A Guide For Advanced Message Protected API Hacking Using Hackvertor and Burp (part 2)

  • Dissect custom encryption, message signing, or any other message security layers — inside Burp.
  • Leverage Burp’s features and automate testing of mobile applications, APIs, or WEB.
  • Challenge the security-by-obscurity approach: once their message protection layers are peeled off, seemingly bulletproof APIs become easy to test.
  • Link any external tool through Burp’s proxy with HV scripts processing the requests (like sqlmap).
  • Much easier than writing Burp extensions (when we don’t need to process the server’s response).
  • Up to 2 params (string/int) can be passed directly into the function; more can be passed as well.
  • Every set HV variable is automatically injected/marshaled into Python.
    You can see all of them by running dir() inside the Python code. For test purposes, just reflect them with output = str(dir()) and view all the initialized parameters.
  • Timestamp
  • Param definition
  • Custom signing tag
  • Do not forget to set the param type as string/int; otherwise the name won’t be saved.
  • Work with files. Upon each file save Hackvertor automatically reloads the script, at least for the Repeater/HV tab (useful for tuning the logic). Save the file, alter the HV tab view (press space) and HV will automatically update the view using the latest version of the file.
  • You can debug the code without burp (set mock parameters inside the script): java -jar .\jython-standalone-2.7.0.jar script.py
  • When reopening Burp, the code execution tag id should be updated. When Burp starts, click Allow Code Execution inside HV top menu, open HV tab, add a custom tag and copy the new id value to the tags already used.
  • Debugging your Python code without Burp and Hackvertor
  • As of today, when using the latest versions of Burp, Hackvertor, and JavaScript on Windows you will have a bad time. When trying to reuse the old Hackvertor project a while ago I had a lot of compatibility problems with Windows support, Java 15 deprecation of certain in-use features, and more. To run the old code you need to downgrade the Java version and Hackvertor.
  • We aren’t really interested in fully replicating the original SDK/client behavior and can alter classes as we need; for example, we can use a simple random number generator instead of a secure one.
  • If you can’t make a Python library work with HV, don’t hesitate to embed only the relevant code parts from it into your HV script. It has more benefits than drawbacks (it is also much faster) and will give you more ideas on how to attack the application. All of the needed code is already there; you just need to assemble the right parts in the right order into your code.
  • Remember that you can substitute well-known Python libs with their Java counterparts through Jython.
  • For advanced cases where external libs are needed, like crypto, stick to Java classes such as java.security and javax.crypto via Jython.
  • When working with crypto, stick to the same classes and formats. Note that hashing a JSON string is representation-sensitive: different string representations of the same JSON object give different hash values. Be aware of the exact classes in use. Let’s see some examples.
  • In part one I showed that we can easily embed JS libs into our code by just copying the minified version of them. That scenario won’t work with Python.
  • Using external Python libs, even ones designed for 2.7, is mostly not enough, since they depend on a full Python repo ecosystem/installation.
  • Local run: in the same folder as the HV script file
  • Burp: a temporary Lib folder that is set at each start; you can get the path by running the following code from a Hackvertor script
    import sys
    output = str(sys.path)
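As an added example (not code from the article or from Hackvertor), here is a Hackvertor-style Python tag script that pulls several of the tips above together: tag parameters marshaled into Python variables, a timestamp plus custom signing tag, mock parameters so the script can be debugged outside Burp with the standalone Jython jar, javax.crypto used through Jython with a hashlib fallback when the script runs under CPython, and canonical JSON serialization so that the hash no longer depends on how the client formatted the body. Hackvertor provides the tag content in input and takes the result from output; the parameter names secret and timestamp, the signing scheme (HMAC-SHA256 over "timestamp.canonical_body") and the sample body are assumptions constructed for this example, not something the article or any real API defines.

```python
# Added example: Hackvertor-style signing tag script (Jython 2.7 / CPython 3 compatible).
# Assumed tag params (defined in HV as string/int): secret, timestamp.
import hashlib
import hmac
import json

try:
    # On Jython, prefer the JVM's own crypto classes, as the article recommends.
    from javax.crypto import Mac
    from javax.crypto.spec import SecretKeySpec
    from java.lang import String as JString
    ON_JYTHON = True
except ImportError:
    ON_JYTHON = False


def hmac_sha256_hex(key, msg):
    """HMAC-SHA256 of msg under key, hex encoded. Uses javax.crypto on Jython,
    hashlib/hmac elsewhere; both paths produce the same digest."""
    if ON_JYTHON:
        mac = Mac.getInstance("HmacSHA256")
        mac.init(SecretKeySpec(JString(key).getBytes("UTF-8"), "HmacSHA256"))
        raw = mac.doFinal(JString(msg).getBytes("UTF-8"))
        # Java bytes are signed; mask to 0..255 before hex encoding.
        return "".join("%02x" % (b & 0xff) for b in raw)
    return hmac.new(key.encode("utf-8"), msg.encode("utf-8"), hashlib.sha256).hexdigest()


def raw_sha256_hex(text):
    """Digest of the body exactly as it appears in the request."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical_json(body_text):
    """Re-serialize the JSON body with sorted keys and no whitespace so two
    representations of the same object hash identically (see the JSON note above)."""
    obj = json.loads(body_text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sign(body_text, secret, timestamp):
    """Assumed scheme: HMAC-SHA256(secret, "<timestamp>.<canonical body>")."""
    msg = "%s.%s" % (timestamp, canonical_json(body_text))
    return hmac_sha256_hex(secret, msg)


# Debugging without Burp: when Hackvertor has not injected the tag variables,
# fall back to mock values (constructed) so the script runs standalone with
#   java -jar jython-standalone-2.7.0.jar script.py
if "input" not in globals():
    input = '{"amount": 10, "user": "alice"}'   # constructed sample body
    secret = "dev-secret"                        # constructed mock param
    timestamp = 1700000000                       # constructed mock param

# Hackvertor replaces the tag with whatever ends up in output.
output = sign(input, secret, timestamp)
```

Inside Burp, wrap the request body in the custom tag and move the tag's output into the signature header; locally, the same file runs under Jython with the mock values and can be stepped through before it is wired into Repeater or Intruder.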

Wrap up
