possible to reuse data placed elsewhere in the query. To do this, you need to define the data with a <@set_ywh_var(false)><@/set_ywh_var(false)> tag, then simply call it with a get, followed by the name given to the variable: <@get_ywh_var/>.
Other variables can be set to reuse information, such as values within the body, headers or information related to the HTTP protocol.
As we've already covered, it is possible to obtain the date or a timestamp of the current time. The choice of format allows you to easily add adapted values in many different situations.
<@python('output = "".join(chr((ord(char) - 65 + 13) % 26 + 65) if i % 2 == 0 and char.isalpha() else char for i, char in enumerate(input))','<YOUR_HV_TOKEN>')>data_to_modify<@/python>
This Python code takes each character from an input and encodes it into a Rot13 format. This example demonstrates the potential of harnessing Hackvertor to write custom code directly in Burp.
To prevent interpretation of a payload containing a tag that wasn’t created by you (e.g, one that is already in a request passing through your proxy), you can simply enable or disable Hackvertor via the top bar. For Custom Tags, they are associated with a random token that must be known before they can be executed.