Proxying the Proxy - Python scripting in Burp-Suite (sort-of)

By Yechiel Worenklein and David Tawil, penetration testers at Cybersafe

The journey begins when we were tasked with testing and an API used for finical transactions, and received A Postman collection from the client for that matter.

We quickly realized that it was not going to be an easy task. As part of our usual practice, we proxied the Postman requests through Burp Suite. However, no matter what we did, we could not get our modified requests to go through successfully.

We tried different methods, but it seemed like the server was always one step ahead of us. We were stuck, feeling like we were trying to hack into the Pentagon without any passwords or clearance.

Sending the request to repeater and submitting the request at the beginning seemed to work but when making the smallest change to any part of the request caused the request to fail.

Worst than that, after a minute or so, even the original request started failing which caused us to assume it has to to with time but still did not explain the modification issue

After banging our heads against the wall for a couple of hours. we suddenly noticed something we missed from the beginning: a Postman pre-request script!

Apparently, the server implemented content HMAC signing which signs every payloads with a secret + the current time-stamp.

The customer had a unique implementation if the technique as it was not intended to be used in a browser.

Postman pre-request scripts are scripts based on JavaScript that run before each request is sent and can read and modify data from the request attributes as well as postman environment variables.

Reading the script taught us that the script generates a variable encryptable (figure 1) which consists or a time stamp (which causes the request to fail after a shot time), the request method, the request URL and finally, the request body (figure 2)

then, the script generates a hash base on the previous variable and a user secret (figure 3)

finally the script appends 2 headers to the request: the timestamp and the hash (figure 4)

We've hit a bit of a roadblock because Burp Suite doesn't offer much in terms of pre-request actions. The Burp macros are quite limited, and there isn't a straightforward way to run a script from within Burp..

But we really needed a way to get it to work as we wanted to run a burp scan on the API.

Then the idea came like a lighting, proxy-chaining!

Nothing prevents us of redirecting burps traffic through a custom proxy written in python or any other flexible programing language that will calculate the correct hash and send append the appropriate headers.

Now we just need to chose the right tools for the mission.

We settled on mitmproxy which for who ever is not familiar with, is a proxy for pentesters similar to burp written in python and best of all, supports custom scripts that can interact with any part of the flow using a robust API.

Converting the script to python did not take too long and finally we got something looking like this

I order to start up the proxy we simply need to run the executable and supply the script we have written as an argument

Now that we have our Proxy up and running we need to tell Burp to Proxy it’s traffic through mitm.

This is done in the settings, under the connection tab in the upstream proxy section.

Bingo! it worked, now we can test any payload we wish with the convenience of burp without the authentication failing due to a signature mismatch

We can also take advantage of burp scanner which was useless without having a way to modify the headers

this is how the traffic generated from burp scanner looks like through mitmproxy’s logs

The pentest results are obviously private but we thought sharing this technique can be useful for people facing similar challenges.

Happy hacking…