Burp community forum

Writing an extension to add a signature on requests

Alla | Last updated: Jul 01, 2015 09:14AM UTC

Hello, I am testing a web service that expects one of the request parameters to contain a hash of the remaining parameters and a shared secret. If I do a scan of it with Burp Scanner the majority of the requests will be treated as invalid by the service, because of the signature mismatch. What I'd like to do is capture the request the scanner is making just before it is sent, calculate the valid signature and replace it in the request. I suppose there should be a way to do it with Burp Extender, but I don't see a method that allows me to do that. Any suggestions? Thanks. Alla

PortSwigger Agent | Last updated: Jul 02, 2015 08:43AM UTC

You can do this fairly easily with an extension. Probably the best option would be to register an IHttpListener. Your listener will get called for every request and response passing through any Burp tool. You can choose to operate only on requests to the relevant target host (or URL, or having a given parameter, etc.). You can perform whatever modifications you need, and update the request before it is sent. There are various methods in IExtensionHelpers to analyze requests to obtain their parameters, and to update a parameters value, which should make your code fairly simple.

You need to Log in to post a reply. Or register here, for free.