JSON Crypto Helper a Ruby-based Burp Extension for JSON Encryption/Decryption - Part I

Burp Suite is one of my favorite tools when performing security assessments of web applications. Although it can handle almost all the basic situations by itself, corner case applications need some extra Burp customizations to maximize your assessment capabilities. For this purpose, Burp provides an extension API that enables you to extend its functionality. Extensions can be written in Java, Python or Ruby.

This is the first post in a three-part series about how to write a simple Ruby extension that helps deal with encrypted JSON messages (read part two here). You can download the complete extension code here. It was inspired by the JSON Decoder extension by Michal Melewski, which is available here.

Context

The last mobile application I tested used encrypted JSON messages to communicate with the server and any tampering or fuzzing was almost impossible. Requesting URLs in a browser looked like this:

As you can see, only the value string was encrypted and encoded with base64:

{
  "hello":"9DpW68SsC5nHi5PeyXEHEA==",
  "test":{ 
    "input1":"irTKsV484FzLRuH2A1r42Q==",
    "input2":"fFAUsaRu8W47lfusAtzV88ewPj9etXuoPtbCUUMzQHs="
  }
}

From a security perspective, the additional encryption step is not really efficient because the encryption/decryption is performed locally on the device; it is not difficult to retrieve all the information needed to decrypt the message directly from the application binary. And that's what I did. So, after reversing the binary (an iOS application), I managed to extract the following information (NOTE: the encryption key and the IV have been changed for demonstration purposes):

Encryption Key (hex digits): 0cc91185341d6a27c380e97fed30b4a1dcafd7f5044f09cc7fa6b3fa0df290b

IV (hex digits): abdad4a94d544b52f4782e2856f82874

Encryption Algorithm: AES 128bit CBC

You can verify this using OpenSSL from the terminal:

$ echo "9DpW68SsC5nHi5PeyXEHEA==" | openssl enc -aes-128-cbc -base64 -d -K a0cc91185341d6a27c380e97fed30b4a1dcafd7f5044f09cc7fa6b3fa0df290b -iv abdad4a94d544b52f4782e2856f82874
   => world!

So, now you have all you need to get rid of the encryption and use Burp the same way you do with unencrypted content. The end goal is to automatically decrypt the value anywhere in the Burp interface, automatically encrypt the value you want to send to the server (using the Repeater tool for example) and fuzz the JSON parameters with on-the-fly encryption (Intruder tool).

Setup the environment

Because we will use Ruby to implement the extension, you need to setup the environment with JRuby. The easiest way to do it is using RVM. Just install it using the RVM install guide and run the following commands in the directory you will create your Ruby extension:

$ rvm install jruby
$ rvm --ruby-version use jruby@burp --create

This will install JRuby (if you don't have it yet) and create the gemset burp. It also adds .ruby-version and .ruby-gemset files to tell RVM which ruby version and which gemset to use when entering the directory.

Then just run Burp like this:

JRUBY_HOME=$MY_RUBY_HOME java -XX:MaxPermSize=1G -Xmx1g -Xms1g -jar [burp_install_dir]/burpsuite_pro_v1.6.09.jar

It is important to setup the JRUBY_HOME environment variable to tell Burp where the JRuby environment is located.

IBurpExtender interface

The first thing to do is to implement the IBurpExtender interface with the method #registerExtenderCallbacks.

require 'java'
java_import 'burp.IBurpExtender'

class BurpExtender
  include IBurpExtender

  def registerExtenderCallbacks(callbacks)
    callbacks.setExtensionName("JSON Crypto Helper")
  end
end

This method is called when the extension is loaded; passing a callbacks instance that implements the IBurpExtenderCallbacks interface. This instance will be used to perform many actions, for example here, #setExtensionName is used to inform the extension name that will be displayed in Burp.

To load the extension you need first to configure Burp Suite Extender tool (Options tab) and specify the path where the JRuby jar is installed. If you're using RVM, it should be in your RVM project path, commonly installed here: $HOME/.rvm/rubies/jruby-x.x.x/lib/jruby.jar.

Then select Add in the Extensions tab, select the extension type Ruby and your .rb file. You should see your new extension showing up in the list:

Creating a Custom Tab

In order to interact with any Burp tools, you will need to create a specific tab that will display the decrypted JSON content. To do so, you need to implement the IMessageEditorTabFactory interface and register your extension with #registerMessageEditorTabFactory. Then you create a separate class that will take care of it (I called it JSONDecryptorTab) and instantiate it in the #createNewInstance method. Because you will use the callbacks a lot, it is a good idea to create an instance variable to easily access it inside JSONDecryptorTab instances.

require 'java'
java_import 'burp.IBurpExtender'
java_import 'burp.IMessageEditorTabFactory'

class BurpExtender
  include IBurpExtender
  include IMessageEditorTabFactory
  attr_reader :callbacks

  def registerExtenderCallbacks(callbacks)
    @callbacks = callbacks
    callbacks.setExtensionName("JSON Crypto Helper")
    callbacks.registerMessageEditorTabFactory(self)
  end

  def createNewInstance(controller, editable)
    JSONDecryptorTab.new(@callbacks, editable)
  end
end

Let's see how the JSONDecryptorTab class looks like. First it needs to implement the IMessageEditorTab interface:

class JSONDecryptorTab
  include IMessageEditorTab
  ...[SNIP]...

and the following methods:

• #initialize: the constructor, which setups some instance variable:

def initialize(callbacks, editable)
  # Burp Suite useful helpers:
  @helper = callbacks.get_helpers()
  # Create a Burp's plain text editor to use with this extension:
  @txt_input = callbacks.create_text_editor()
  # Indicates if the text editor is read-only or not:
  @editable = editable
end

• #getTabCaption: the tab name that will be displayed by Burp

def getTabCaption
  return "JSON Crypto Helper"
end

• #isEnabled: this method is invoked each time Burp displays a new message to check if the new custom tab should be displayed. It should return a Boolean (see below).
• #setMessage: this method is invoked each time a new message is displayed in your custom tab. This method will take care of processing the message, decrypting the JSON and displaying it (see below).
• #getMessage: this method is invoked each time you leave the custom tab. It returns an array of bytes that will be used by Burp (see below).
• #isModified: this method is invoked after calling #getMessage and if the editor tab is editable (in the Repeater tool for example). It should return true if the message has been edited. You simply use the value returned by #text_modified? of the text editor object:

def isModified
  return @txt_input.text_modified?
end

• #getSelectedData: not in use, but still need to be defined.

Decrypting JSON

Burp invokes the #isEnabled method to know if the custom tab has to be displayed for a given message (request or response). In this method, you will simply analyze the content and check if it is a proper JSON:

def isEnabled(content, is_request)
  return false if content.nil? or content.empty?
  if is_request
    info = @helper.analyze_request(content)
  else
    info = @helper.analyze_response(content)
  end
  return json?(info, is_request)
end

The method #json? uses the information already gathered by Burp:

def json?(info, is_request)
  if is_request
    return info.content_type == IRequestInfo::CONTENT_TYPE_JSON
  end
  return (info.stated_mime_type == "JSON" or info.inferred_mime_type == "JSON")
end

Don't forget to import the java interface for the constant CONTENT_TYPE_JSON:

java_import 'burp.IRequestInfo'

Now the tab should be displayed on every JSON request or response. Next step, you need to fill it with the decrypted JSON. The #setMessage method will take care of this:

def setMessage(content, is_request)
  return if content.nil? or content.empty? or @txt_input.text_modified?
  if is_request
    info = @helper.analyze_request(content)
  else
    info = @helper.analyze_response(content)
  end
  headers = content[ 0..(info.get_body_offset - 1) ].to_s
  body = content[ info.get_body_offset..-1 ].to_s
  body = process_json(body, :decrypt) if json?(info, is_request)
  @txt_input.text = (headers + body).to_java_bytes
  @txt_input.editable = @editable
end

Basically, the method analyses the message content, extracts the body, processes it and fills the editor.

#process_json will take care of decrypting/encrypting the JSON message. First, it will parse the content using the JSON Ruby library, decrypt/encrypt it and finally generate a well formatted JSON using #pretty_generate from the same library:

def process_json(json, mode = :no_encryption)
  message = ""
  begin
    json_tmp = JSON.parse(json)
    if mode == :decrypt
      json_tmp = decrypt_json(json_tmp)
    elsif mode == :encrypt
      json_tmp = encrypt_json(json_tmp)
    end
    message << JSON.pretty_generate(json_tmp)
  rescue OpenSSL::Cipher::CipherError => e
    # not encrypted, ignore and return the original message
    puts "process_json: Cryptography error: #{e.message}"
    message << json
  rescue JSON::ParserError => e
    puts "process_json: Parsing error: #{e.message}"
    message << json
  end
  message
end

Note that in case of decryption/encryption or parsing errors, the method rolls-back to the unmodified JSON message.

Decryption and Encryption Routines

I created a separate module for all the cryptographic methods. You will need to include it in the JSONDecryptorTab class.

module EncryptionHelper
  # Key and IV retrieved from the application binary
  KEY = "\xa0\xcc\x91\x18\x53\x41\xd6\xa2\x7c\x38\x0e\x97\xfe\xd3\x0b\x4a\x1d\xca\xfd\x7f\x50\x44\xf0\x9c\xc7\xfa\x6b\x3f\xa0\xdf\x29\x0b"
  IV = "\xab\xda\xd4\xa9\x4d\x54\x4b\x52\xf4\x78\x2e\x28\x56\xf8\x28\x74"
  ALGO = "aes-128-cbc"

  def encrypt text
      cipher = OpenSSL::Cipher::Cipher.new(ALGO)
      cipher.encrypt
      cipher.key = KEY
      cipher.iv = IV
      ciphertext = cipher.update(text)
      ciphertext << cipher.final
  end

  def decrypt ciphertext
      cipher = OpenSSL::Cipher::Cipher.new(ALGO)
      cipher.decrypt
      cipher.key = KEY
      cipher.iv = IV
      text = cipher.update(ciphertext)
      text << cipher.final
  end

  def encode_b64 text
      [text].pack('m0')
  end

  def decode_b64 encoded_text
      encoded_text.unpack('m')[0]
  end

  # This method will base64-decode and decrypt each value recursively
  def decrypt_json(json)
    json.each do |key, value|
      if value.is_a?(Hash)
        json[key] = decrypt_json(value)
      else
        value_tmp = decode_b64(value)
        if value_tmp.empty?
          json[key] = value
        else
          json[key] = decrypt(value_tmp)
        end
      end
    end
    json
  end

  # This method will encrypt and base64-encode each value recursively
  def encrypt_json(json)
    json.each do |key, value|
      if value.is_a?(Hash)
        json[key] = encrypt_json(value)
      else
        if value.empty?
          json[key] = value
        else
          json[key] = encode_b64(encrypt(value))
        end
      end
    end
    json
  end
end

Also, don't forget to require openssl and json in the file:

require "openssl"
require "json"

You are now able to decrypt JSON messages in the new custom tab, which is available in any tool. For example, in the Proxy tool:

Parting Thoughts

With this first post we covered the basics of Burp Extender tool and learned how to write a simple ruby-based extension. We took an encrypted JSON as an example but this also works with any content you want to process before displaying. For example, it won't be too complicated to implement a parser for an in-house communication protocol used by the application.

In the next post I will explain how to automatically encrypt the JSON values using the Repeater tool. This will enable you to write or modify a plaintext JSON and send it encrypted to the remote server.

Stay tuned!