Burp extension to sign Payment Gateway API requests by calculating a variation of a HMAC-SHA512 and adding it to the request.

TartarusLabs/Burp-Request-Signer

Burp Extension - Payment Gateway API Request Signer

This was written quickly during a penetration test of a specific client's bespoke API, but it can serve as a template for similar Burp extensions. Manipulating HTTP requests in custom ways is a reasonably common requirement during web application testing, so hopefully this serves as an example and a starting point for anyone needing to do something similar on a pentest.

In this case, the API only processed an HTTP request if it carried a correct signature computed over the current values of the request parameters. Any request whose parameters were modified after signing, which is exactly what Intruder or Active Scan do when they fuzz parameters, was rejected before the application logic ever saw it, so any vulnerabilities actually present would have gone undetected. To make these tools usable, a way was needed to recalculate the signature and add it to every request Burp generates, immediately before it is sent.
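
As an added example (not the project's own code, which is not reproduced on this page), the following Jython-compatible extension skeleton shows the pattern described above: a pure-Python signing routine that recomputes the signature from the request body as it stands when the request leaves Burp, and an IHttpListener that applies it to every outgoing request from any tool. The concrete scheme (form parameters sorted by name and joined as name=value pairs, HMAC-SHA512 hex digest in an X-Signature header), the header name and the key are assumptions made for illustration; the client's actual scheme is described only as a "variation of HMAC-SHA512" and is not on the page, so the real canonicalisation and key would be swapped in here. The signing functions use only hashlib and hmac, so they also run outside Burp (the burp imports are stubbed when missing).

```python
# Added example (not the project's own code): a minimal request-signing
# routine plus the Burp glue needed to apply it to every outgoing request.
# The signing scheme below (sorted form parameters, HMAC-SHA512 hex digest in
# an X-Signature header) and the key are ASSUMED for illustration; the real
# client's "variation" of HMAC-SHA512 is not described on the page.
import hashlib
import hmac

try:  # Python 3 (for testing the signing logic outside Burp)
    from urllib.parse import parse_qsl
except ImportError:  # Python 2 / Jython 2.7, which Burp's Python extensions run on
    from urlparse import parse_qsl

SIGNATURE_HEADER = "X-Signature"                # assumed header name
SECRET_KEY = b"constructed-demo-key-not-real"   # constructed for the example


def _to_bytes(value):
    """Accept str or bytes on both Python 2 and 3."""
    return value if isinstance(value, bytes) else value.encode("utf-8")


def canonical_string(body):
    """Build the string that gets signed: parameters sorted by name, re-joined
    as name=value pairs. Sorting makes the signature independent of the order
    in which the client happened to emit the parameters."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return "&".join("%s=%s" % (name, value) for name, value in sorted(pairs))


def sign(body, key=SECRET_KEY):
    """HMAC-SHA512 over the canonical form, hex-encoded (128 hex chars)."""
    return hmac.new(_to_bytes(key), _to_bytes(canonical_string(body)),
                    hashlib.sha512).hexdigest()


def verify(body, presented_signature, key=SECRET_KEY):
    """Server-side check, shown for contrast: any change to a parameter value
    after signing makes this return False, which is why unsigned Intruder or
    Scanner payloads are rejected before the API processes them."""
    expected = sign(body, key)
    compare = getattr(hmac, "compare_digest", None)  # constant-time where available
    if compare is None:
        return expected == presented_signature
    return compare(_to_bytes(expected), _to_bytes(presented_signature))


def add_signature(raw_request, key=SECRET_KEY):
    """Take a raw HTTP request (headers + body as one string), compute the
    signature over the *current* body and (re)place the signature header.
    The body is unchanged, so Content-Length needs no adjustment."""
    head, _sep, body = raw_request.partition("\r\n\r\n")
    header_lines = head.split("\r\n")
    # Drop any stale signature so repeated signing never stacks headers.
    header_lines = [h for h in header_lines
                    if not h.lower().startswith(SIGNATURE_HEADER.lower() + ":")]
    header_lines.append("%s: %s" % (SIGNATURE_HEADER, sign(body, key)))
    return "\r\n".join(header_lines) + "\r\n\r\n" + body


# ---- Burp glue (legacy Extender API, matching the install steps on this page) ----
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:  # running outside Burp: stub the interfaces so the module still imports
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Payment API request signer (example)")
        # An HTTP listener sees requests from every tool (Repeater, Intruder,
        # Scanner, ...), so fuzzed requests get a fresh signature as well.
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest:
            return  # only outgoing requests need signing
        raw = self._helpers.bytesToString(messageInfo.getRequest())
        signed = add_signature(raw, SECRET_KEY)
        messageInfo.setRequest(self._helpers.stringToBytes(signed))
```

Load it the same way as paymentAPIsigner.py below. Two details matter for this to work under Intruder and Active Scan: the signature must be computed after the payload has been inserted, which an HTTP listener guarantees because it sees the final request from every tool, and the existing signature header must be replaced rather than appended, otherwise requests re-sent from Repeater accumulate stale headers. Check toolFlag in processHttpMessage if only particular tools' traffic should be signed.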

Modify and adapt as needed to fit your own circumstances.

Installation

First download the latest standalone Jython JAR from https://www.jython.org/download. Burp's Python extensions run on Jython, which implements Python 2.7, so the extension code must stay Python 2 compatible.

In Burp Suite:

  • Extender -> Options
  • Click 'Select file' under 'Python Environment'
  • Select jython-standalone-2.7.2.jar or whatever version you downloaded
  • Extender -> Extensions
  • Click 'Add'
  • Change 'Extension Type' to Python
  • Click 'Select file' under 'Extension Details'
  • Select paymentAPIsigner.py and click 'Next'

In more recent Burp releases the Extender tab has been replaced: the Jython JAR is configured under Settings -> Extensions -> Python environment, and extensions are added from the Extensions tab. The remaining steps are the same.
