Burp extension to sign Payment Gateway API requests by calculating a variation of a HMAC-SHA512 and adding it to the request.
This was written quickly during a penetration test of a specific client's bespoke API but can serve as a template for similar Burp extensions when needed. Manipulation of HTTP requests in custom ways is a reasonably common requirement during web application testing. Hopefully this can serve as an example and a starting point for anyone needing to do something similar on a pentest.
In this case, each HTTP request had to carry a correct signature computed from the current values of its parameters before the API would process it. To use tools like Intruder or Active Scan to fuzz HTTP parameters, a way was therefore needed to calculate the correct signature and add it to each request Burp generated before it was sent. Otherwise the API would reject the requests without processing them, and any vulnerabilities that were in fact present would not have been detected this way.
Modify and adapt as needed to fit your own circumstances.
First download the latest standalone Jython from https://www.jython.org/download.
In Burp Suite:
- Extender -> Options
- Click 'Select file' under 'Python Environment'
- Select jython-standalone-2.7.2.jar or whatever version you downloaded
- Extender -> Extensions
- Click 'Add'
- Change 'Extension Type' to Python
- Click 'Select file' under 'Extension Details'
- Select paymentAPIsigner.py and click 'Next'
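An added example of the signing pattern described above, not the project's own paymentAPIsigner.py: a minimal Jython Burp extension that registers an HTTP listener, recomputes a signature from the request's current body parameters, and adds or replaces the signature field before the request leaves Burp. The canonical string format (sorted `name=value` pairs joined with `&`), the `signature` field name, the plain hex HMAC-SHA512 and the key are all assumptions; the real gateway's variation of HMAC-SHA512 will differ and must be substituted.

```python
import hashlib
import hmac

try:
    from burp import IBurpExtender, IHttpListener, IParameter
except ImportError:  # outside Burp (e.g. unit tests): stub the Java interfaces
    class IBurpExtender(object): pass
    class IHttpListener(object): pass
    class IParameter(object):
        PARAM_BODY = 1  # same constant value as Burp's IParameter.PARAM_BODY

SIGNATURE_PARAM = "signature"          # assumed name of the signature field
SECRET_KEY = "constructed-secret-key"  # constructed for the example; use the real API key


def canonicalize(params):
    """Assumed canonical form: name=value pairs sorted by name, joined with '&',
    with the signature parameter itself left out (it cannot sign itself)."""
    items = sorted((n, v) for n, v in params if n != SIGNATURE_PARAM)
    return "&".join("%s=%s" % (n, v) for n, v in items)


def compute_signature(params, key=SECRET_KEY):
    """Assumed scheme: hex HMAC-SHA512 over the canonical string."""
    msg = canonicalize(params).encode("utf-8")
    return hmac.new(key.encode("utf-8"), msg, hashlib.sha512).hexdigest()


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Payment API signer (example)")
        callbacks.registerHttpListener(self)  # sees every request Burp tools send

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest:
            return  # responses are left untouched
        info = self._helpers.analyzeRequest(messageInfo)
        # Only body parameters take part in the assumed scheme; others are ignored.
        params = [(p.getName(), p.getValue()) for p in info.getParameters()
                  if p.getType() == IParameter.PARAM_BODY]
        if not params:
            return
        sig = self._helpers.buildParameter(
            SIGNATURE_PARAM, compute_signature(params), IParameter.PARAM_BODY)
        request = messageInfo.getRequest()
        if any(n == SIGNATURE_PARAM for n, _ in params):
            request = self._helpers.updateParameter(request, sig)  # re-sign
        else:
            request = self._helpers.addParameter(request, sig)
        messageInfo.setRequest(request)
```

Because the listener runs for every tool, Intruder and Active Scan payloads are signed after the fuzzed value has been substituted, which is what keeps the API from rejecting them unprocessed.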